Back to index

openldap  2.4.31
config.c
Go to the documentation of this file.
00001 /* $OpenLDAP$ */
00002 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
00003  *
00004  * Copyright 1999-2012 The OpenLDAP Foundation.
00005  * Portions Copyright 2001-2003 Pierangelo Masarati.
00006  * Portions Copyright 1999-2003 Howard Chu.
00007  * All rights reserved.
00008  *
00009  * Redistribution and use in source and binary forms, with or without
00010  * modification, are permitted only as authorized by the OpenLDAP
00011  * Public License.
00012  *
00013  * A copy of this license is available in the file LICENSE in the
00014  * top-level directory of the distribution or, alternatively, at
00015  * <http://www.OpenLDAP.org/license.html>.
00016  */
00017 /* ACKNOWLEDGEMENTS:
00018  * This work was initially developed by the Howard Chu for inclusion
00019  * in OpenLDAP Software and subsequently enhanced by Pierangelo
00020  * Masarati.
00021  */
00022 
00023 #include "portable.h"
00024 
00025 #include <stdio.h>
00026 
00027 #include <ac/string.h>
00028 #include <ac/socket.h>
00029 
00030 #include "slap.h"
00031 #include "lutil.h"
00032 #include "../back-ldap/back-ldap.h"
00033 #include "back-meta.h"
00034 
00035 static int
00036 meta_back_new_target( 
00037        metatarget_t  **mtp )
00038 {
00039        char                 *rargv[ 3 ];
00040        metatarget_t         *mt;
00041 
00042        *mtp = NULL;
00043 
00044        mt = ch_calloc( sizeof( metatarget_t ), 1 );
00045 
00046        mt->mt_rwmap.rwm_rw = rewrite_info_init( REWRITE_MODE_USE_DEFAULT );
00047        if ( mt->mt_rwmap.rwm_rw == NULL ) {
00048               ch_free( mt );
00049               return -1;
00050        }
00051 
00052        /*
00053         * the filter rewrite as a string must be disabled
00054         * by default; it can be re-enabled by adding rules;
00055         * this creates an empty rewriteContext
00056         */
00057        rargv[ 0 ] = "rewriteContext";
00058        rargv[ 1 ] = "searchFilter";
00059        rargv[ 2 ] = NULL;
00060        rewrite_parse( mt->mt_rwmap.rwm_rw, "<suffix massage>", 1, 2, rargv );
00061 
00062        rargv[ 0 ] = "rewriteContext";
00063        rargv[ 1 ] = "default";
00064        rargv[ 2 ] = NULL;
00065        rewrite_parse( mt->mt_rwmap.rwm_rw, "<suffix massage>", 1, 2, rargv );
00066 
00067        ldap_pvt_thread_mutex_init( &mt->mt_uri_mutex );
00068 
00069        mt->mt_idassert_mode = LDAP_BACK_IDASSERT_LEGACY;
00070        mt->mt_idassert_authmethod = LDAP_AUTH_NONE;
00071        mt->mt_idassert_tls = SB_TLS_DEFAULT;
00072 
00073        /* by default, use proxyAuthz control on each operation */
00074        mt->mt_idassert_flags = LDAP_BACK_AUTH_PRESCRIPTIVE;
00075 
00076        *mtp = mt;
00077 
00078        return 0;
00079 }
00080 
00081 static int
00082 check_true_false( char *str )
00083 {
00084        if ( strcasecmp( str, "true" ) == 0 || strcasecmp( str, "yes" ) == 0 ) {
00085               return 1;
00086        }
00087 
00088        if ( strcasecmp( str, "false" ) == 0 || strcasecmp( str, "no" ) == 0 ) {
00089               return 0;
00090        }
00091 
00092        return -1;
00093 }
00094 
00095 int
00096 meta_subtree_destroy( metasubtree_t *ms )
00097 {
00098        if ( ms->ms_next ) {
00099               meta_subtree_destroy( ms->ms_next );
00100        }
00101 
00102        switch ( ms->ms_type ) {
00103        case META_ST_SUBTREE:
00104        case META_ST_SUBORDINATE:
00105               ber_memfree( ms->ms_dn.bv_val );
00106               break;
00107 
00108        case META_ST_REGEX:
00109               regfree( &ms->ms_regex );
00110               ch_free( ms->ms_regex_pattern );
00111               break;
00112 
00113        default:
00114               return -1;
00115        }
00116 
00117        ch_free( ms );
00118 
00119        return 0;
00120 }
00121 
00122 static int
00123 meta_subtree_config(
00124        metatarget_t *mt,
00125        int argc,
00126        char **argv,
00127        char *buf,
00128        ber_len_t buflen,
00129        char *log_prefix )
00130 {
00131        meta_st_t     type = META_ST_SUBTREE;
00132        char          *pattern;
00133        struct berval ndn = BER_BVNULL;
00134        metasubtree_t *ms = NULL;
00135 
00136        if ( strcasecmp( argv[0], "subtree-exclude" ) == 0 ) {
00137               if ( mt->mt_subtree && !mt->mt_subtree_exclude ) {
00138                      snprintf( buf, buflen,
00139                             "\"subtree-exclude\" incompatible with previous \"subtree-include\" directives" );
00140                      return 1;
00141               }
00142 
00143               mt->mt_subtree_exclude = 1;
00144 
00145        } else {
00146               if ( mt->mt_subtree && mt->mt_subtree_exclude ) {
00147                      snprintf( buf, buflen,
00148                             "\"subtree-include\" incompatible with previous \"subtree-exclude\" directives" );
00149                      return 1;
00150               }
00151        }
00152 
00153        switch ( argc ) {
00154        case 1:
00155               snprintf( buf, buflen, "missing pattern" );
00156               return 1;
00157 
00158        case 2:
00159               break;
00160 
00161        default:
00162               snprintf( buf, buflen, "too many args" );
00163               return 1;
00164        }
00165 
00166        pattern = argv[1];
00167        if ( strncasecmp( pattern, "dn", STRLENOF( "dn" ) ) == 0 ) {
00168               char *style;
00169 
00170               pattern = &pattern[STRLENOF( "dn")];
00171 
00172               if ( pattern[0] == '.' ) {
00173                      style = &pattern[1];
00174 
00175                      if ( strncasecmp( style, "subtree", STRLENOF( "subtree" ) ) == 0 ) {
00176                             type = META_ST_SUBTREE;
00177                             pattern = &style[STRLENOF( "subtree" )];
00178 
00179                      } else if ( strncasecmp( style, "children", STRLENOF( "children" ) ) == 0 ) {
00180                             type = META_ST_SUBORDINATE;
00181                             pattern = &style[STRLENOF( "children" )];
00182 
00183                      } else if ( strncasecmp( style, "sub", STRLENOF( "sub" ) ) == 0 ) {
00184                             type = META_ST_SUBTREE;
00185                             pattern = &style[STRLENOF( "sub" )];
00186 
00187                      } else if ( strncasecmp( style, "regex", STRLENOF( "regex" ) ) == 0 ) {
00188                             type = META_ST_REGEX;
00189                             pattern = &style[STRLENOF( "regex" )];
00190 
00191                      } else {
00192                             snprintf( buf, buflen, "unknown style in \"dn.<style>\"" );
00193                             return 1;
00194                      }
00195               }
00196 
00197               if ( pattern[0] != ':' ) {
00198                      snprintf( buf, buflen, "missing colon after \"dn.<style>\"" );
00199                      return 1;
00200               }
00201               pattern++;
00202        }
00203 
00204        switch ( type ) {
00205        case META_ST_SUBTREE:
00206        case META_ST_SUBORDINATE: {
00207               struct berval dn;
00208 
00209               ber_str2bv( pattern, 0, 0, &dn );
00210               if ( dnNormalize( 0, NULL, NULL, &dn, &ndn, NULL )
00211                      != LDAP_SUCCESS )
00212               {
00213                      snprintf( buf, buflen, "DN=\"%s\" is invalid", pattern );
00214                      return 1;
00215               }
00216 
00217               if ( !dnIsSuffix( &ndn, &mt->mt_nsuffix ) ) {
00218                      snprintf( buf, buflen,
00219                             "DN=\"%s\" is not a subtree of target \"%s\"",
00220                             pattern, mt->mt_nsuffix.bv_val );
00221                      ber_memfree( ndn.bv_val );
00222                      return( 1 );
00223               }
00224               } break;
00225 
00226        default:
00227               /* silence warnings */
00228               break;
00229        }
00230 
00231        ms = ch_calloc( sizeof( metasubtree_t ), 1 );
00232        ms->ms_type = type;
00233 
00234        switch ( ms->ms_type ) {
00235        case META_ST_SUBTREE:
00236        case META_ST_SUBORDINATE:
00237               ms->ms_dn = ndn;
00238               break;
00239 
00240        case META_ST_REGEX: {
00241               int rc;
00242 
00243               rc = regcomp( &ms->ms_regex, pattern, REG_EXTENDED|REG_ICASE );
00244               if ( rc != 0 ) {
00245                      char regerr[ SLAP_TEXT_BUFLEN ];
00246 
00247                      regerror( rc, &ms->ms_regex, regerr, sizeof(regerr) );
00248 
00249                      snprintf( buf, sizeof( buf ),
00250                             "regular expression \"%s\" bad because of %s",
00251                             pattern, regerr );
00252                      ch_free( ms );
00253                      return 1;
00254               }
00255               ms->ms_regex_pattern = ch_strdup( pattern );
00256               } break;
00257        }
00258 
00259        if ( mt->mt_subtree == NULL ) {
00260                mt->mt_subtree = ms;
00261 
00262        } else {
00263               metasubtree_t **msp;
00264 
00265               for ( msp = &mt->mt_subtree; *msp; ) {
00266                      switch ( ms->ms_type ) {
00267                      case META_ST_SUBTREE:
00268                             switch ( (*msp)->ms_type ) {
00269                             case META_ST_SUBTREE:
00270                                    if ( dnIsSuffix( &(*msp)->ms_dn, &ms->ms_dn ) ) {
00271                                           metasubtree_t *tmp = *msp;
00272                                           Debug( LDAP_DEBUG_CONFIG,
00273                                                  "%s: previous rule \"dn.subtree:%s\" is contained in rule \"dn.subtree:%s\" (replaced)\n",
00274                                                  log_prefix, pattern, (*msp)->ms_dn.bv_val );
00275                                           *msp = (*msp)->ms_next;
00276                                           tmp->ms_next = NULL;
00277                                           meta_subtree_destroy( tmp );
00278                                           continue;
00279 
00280                                    } else if ( dnIsSuffix( &ms->ms_dn, &(*msp)->ms_dn ) ) {
00281                                           Debug( LDAP_DEBUG_CONFIG,
00282                                                  "%s: previous rule \"dn.subtree:%s\" contains rule \"dn.subtree:%s\" (ignored)\n",
00283                                                  log_prefix, (*msp)->ms_dn.bv_val, pattern );
00284                                           meta_subtree_destroy( ms );
00285                                           ms = NULL;
00286                                           return( 0 );
00287                                    }
00288                                    break;
00289 
00290                             case META_ST_SUBORDINATE:
00291                                    if ( dnIsSuffix( &(*msp)->ms_dn, &ms->ms_dn ) ) {
00292                                           metasubtree_t *tmp = *msp;
00293                                           Debug( LDAP_DEBUG_CONFIG,
00294                                                  "%s: previous rule \"dn.children:%s\" is contained in rule \"dn.subtree:%s\" (replaced)\n",
00295                                                  log_prefix, pattern, (*msp)->ms_dn.bv_val );
00296                                           *msp = (*msp)->ms_next;
00297                                           tmp->ms_next = NULL;
00298                                           meta_subtree_destroy( tmp );
00299                                           continue;
00300 
00301                                    } else if ( dnIsSuffix( &ms->ms_dn, &(*msp)->ms_dn ) && ms->ms_dn.bv_len > (*msp)->ms_dn.bv_len ) {
00302                                           Debug( LDAP_DEBUG_CONFIG,
00303                                                  "%s: previous rule \"dn.children:%s\" contains rule \"dn.subtree:%s\" (ignored)\n",
00304                                                  log_prefix, (*msp)->ms_dn.bv_val, pattern );
00305                                           meta_subtree_destroy( ms );
00306                                           ms = NULL;
00307                                           return( 0 );
00308                                    }
00309                                    break;
00310 
00311                             case META_ST_REGEX:
00312                                    if ( regexec( &(*msp)->ms_regex, ms->ms_dn.bv_val, 0, NULL, 0 ) == 0 ) {
00313                                           Debug( LDAP_DEBUG_CONFIG,
00314                                                  "%s: previous rule \"dn.regex:%s\" may contain rule \"dn.subtree:%s\"\n",
00315                                                  log_prefix, (*msp)->ms_regex_pattern, ms->ms_dn.bv_val );
00316                                    }
00317                                    break;
00318                             }
00319                             break;
00320 
00321                      case META_ST_SUBORDINATE:
00322                             switch ( (*msp)->ms_type ) {
00323                             case META_ST_SUBTREE:
00324                                    if ( dnIsSuffix( &(*msp)->ms_dn, &ms->ms_dn ) ) {
00325                                           metasubtree_t *tmp = *msp;
00326                                           Debug( LDAP_DEBUG_CONFIG,
00327                                                  "%s: previous rule \"dn.children:%s\" is contained in rule \"dn.subtree:%s\" (replaced)\n",
00328                                                  log_prefix, pattern, (*msp)->ms_dn.bv_val );
00329                                           *msp = (*msp)->ms_next;
00330                                           tmp->ms_next = NULL;
00331                                           meta_subtree_destroy( tmp );
00332                                           continue;
00333 
00334                                    } else if ( dnIsSuffix( &ms->ms_dn, &(*msp)->ms_dn ) && ms->ms_dn.bv_len > (*msp)->ms_dn.bv_len ) {
00335                                           Debug( LDAP_DEBUG_CONFIG,
00336                                                  "%s: previous rule \"dn.children:%s\" contains rule \"dn.subtree:%s\" (ignored)\n",
00337                                                  log_prefix, (*msp)->ms_dn.bv_val, pattern );
00338                                           meta_subtree_destroy( ms );
00339                                           ms = NULL;
00340                                           return( 0 );
00341                                    }
00342                                    break;
00343 
00344                             case META_ST_SUBORDINATE:
00345                                    if ( dnIsSuffix( &(*msp)->ms_dn, &ms->ms_dn ) ) {
00346                                           metasubtree_t *tmp = *msp;
00347                                           Debug( LDAP_DEBUG_CONFIG,
00348                                                  "%s: previous rule \"dn.children:%s\" is contained in rule \"dn.children:%s\" (replaced)\n",
00349                                                  log_prefix, pattern, (*msp)->ms_dn.bv_val );
00350                                           *msp = (*msp)->ms_next;
00351                                           tmp->ms_next = NULL;
00352                                           meta_subtree_destroy( tmp );
00353                                           continue;
00354 
00355                                    } else if ( dnIsSuffix( &ms->ms_dn, &(*msp)->ms_dn ) ) {
00356                                           Debug( LDAP_DEBUG_CONFIG,
00357                                                  "%s: previous rule \"dn.children:%s\" contains rule \"dn.children:%s\" (ignored)\n",
00358                                                  log_prefix, (*msp)->ms_dn.bv_val, pattern );
00359                                           meta_subtree_destroy( ms );
00360                                           ms = NULL;
00361                                           return( 0 );
00362                                    }
00363                                    break;
00364 
00365                             case META_ST_REGEX:
00366                                    if ( regexec( &(*msp)->ms_regex, ms->ms_dn.bv_val, 0, NULL, 0 ) == 0 ) {
00367                                           Debug( LDAP_DEBUG_CONFIG,
00368                                                  "%s: previous rule \"dn.regex:%s\" may contain rule \"dn.subtree:%s\"\n",
00369                                                  log_prefix, (*msp)->ms_regex_pattern, ms->ms_dn.bv_val );
00370                                    }
00371                                    break;
00372                             }
00373                             break;
00374 
00375                      case META_ST_REGEX:
00376                             switch ( (*msp)->ms_type ) {
00377                             case META_ST_SUBTREE:
00378                             case META_ST_SUBORDINATE:
00379                                    if ( regexec( &ms->ms_regex, (*msp)->ms_dn.bv_val, 0, NULL, 0 ) == 0 ) {
00380                                           Debug( LDAP_DEBUG_CONFIG,
00381                                                  "%s: previous rule \"dn.subtree:%s\" may be contained in rule \"dn.regex:%s\"\n",
00382                                                  log_prefix, (*msp)->ms_dn.bv_val, ms->ms_regex_pattern );
00383                                    }
00384                                    break;
00385 
00386                             case META_ST_REGEX:
00387                                    /* no check possible */
00388                                    break;
00389                             }
00390                             break;
00391                      }
00392 
00393                      msp = &(*msp)->ms_next;
00394               }
00395 
00396               *msp = ms;
00397        }
00398 
00399        return 0;
00400 }
00401 
00402 int
00403 meta_back_db_config(
00404               BackendDB     *be,
00405               const char    *fname,
00406               int           lineno,
00407               int           argc,
00408               char          **argv )
00409 {
00410        metainfo_t    *mi = ( metainfo_t * )be->be_private;
00411 
00412        assert( mi != NULL );
00413 
00414        /* URI of server to query */
00415        if ( strcasecmp( argv[ 0 ], "uri" ) == 0 ) {
00416               int           i = mi->mi_ntargets;
00417               LDAPURLDesc   *ludp;
00418               struct berval dn;
00419               int           rc;
00420               int           c;
00421 
00422               metatarget_t  *mt;
00423 
00424               char          **uris = NULL;
00425               
00426               if ( argc == 1 ) {
00427                      Debug( LDAP_DEBUG_ANY,
00428        "%s: line %d: missing URI "
00429        "in \"uri <protocol>://<server>[:port]/<naming context>\" line\n",
00430                             fname, lineno, 0 );
00431                      return 1;
00432               }
00433 
00434               if ( be->be_nsuffix == NULL ) {
00435                      Debug( LDAP_DEBUG_ANY,
00436        "%s: line %d: the suffix must be defined before any target.\n",
00437                             fname, lineno, 0 );
00438                      return 1;
00439               }
00440               
00441               ++mi->mi_ntargets;
00442 
00443               mi->mi_targets = ( metatarget_t ** )ch_realloc( mi->mi_targets, 
00444                      sizeof( metatarget_t * ) * mi->mi_ntargets );
00445               if ( mi->mi_targets == NULL ) {
00446                      Debug( LDAP_DEBUG_ANY,
00447        "%s: line %d: out of memory while storing server name"
00448        " in \"uri <protocol>://<server>[:port]/<naming context>\" line\n",
00449                             fname, lineno, 0 );
00450                      return 1;
00451               }
00452 
00453               if ( meta_back_new_target( &mi->mi_targets[ i ] ) != 0 ) {
00454                      Debug( LDAP_DEBUG_ANY,
00455        "%s: line %d: unable to init server"
00456        " in \"uri <protocol>://<server>[:port]/<naming context>\" line\n",
00457                             fname, lineno, 0 );
00458                      return 1;
00459               }
00460 
00461               mt = mi->mi_targets[ i ];
00462 
00463               mt->mt_rebind_f = mi->mi_rebind_f;
00464               mt->mt_urllist_f = mi->mi_urllist_f;
00465               mt->mt_urllist_p = mt;
00466 
00467               mt->mt_nretries = mi->mi_nretries;
00468               mt->mt_quarantine = mi->mi_quarantine;
00469               if ( META_BACK_QUARANTINE( mi ) ) {
00470                      ldap_pvt_thread_mutex_init( &mt->mt_quarantine_mutex );
00471               }
00472               mt->mt_flags = mi->mi_flags;
00473               mt->mt_version = mi->mi_version;
00474 #ifdef SLAPD_META_CLIENT_PR
00475               mt->mt_ps = mi->mi_ps;
00476 #endif /* SLAPD_META_CLIENT_PR */
00477               mt->mt_network_timeout = mi->mi_network_timeout;
00478               mt->mt_bind_timeout = mi->mi_bind_timeout;
00479               for ( c = 0; c < SLAP_OP_LAST; c++ ) {
00480                      mt->mt_timeout[ c ] = mi->mi_timeout[ c ];
00481               }
00482 
00483               for ( c = 1; c < argc; c++ ) {
00484                      char   **tmpuris = ldap_str2charray( argv[ c ], "\t" );
00485 
00486                      if ( tmpuris == NULL ) {
00487                             Debug( LDAP_DEBUG_ANY,
00488        "%s: line %d: unable to parse URIs #%d"
00489        " in \"uri <protocol>://<server>[:port]/<naming context>\" line\n",
00490                             fname, lineno, c - 1 );
00491                             return 1;
00492                      }
00493 
00494                      if ( c == 0 ) {
00495                             uris = tmpuris;
00496 
00497                      } else {
00498                             ldap_charray_merge( &uris, tmpuris );
00499                             ldap_charray_free( tmpuris );
00500                      }
00501               }
00502 
00503               for ( c = 0; uris[ c ] != NULL; c++ ) {
00504                      char *tmpuri = NULL;
00505 
00506                      /*
00507                       * uri MUST be legal!
00508                       */
00509                      if ( ldap_url_parselist_ext( &ludp, uris[ c ], "\t",
00510                                    LDAP_PVT_URL_PARSE_NONE ) != LDAP_SUCCESS
00511                             || ludp->lud_next != NULL )
00512                      {
00513                             Debug( LDAP_DEBUG_ANY,
00514               "%s: line %d: unable to parse URI #%d"
00515               " in \"uri <protocol>://<server>[:port]/<naming context>\" line\n",
00516                                    fname, lineno, c );
00517                             ldap_charray_free( uris );
00518                             return 1;
00519                      }
00520 
00521                      if ( c == 0 ) {
00522 
00523                             /*
00524                              * uri MUST have the <dn> part!
00525                              */
00526                             if ( ludp->lud_dn == NULL ) {
00527                                    Debug( LDAP_DEBUG_ANY,
00528                      "%s: line %d: missing <naming context> "
00529                      " in \"uri <protocol>://<server>[:port]/<naming context>\" line\n",
00530                                           fname, lineno, 0 );
00531                                    ldap_free_urllist( ludp );
00532                                    ldap_charray_free( uris );
00533                                    return 1;
00534                             }
00535 
00536                             /*
00537                              * copies and stores uri and suffix
00538                              */
00539                             ber_str2bv( ludp->lud_dn, 0, 0, &dn );
00540                             rc = dnPrettyNormal( NULL, &dn, &mt->mt_psuffix,
00541                                    &mt->mt_nsuffix, NULL );
00542                             if ( rc != LDAP_SUCCESS ) {
00543                                    Debug( LDAP_DEBUG_ANY, "%s: line %d: "
00544                                           "target \"%s\" DN is invalid\n",
00545                                           fname, lineno, argv[ 1 ] );
00546                                    ldap_free_urllist( ludp );
00547                                    ldap_charray_free( uris );
00548                                    return( 1 );
00549                             }
00550 
00551                             ludp->lud_dn[ 0 ] = '\0';
00552 
00553                             switch ( ludp->lud_scope ) {
00554                             case LDAP_SCOPE_DEFAULT:
00555                                    mt->mt_scope = LDAP_SCOPE_SUBTREE;
00556                                    break;
00557 
00558                             case LDAP_SCOPE_SUBTREE:
00559                             case LDAP_SCOPE_SUBORDINATE:
00560                                    mt->mt_scope = ludp->lud_scope;
00561                                    break;
00562 
00563                             default:
00564                                    Debug( LDAP_DEBUG_ANY, "%s: line %d: "
00565                                           "invalid scope for target \"%s\"\n",
00566                                           fname, lineno, argv[ 1 ] );
00567                                    ldap_free_urllist( ludp );
00568                                    ldap_charray_free( uris );
00569                                    return( 1 );
00570                             }
00571 
00572                      } else {
00573                             /* check all, to apply the scope check on the first one */
00574                             if ( ludp->lud_dn != NULL && ludp->lud_dn[ 0 ] != '\0' ) {
00575                                    Debug( LDAP_DEBUG_ANY, "%s: line %d: "
00576                                           "multiple URIs must have "
00577                                           "no DN part\n",
00578                                           fname, lineno, 0 );
00579                                    ldap_free_urllist( ludp );
00580                                    ldap_charray_free( uris );
00581                                    return( 1 );
00582 
00583                             }
00584                      }
00585 
00586                      tmpuri = ldap_url_list2urls( ludp );
00587                      ldap_free_urllist( ludp );
00588                      if ( tmpuri == NULL ) {
00589                             Debug( LDAP_DEBUG_ANY, "%s: line %d: no memory?\n",
00590                                    fname, lineno, 0 );
00591                             ldap_charray_free( uris );
00592                             return( 1 );
00593                      }
00594                      ldap_memfree( uris[ c ] );
00595                      uris[ c ] = tmpuri;
00596               }
00597 
00598               mt->mt_uri = ldap_charray2str( uris, " " );
00599               ldap_charray_free( uris );
00600               if ( mt->mt_uri == NULL) {
00601                      Debug( LDAP_DEBUG_ANY, "%s: line %d: no memory?\n",
00602                             fname, lineno, 0 );
00603                      return( 1 );
00604               }
00605               
00606               /*
00607                * uri MUST be a branch of suffix!
00608                */
00609               for ( c = 0; !BER_BVISNULL( &be->be_nsuffix[ c ] ); c++ ) {
00610                      if ( dnIsSuffix( &mt->mt_nsuffix, &be->be_nsuffix[ c ] ) ) {
00611                             break;
00612                      }
00613               }
00614 
00615               if ( BER_BVISNULL( &be->be_nsuffix[ c ] ) ) {
00616                      Debug( LDAP_DEBUG_ANY,
00617        "%s: line %d: <naming context> of URI must be within the naming context of this database.\n",
00618                             fname, lineno, 0 );
00619                      return 1;
00620               }
00621 
00622        /* subtree-exclude */
00623        } else if ( strcasecmp( argv[ 0 ], "subtree-exclude" ) == 0 ||
00624               strcasecmp( argv[ 0 ], "subtree-include" ) == 0)
00625        {
00626               char log_prefix[SLAP_TEXT_BUFLEN];
00627               char textbuf[SLAP_TEXT_BUFLEN];
00628               char *arg0;
00629               int i = mi->mi_ntargets - 1;
00630 
00631               if ( i < 0 ) {
00632                      Debug( LDAP_DEBUG_ANY,
00633               "%s: line %d: need \"uri\" directive first\n",
00634                             fname, lineno, 0 );
00635                      return 1;
00636               }
00637 
00638               if ( strcasecmp( argv[ 0 ], "subtree-exclude" ) == 0 ) {
00639                      arg0 = "subtree-exclude";
00640 
00641               } else {
00642                      arg0 = "subtree-include";
00643               }
00644 
00645               snprintf( log_prefix, sizeof(log_prefix), "%s: line %d: %s", fname, lineno, arg0 );
00646 
00647               if ( meta_subtree_config( mi->mi_targets[ i ], argc, argv, textbuf, sizeof(textbuf), log_prefix ) ) {
00648                      Debug( LDAP_DEBUG_ANY, "%s: %s\n", log_prefix, textbuf, 0 );
00649                      return 1;
00650               }
00651 
00652        /* default target directive */
00653        } else if ( strcasecmp( argv[ 0 ], "default-target" ) == 0 ) {
00654               int           i = mi->mi_ntargets - 1;
00655               
00656               if ( argc == 1 ) {
00657                      if ( i < 0 ) {
00658                             Debug( LDAP_DEBUG_ANY,
00659        "%s: line %d: \"default-target\" alone need be"
00660               " inside a \"uri\" directive\n",
00661                                    fname, lineno, 0 );
00662                             return 1;
00663                      }
00664                      mi->mi_defaulttarget = i;
00665 
00666               } else {
00667                      if ( strcasecmp( argv[ 1 ], "none" ) == 0 ) {
00668                             if ( i >= 0 ) {
00669                                    Debug( LDAP_DEBUG_ANY,
00670        "%s: line %d: \"default-target none\""
00671               " should go before uri definitions\n",
00672                                           fname, lineno, 0 );
00673                             }
00674                             mi->mi_defaulttarget = META_DEFAULT_TARGET_NONE;
00675 
00676                      } else {
00677                             
00678                             if ( lutil_atoi( &mi->mi_defaulttarget, argv[ 1 ] ) != 0
00679                                    || mi->mi_defaulttarget < 0
00680                                    || mi->mi_defaulttarget >= i - 1 )
00681                             {
00682                                    Debug( LDAP_DEBUG_ANY,
00683        "%s: line %d: illegal target number %d\n",
00684                                           fname, lineno, mi->mi_defaulttarget );
00685                                    return 1;
00686                             }
00687                      }
00688               }
00689               
00690        /* ttl of dn cache */
00691        } else if ( strcasecmp( argv[ 0 ], "dncache-ttl" ) == 0 ) {
00692               if ( argc != 2 ) {
00693                      Debug( LDAP_DEBUG_ANY,
00694        "%s: line %d: missing ttl in \"dncache-ttl <ttl>\" line\n",
00695                             fname, lineno, 0 );
00696                      return 1;
00697               }
00698               
00699               if ( strcasecmp( argv[ 1 ], "forever" ) == 0 ) {
00700                      mi->mi_cache.ttl = META_DNCACHE_FOREVER;
00701 
00702               } else if ( strcasecmp( argv[ 1 ], "disabled" ) == 0 ) {
00703                      mi->mi_cache.ttl = META_DNCACHE_DISABLED;
00704 
00705               } else {
00706                      unsigned long t;
00707 
00708                      if ( lutil_parse_time( argv[ 1 ], &t ) != 0 ) {
00709                             Debug( LDAP_DEBUG_ANY,
00710        "%s: line %d: unable to parse ttl \"%s\" in \"dncache-ttl <ttl>\" line\n",
00711                                    fname, lineno, argv[ 1 ] );
00712                             return 1;
00713                      }
00714                      mi->mi_cache.ttl = (time_t)t;
00715               }
00716 
00717        /* network timeout when connecting to ldap servers */
00718        } else if ( strcasecmp( argv[ 0 ], "network-timeout" ) == 0 ) {
00719               unsigned long t;
00720               time_t        *tp = mi->mi_ntargets ?
00721                             &mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_network_timeout
00722                             : &mi->mi_network_timeout;
00723 
00724               if ( argc != 2 ) {
00725                      Debug( LDAP_DEBUG_ANY,
00726        "%s: line %d: missing network timeout in \"network-timeout <seconds>\" line\n",
00727                             fname, lineno, 0 );
00728                      return 1;
00729               }
00730 
00731               if ( lutil_parse_time( argv[ 1 ], &t ) ) {
00732                      Debug( LDAP_DEBUG_ANY,
00733        "%s: line %d: unable to parse timeout \"%s\" in \"network-timeout <seconds>\" line\n",
00734                             fname, lineno, argv[ 1 ] );
00735                      return 1;
00736 
00737               }
00738 
00739               *tp = (time_t)t;
00740 
00741        /* idle timeout when connecting to ldap servers */
00742        } else if ( strcasecmp( argv[ 0 ], "idle-timeout" ) == 0 ) {
00743               unsigned long t;
00744 
00745               switch ( argc ) {
00746               case 1:
00747                      Debug( LDAP_DEBUG_ANY,
00748        "%s: line %d: missing timeout value in \"idle-timeout <seconds>\" line\n",
00749                             fname, lineno, 0 );
00750                      return 1;
00751               case 2:
00752                      break;
00753               default:
00754                      Debug( LDAP_DEBUG_ANY,
00755        "%s: line %d: extra cruft after timeout value in \"idle-timeout <seconds>\" line\n",
00756                             fname, lineno, 0 );
00757                      return 1;
00758               }
00759 
00760               if ( lutil_parse_time( argv[ 1 ], &t ) ) {
00761                      Debug( LDAP_DEBUG_ANY,
00762        "%s: line %d: unable to parse timeout \"%s\" in \"idle-timeout <seconds>\" line\n",
00763                             fname, lineno, argv[ 1 ] );
00764                      return 1;
00765 
00766               }
00767 
00768               mi->mi_idle_timeout = (time_t)t;
00769 
00770        /* conn ttl */
00771        } else if ( strcasecmp( argv[ 0 ], "conn-ttl" ) == 0 ) {
00772               unsigned long t;
00773 
00774               switch ( argc ) {
00775               case 1:
00776                      Debug( LDAP_DEBUG_ANY,
00777        "%s: line %d: missing ttl value in \"conn-ttl <seconds>\" line\n",
00778                             fname, lineno, 0 );
00779                      return 1;
00780               case 2:
00781                      break;
00782               default:
00783                      Debug( LDAP_DEBUG_ANY,
00784        "%s: line %d: extra cruft after ttl value in \"conn-ttl <seconds>\" line\n",
00785                             fname, lineno, 0 );
00786                      return 1;
00787               }
00788 
00789               if ( lutil_parse_time( argv[ 1 ], &t ) ) {
00790                      Debug( LDAP_DEBUG_ANY,
00791        "%s: line %d: unable to parse ttl \"%s\" in \"conn-ttl <seconds>\" line\n",
00792                             fname, lineno, argv[ 1 ] );
00793                      return 1;
00794 
00795               }
00796 
00797               mi->mi_conn_ttl = (time_t)t;
00798 
00799        /* bind timeout when connecting to ldap servers */
00800        } else if ( strcasecmp( argv[ 0 ], "bind-timeout" ) == 0 ) {
00801               unsigned long t;
00802               struct timeval       *tp = mi->mi_ntargets ?
00803                             &mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_bind_timeout
00804                             : &mi->mi_bind_timeout;
00805 
00806               switch ( argc ) {
00807               case 1:
00808                      Debug( LDAP_DEBUG_ANY,
00809        "%s: line %d: missing timeout value in \"bind-timeout <microseconds>\" line\n",
00810                             fname, lineno, 0 );
00811                      return 1;
00812               case 2:
00813                      break;
00814               default:
00815                      Debug( LDAP_DEBUG_ANY,
00816        "%s: line %d: extra cruft after timeout value in \"bind-timeout <microseconds>\" line\n",
00817                             fname, lineno, 0 );
00818                      return 1;
00819               }
00820 
00821               if ( lutil_atoul( &t, argv[ 1 ] ) != 0 ) {
00822                      Debug( LDAP_DEBUG_ANY,
00823        "%s: line %d: unable to parse timeout \"%s\" in \"bind-timeout <microseconds>\" line\n",
00824                             fname, lineno, argv[ 1 ] );
00825                      return 1;
00826 
00827               }
00828 
00829               tp->tv_sec = t/1000000;
00830               tp->tv_usec = t%1000000;
00831 
00832        /* name to use for meta_back_group */
00833        } else if ( strcasecmp( argv[ 0 ], "acl-authcDN" ) == 0
00834                      || strcasecmp( argv[ 0 ], "binddn" ) == 0 )
00835        {
00836               int           i = mi->mi_ntargets - 1;
00837               struct berval dn;
00838 
00839               if ( i < 0 ) {
00840                      Debug( LDAP_DEBUG_ANY,
00841        "%s: line %d: need \"uri\" directive first\n",
00842                             fname, lineno, 0 );
00843                      return 1;
00844               }
00845               
00846               if ( argc != 2 ) {
00847                      Debug( LDAP_DEBUG_ANY,
00848        "%s: line %d: missing name in \"binddn <name>\" line\n",
00849                             fname, lineno, 0 );
00850                      return 1;
00851               }
00852 
00853               if ( strcasecmp( argv[ 0 ], "binddn" ) == 0 ) {
00854                      Debug( LDAP_DEBUG_ANY, "%s: line %d: "
00855                             "\"binddn\" statement is deprecated; "
00856                             "use \"acl-authcDN\" instead\n",
00857                             fname, lineno, 0 );
00858                      /* FIXME: some day we'll need to throw an error */
00859               }
00860 
00861               ber_str2bv( argv[ 1 ], 0, 0, &dn );
00862               if ( dnNormalize( 0, NULL, NULL, &dn, &mi->mi_targets[ i ]->mt_binddn,
00863                      NULL ) != LDAP_SUCCESS )
00864               {
00865                      Debug( LDAP_DEBUG_ANY, "%s: line %d: "
00866                                    "bind DN '%s' is invalid\n",
00867                                    fname, lineno, argv[ 1 ] );
00868                      return( 1 );
00869               }
00870 
00871        /* password to use for meta_back_group */
00872        } else if ( strcasecmp( argv[ 0 ], "acl-passwd" ) == 0
00873                      || strcasecmp( argv[ 0 ], "bindpw" ) == 0 )
00874        {
00875               int           i = mi->mi_ntargets - 1;
00876 
00877               if ( i < 0 ) {
00878                      Debug( LDAP_DEBUG_ANY,
00879        "%s: line %d: need \"uri\" directive first\n",
00880                             fname, lineno, 0 );
00881                      return 1;
00882               }
00883 
00884               if ( argc != 2 ) {
00885                      Debug( LDAP_DEBUG_ANY,
00886        "%s: line %d: missing password in \"bindpw <password>\" line\n",
00887                          fname, lineno, 0 );
00888                      return 1;
00889               }
00890 
00891               if ( strcasecmp( argv[ 0 ], "bindpw" ) == 0 ) {
00892                      Debug( LDAP_DEBUG_ANY, "%s: line %d: "
00893                             "\"bindpw\" statement is deprecated; "
00894                             "use \"acl-passwd\" instead\n",
00895                             fname, lineno, 0 );
00896                      /* FIXME: some day we'll need to throw an error */
00897               }
00898 
00899               ber_str2bv( argv[ 1 ], 0L, 1, &mi->mi_targets[ i ]->mt_bindpw );
00900               
00901        /* save bind creds for referral rebinds? */
00902        } else if ( strcasecmp( argv[ 0 ], "rebind-as-user" ) == 0 ) {
00903               unsigned      *flagsp = mi->mi_ntargets ?
00904                             &mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_flags
00905                             : &mi->mi_flags;
00906 
00907               if ( argc > 2 ) {
00908                      Debug( LDAP_DEBUG_ANY,
00909        "%s: line %d: \"rebind-as-user {NO|yes}\" takes 1 argument.\n",
00910                          fname, lineno, 0 );
00911                      return( 1 );
00912               }
00913 
00914               if ( argc == 1 ) {
00915                      Debug( LDAP_DEBUG_ANY,
00916        "%s: line %d: deprecated use of \"rebind-as-user {FALSE|true}\" with no arguments.\n",
00917                          fname, lineno, 0 );
00918                      *flagsp |= LDAP_BACK_F_SAVECRED;
00919 
00920               } else {
00921                      switch ( check_true_false( argv[ 1 ] ) ) {
00922                      case 0:
00923                             *flagsp &= ~LDAP_BACK_F_SAVECRED;
00924                             break;
00925 
00926                      case 1:
00927                             *flagsp |= LDAP_BACK_F_SAVECRED;
00928                             break;
00929 
00930                      default:
00931                             Debug( LDAP_DEBUG_ANY,
00932        "%s: line %d: \"rebind-as-user {FALSE|true}\" unknown argument \"%s\".\n",
00933                                 fname, lineno, argv[ 1 ] );
00934                             return 1;
00935                      }
00936               }
00937 
00938        } else if ( strcasecmp( argv[ 0 ], "chase-referrals" ) == 0 ) {
00939               unsigned      *flagsp = mi->mi_ntargets ?
00940                             &mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_flags
00941                             : &mi->mi_flags;
00942 
00943               if ( argc != 2 ) {
00944                      Debug( LDAP_DEBUG_ANY,
00945        "%s: line %d: \"chase-referrals {TRUE|false}\" needs 1 argument.\n",
00946                             fname, lineno, 0 );
00947                      return( 1 );
00948               }
00949 
00950               /* this is the default; we add it because the default might change... */
00951               switch ( check_true_false( argv[ 1 ] ) ) {
00952               case 1:
00953                      *flagsp |= LDAP_BACK_F_CHASE_REFERRALS;
00954                      break;
00955 
00956               case 0:
00957                      *flagsp &= ~LDAP_BACK_F_CHASE_REFERRALS;
00958                      break;
00959 
00960               default:
00961                      Debug( LDAP_DEBUG_ANY,
00962               "%s: line %d: \"chase-referrals {TRUE|false}\": unknown argument \"%s\".\n",
00963                             fname, lineno, argv[ 1 ] );
00964                      return( 1 );
00965               }
00966        
00967        } else if ( strcasecmp( argv[ 0 ], "tls" ) == 0 ) {
00968               unsigned      *flagsp = mi->mi_ntargets ?
00969                             &mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_flags
00970                             : &mi->mi_flags;
00971 
00972               /* start */
00973               if ( strcasecmp( argv[ 1 ], "start" ) == 0 ) {
00974                      *flagsp |= ( LDAP_BACK_F_USE_TLS | LDAP_BACK_F_TLS_CRITICAL );
00975        
00976               /* try start tls */
00977               } else if ( strcasecmp( argv[ 1 ], "try-start" ) == 0 ) {
00978                      *flagsp &= ~LDAP_BACK_F_TLS_CRITICAL;
00979                      *flagsp |= LDAP_BACK_F_USE_TLS;
00980        
00981               /* propagate start tls */
00982               } else if ( strcasecmp( argv[ 1 ], "propagate" ) == 0 ) {
00983                      *flagsp |= ( LDAP_BACK_F_PROPAGATE_TLS | LDAP_BACK_F_TLS_CRITICAL );
00984               
00985               /* try start tls */
00986               } else if ( strcasecmp( argv[ 1 ], "try-propagate" ) == 0 ) {
00987                      *flagsp &= ~LDAP_BACK_F_TLS_CRITICAL;
00988                      *flagsp |= LDAP_BACK_F_PROPAGATE_TLS;
00989 
00990               } else {
00991                      Debug( LDAP_DEBUG_ANY,
00992               "%s: line %d: \"tls <what>\": unknown argument \"%s\".\n",
00993                             fname, lineno, argv[ 1 ] );
00994                      return( 1 );
00995               }
00996 
00997               if ( argc > 2 ) {
00998                      metatarget_t  *mt = NULL;
00999                      int           i;
01000 
01001                      if ( mi->mi_ntargets - 1 < 0 ) {
01002                             Debug( LDAP_DEBUG_ANY,
01003               "%s: line %d: need \"uri\" directive first\n",
01004                                    fname, lineno, 0 );
01005                             return 1;
01006                      }
01007 
01008                      mt = mi->mi_targets[ mi->mi_ntargets - 1 ];
01009 
01010                      for ( i = 2; i < argc; i++ ) {
01011                             if ( bindconf_tls_parse( argv[i], &mt->mt_tls ))
01012                                    return 1;
01013                      }
01014                      bindconf_tls_defaults( &mt->mt_tls );
01015               }
01016 
01017        } else if ( strcasecmp( argv[ 0 ], "t-f-support" ) == 0 ) {
01018               unsigned      *flagsp = mi->mi_ntargets ?
01019                             &mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_flags
01020                             : &mi->mi_flags;
01021 
01022               if ( argc != 2 ) {
01023                      Debug( LDAP_DEBUG_ANY,
01024               "%s: line %d: \"t-f-support {FALSE|true|discover}\" needs 1 argument.\n",
01025                             fname, lineno, 0 );
01026                      return( 1 );
01027               }
01028 
01029               switch ( check_true_false( argv[ 1 ] ) ) {
01030               case 0:
01031                      *flagsp &= ~LDAP_BACK_F_T_F_MASK2;
01032                      break;
01033 
01034               case 1:
01035                      *flagsp |= LDAP_BACK_F_T_F;
01036                      break;
01037 
01038               default:
01039                      if ( strcasecmp( argv[ 1 ], "discover" ) == 0 ) {
01040                             *flagsp |= LDAP_BACK_F_T_F_DISCOVER;
01041 
01042                      } else {
01043                             Debug( LDAP_DEBUG_ANY,
01044        "%s: line %d: unknown value \"%s\" for \"t-f-support {no|yes|discover}\".\n",
01045                                    fname, lineno, argv[ 1 ] );
01046                             return 1;
01047                      }
01048                      break;
01049               }
01050 
01051        /* onerr? */
01052        } else if ( strcasecmp( argv[ 0 ], "onerr" ) == 0 ) {
01053               if ( argc != 2 ) {
01054                      Debug( LDAP_DEBUG_ANY,
01055        "%s: line %d: \"onerr {CONTINUE|report|stop}\" takes 1 argument\n",
01056                             fname, lineno, 0 );
01057                      return( 1 );
01058               }
01059 
01060               if ( strcasecmp( argv[ 1 ], "continue" ) == 0 ) {
01061                      mi->mi_flags &= ~META_BACK_F_ONERR_MASK;
01062 
01063               } else if ( strcasecmp( argv[ 1 ], "stop" ) == 0 ) {
01064                      mi->mi_flags |= META_BACK_F_ONERR_STOP;
01065 
01066               } else if ( strcasecmp( argv[ 1 ], "report" ) == 0 ) {
01067                      mi->mi_flags |= META_BACK_F_ONERR_REPORT;
01068 
01069               } else {
01070                      Debug( LDAP_DEBUG_ANY,
01071        "%s: line %d: \"onerr {CONTINUE|report|stop}\": invalid arg \"%s\".\n",
01072                             fname, lineno, argv[ 1 ] );
01073                      return 1;
01074               }
01075 
01076        /* bind-defer? */
01077        } else if ( strcasecmp( argv[ 0 ], "pseudoroot-bind-defer" ) == 0
01078               || strcasecmp( argv[ 0 ], "root-bind-defer" ) == 0 )
01079        {
01080               if ( argc != 2 ) {
01081                      Debug( LDAP_DEBUG_ANY,
01082        "%s: line %d: \"[pseudo]root-bind-defer {TRUE|false}\" takes 1 argument\n",
01083                             fname, lineno, 0 );
01084                      return( 1 );
01085               }
01086 
01087               switch ( check_true_false( argv[ 1 ] ) ) {
01088               case 0:
01089                      mi->mi_flags &= ~META_BACK_F_DEFER_ROOTDN_BIND;
01090                      break;
01091 
01092               case 1:
01093                      mi->mi_flags |= META_BACK_F_DEFER_ROOTDN_BIND;
01094                      break;
01095 
01096               default:
01097                      Debug( LDAP_DEBUG_ANY,
01098        "%s: line %d: \"[pseudo]root-bind-defer {TRUE|false}\": invalid arg \"%s\".\n",
01099                             fname, lineno, argv[ 1 ] );
01100                      return 1;
01101               }
01102 
01103        /* single-conn? */
01104        } else if ( strcasecmp( argv[ 0 ], "single-conn" ) == 0 ) {
01105               if ( argc != 2 ) {
01106                      Debug( LDAP_DEBUG_ANY,
01107        "%s: line %d: \"single-conn {FALSE|true}\" takes 1 argument\n",
01108                             fname, lineno, 0 );
01109                      return( 1 );
01110               }
01111 
01112               if ( mi->mi_ntargets > 0 ) {
01113                      Debug( LDAP_DEBUG_ANY,
01114        "%s: line %d: \"single-conn\" must appear before target definitions\n",
01115                             fname, lineno, 0 );
01116                      return( 1 );
01117               }
01118 
01119               switch ( check_true_false( argv[ 1 ] ) ) {
01120               case 0:
01121                      mi->mi_flags &= ~LDAP_BACK_F_SINGLECONN;
01122                      break;
01123 
01124               case 1:
01125                      mi->mi_flags |= LDAP_BACK_F_SINGLECONN;
01126                      break;
01127 
01128               default:
01129                      Debug( LDAP_DEBUG_ANY,
01130        "%s: line %d: \"single-conn {FALSE|true}\": invalid arg \"%s\".\n",
01131                             fname, lineno, argv[ 1 ] );
01132                      return 1;
01133               }
01134 
01135        /* use-temporaries? */
01136        } else if ( strcasecmp( argv[ 0 ], "use-temporary-conn" ) == 0 ) {
01137               if ( argc != 2 ) {
01138                      Debug( LDAP_DEBUG_ANY,
01139        "%s: line %d: \"use-temporary-conn {FALSE|true}\" takes 1 argument\n",
01140                             fname, lineno, 0 );
01141                      return( 1 );
01142               }
01143 
01144               if ( mi->mi_ntargets > 0 ) {
01145                      Debug( LDAP_DEBUG_ANY,
01146        "%s: line %d: \"use-temporary-conn\" must appear before target definitions\n",
01147                             fname, lineno, 0 );
01148                      return( 1 );
01149               }
01150 
01151               switch ( check_true_false( argv[ 1 ] ) ) {
01152               case 0:
01153                      mi->mi_flags &= ~LDAP_BACK_F_USE_TEMPORARIES;
01154                      break;
01155 
01156               case 1:
01157                      mi->mi_flags |= LDAP_BACK_F_USE_TEMPORARIES;
01158                      break;
01159 
01160               default:
01161                      Debug( LDAP_DEBUG_ANY,
01162        "%s: line %d: \"use-temporary-conn {FALSE|true}\": invalid arg \"%s\".\n",
01163                             fname, lineno, argv[ 1 ] );
01164                      return 1;
01165               }
01166 
01167        /* privileged connections pool max size ? */
01168        } else if ( strcasecmp( argv[ 0 ], "conn-pool-max" ) == 0 ) {
01169               if ( argc != 2 ) {
01170                      Debug( LDAP_DEBUG_ANY,
01171        "%s: line %d: \"conn-pool-max <n>\" takes 1 argument\n",
01172                             fname, lineno, 0 );
01173                      return( 1 );
01174               }
01175 
01176               if ( mi->mi_ntargets > 0 ) {
01177                      Debug( LDAP_DEBUG_ANY,
01178        "%s: line %d: \"conn-pool-max\" must appear before target definitions\n",
01179                             fname, lineno, 0 );
01180                      return( 1 );
01181               }
01182 
01183               if ( lutil_atoi( &mi->mi_conn_priv_max, argv[1] )
01184                      || mi->mi_conn_priv_max < LDAP_BACK_CONN_PRIV_MIN
01185                      || mi->mi_conn_priv_max > LDAP_BACK_CONN_PRIV_MAX )
01186               {
01187                      Debug( LDAP_DEBUG_ANY,
01188        "%s: line %d: \"conn-pool-max <n>\": invalid arg \"%s\".\n",
01189                             fname, lineno, argv[ 1 ] );
01190                      return 1;
01191               }
01192 
01193        } else if ( strcasecmp( argv[ 0 ], "cancel" ) == 0 ) {
01194               unsigned      flag = 0;
01195               unsigned      *flagsp = mi->mi_ntargets ?
01196                             &mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_flags
01197                             : &mi->mi_flags;
01198 
01199               if ( argc != 2 ) {
01200                      Debug( LDAP_DEBUG_ANY,
01201        "%s: line %d: \"cancel {abandon|ignore|exop}\" takes 1 argument\n",
01202                             fname, lineno, 0 );
01203                      return( 1 );
01204               }
01205 
01206               if ( strcasecmp( argv[ 1 ], "abandon" ) == 0 ) {
01207                      flag = LDAP_BACK_F_CANCEL_ABANDON;
01208 
01209               } else if ( strcasecmp( argv[ 1 ], "ignore" ) == 0 ) {
01210                      flag = LDAP_BACK_F_CANCEL_IGNORE;
01211 
01212               } else if ( strcasecmp( argv[ 1 ], "exop" ) == 0 ) {
01213                      flag = LDAP_BACK_F_CANCEL_EXOP;
01214 
01215               } else if ( strcasecmp( argv[ 1 ], "exop-discover" ) == 0 ) {
01216                      flag = LDAP_BACK_F_CANCEL_EXOP_DISCOVER;
01217 
01218               } else {
01219                      Debug( LDAP_DEBUG_ANY,
01220        "%s: line %d: \"cancel {abandon|ignore|exop[-discover]}\": unknown mode \"%s\" \n",
01221                             fname, lineno, argv[ 1 ] );
01222                      return( 1 );
01223               }
01224 
01225               *flagsp &= ~LDAP_BACK_F_CANCEL_MASK2;
01226               *flagsp |= flag;
01227 
01228        } else if ( strcasecmp( argv[ 0 ], "timeout" ) == 0 ) {
01229               char   *sep;
01230               time_t *tv = mi->mi_ntargets ?
01231                             mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_timeout
01232                             : mi->mi_timeout;
01233               int    c;
01234 
01235               if ( argc < 2 ) {
01236                      Debug( LDAP_DEBUG_ANY,
01237        "%s: line %d: \"timeout [{add|bind|delete|modify|modrdn}=]<val> [...]\" takes at least 1 argument\n",
01238                             fname, lineno, 0 );
01239                      return( 1 );
01240               }
01241 
01242               for ( c = 1; c < argc; c++ ) {
01243                      time_t        *t = NULL;
01244                      unsigned long val;
01245 
01246                      sep = strchr( argv[ c ], '=' );
01247                      if ( sep != NULL ) {
01248                             size_t len = sep - argv[ c ];
01249 
01250                             if ( strncasecmp( argv[ c ], "bind", len ) == 0 ) {
01251                                    t = &tv[ SLAP_OP_BIND ];
01252                             /* unbind makes little sense */
01253                             } else if ( strncasecmp( argv[ c ], "add", len ) == 0 ) {
01254                                    t = &tv[ SLAP_OP_ADD ];
01255                             } else if ( strncasecmp( argv[ c ], "delete", len ) == 0 ) {
01256                                    t = &tv[ SLAP_OP_DELETE ];
01257                             } else if ( strncasecmp( argv[ c ], "modrdn", len ) == 0 ) {
01258                                    t = &tv[ SLAP_OP_MODRDN ];
01259                             } else if ( strncasecmp( argv[ c ], "modify", len ) == 0 ) {
01260                                    t = &tv[ SLAP_OP_MODIFY ];
01261                             } else if ( strncasecmp( argv[ c ], "compare", len ) == 0 ) {
01262                                    t = &tv[ SLAP_OP_COMPARE ];
01263                             } else if ( strncasecmp( argv[ c ], "search", len ) == 0 ) {
01264                                    t = &tv[ SLAP_OP_SEARCH ];
01265                             /* abandon makes little sense */
01266 #if 0                       /* not implemented yet */
01267                             } else if ( strncasecmp( argv[ c ], "extended", len ) == 0 ) {
01268                                    t = &tv[ SLAP_OP_EXTENDED ];
01269 #endif
01270                             } else {
01271                                    char   buf[ SLAP_TEXT_BUFLEN ];
01272                                    snprintf( buf, sizeof( buf ),
01273                                           "unknown/unhandled operation \"%s\" for timeout #%d",
01274                                           argv[ c ], c - 1 );
01275                                    Debug( LDAP_DEBUG_ANY,
01276                                           "%s: line %d: %s.\n",
01277                                           fname, lineno, buf );
01278                                    return 1;
01279                             }
01280                             sep++;
01281        
01282                      } else {
01283                             sep = argv[ c ];
01284                      }
01285        
01286                      if ( lutil_parse_time( sep, &val ) != 0 ) {
01287                             Debug( LDAP_DEBUG_ANY,
01288               "%s: line %d: unable to parse value \"%s\" for timeout.\n",
01289                                    fname, lineno, sep );
01290                             return 1;
01291                      }
01292               
01293                      if ( t ) {
01294                             *t = (time_t)val;
01295        
01296                      } else {
01297                             int    i;
01298        
01299                             for ( i = 0; i < SLAP_OP_LAST; i++ ) {
01300                                    tv[ i ] = (time_t)val;
01301                             }
01302                      }
01303               }
01304        
01305        /* name to use as pseudo-root dn */
01306        } else if ( strcasecmp( argv[ 0 ], "pseudorootdn" ) == 0 ) {
01307               int           i = mi->mi_ntargets - 1;
01308 
01309               if ( i < 0 ) {
01310                      Debug( LDAP_DEBUG_ANY,
01311        "%s: line %d: need \"uri\" directive first\n",
01312                             fname, lineno, 0 );
01313                      return 1;
01314               }
01315               
01316               if ( argc != 2 ) {
01317                      Debug( LDAP_DEBUG_ANY,
01318        "%s: line %d: missing name in \"pseudorootdn <name>\" line\n",
01319                             fname, lineno, 0 );
01320                      return 1;
01321               }
01322 
01323               /*
01324                * exact replacement:
01325                *
01326 
01327 idassert-bind bindmethod=simple
01328               binddn=<pseudorootdn>
01329               credentials=<pseudorootpw>
01330               mode=none
01331               flags=non-prescriptive
01332 idassert-authzFrom   "dn:<rootdn>"
01333 
01334                * so that only when authc'd as <rootdn> the proxying occurs
01335                * rebinding as the <pseudorootdn> without proxyAuthz.
01336                */
01337 
01338               Debug( LDAP_DEBUG_ANY,
01339                      "%s: line %d: \"pseudorootdn\", \"pseudorootpw\" are no longer supported; "
01340                      "use \"idassert-bind\" and \"idassert-authzFrom\" instead.\n",
01341                      fname, lineno, 0 );
01342 
01343               {
01344                      char   binddn[ SLAP_TEXT_BUFLEN ];
01345                      char   *cargv[] = {
01346                             "idassert-bind",
01347                             "bindmethod=simple",
01348                             NULL,
01349                             "mode=none",
01350                             "flags=non-prescriptive",
01351                             NULL
01352                      };
01353                      int    cargc = 5;
01354                      int    rc;
01355 
01356                      if ( BER_BVISNULL( &be->be_rootndn ) ) {
01357                             Debug( LDAP_DEBUG_ANY, "%s: line %d: \"pseudorootpw\": \"rootdn\" must be defined first.\n",
01358                                    fname, lineno, 0 );
01359                             return 1;
01360                      }
01361 
01362                      if ( sizeof( binddn ) <= (unsigned) snprintf( binddn,
01363                                    sizeof( binddn ), "binddn=%s", argv[ 1 ] ))
01364                      {
01365                             Debug( LDAP_DEBUG_ANY, "%s: line %d: \"pseudorootdn\" too long.\n",
01366                                    fname, lineno, 0 );
01367                             return 1;
01368                      }
01369                      cargv[ 2 ] = binddn;
01370 
01371                      rc = mi->mi_ldap_extra->idassert_parse_cf( fname, lineno, cargc, cargv, &mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_idassert );
01372                      if ( rc == 0 ) {
01373                             struct berval bv;
01374 
01375                             if ( mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_idassert_authz != NULL ) {
01376                                    Debug( LDAP_DEBUG_ANY, "%s: line %d: \"idassert-authzFrom\" already defined (discarded).\n",
01377                                           fname, lineno, 0 );
01378                                    ber_bvarray_free( mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_idassert_authz );
01379                                    mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_idassert_authz = NULL;
01380                             }
01381 
01382                             assert( !BER_BVISNULL( &mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_idassert_authcDN ) );
01383 
01384                             bv.bv_len = STRLENOF( "dn:" ) + be->be_rootndn.bv_len;
01385                             bv.bv_val = ber_memalloc( bv.bv_len + 1 );
01386                             AC_MEMCPY( bv.bv_val, "dn:", STRLENOF( "dn:" ) );
01387                             AC_MEMCPY( &bv.bv_val[ STRLENOF( "dn:" ) ], be->be_rootndn.bv_val, be->be_rootndn.bv_len + 1 );
01388 
01389                             ber_bvarray_add( &mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_idassert_authz, &bv );
01390                      }
01391 
01392                      return rc;
01393               }
01394 
01395        /* password to use as pseudo-root */
01396        } else if ( strcasecmp( argv[ 0 ], "pseudorootpw" ) == 0 ) {
01397               int           i = mi->mi_ntargets - 1;
01398 
01399               if ( i < 0 ) {
01400                      Debug( LDAP_DEBUG_ANY,
01401        "%s: line %d: need \"uri\" directive first\n",
01402                             fname, lineno, 0 );
01403                      return 1;
01404               }
01405               
01406               if ( argc != 2 ) {
01407                      Debug( LDAP_DEBUG_ANY,
01408        "%s: line %d: missing password in \"pseudorootpw <password>\" line\n",
01409                          fname, lineno, 0 );
01410                      return 1;
01411               }
01412 
01413               Debug( LDAP_DEBUG_ANY,
01414                      "%s: line %d: \"pseudorootdn\", \"pseudorootpw\" are no longer supported; "
01415                      "use \"idassert-bind\" and \"idassert-authzFrom\" instead.\n",
01416                      fname, lineno, 0 );
01417 
01418               if ( BER_BVISNULL( &mi->mi_targets[ i ]->mt_idassert_authcDN ) ) {
01419                      Debug( LDAP_DEBUG_ANY, "%s: line %d: \"pseudorootpw\": \"pseudorootdn\" must be defined first.\n",
01420                             fname, lineno, 0 );
01421                      return 1;
01422               }
01423 
01424               if ( !BER_BVISNULL( &mi->mi_targets[ i ]->mt_idassert_passwd ) ) {
01425                      memset( mi->mi_targets[ i ]->mt_idassert_passwd.bv_val, 0,
01426                             mi->mi_targets[ i ]->mt_idassert_passwd.bv_len );
01427                      ber_memfree( mi->mi_targets[ i ]->mt_idassert_passwd.bv_val );
01428               }
01429               ber_str2bv( argv[ 1 ], 0, 1, &mi->mi_targets[ i ]->mt_idassert_passwd );
01430 
01431        /* idassert-bind */
01432        } else if ( strcasecmp( argv[ 0 ], "idassert-bind" ) == 0 ) {
01433               if ( mi->mi_ntargets == 0 ) {
01434                      Debug( LDAP_DEBUG_ANY,
01435                             "%s: line %d: \"idassert-bind\" "
01436                             "must appear inside a target specification.\n",
01437                             fname, lineno, 0 );
01438                      return 1;
01439               }
01440 
01441               return mi->mi_ldap_extra->idassert_parse_cf( fname, lineno, argc, argv, &mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_idassert );
01442 
01443        /* idassert-authzFrom */
01444        } else if ( strcasecmp( argv[ 0 ], "idassert-authzFrom" ) == 0 ) {
01445               if ( mi->mi_ntargets == 0 ) {
01446                      Debug( LDAP_DEBUG_ANY,
01447                             "%s: line %d: \"idassert-bind\" "
01448                             "must appear inside a target specification.\n",
01449                             fname, lineno, 0 );
01450                      return 1;
01451               }
01452 
01453               switch ( argc ) {
01454               case 2:
01455                      break;
01456 
01457               case 1:
01458                      Debug( LDAP_DEBUG_ANY,
01459                             "%s: line %d: missing <id> in \"idassert-authzFrom <id>\".\n",
01460                             fname, lineno, 0 );
01461                      return 1;
01462 
01463               default:
01464                      Debug( LDAP_DEBUG_ANY,
01465                             "%s: line %d: extra cruft after <id> in \"idassert-authzFrom <id>\".\n",
01466                             fname, lineno, 0 );
01467                      return 1;
01468               }
01469 
01470               return mi->mi_ldap_extra->idassert_authzfrom_parse_cf( fname, lineno, argv[ 1 ], &mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_idassert );
01471 
01472        /* quarantine */
01473        } else if ( strcasecmp( argv[ 0 ], "quarantine" ) == 0 ) {
01474               char                 buf[ SLAP_TEXT_BUFLEN ] = { '\0' };
01475               slap_retry_info_t    *ri = mi->mi_ntargets ?
01476                             &mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_quarantine
01477                             : &mi->mi_quarantine;
01478 
01479               if ( ( mi->mi_ntargets == 0 && META_BACK_QUARANTINE( mi ) )
01480                      || ( mi->mi_ntargets > 0 && META_BACK_TGT_QUARANTINE( mi->mi_targets[ mi->mi_ntargets - 1 ] ) ) )
01481               {
01482                      Debug( LDAP_DEBUG_ANY,
01483                             "%s: line %d: quarantine already defined.\n",
01484                             fname, lineno, 0 );
01485                      return 1;
01486               }
01487 
01488               switch ( argc ) {
01489               case 2:
01490                      break;
01491 
01492               case 1:
01493                      Debug( LDAP_DEBUG_ANY,
01494                             "%s: line %d: missing arg in \"quarantine <pattern list>\".\n",
01495                             fname, lineno, 0 );
01496                      return 1;
01497 
01498               default:
01499                      Debug( LDAP_DEBUG_ANY,
01500                             "%s: line %d: extra cruft after \"quarantine <pattern list>\".\n",
01501                             fname, lineno, 0 );
01502                      return 1;
01503               }
01504 
01505               if ( ri != &mi->mi_quarantine ) {
01506                      ri->ri_interval = NULL;
01507                      ri->ri_num = NULL;
01508               }
01509 
01510               if ( mi->mi_ntargets > 0 && !META_BACK_QUARANTINE( mi ) ) {
01511                      ldap_pvt_thread_mutex_init( &mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_quarantine_mutex );
01512               }
01513 
01514               if ( mi->mi_ldap_extra->retry_info_parse( argv[ 1 ], ri, buf, sizeof( buf ) ) ) {
01515                      Debug( LDAP_DEBUG_ANY,
01516                             "%s line %d: %s.\n",
01517                             fname, lineno, buf );
01518                      return 1;
01519               }
01520 
01521               if ( mi->mi_ntargets == 0 ) {
01522                      mi->mi_flags |= LDAP_BACK_F_QUARANTINE;
01523 
01524               } else {
01525                      mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_flags |= LDAP_BACK_F_QUARANTINE;
01526               }
01527 
01528 #ifdef SLAP_CONTROL_X_SESSION_TRACKING
01529        /* session tracking request */
01530        } else if ( strcasecmp( argv[ 0 ], "session-tracking-request" ) == 0 ) {
01531               unsigned      *flagsp = mi->mi_ntargets ?
01532                             &mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_flags
01533                             : &mi->mi_flags;
01534 
01535               if ( argc != 2 ) {
01536                      Debug( LDAP_DEBUG_ANY,
01537        "%s: line %d: \"session-tracking-request {TRUE|false}\" needs 1 argument.\n",
01538                             fname, lineno, 0 );
01539                      return( 1 );
01540               }
01541 
01542               /* this is the default; we add it because the default might change... */
01543               switch ( check_true_false( argv[ 1 ] ) ) {
01544               case 1:
01545                      *flagsp |= LDAP_BACK_F_ST_REQUEST;
01546                      break;
01547 
01548               case 0:
01549                      *flagsp &= ~LDAP_BACK_F_ST_REQUEST;
01550                      break;
01551 
01552               default:
01553                      Debug( LDAP_DEBUG_ANY,
01554               "%s: line %d: \"session-tracking-request {TRUE|false}\": unknown argument \"%s\".\n",
01555                             fname, lineno, argv[ 1 ] );
01556                      return( 1 );
01557               }
01558 #endif /* SLAP_CONTROL_X_SESSION_TRACKING */
01559        
01560        /* dn massaging */
01561        } else if ( strcasecmp( argv[ 0 ], "suffixmassage" ) == 0 ) {
01562               BackendDB     *tmp_bd;
01563               int           i = mi->mi_ntargets - 1, c, rc;
01564               struct berval dn, nvnc, pvnc, nrnc, prnc;
01565 
01566               if ( i < 0 ) {
01567                      Debug( LDAP_DEBUG_ANY,
01568        "%s: line %d: need \"uri\" directive first\n",
01569                             fname, lineno, 0 );
01570                      return 1;
01571               }
01572               
01573               /*
01574                * syntax:
01575                * 
01576                *     suffixmassage <suffix> <massaged suffix>
01577                *
01578                * the <suffix> field must be defined as a valid suffix
01579                * (or suffixAlias?) for the current database;
01580                * the <massaged suffix> shouldn't have already been
01581                * defined as a valid suffix or suffixAlias for the 
01582                * current server
01583                */
01584               if ( argc != 3 ) {
01585                      Debug( LDAP_DEBUG_ANY,
01586        "%s: line %d: syntax is \"suffixMassage <suffix> <massaged suffix>\"\n",
01587                             fname, lineno, 0 );
01588                      return 1;
01589               }
01590 
01591               ber_str2bv( argv[ 1 ], 0, 0, &dn );
01592               if ( dnPrettyNormal( NULL, &dn, &pvnc, &nvnc, NULL ) != LDAP_SUCCESS ) {
01593                      Debug( LDAP_DEBUG_ANY, "%s: line %d: "
01594                                    "suffix \"%s\" is invalid\n",
01595                                    fname, lineno, argv[ 1 ] );
01596                      return 1;
01597               }
01598 
01599               for ( c = 0; !BER_BVISNULL( &be->be_nsuffix[ c ] ); c++ ) {
01600                      if ( dnIsSuffix( &nvnc, &be->be_nsuffix[ 0 ] ) ) {
01601                             break;
01602                      }
01603               }
01604 
01605               if ( BER_BVISNULL( &be->be_nsuffix[ c ] ) ) {
01606                      Debug( LDAP_DEBUG_ANY, "%s: line %d: "
01607        "<suffix> \"%s\" must be within the database naming context, in "
01608        "\"suffixMassage <suffix> <massaged suffix>\"\n",
01609                             fname, lineno, pvnc.bv_val );
01610                      free( pvnc.bv_val );
01611                      free( nvnc.bv_val );
01612                      return 1;                                        
01613               }
01614 
01615               ber_str2bv( argv[ 2 ], 0, 0, &dn );
01616               if ( dnPrettyNormal( NULL, &dn, &prnc, &nrnc, NULL ) != LDAP_SUCCESS ) {
01617                      Debug( LDAP_DEBUG_ANY, "%s: line %d: "
01618                             "massaged suffix \"%s\" is invalid\n",
01619                             fname, lineno, argv[ 2 ] );
01620                      free( pvnc.bv_val );
01621                      free( nvnc.bv_val );
01622                      return 1;
01623               }
01624        
01625               tmp_bd = select_backend( &nrnc, 0 );
01626               if ( tmp_bd != NULL && tmp_bd->be_private == be->be_private ) {
01627                      Debug( LDAP_DEBUG_ANY, 
01628        "%s: line %d: warning: <massaged suffix> \"%s\" resolves to this database, in "
01629        "\"suffixMassage <suffix> <massaged suffix>\"\n",
01630                             fname, lineno, prnc.bv_val );
01631               }
01632 
01633               /*
01634                * The suffix massaging is emulated by means of the
01635                * rewrite capabilities
01636                */
01637               rc = suffix_massage_config( mi->mi_targets[ i ]->mt_rwmap.rwm_rw,
01638                             &pvnc, &nvnc, &prnc, &nrnc );
01639 
01640               free( pvnc.bv_val );
01641               free( nvnc.bv_val );
01642               free( prnc.bv_val );
01643               free( nrnc.bv_val );
01644 
01645               return rc;
01646               
01647        /* rewrite stuff ... */
01648        } else if ( strncasecmp( argv[ 0 ], "rewrite", 7 ) == 0 ) {
01649               int           i = mi->mi_ntargets - 1;
01650 
01651               if ( i < 0 ) {
01652                      Debug( LDAP_DEBUG_ANY, "%s: line %d: \"rewrite\" "
01653                             "statement outside target definition.\n",
01654                             fname, lineno, 0 );
01655                      return 1;
01656               }
01657               
01658               return rewrite_parse( mi->mi_targets[ i ]->mt_rwmap.rwm_rw,
01659                             fname, lineno, argc, argv );
01660 
01661        /* objectclass/attribute mapping */
01662        } else if ( strcasecmp( argv[ 0 ], "map" ) == 0 ) {
01663               int           i = mi->mi_ntargets - 1;
01664 
01665               if ( i < 0 ) {
01666                      Debug( LDAP_DEBUG_ANY,
01667        "%s: line %d: need \"uri\" directive first\n",
01668                             fname, lineno, 0 );
01669                      return 1;
01670               }
01671 
01672               return ldap_back_map_config( &mi->mi_targets[ i ]->mt_rwmap.rwm_oc, 
01673                             &mi->mi_targets[ i ]->mt_rwmap.rwm_at,
01674                             fname, lineno, argc, argv );
01675 
01676        } else if ( strcasecmp( argv[ 0 ], "nretries" ) == 0 ) {
01677               int           i = mi->mi_ntargets - 1;
01678               int           nretries = META_RETRY_UNDEFINED;
01679 
01680               if ( argc != 2 ) {
01681                      Debug( LDAP_DEBUG_ANY,
01682        "%s: line %d: need value in \"nretries <value>\"\n",
01683                             fname, lineno, 0 );
01684                      return 1;
01685               }
01686 
01687               if ( strcasecmp( argv[ 1 ], "forever" ) == 0 ) {
01688                      nretries = META_RETRY_FOREVER;
01689 
01690               } else if ( strcasecmp( argv[ 1 ], "never" ) == 0 ) {
01691                      nretries = META_RETRY_NEVER;
01692 
01693               } else {
01694                      if ( lutil_atoi( &nretries, argv[ 1 ] ) != 0 ) {
01695                             Debug( LDAP_DEBUG_ANY,
01696        "%s: line %d: unable to parse value \"%s\" in \"nretries <value>\"\n",
01697                                    fname, lineno, argv[ 1 ] );
01698                             return 1;
01699                      }
01700               }
01701 
01702               if ( i < 0 ) {
01703                      mi->mi_nretries = nretries;
01704 
01705               } else {
01706                      mi->mi_targets[ i ]->mt_nretries = nretries;
01707               }
01708 
01709        } else if ( strcasecmp( argv[ 0 ], "protocol-version" ) == 0 ) {
01710               int    *version = mi->mi_ntargets ?
01711                             &mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_version
01712                             : &mi->mi_version;
01713 
01714               if ( argc != 2 ) {
01715                      Debug( LDAP_DEBUG_ANY,
01716        "%s: line %d: need value in \"protocol-version <version>\"\n",
01717                             fname, lineno, 0 );
01718                      return 1;
01719               }
01720 
01721               if ( lutil_atoi( version, argv[ 1 ] ) != 0 ) {
01722                      Debug( LDAP_DEBUG_ANY,
01723        "%s: line %d: unable to parse version \"%s\" in \"protocol-version <version>\"\n",
01724                             fname, lineno, argv[ 1 ] );
01725                      return 1;
01726               }
01727 
01728               if ( *version != 0 && ( *version < LDAP_VERSION_MIN || *version > LDAP_VERSION_MAX ) ) {
01729                      Debug( LDAP_DEBUG_ANY,
01730        "%s: line %d: unsupported version \"%s\" in \"protocol-version <version>\"\n",
01731                             fname, lineno, argv[ 1 ] );
01732                      return 1;
01733               }
01734 
01735        /* do not return search references */
01736        } else if ( strcasecmp( argv[ 0 ], "norefs" ) == 0 ) {
01737               unsigned      *flagsp = mi->mi_ntargets ?
01738                             &mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_flags
01739                             : &mi->mi_flags;
01740 
01741               if ( argc != 2 ) {
01742                      Debug( LDAP_DEBUG_ANY,
01743        "%s: line %d: \"norefs {TRUE|false}\" needs 1 argument.\n",
01744                             fname, lineno, 0 );
01745                      return( 1 );
01746               }
01747 
01748               /* this is the default; we add it because the default might change... */
01749               switch ( check_true_false( argv[ 1 ] ) ) {
01750               case 1:
01751                      *flagsp |= LDAP_BACK_F_NOREFS;
01752                      break;
01753 
01754               case 0:
01755                      *flagsp &= ~LDAP_BACK_F_NOREFS;
01756                      break;
01757 
01758               default:
01759                      Debug( LDAP_DEBUG_ANY,
01760               "%s: line %d: \"norefs {TRUE|false}\": unknown argument \"%s\".\n",
01761                             fname, lineno, argv[ 1 ] );
01762                      return( 1 );
01763               }
01764 
01765        /* do not propagate undefined search filters */
01766        } else if ( strcasecmp( argv[ 0 ], "noundeffilter" ) == 0 ) {
01767               unsigned      *flagsp = mi->mi_ntargets ?
01768                             &mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_flags
01769                             : &mi->mi_flags;
01770 
01771               if ( argc != 2 ) {
01772                      Debug( LDAP_DEBUG_ANY,
01773        "%s: line %d: \"noundeffilter {TRUE|false}\" needs 1 argument.\n",
01774                             fname, lineno, 0 );
01775                      return( 1 );
01776               }
01777 
01778               /* this is the default; we add it because the default might change... */
01779               switch ( check_true_false( argv[ 1 ] ) ) {
01780               case 1:
01781                      *flagsp |= LDAP_BACK_F_NOUNDEFFILTER;
01782                      break;
01783 
01784               case 0:
01785                      *flagsp &= ~LDAP_BACK_F_NOUNDEFFILTER;
01786                      break;
01787 
01788               default:
01789                      Debug( LDAP_DEBUG_ANY,
01790               "%s: line %d: \"noundeffilter {TRUE|false}\": unknown argument \"%s\".\n",
01791                             fname, lineno, argv[ 1 ] );
01792                      return( 1 );
01793               }
01794 
01795 #ifdef SLAPD_META_CLIENT_PR
01796        } else if ( strcasecmp( argv[ 0 ], "client-pr" ) == 0 ) {
01797               int *ps = mi->mi_ntargets ?
01798                             &mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_ps
01799                             : &mi->mi_ps;
01800 
01801               if ( argc != 2 ) {
01802                      Debug( LDAP_DEBUG_ANY,
01803        "%s: line %d: \"client-pr {accept-unsolicited|disable|<size>}\" needs 1 argument.\n",
01804                             fname, lineno, 0 );
01805                      return( 1 );
01806               }
01807 
01808               if ( strcasecmp( argv[ 1 ], "accept-unsolicited" ) == 0 ) {
01809                      *ps = META_CLIENT_PR_ACCEPT_UNSOLICITED;
01810 
01811               } else if ( strcasecmp( argv[ 1 ], "disable" ) == 0 ) {
01812                      *ps = META_CLIENT_PR_DISABLE;
01813 
01814               } else if ( lutil_atoi( ps, argv[ 1 ] ) || *ps < -1 ) {
01815                      Debug( LDAP_DEBUG_ANY,
01816        "%s: line %d: \"client-pr {accept-unsolicited|disable|<size>}\" invalid arg \"%s\".\n",
01817                             fname, lineno, argv[ 1 ] );
01818                      return( 1 );
01819               }
01820 #endif /* SLAPD_META_CLIENT_PR */
01821 
01822        /* anything else */
01823        } else {
01824               return SLAP_CONF_UNKNOWN;
01825        }
01826 
01827        return 0;
01828 }
01829 
01830 int
01831 ldap_back_map_config(
01832               struct ldapmap       *oc_map,
01833               struct ldapmap       *at_map,
01834               const char    *fname,
01835               int           lineno,
01836               int           argc,
01837               char          **argv )
01838 {
01839        struct ldapmap              *map;
01840        struct ldapmapping   *mapping;
01841        char                 *src, *dst;
01842        int                  is_oc = 0;
01843 
01844        if ( argc < 3 || argc > 4 ) {
01845               Debug( LDAP_DEBUG_ANY,
01846        "%s: line %d: syntax is \"map {objectclass | attribute} [<local> | *] {<foreign> | *}\"\n",
01847                      fname, lineno, 0 );
01848               return 1;
01849        }
01850 
01851        if ( strcasecmp( argv[ 1 ], "objectclass" ) == 0 ) {
01852               map = oc_map;
01853               is_oc = 1;
01854 
01855        } else if ( strcasecmp( argv[ 1 ], "attribute" ) == 0 ) {
01856               map = at_map;
01857 
01858        } else {
01859               Debug( LDAP_DEBUG_ANY, "%s: line %d: syntax is "
01860                      "\"map {objectclass | attribute} [<local> | *] "
01861                      "{<foreign> | *}\"\n",
01862                      fname, lineno, 0 );
01863               return 1;
01864        }
01865 
01866        if ( !is_oc && map->map == NULL ) {
01867               /* only init if required */
01868               ldap_back_map_init( map, &mapping );
01869        }
01870 
01871        if ( strcmp( argv[ 2 ], "*" ) == 0 ) {
01872               if ( argc < 4 || strcmp( argv[ 3 ], "*" ) == 0 ) {
01873                      map->drop_missing = ( argc < 4 );
01874                      goto success_return;
01875               }
01876               src = dst = argv[ 3 ];
01877 
01878        } else if ( argc < 4 ) {
01879               src = "";
01880               dst = argv[ 2 ];
01881 
01882        } else {
01883               src = argv[ 2 ];
01884               dst = ( strcmp( argv[ 3 ], "*" ) == 0 ? src : argv[ 3 ] );
01885        }
01886 
01887        if ( ( map == at_map )
01888               && ( strcasecmp( src, "objectclass" ) == 0
01889                      || strcasecmp( dst, "objectclass" ) == 0 ) )
01890        {
01891               Debug( LDAP_DEBUG_ANY,
01892                      "%s: line %d: objectclass attribute cannot be mapped\n",
01893                      fname, lineno, 0 );
01894        }
01895 
01896        mapping = (struct ldapmapping *)ch_calloc( 2,
01897               sizeof(struct ldapmapping) );
01898        if ( mapping == NULL ) {
01899               Debug( LDAP_DEBUG_ANY,
01900                      "%s: line %d: out of memory\n",
01901                      fname, lineno, 0 );
01902               return 1;
01903        }
01904        ber_str2bv( src, 0, 1, &mapping[ 0 ].src );
01905        ber_str2bv( dst, 0, 1, &mapping[ 0 ].dst );
01906        mapping[ 1 ].src = mapping[ 0 ].dst;
01907        mapping[ 1 ].dst = mapping[ 0 ].src;
01908 
01909        /*
01910         * schema check
01911         */
01912        if ( is_oc ) {
01913               if ( src[ 0 ] != '\0' ) {
01914                      if ( oc_bvfind( &mapping[ 0 ].src ) == NULL ) {
01915                             Debug( LDAP_DEBUG_ANY,
01916        "%s: line %d: warning, source objectClass '%s' "
01917        "should be defined in schema\n",
01918                                    fname, lineno, src );
01919 
01920                             /*
01921                              * FIXME: this should become an err
01922                              */
01923                             goto error_return;
01924                      }
01925               }
01926 
01927               if ( oc_bvfind( &mapping[ 0 ].dst ) == NULL ) {
01928                      Debug( LDAP_DEBUG_ANY,
01929        "%s: line %d: warning, destination objectClass '%s' "
01930        "is not defined in schema\n",
01931                             fname, lineno, dst );
01932               }
01933        } else {
01934               int                  rc;
01935               const char           *text = NULL;
01936               AttributeDescription *ad = NULL;
01937 
01938               if ( src[ 0 ] != '\0' ) {
01939                      rc = slap_bv2ad( &mapping[ 0 ].src, &ad, &text );
01940                      if ( rc != LDAP_SUCCESS ) {
01941                             Debug( LDAP_DEBUG_ANY,
01942        "%s: line %d: warning, source attributeType '%s' "
01943        "should be defined in schema\n",
01944                                    fname, lineno, src );
01945 
01946                             /*
01947                              * FIXME: this should become an err
01948                              */
01949                             /*
01950                              * we create a fake "proxied" ad 
01951                              * and add it here.
01952                              */
01953 
01954                             rc = slap_bv2undef_ad( &mapping[ 0 ].src,
01955                                           &ad, &text, SLAP_AD_PROXIED );
01956                             if ( rc != LDAP_SUCCESS ) {
01957                                    char   buf[ SLAP_TEXT_BUFLEN ];
01958 
01959                                    snprintf( buf, sizeof( buf ),
01960                                           "source attributeType \"%s\": %d (%s)",
01961                                           src, rc, text ? text : "" );
01962                                    Debug( LDAP_DEBUG_ANY,
01963                                           "%s: line %d: %s\n",
01964                                           fname, lineno, buf );
01965                                    goto error_return;
01966                             }
01967                      }
01968 
01969                      ad = NULL;
01970               }
01971 
01972               rc = slap_bv2ad( &mapping[ 0 ].dst, &ad, &text );
01973               if ( rc != LDAP_SUCCESS ) {
01974                      Debug( LDAP_DEBUG_ANY,
01975        "%s: line %d: warning, destination attributeType '%s' "
01976        "is not defined in schema\n",
01977                             fname, lineno, dst );
01978 
01979                      /*
01980                       * we create a fake "proxied" ad 
01981                       * and add it here.
01982                       */
01983 
01984                      rc = slap_bv2undef_ad( &mapping[ 0 ].dst,
01985                                    &ad, &text, SLAP_AD_PROXIED );
01986                      if ( rc != LDAP_SUCCESS ) {
01987                             char   buf[ SLAP_TEXT_BUFLEN ];
01988 
01989                             snprintf( buf, sizeof( buf ),
01990                                    "source attributeType \"%s\": %d (%s)\n",
01991                                    dst, rc, text ? text : "" );
01992                             Debug( LDAP_DEBUG_ANY,
01993                                    "%s: line %d: %s\n",
01994                                    fname, lineno, buf );
01995                             return 1;
01996                      }
01997               }
01998        }
01999 
02000        if ( (src[ 0 ] != '\0' && avl_find( map->map, (caddr_t)&mapping[ 0 ], mapping_cmp ) != NULL)
02001                      || avl_find( map->remap, (caddr_t)&mapping[ 1 ], mapping_cmp ) != NULL)
02002        {
02003               Debug( LDAP_DEBUG_ANY,
02004                      "%s: line %d: duplicate mapping found.\n",
02005                      fname, lineno, 0 );
02006               goto error_return;
02007        }
02008 
02009        if ( src[ 0 ] != '\0' ) {
02010               avl_insert( &map->map, (caddr_t)&mapping[ 0 ],
02011                                    mapping_cmp, mapping_dup );
02012        }
02013        avl_insert( &map->remap, (caddr_t)&mapping[ 1 ],
02014                             mapping_cmp, mapping_dup );
02015 
02016 success_return:;
02017        return 0;
02018 
02019 error_return:;
02020        if ( mapping ) {
02021               ch_free( mapping[ 0 ].src.bv_val );
02022               ch_free( mapping[ 0 ].dst.bv_val );
02023               ch_free( mapping );
02024        }
02025 
02026        return 1;
02027 }
02028 
02029 
02030 #ifdef ENABLE_REWRITE
02031 static char *
02032 suffix_massage_regexize( const char *s )
02033 {
02034        char *res, *ptr;
02035        const char *p, *r;
02036        int i;
02037 
02038        if ( s[ 0 ] == '\0' ) {
02039               return ch_strdup( "^(.+)$" );
02040        }
02041 
02042        for ( i = 0, p = s; 
02043                      ( r = strchr( p, ',' ) ) != NULL; 
02044                      p = r + 1, i++ )
02045               ;
02046 
02047        res = ch_calloc( sizeof( char ),
02048                      strlen( s )
02049                      + STRLENOF( "((.+),)?" )
02050                      + STRLENOF( "[ ]?" ) * i
02051                      + STRLENOF( "$" ) + 1 );
02052 
02053        ptr = lutil_strcopy( res, "((.+),)?" );
02054        for ( i = 0, p = s;
02055                      ( r = strchr( p, ',' ) ) != NULL;
02056                      p = r + 1 , i++ ) {
02057               ptr = lutil_strncopy( ptr, p, r - p + 1 );
02058               ptr = lutil_strcopy( ptr, "[ ]?" );
02059 
02060               if ( r[ 1 ] == ' ' ) {
02061                      r++;
02062               }
02063        }
02064        ptr = lutil_strcopy( ptr, p );
02065        ptr[ 0 ] = '$';
02066        ptr++;
02067        ptr[ 0 ] = '\0';
02068 
02069        return res;
02070 }
02071 
02072 static char *
02073 suffix_massage_patternize( const char *s, const char *p )
02074 {
02075        ber_len_t     len;
02076        char          *res, *ptr;
02077 
02078        len = strlen( p );
02079 
02080        if ( s[ 0 ] == '\0' ) {
02081               len++;
02082        }
02083 
02084        res = ch_calloc( sizeof( char ), len + STRLENOF( "%1" ) + 1 );
02085        if ( res == NULL ) {
02086               return NULL;
02087        }
02088 
02089        ptr = lutil_strcopy( res, ( p[ 0 ] == '\0' ? "%2" : "%1" ) );
02090        if ( s[ 0 ] == '\0' ) {
02091               ptr[ 0 ] = ',';
02092               ptr++;
02093        }
02094        lutil_strcopy( ptr, p );
02095 
02096        return res;
02097 }
02098 
02099 int
02100 suffix_massage_config( 
02101               struct rewrite_info *info,
02102               struct berval *pvnc,
02103               struct berval *nvnc,
02104               struct berval *prnc,
02105               struct berval *nrnc
02106 )
02107 {
02108        char *rargv[ 5 ];
02109        int line = 0;
02110 
02111        rargv[ 0 ] = "rewriteEngine";
02112        rargv[ 1 ] = "on";
02113        rargv[ 2 ] = NULL;
02114        rewrite_parse( info, "<suffix massage>", ++line, 2, rargv );
02115 
02116        rargv[ 0 ] = "rewriteContext";
02117        rargv[ 1 ] = "default";
02118        rargv[ 2 ] = NULL;
02119        rewrite_parse( info, "<suffix massage>", ++line, 2, rargv );
02120 
02121        rargv[ 0 ] = "rewriteRule";
02122        rargv[ 1 ] = suffix_massage_regexize( pvnc->bv_val );
02123        rargv[ 2 ] = suffix_massage_patternize( pvnc->bv_val, prnc->bv_val );
02124        rargv[ 3 ] = ":";
02125        rargv[ 4 ] = NULL;
02126        rewrite_parse( info, "<suffix massage>", ++line, 4, rargv );
02127        ch_free( rargv[ 1 ] );
02128        ch_free( rargv[ 2 ] );
02129 
02130        if ( BER_BVISEMPTY( pvnc ) ) {
02131               rargv[ 0 ] = "rewriteRule";
02132               rargv[ 1 ] = "^$";
02133               rargv[ 2 ] = prnc->bv_val;
02134               rargv[ 3 ] = ":";
02135               rargv[ 4 ] = NULL;
02136               rewrite_parse( info, "<suffix massage>", ++line, 4, rargv );
02137        }
02138        
02139        rargv[ 0 ] = "rewriteContext";
02140        rargv[ 1 ] = "searchEntryDN";
02141        rargv[ 2 ] = NULL;
02142        rewrite_parse( info, "<suffix massage>", ++line, 2, rargv );
02143 
02144        rargv[ 0 ] = "rewriteRule";
02145        rargv[ 1 ] = suffix_massage_regexize( prnc->bv_val );
02146        rargv[ 2 ] = suffix_massage_patternize( prnc->bv_val, pvnc->bv_val );
02147        rargv[ 3 ] = ":";
02148        rargv[ 4 ] = NULL;
02149        rewrite_parse( info, "<suffix massage>", ++line, 4, rargv );
02150        ch_free( rargv[ 1 ] );
02151        ch_free( rargv[ 2 ] );
02152 
02153        if ( BER_BVISEMPTY( prnc ) ) {
02154               rargv[ 0 ] = "rewriteRule";
02155               rargv[ 1 ] = "^$";
02156               rargv[ 2 ] = pvnc->bv_val;
02157               rargv[ 3 ] = ":";
02158               rargv[ 4 ] = NULL;
02159               rewrite_parse( info, "<suffix massage>", ++line, 4, rargv );
02160        }
02161        
02162        /* backward compatibility */
02163        rargv[ 0 ] = "rewriteContext";
02164        rargv[ 1 ] = "searchResult";
02165        rargv[ 2 ] = "alias";
02166        rargv[ 3 ] = "searchEntryDN";
02167        rargv[ 4 ] = NULL;
02168        rewrite_parse( info, "<suffix massage>", ++line, 4, rargv );
02169        
02170        rargv[ 0 ] = "rewriteContext";
02171        rargv[ 1 ] = "matchedDN";
02172        rargv[ 2 ] = "alias";
02173        rargv[ 3 ] = "searchEntryDN";
02174        rargv[ 4 ] = NULL;
02175        rewrite_parse( info, "<suffix massage>", ++line, 4, rargv );
02176 
02177        rargv[ 0 ] = "rewriteContext";
02178        rargv[ 1 ] = "searchAttrDN";
02179        rargv[ 2 ] = "alias";
02180        rargv[ 3 ] = "searchEntryDN";
02181        rargv[ 4 ] = NULL;
02182        rewrite_parse( info, "<suffix massage>", ++line, 4, rargv );
02183 
02184        /* NOTE: this corresponds to #undef'ining RWM_REFERRAL_REWRITE;
02185         * see servers/slapd/overlays/rwm.h for details */
02186         rargv[ 0 ] = "rewriteContext";
02187        rargv[ 1 ] = "referralAttrDN";
02188        rargv[ 2 ] = NULL;
02189        rewrite_parse( info, "<suffix massage>", ++line, 2, rargv );
02190 
02191        rargv[ 0 ] = "rewriteContext";
02192        rargv[ 1 ] = "referralDN";
02193        rargv[ 2 ] = NULL;
02194        rewrite_parse( info, "<suffix massage>", ++line, 2, rargv );
02195        
02196        return 0;
02197 }
02198 #endif /* ENABLE_REWRITE */
02199