Home Explore Help
Register Sign In
Apq
/
389-ds-base
mirror of https://github.com/389ds/389-ds-base.git
1
0
Fork 0
Files Issues 0 Wiki
Tree: 81c6e66514
Branches Tags
389-ds-base
/
ldap
/
servers
/
plugins
/
addn
/
addn.c

addn.c 17 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506 
  1. /** BEGIN COPYRIGHT BLOCK
    2. 

  2.  * Copyright (C) 2016 Red Hat, Inc.
    3. 

  3.  * All rights reserved.
    4. 

  4.  *
    5. 

  5.  * License: GPL (version 3 or any later version).
    6. 

  6.  * See LICENSE for details. 
    7. 

  7.  * END COPYRIGHT BLOCK **/
    8. 

  8. 

  9. #ifdef HAVE_CONFIG_H
    10. 

  10. #  include <config.h>
    11. 

  11. #endif
    12. 

  12. 

  13. /*
    14. 

  14.  * AD DN bind plugin
    15. 

  15.  *
    16. 

  16.  * This plugin allows violation of the LDAP v3 standard for binds to occur
    17. 

  17.  * as "uid" or "[email protected]". This plugin re-maps those terms to a real
    18. 

  18.  * dn such as uid=user,ou=People,dc=example,dc=com.
    19. 

  19.  */
    20. 

  20. 

  21. #include "addn.h"
    22. 

  22. 

  23. /* is there a better type we can use here? */
    24. 

  24. #define ADDN_FAILURE 1
    25. 

  25. 

  26. static void* plugin_identity = NULL;
    27. 

  27. static char *plugin_name = "addn_plugin";
    28. 

  28. 

  29. static Slapi_PluginDesc addn_description = {
    30. 

  30.     "addn",
    31. 

  31.     VENDOR,
    32. 

  32.     DS_PACKAGE_VERSION,
    33. 

  33.     "Allow AD DN style bind names to LDAP"
    34. 

  34. };
    35. 

  35. 

  36. int
    37. 

  37. addn_filter_validate(char *config_filter)
    38. 

  38. {
    39. 

  39.     if (config_filter == NULL) {
    40. 

  40.         return 1;
    41. 

  41.     }
    42. 

  42. 

  43.     char *lptr = NULL;
    44. 

  44.     char *rptr = NULL;
    45. 

  45. 

  46.     lptr = PL_strstr(config_filter, "%s");
    47. 

  47.     rptr = PL_strrstr(config_filter, "%s");
    48. 

  48. 

  49.     /* There is one instance, and one only! */
    50. 

  50.     if (lptr == rptr) {
    51. 

  51.         return LDAP_SUCCESS;
    52. 

  52.     }
    53. 

  53. 

  54.     /* Is there a way to now compile and check the filter syntax? */
    55. 

  55. 

  56.     return 1;
    57. 

  57. }
    58. 

  58. 

  59. 

  60. /* These will probably move to slapi_ hopefully, they make plugin writing easier ... */
    61. 

  61. /* Get all the configs under cn=<name>,cn=plugins,cn=config */
    62. 

  62. 

  63. /* Slapi_Entry **
    64. 

  64. addn_get_all_subconfigs(Slapi_PBlock *pb) */
    65. 

  65. 

  66. /* Filter configs? */
    67. 

  67. /* Slapi_Entry **
    68. 

  68. addn_filter_subconfigs(Slapi_PBlock *pb, Slapi_Entry * (*func)(Slapi_PBlock *, Slapi_Entry *) ) */
    69. 

  69. 

  70. /* Map on the configs? */
    71. 

  71. /* Slapi_Entry **
    72. 

  72. add_filter_subconfigs(Slapi_PBlock *pb, Slapi_Entry * (*func)(Slapi_PBlock *, Slapi_Entry *)) */
    73. 

  73. 

  74. /* Get a specific config under cn=<name>,cn=plugins,cn=config */
    75. 

  75. Slapi_Entry *
    76. 

  76. addn_get_subconfig(Slapi_PBlock *pb, char *identifier)
    77. 

  77. {
    78. 

  78.     char *config_dn = NULL;
    79. 

  79.     char *filter = NULL;
    80. 

  80.     int search_result = 0;
    81. 

  81.     int entry_count = 0;
    82. 

  82.     Slapi_DN *config_sdn = NULL;
    83. 

  83.     Slapi_PBlock *search_pblock = NULL;
    84. 

  84.     Slapi_Entry *result = NULL;
    85. 

  85.     Slapi_Entry **entries = NULL;
    86. 

  86. 

  87.     /* Get our config DN base. */
    88. 

  88.     slapi_pblock_get(pb, SLAPI_PLUGIN_CONFIG_DN, &config_dn);
    89. 

  89.     slapi_log_err(SLAPI_LOG_PLUGIN, plugin_name, "addn_get_subconfig: Getting config for %s\n", config_dn);
    90. 

  90.     config_sdn = slapi_sdn_new_dn_byval(config_dn);
    91. 

  91. 

  92.     filter = slapi_ch_smprintf("(cn=%s)", identifier);
    93. 

  93.     slapi_log_err(SLAPI_LOG_PLUGIN, plugin_name, "addn_get_subconfig: Searching with filter %s\n", filter);
    94. 

  94. 

  95.     /* Search the backend, and apply our filter given the username */
    96. 

  96.     search_pblock = slapi_pblock_new();
    97. 

  97. 

  98.     if (search_pblock == NULL) {
    99. 

  99.         slapi_log_err(SLAPI_LOG_ERR, plugin_name, "addn_get_subconfig: CRITICAL: Unable to allocate search_pblock!!!\n");
    100. 

  100.         goto out;
    101. 

  101.     }
    102. 

  102. 

  103.     slapi_search_internal_set_pb_ext(search_pblock, config_sdn, LDAP_SCOPE_ONELEVEL,
    104. 

  104.                                      filter, NULL, 0 /* attrs only */,
    105. 

  105.                                      NULL /* controls */, NULL /* uniqueid */, 
    106. 

  106.                                      plugin_identity, 0 /* actions */);
    107. 

  107.     slapi_search_internal_pb(search_pblock);
    108. 

  108. 

  109.     search_result = slapi_pblock_get(search_pblock, SLAPI_PLUGIN_INTOP_RESULT, &search_result);
    110. 

  110.     if (search_result != LDAP_SUCCESS) {
    111. 

  111.         slapi_log_err(SLAPI_LOG_ERR, plugin_name, "addn_get_subconfig: CRITICAL: Internal search pblock get failed!!!\n");
    112. 

  112.         goto out;
    113. 

  113.     }
    114. 

  114. 

  115.     if (search_result == LDAP_NO_SUCH_OBJECT) {
    116. 

  116.         slapi_log_err(SLAPI_LOG_PLUGIN, plugin_name, "addn_get_subconfig: LDAP_NO_SUCH_OBJECT \n");
    117. 

  117.         goto out;
    118. 

  118.     }
    119. 

  119. 

  120.     /* On all other errors, just fail out. */
    121. 

  121.     if (search_result != LDAP_SUCCESS) {
    122. 

  122.         slapi_log_err(SLAPI_LOG_PLUGIN, plugin_name, "addn_get_subconfig: CRITICAL: Internal search error occured %d \n", search_result);
    123. 

  123.         goto out;
    124. 

  124.     }
    125. 

  125. 

  126. 

  127.     search_result = slapi_pblock_get(search_pblock, SLAPI_NENTRIES, &entry_count);
    128. 

  128. 

  129.     if (search_result != LDAP_SUCCESS) {
    130. 

  130.         slapi_log_err(SLAPI_LOG_ERR, plugin_name, "addn_get_subconfig: CRITICAL: Unable to retrieve number of entries from pblock!\n");
    131. 

  131.         goto out;
    132. 

  132.     }
    133. 

  133.     /* If there are multiple results, we should also fail as we cannot */
    134. 

  134.     /* be sure of the real configuration we are about to use */
    135. 

  135. 

  136.     if (entry_count != 1) {
    137. 

  137.         /*  Is there a better log level for this? */
    138. 

  138.         slapi_log_err(SLAPI_LOG_ERR, plugin_name, "addn_get_subconfig: WARNING, multiple or no results returned. Failing to auth ...\n");
    139. 

  139.         goto out;
    140. 

  140.     }
    141. 

  141. 

  142.     search_result = slapi_pblock_get(search_pblock, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, &entries);
    143. 

  143.     if (search_result != LDAP_SUCCESS) {
    144. 

  144.         slapi_log_err(SLAPI_LOG_ERR, plugin_name, "addn_get_subconfig: CRITICAL: Unable to retrieve entries from pblock!\n");
    145. 

  145.         goto out;
    146. 

  146.     }
    147. 

  147. 

  148.     result = slapi_entry_dup(entries[0]);
    149. 

  149. 

  150. out:
    151. 

  151.     if (search_pblock != NULL) {
    152. 

  152.         slapi_free_search_results_internal(search_pblock);
    153. 

  153.         slapi_pblock_destroy(search_pblock);
    154. 

  154.     }
    155. 

  155.     slapi_sdn_free(&config_sdn);
    156. 

  156.     slapi_ch_free_string(&filter);
    157. 

  157.     return result;
    158. 

  158. }
    159. 

  159. 

  160. int
    161. 

  161. addn_prebind(Slapi_PBlock *pb)
    162. 

  162. {
    163. 

  163.     struct addn_config *config = NULL;
    164. 

  164.     Slapi_Entry *domain_config = NULL;
    165. 

  165.     Slapi_DN *pb_sdn_target = NULL;
    166. 

  166.     Slapi_DN *pb_sdn_mapped = NULL;
    167. 

  167.     char *dn = NULL;
    168. 

  168. 

  169.     char *dn_bind = NULL;
    170. 

  170.     int dn_bind_len = 0;
    171. 

  171.     char *dn_bind_escaped = NULL;
    172. 

  172. 

  173.     char *dn_domain = NULL;
    174. 

  174.     int dn_domain_len = 0;
    175. 

  175.     char *dn_domain_escaped = NULL;
    176. 

  176. 

  177.     char *be_suffix = NULL;
    178. 

  178.     Slapi_DN *be_suffix_dn = NULL;
    179. 

  179.     char *config_filter = NULL;
    180. 

  180.     char *filter = NULL;
    181. 

  181.     int result = 0;
    182. 

  182.     static char *attrs[] = { "dn", NULL };
    183. 

  183. 

  184.     Slapi_PBlock *search_pblock = NULL;
    185. 

  185.     int search_result = 0;
    186. 

  186.     Slapi_Entry **entries = NULL;
    187. 

  187.     int entry_count = 0;
    188. 

  188. 

  189.     slapi_log_err(SLAPI_LOG_PLUGIN, plugin_name, "addn_prebind: --> begin\n");
    190. 

  190.     slapi_pblock_get(pb, SLAPI_BIND_TARGET_SDN, &pb_sdn_target);
    191. 

  191.     /* We need to discard the const because later functions require char * only */
    192. 

  192.     dn = (char *)slapi_sdn_get_dn(pb_sdn_target);
    193. 

  193.     if (dn == NULL) {
    194. 

  194.         result = ADDN_FAILURE;
    195. 

  195.         goto out;
    196. 

  196.     }
    197. 

  197.     slapi_log_err(SLAPI_LOG_PLUGIN, plugin_name, "addn_prebind: Recieved %s\n", dn);
    198. 

  198. 

  199.     result = slapi_dn_syntax_check(NULL, dn, 0);
    200. 

  200.     slapi_log_err(SLAPI_LOG_PLUGIN, plugin_name, "addn_prebind: Dn validation %d\n", result);
    201. 

  201. 

  202.     if (result == LDAP_SUCCESS) {
    203. 

  203.         slapi_log_err(SLAPI_LOG_PLUGIN, plugin_name, "addn_prebind: Dn syntax is correct, do not alter\n");
    204. 

  204.         /* This is a syntax correct bind dn. Leave it alone! */
    205. 

  205.         goto out;
    206. 

  206.     }
    207. 

  207.     slapi_log_err(SLAPI_LOG_PLUGIN, plugin_name, "addn_prebind: Dn syntax is incorrect, it may need ADDN mangaling\n");
    208. 

  208. 

  209. 

  210.     result = slapi_pblock_get(pb, SLAPI_PLUGIN_PRIVATE, &config);
    211. 

  211.     if (result != LDAP_SUCCESS || config == NULL) {
    212. 

  212.         slapi_log_err(SLAPI_LOG_ERR, plugin_name, "addn_prebind: CRITICAL: Unable to retrieve plugin configuration!\n");
    213. 

  213.         result = ADDN_FAILURE;
    214. 

  214.         goto out;
    215. 

  215.     }
    216. 

  216. 

  217.     /* Right, the dn is invalid! This means it *could* be addn syntax */
    218. 

  218.     /* Do we have any other validation to run here? */
    219. 

  219.     /* Split the @domain component (if any) */
    220. 

  220. 

  221.     dn_bind = strtok(dn, "@");
    222. 

  222. 

  223.     /* Filter escape the name, and the domain parts */
    224. 

  224.     if (dn_bind != NULL) {
    225. 

  225.         dn_bind_len = strlen(dn_bind);
    226. 

  226.         dn_bind_escaped = slapi_escape_filter_value(dn_bind, dn_bind_len);
    227. 

  227.         dn_bind_len = strlen(dn_bind_escaped);
    228. 

  228.     }
    229. 

  229. 

  230.     dn_domain = strtok(NULL, "@");
    231. 

  231. 

  232.     /* You have a domain! Lets use it. */
    233. 

  233.     if (dn_domain != NULL) {
    234. 

  234.         dn_domain_len = strlen(dn_domain);
    235. 

  235.         dn_domain_escaped = slapi_escape_filter_value(dn_domain, dn_domain_len);
    236. 

  236.         dn_domain_len = strlen(dn_domain_escaped);
    237. 

  237.         slapi_log_err(SLAPI_LOG_PLUGIN, plugin_name, "addn_prebind: Selected bind submitted domain %s\n", dn_domain_escaped);
    238. 

  238.     } else {
    239. 

  239.         /* Or we could do the escape earlier. */
    240. 

  240.         dn_domain_escaped = slapi_ch_strdup(config->default_domain);
    241. 

  241.         dn_domain_len = config->default_domain_len;
    242. 

  242.         slapi_log_err(SLAPI_LOG_PLUGIN, plugin_name, "addn_prebind: Selected default domain %s\n", dn_domain_escaped);
    243. 

  243.     }
    244. 

  244. 

  245.     /* If we don't have the @domain. get a default from config */
    246. 

  246.     if (dn_domain_escaped == NULL) {
    247. 

  247.         /* This could alternately be domain, then we do the same domain -> suffix conversion .... */
    248. 

  248.         /* Select the correct backend. If no backend, bail. */
    249. 

  249.     }
    250. 

  250. 

  251.     /* Now get the config that matches. */
    252. 

  252. 

  253.     domain_config = addn_get_subconfig(pb, dn_domain_escaped);
    254. 

  254. 

  255.     if (domain_config == NULL) {
    256. 

  256.         slapi_log_err(SLAPI_LOG_PLUGIN, plugin_name, "addn_prebind: no matching domain configuration for %s\n", dn_domain_escaped);
    257. 

  257.         result = ADDN_FAILURE;
    258. 

  258.         goto out;
    259. 

  259.     }
    260. 

  260. 

  261.     /* Now we can get our suffix. */
    262. 

  262.     be_suffix = slapi_entry_attr_get_charptr(domain_config, "addn_base");
    263. 

  263.     be_suffix_dn = slapi_sdn_new_dn_byval(be_suffix);
    264. 

  264. 

  265.     /* Get our filter. From the config */
    266. 

  266.     config_filter = slapi_entry_attr_get_charptr(domain_config, "addn_filter");
    267. 

  267. 

  268.     /* Validate the filter_template only has one %s */
    269. 

  269.     if (addn_filter_validate(config_filter) != LDAP_SUCCESS) {
    270. 

  270.         slapi_log_err(SLAPI_LOG_ERR, plugin_name, "addn_prebind: CRITICAL: Failed to validate addn_filter %s for domain %s\n", config_filter, dn_domain_escaped);
    271. 

  271.         result = ADDN_FAILURE;
    272. 

  272.         goto out;
    273. 

  273.     }
    274. 

  274. 

  275.     /* Put the search term into the filter. */
    276. 

  276.     /* Current design relies on there only being a single search term! */
    277. 

  277.     filter = slapi_ch_smprintf(config_filter, dn_bind_escaped);
    278. 

  278.     slapi_log_err(SLAPI_LOG_PLUGIN, plugin_name, "addn_prebind: Searching with filter %s\n", filter);
    279. 

  279. 

  280.     /* Search the backend, and apply our filter given the username */
    281. 

  281.     search_pblock = slapi_pblock_new();
    282. 

  282. 

  283.     if (search_pblock == NULL) {
    284. 

  284.         slapi_log_err(SLAPI_LOG_ERR, plugin_name, "addn_prebind: CRITICAL: Unable to allocate search_pblock!!!\n");
    285. 

  285.         result = ADDN_FAILURE;
    286. 

  286.         goto out;
    287. 

  287.     }
    288. 

  288. 

  289.     slapi_search_internal_set_pb_ext(search_pblock, be_suffix_dn, LDAP_SCOPE_SUBTREE,
    290. 

  290.                                      filter, attrs, 0 /* attrs only */,
    291. 

  291.                                      NULL /* controls */, NULL /* uniqueid */, 
    292. 

  292.                                      plugin_identity, 0 /* actions */);
    293. 

  293.     slapi_search_internal_pb(search_pblock);
    294. 

  294. 

  295.     result = slapi_pblock_get(search_pblock, SLAPI_PLUGIN_INTOP_RESULT, &search_result);
    296. 

  296.     if (result != LDAP_SUCCESS) {
    297. 

  297.         slapi_log_err(SLAPI_LOG_ERR, plugin_name, "addn_prebind: CRITICAL: Internal search pblock get failed!!!\n");
    298. 

  298.         result = ADDN_FAILURE;
    299. 

  299.         goto out;
    300. 

  300.     }
    301. 

  301. 

  302.     /* No results are an error: Allow the plugin to continue, because */
    303. 

  303.     /* the bind will fail anyway ....? */
    304. 

  304. 

  305.     /* Do we want to return a fail here? Or pass, and allow the auth code
    306. 

  306.      * to fail us. That will prevent some attacks I feel as this could be a
    307. 

  307.      * disclosure attack ....
    308. 

  308.      */
    309. 

  309.     if (search_result == LDAP_NO_SUCH_OBJECT) {
    310. 

  310.         slapi_log_err(SLAPI_LOG_PLUGIN, plugin_name, "addn_prebind: LDAP_NO_SUCH_OBJECT \n");
    311. 

  311.         result = LDAP_SUCCESS;
    312. 

  312.         goto out;
    313. 

  313.     }
    314. 

  314. 

  315.     /* On all other errors, just fail out. */
    316. 

  316.     if (search_result != LDAP_SUCCESS) {
    317. 

  317.         slapi_log_err(SLAPI_LOG_PLUGIN, plugin_name, "addn_prebind: CRITICAL: Internal search error occured %d \n", search_result);
    318. 

  318.         result = ADDN_FAILURE;
    319. 

  319.         goto out;
    320. 

  320.     }
    321. 

  321. 

  322. 

  323.     result = slapi_pblock_get(search_pblock, SLAPI_NENTRIES, &entry_count);
    324. 

  324. 

  325.     if (result != LDAP_SUCCESS) {
    326. 

  326.         slapi_log_err(SLAPI_LOG_ERR, plugin_name, "addn_prebind: CRITICAL: Unable to retrieve number of entries from pblock!\n");
    327. 

  327.         result = ADDN_FAILURE;
    328. 

  328.         goto out;
    329. 

  329.     }
    330. 

  330.     /* If there are multiple results, we should also fail as we cannot */
    331. 

  331.     /* be sure of the real object we want to bind to */
    332. 

  332. 

  333.     if (entry_count > 1) {
    334. 

  334.         /*  Is there a better log level for this? */
    335. 

  335.         slapi_log_err(SLAPI_LOG_ERR, plugin_name, "addn_prebind: WARNING, multiple results returned. Failing to auth ...\n");
    336. 

  336.         result = ADDN_FAILURE;
    337. 

  337.         goto out;
    338. 

  338.     }
    339. 

  339. 

  340.     result = slapi_pblock_get(search_pblock, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, &entries);
    341. 

  341.     if (result != LDAP_SUCCESS) {
    342. 

  342.         slapi_log_err(SLAPI_LOG_ERR, plugin_name, "addn_prebind: CRITICAL: Unable to retrieve entries from pblock!\n");
    343. 

  343.         result = ADDN_FAILURE;
    344. 

  344.         goto out;
    345. 

  345.     }
    346. 

  346. 

  347.     /* We should only have one entry here! */
    348. 

  348. 

  349.     pb_sdn_mapped = slapi_sdn_dup(slapi_entry_get_sdn(*entries));
    350. 

  350. 

  351.     slapi_log_err(SLAPI_LOG_PLUGIN, plugin_name, "addn_prebind: SEARCH entry dn=%s is mapped from addn=%s\n", slapi_sdn_get_dn(pb_sdn_mapped), dn);
    352. 

  352. 

  353. 

  354.     /* If there is a result, take the DN and make the SDN for PB */
    355. 

  355. 

  356.     /* Free the original SDN */
    357. 

  357.     result = slapi_pblock_set(pb, SLAPI_TARGET_SDN, pb_sdn_mapped);
    358. 

  358.     if (result != LDAP_SUCCESS) {
    359. 

  359.         slapi_log_err(SLAPI_LOG_ERR, plugin_name, "addn_prebind: CRITICAL: Unable to set new mapped DN to pblock!\n");
    360. 

  360.         /* We have to free the mapped SDN here */
    361. 

  361.         slapi_sdn_free(&pb_sdn_mapped);
    362. 

  362.         result = ADDN_FAILURE;
    363. 

  363.         goto out;
    364. 

  364.     }
    365. 

  365. 

  366.     slapi_sdn_free(&pb_sdn_target);
    367. 

  367. 

  368.     slapi_log_err(SLAPI_LOG_PLUGIN, plugin_name, "addn_prebind: <-- complete\n");
    369. 

  369. 

  370.     result = LDAP_SUCCESS;
    371. 

  371. 

  372. out:
    373. 

  373.     if (search_pblock != NULL) {
    374. 

  374.         slapi_free_search_results_internal(search_pblock);
    375. 

  375.         slapi_pblock_destroy(search_pblock);
    376. 

  376.     }
    377. 

  377.     slapi_entry_free(domain_config);
    378. 

  378.     slapi_sdn_free(&be_suffix_dn);
    379. 

  379.     slapi_ch_free_string(&be_suffix);
    380. 

  380.     slapi_ch_free_string(&dn_bind_escaped);
    381. 

  381.     slapi_ch_free_string(&dn_domain_escaped);
    382. 

  382.     slapi_ch_free_string(&filter);
    383. 

  383. 

  384.     return result;
    385. 

  385. }
    386. 

  386. 

  387. 

  388. /*
    389. 

  389.  * addn_start
    390. 

  390.  *
    391. 

  391.  * This is called when the plugin is started. It allows a configuration change
    392. 

  392.  * To be made while the directory server is live.
    393. 

  393.  */
    394. 

  394. int
    395. 

  395. addn_start(Slapi_PBlock *pb)
    396. 

  396. {
    397. 

  397.     Slapi_Entry *plugin_entry = NULL;
    398. 

  398.     struct addn_config *config = NULL;
    399. 

  399.     char *domain = NULL;
    400. 

  400.     int result = LDAP_SUCCESS;
    401. 

  401. 

  402.     slapi_log_err(SLAPI_LOG_PLUGIN, plugin_name, "addn_start: starting ...\n");
    403. 

  403. 

  404.     /* It looks like we mis-use the SLAPI_ADD_ENTRY space in PB during plugin startup  */
    405. 

  405.     result = slapi_pblock_get(pb, SLAPI_ADD_ENTRY, &plugin_entry);
    406. 

  406.     if (result != LDAP_SUCCESS || plugin_entry == NULL) {
    407. 

  407.         slapi_log_err(SLAPI_LOG_ERR, plugin_name, "addn_start: CRITICAL: Failed to retrieve config entry!\n");
    408. 

  408.         return SLAPI_PLUGIN_FAILURE;
    409. 

  409.     }
    410. 

  410. 

  411.     /* Now set the values into the config */
    412. 

  412.     /* Probably need to get the config DN we are using too. */
    413. 

  413.     /* Are there some error cases here we should be checking? */
    414. 

  414.     config = (struct addn_config *)slapi_ch_malloc(sizeof(struct addn_config));
    415. 

  415.     domain = slapi_entry_attr_get_charptr(plugin_entry, "addn_default_domain");
    416. 

  416. 

  417.     if (domain == NULL) {
    418. 

  418.         slapi_log_err(SLAPI_LOG_ERR, plugin_name, "addn_start: CRITICAL: No default domain in configuration, you must set addn_default_domain!\n");
    419. 

  419.         return SLAPI_PLUGIN_FAILURE;
    420. 

  420.     }
    421. 

  421. 

  422.     config->default_domain = slapi_escape_filter_value(domain, strlen(domain));
    423. 

  423.     config->default_domain_len = strlen(config->default_domain);
    424. 

  424. 

  425.     /* Set into the pblock */
    426. 

  426.     slapi_pblock_set(pb, SLAPI_PLUGIN_PRIVATE, (void *) config);
    427. 

  427. 

  428.     slapi_log_err(SLAPI_LOG_PLUGIN, plugin_name, "addn_start: startup complete\n");
    429. 

  429. 

  430.     return LDAP_SUCCESS;
    431. 

  431. }
    432. 

  432. 

  433. /*
    434. 

  434.  * addn_close
    435. 

  435.  *
    436. 

  436.  * Called when the plugin is stopped. Frees the configs as needed
    437. 

  437.  */
    438. 

  438. int
    439. 

  439. addn_close(Slapi_PBlock *pb)
    440. 

  440. {
    441. 

  441.     struct addn_config *config = NULL;
    442. 

  442. 

  443.     slapi_log_err(SLAPI_LOG_PLUGIN, plugin_name, "addn_close: stopping ...\n");
    444. 

  444. 

  445.     slapi_pblock_get(pb, SLAPI_PLUGIN_PRIVATE, &config);
    446. 

  446.     if (config != NULL) {
    447. 

  447.         slapi_ch_free_string(&config->default_domain);
    448. 

  448.         slapi_ch_free((void **) &config);
    449. 

  449.         slapi_pblock_set(pb, SLAPI_PLUGIN_PRIVATE, NULL);
    450. 

  450.     }
    451. 

  451. 

  452.     slapi_log_err(SLAPI_LOG_PLUGIN, plugin_name, "addn_close: stop complete\n");
    453. 

  453. 

  454.     return LDAP_SUCCESS;
    455. 

  455. }
    456. 

  456. 

  457. 

  458. /*
    459. 

  459.  * addn_init
    460. 

  460.  *
    461. 

  461.  * Initialise and register the addn plugin to the directory server.
    462. 

  462.  */
    463. 

  463. int
    464. 

  464. addn_init(Slapi_PBlock *pb)
    465. 

  465. {
    466. 

  466.     int result = 0;
    467. 

  467. 

  468.     result = slapi_pblock_set(pb, SLAPI_PLUGIN_VERSION, SLAPI_PLUGIN_VERSION_03);
    469. 

  469.     if (result != LDAP_SUCCESS) {
    470. 

  470.         goto out;
    471. 

  471.     }
    472. 

  472. 

  473.     /* Get and stash our plugin identity */
    474. 

  474.     slapi_pblock_get (pb, SLAPI_PLUGIN_IDENTITY, &plugin_identity);
    475. 

  475. 

  476.     result = slapi_pblock_set(pb, SLAPI_PLUGIN_DESCRIPTION, (void*)&addn_description);
    477. 

  477.     if (result != LDAP_SUCCESS) {
    478. 

  478.         goto out;
    479. 

  479.     }
    480. 

  480. 

  481.     result = slapi_pblock_set(pb, SLAPI_PLUGIN_START_FN, (void*)addn_start);
    482. 

  482.     if (result != LDAP_SUCCESS) {
    483. 

  483.         goto out;
    484. 

  484.     }
    485. 

  485. 

  486.     result = slapi_pblock_set(pb, SLAPI_PLUGIN_CLOSE_FN, (void*)addn_close);
    487. 

  487.     if (result != LDAP_SUCCESS) {
    488. 

  488.         goto out;
    489. 

  489.     }
    490. 

  490. 

  491.     result = slapi_pblock_set(pb, SLAPI_PLUGIN_PRE_BIND_FN, (void*)addn_prebind);
    492. 

  492.     if (result != LDAP_SUCCESS) {
    493. 

  493.         goto out;
    494. 

  494.     }
    495. 

  495. 

  496. out:
    497. 

  497.     if (result == LDAP_SUCCESS) {
    498. 

  498.         slapi_log_err(SLAPI_LOG_PLUGIN, plugin_name, "addn_init: Success: plugin loaded.\n");
    499. 

  499.         slapi_log_err(SLAPI_LOG_WARNING, plugin_name, "addn_init: WARNING: The use of this plugin violates the LDAPv3 specification RFC4511 section 4.2 BindDN specification. You have been warned ...\n");
    500. 

  500.     } else {
    501. 

  501.         slapi_log_err(SLAPI_LOG_PLUGIN, plugin_name, "addn_init: Error: %d. \n", result);
    502. 

  502.     }
    503. 

  503.     return result;
    504. 

  504. }
    505. 

  505. 

  506.