diff options
| -rw-r--r-- | src/back-sch-idview.c | 11 | ||||
| -rw-r--r-- | src/back-sch.c | 81 |
2 files changed, 81 insertions, 11 deletions
diff --git a/src/back-sch-idview.c b/src/back-sch-idview.c index 5a2b450..a56a9e9 100644 --- a/src/back-sch-idview.c +++ b/src/back-sch-idview.c @@ -334,6 +334,10 @@ idview_process_filter_cb(Slapi_Filter *filter, const char *filter_type, struct b slapi_ber_bvdone(bval); slapi_ber_bvcpy(bval, slapi_value_get_berval(anchor_val)); config->override_found = TRUE; + slapi_log_error(SLAPI_LOG_PLUGIN, cbdata->state->plugin_desc->spd_id, + "Overriding the filter %s with %s=%*s from the override %s\n.", + filter_type, filter_type, bval->bv_len, bval->bv_val, + slapi_entry_get_dn_const(cbdata->overrides[i])); break; } } @@ -346,6 +350,11 @@ idview_process_filter_cb(Slapi_Filter *filter, const char *filter_type, struct b slapi_ber_bvdone(bval); slapi_ber_bvcpy(bval, slapi_value_get_berval(anchor_val)); config->override_found = TRUE; + slapi_log_error(SLAPI_LOG_PLUGIN, cbdata->state->plugin_desc->spd_id, + "Overriding the filter %s with %s=%*s from the override %s\n.", + filter_type, IPA_IDVIEWS_ATTR_ANCHORUUID, + bval->bv_len, bval->bv_val, + slapi_entry_get_dn_const(cbdata->overrides[i])); break; } @@ -366,8 +375,6 @@ idview_process_filter_cb(Slapi_Filter *filter, const char *filter_type, struct b * * Note that in reality we don't use original value of the uid/cn attribue. Instead, we use ipaAnchorUUID * to refer to the original entry. */ -extern char * -slapi_filter_to_string( const struct slapi_filter *f, char *buf, size_t bufsize ); void idview_replace_filter(struct backend_search_cbdata *cbdata) { diff --git a/src/back-sch.c b/src/back-sch.c index 27d5101..27ac24f 100644 --- a/src/back-sch.c +++ b/src/back-sch.c @@ -1166,6 +1166,44 @@ backend_search_set_cb(const char *group, const char *set, bool_t flag, return TRUE; } +/* Routines to search if a target DN is within any of the sets we handle */ +static bool_t +backend_search_find_set_dn_in_group_cb(const char *group, const char *set, bool_t flag, + void *backend_data, void *cb_data) +{ + struct backend_search_cbdata *cbdata; + struct backend_set_data *set_data; + + cbdata = cb_data; + set_data = backend_data; + + if (slapi_sdn_scope_test(cbdata->target_dn, + set_data->container_sdn, + cbdata->scope) == 1) { + cbdata->answer = TRUE; + } + + if (slapi_sdn_compare(set_data->container_sdn, + cbdata->target_dn) == 0) { + cbdata->answer = TRUE; + } + + return TRUE; + +} + +static bool_t +backend_search_find_set_dn_cb(const char *group, void *cb_data) +{ + struct backend_search_cbdata *cbdata; + + cbdata = cb_data; + map_data_foreach_map(cbdata->state, group, + backend_search_find_set_dn_in_group_cb, cb_data); + return TRUE; +} + +/* Routines to find out the set that has the same group as requested */ static bool_t backend_search_find_set_data_in_group_cb(const char *group, const char *set, bool_t flag, void *backend_data, void *cb_data) @@ -1340,9 +1378,6 @@ backend_search_cb(Slapi_PBlock *pb) "searching from \"%s\" for \"%s\" with scope %d%s\n", cbdata.target, cbdata.strfilter, cbdata.scope, backend_sch_scope_as_string(cbdata.scope)); -#ifdef USE_IPA_IDVIEWS - idview_replace_target_dn(&cbdata.target, &cbdata.idview); -#endif cbdata.target_dn = slapi_sdn_new_dn_byval(cbdata.target); /* Check if there's a backend handling this search. */ if (!slapi_be_exist(cbdata.target_dn)) { @@ -1351,19 +1386,47 @@ backend_search_cb(Slapi_PBlock *pb) "slapi_be_exists(\"%s\") = 0, " "ignoring search\n", cbdata.target); slapi_sdn_free(&cbdata.target_dn); + return 0; + } + +#ifdef USE_IPA_IDVIEWS + /* We may have multiple disjoint trees in the sets, search if the target matches any of them + * as in general there don't have to be a single subtree (cn=compat,$SUFFIX) for all trees to easily + * detect the ID view use. Unless the ID view is within the set we control, don't consider the override */ + map_data_foreach_domain(cbdata.state, backend_search_find_set_dn_cb, &cbdata); + if (cbdata.answer == FALSE) { + idview_replace_target_dn(&cbdata.target, &cbdata.idview); if (cbdata.idview != NULL) { - slapi_ch_free_string(&cbdata.target); + slapi_sdn_free(&cbdata.target_dn); + /* Perform another check, now for rewritten DN */ + cbdata.target_dn = slapi_sdn_new_dn_byval(cbdata.target); + map_data_foreach_domain(cbdata.state, backend_search_find_set_dn_cb, &cbdata); + /* Rewritten DN might still be outside of our trees */ + if (cbdata.answer == TRUE) { + slapi_log_error(SLAPI_LOG_PLUGIN, cbdata.state->plugin_desc->spd_id, + "Use of ID view '%s' is detected, searching from \"%s\" " + "for \"%s\" with scope %d%s. Filter may get overridden later.\n", + cbdata.idview, cbdata.target, cbdata.strfilter, cbdata.scope, + backend_sch_scope_as_string(cbdata.scope)); + } else { + slapi_sdn_free(&cbdata.target_dn); + slapi_ch_free_string(&cbdata.target); + slapi_ch_free_string(&cbdata.idview); + slapi_log_error(SLAPI_LOG_PLUGIN, + cbdata.state->plugin_desc->spd_id, + "The search base didn't match any of the containers, " + "ignoring search\n"); + return 0; + } } - slapi_ch_free_string(&cbdata.idview); -#ifdef USE_IPA_IDVIEWS - idview_free_overrides(&cbdata); -#endif - return 0; } + cbdata.answer = FALSE; +#endif /* Walk the list of groups. */ wrap_inc_call_level(); #ifdef USE_IPA_IDVIEWS + /* Filter replacement requires increased call level as we may fetch overrides and thus come back here */ idview_replace_filter(&cbdata); #endif if (map_rdlock() == 0) { |