Plan 9 from Bell Labs’s /usr/web/sources/contrib/lucio/pub/openldap/servers/slapd/back-meta/search.c

Copyright © 2021 Plan 9 Foundation.
Distributed under the MIT License.
Download the Plan 9 distribution.


/* $OpenLDAP: pkg/ldap/servers/slapd/back-meta/search.c,v 1.84.2.32 2007/03/14 00:07:56 ando Exp $ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
 *
 * Copyright 1999-2007 The OpenLDAP Foundation.
 * Portions Copyright 2001-2003 Pierangelo Masarati.
 * Portions Copyright 1999-2003 Howard Chu.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted only as authorized by the OpenLDAP
 * Public License.
 *
 * A copy of this license is available in the file LICENSE in the
 * top-level directory of the distribution or, alternatively, at
 * <http://www.OpenLDAP.org/license.html>.
 */
/* ACKNOWLEDGEMENTS:
 * This work was initially developed by the Howard Chu for inclusion
 * in OpenLDAP Software and subsequently enhanced by Pierangelo
 * Masarati.
 */

#include "portable.h"

#include <stdio.h>

#include <ac/socket.h>
#include <ac/string.h>
#include <ac/time.h>

#include "lutil.h"
#include "slap.h"
#include "../back-ldap/back-ldap.h"
#include "back-meta.h"
#undef ldap_debug	/* silence a warning in ldap-int.h */
#include "ldap_log.h"
#include "../../../libraries/libldap/ldap-int.h"

/* IGNORE means that target does not (no longer) participate
 * in the search;
 * NOTREADY means the search on that target has not been initialized yet
 */
#define	META_MSGID_IGNORE	(-1)
#define	META_MSGID_NEED_BIND	(-2)

static int
meta_send_entry(
	Operation 	*op,
	SlapReply	*rs,
	metaconn_t	*mc,
	int 		i,
	LDAPMessage 	*e );

typedef enum meta_search_candidate_t {
	META_SEARCH_UNDEFINED = -2,
	META_SEARCH_ERR = -1,
	META_SEARCH_NOT_CANDIDATE,
	META_SEARCH_CANDIDATE,
	META_SEARCH_BINDING,
	META_SEARCH_NEED_BIND
} meta_search_candidate_t;

/*
 * meta_search_dobind_init()
 *
 * initiates bind for a candidate target of a search.
 */
static meta_search_candidate_t
meta_search_dobind_init(
	Operation		*op,
	SlapReply		*rs,
	metaconn_t		**mcp,
	int			candidate,
	SlapReply		*candidates )
{
	metaconn_t		*mc = *mcp;
	metainfo_t		*mi = ( metainfo_t * )op->o_bd->be_private;
	metatarget_t		*mt = mi->mi_targets[ candidate ];
	metasingleconn_t	*msc = &mc->mc_conns[ candidate ];

	struct berval		binddn = msc->msc_bound_ndn,
				cred = msc->msc_cred;
	int			method;

	int			rc;

	meta_search_candidate_t	retcode;

	Debug( LDAP_DEBUG_TRACE, "%s >>> meta_search_dobind_init[%d]\n",
		op->o_log_prefix, candidate, 0 );

	/*
	 * all the targets are already bound as pseudoroot
	 */
	if ( mc->mc_authz_target == META_BOUND_ALL ) {
		return META_SEARCH_CANDIDATE;
	}

	retcode = META_SEARCH_BINDING;
	ldap_pvt_thread_mutex_lock( &mi->mi_conninfo.lai_mutex );
	if ( LDAP_BACK_CONN_ISBOUND( msc ) || LDAP_BACK_CONN_ISANON( msc ) ) {
		/* already bound (or anonymous) */

#ifdef DEBUG_205
		char	buf[ SLAP_TEXT_BUFLEN ] = { '\0' };
		int	bound = 0;

		if ( LDAP_BACK_CONN_ISBOUND( msc ) ) {
			bound = 1;
		}

		snprintf( buf, sizeof( buf ), " mc=%p ld=%p%s DN=\"%s\"",
			(void *)mc, (void *)msc->msc_ld,
			bound ? " bound" : " anonymous",
			bound == 0 ? "" : msc->msc_bound_ndn.bv_val );
		Debug( LDAP_DEBUG_ANY, "### %s meta_search_dobind_init[%d]%s\n",
			op->o_log_prefix, candidate, buf );
#endif /* DEBUG_205 */

		retcode = META_SEARCH_CANDIDATE;

	} else if ( META_BACK_CONN_CREATING( msc ) || LDAP_BACK_CONN_BINDING( msc ) ) {
		/* another thread is binding the target for this conn; wait */

#ifdef DEBUG_205
		char	buf[ SLAP_TEXT_BUFLEN ] = { '\0' };

		snprintf( buf, sizeof( buf ), " mc=%p ld=%p needbind",
			(void *)mc, (void *)msc->msc_ld );
		Debug( LDAP_DEBUG_ANY, "### %s meta_search_dobind_init[%d]%s\n",
			op->o_log_prefix, candidate, buf );
#endif /* DEBUG_205 */

		candidates[ candidate ].sr_msgid = META_MSGID_NEED_BIND;
		retcode = META_SEARCH_NEED_BIND;

	} else {
		/* we'll need to bind the target for this conn */

#ifdef DEBUG_205
		char buf[ SLAP_TEXT_BUFLEN ];

		snprintf( buf, sizeof( buf ), " mc=%p ld=%p binding",
			(void *)mc, (void *)msc->msc_ld );
		Debug( LDAP_DEBUG_ANY, "### %s meta_search_dobind_init[%d]%s\n",
			op->o_log_prefix, candidate, buf );
#endif /* DEBUG_205 */

		if ( msc->msc_ld == NULL ) {
			/* for some reason (e.g. because formerly in "binding"
			 * state, with eventual connection expiration or invalidation)
			 * it was not initialized as expected */

			Debug( LDAP_DEBUG_ANY, "%s meta_search_dobind_init[%d] mc=%p ld=NULL\n",
				op->o_log_prefix, candidate, (void *)mc );

			rc = meta_back_init_one_conn( op, rs, *mcp, candidate,
				LDAP_BACK_CONN_ISPRIV( *mcp ), LDAP_BACK_DONTSEND, 0 );
			switch ( rc ) {
			case LDAP_SUCCESS:
				assert( msc->msc_ld != NULL );
				break;

			case LDAP_SERVER_DOWN:
			case LDAP_UNAVAILABLE:
				ldap_pvt_thread_mutex_unlock( &mi->mi_conninfo.lai_mutex );
				goto down;
	
			default:
				ldap_pvt_thread_mutex_unlock( &mi->mi_conninfo.lai_mutex );
				goto other;
			}
		}

		LDAP_BACK_CONN_BINDING_SET( msc );
	}

	ldap_pvt_thread_mutex_unlock( &mi->mi_conninfo.lai_mutex );

	if ( retcode != META_SEARCH_BINDING ) {
		return retcode;
	}

	/* NOTE: this obsoletes pseudorootdn */
	if ( op->o_conn != NULL &&
		!op->o_do_not_cache &&
		( BER_BVISNULL( &msc->msc_bound_ndn ) ||
			BER_BVISEMPTY( &msc->msc_bound_ndn ) ||
			( mt->mt_idassert_flags & LDAP_BACK_AUTH_OVERRIDE ) ) )
	{
		rc = meta_back_proxy_authz_cred( mc, candidate, op, rs, LDAP_BACK_DONTSEND, &binddn, &cred, &method );
		if ( rc != LDAP_SUCCESS ) {
			goto down;
		}

		/* NOTE: we copy things here, even if bind didn't succeed yet,
		 * because the connection is not shared until bind is over */
		if ( !BER_BVISNULL( &binddn ) ) {
			ber_bvreplace( &msc->msc_bound_ndn, &binddn );
			if ( LDAP_BACK_SAVECRED( mi ) && !BER_BVISNULL( &cred ) ) {
				if ( !BER_BVISNULL( &msc->msc_cred ) ) {
					memset( msc->msc_cred.bv_val, 0,
						msc->msc_cred.bv_len );
				}
				ber_bvreplace( &msc->msc_cred, &cred );
			}
		}

		if ( LDAP_BACK_CONN_ISBOUND( msc ) ) {
			/* apparently, idassert was configured with SASL bind,
			 * so bind occurred inside meta_back_proxy_authz_cred() */
			ldap_pvt_thread_mutex_lock( &mi->mi_conninfo.lai_mutex );
			LDAP_BACK_CONN_BINDING_CLEAR( msc );
			ldap_pvt_thread_mutex_unlock( &mi->mi_conninfo.lai_mutex );
			return META_SEARCH_CANDIDATE;
		}

		/* paranoid */
		switch ( method ) {
		case LDAP_AUTH_NONE:
		case LDAP_AUTH_SIMPLE:
			/* do a simple bind with binddn, cred */
			break;

		default:
			assert( 0 );
			break;
		}
	}

	assert( msc->msc_ld != NULL );

retry:;
	rc = ldap_sasl_bind( msc->msc_ld, binddn.bv_val, LDAP_SASL_SIMPLE, &cred,
			NULL, NULL, &candidates[ candidate ].sr_msgid );

#ifdef DEBUG_205
	{
		char buf[ SLAP_TEXT_BUFLEN ];

		snprintf( buf, sizeof( buf ), "meta_search_dobind_init[%d] mc=%p ld=%p rc=%d",
			candidate, (void *)mc, (void *)mc->mc_conns[ candidate ].msc_ld, rc );
		Debug( LDAP_DEBUG_ANY, "### %s %s\n",
			op->o_log_prefix, buf, 0 );
	}
#endif /* DEBUG_205 */

	switch ( rc ) {
	case LDAP_SUCCESS:
		assert( candidates[ candidate ].sr_msgid >= 0 );
		META_BINDING_SET( &candidates[ candidate ] );
		return META_SEARCH_BINDING;

	case LDAP_SERVER_DOWN:
down:;
		/* This is the worst thing that could happen:
		 * the search will wait until the retry is over. */
		if ( !META_IS_RETRYING( &candidates[ candidate ] ) ) {
			META_RETRYING_SET( &candidates[ candidate ] );

			ldap_pvt_thread_mutex_lock( &mi->mi_conninfo.lai_mutex );

			assert( mc->mc_refcnt > 0 );
			if ( StatslogTest( LDAP_DEBUG_ANY ) ) {
				char	buf[ SLAP_TEXT_BUFLEN ];

				/* this lock is required; however,
				 * it's invoked only when logging is on */
				ldap_pvt_thread_mutex_lock( &mt->mt_uri_mutex );
				snprintf( buf, sizeof( buf ),
					"retrying URI=\"%s\" DN=\"%s\"",
					mt->mt_uri,
					BER_BVISNULL( &msc->msc_bound_ndn ) ?
						"" : msc->msc_bound_ndn.bv_val );
				ldap_pvt_thread_mutex_unlock( &mt->mt_uri_mutex );

				Debug( LDAP_DEBUG_ANY,
					"%s meta_search_dobind_init[%d]: %s.\n",
					op->o_log_prefix, candidate, buf );
			}

			meta_clear_one_candidate( op, mc, candidate );
			LDAP_BACK_CONN_ISBOUND_CLEAR( msc );

			( void )rewrite_session_delete( mt->mt_rwmap.rwm_rw, op->o_conn );

			/* mc here must be the regular mc, reset and ready for init */
			rc = meta_back_init_one_conn( op, rs, mc, candidate,
				LDAP_BACK_CONN_ISPRIV( mc ), LDAP_BACK_DONTSEND, 0 );

			if ( rc == LDAP_SUCCESS ) {
				LDAP_BACK_CONN_BINDING_SET( msc );
			}

			ldap_pvt_thread_mutex_unlock( &mi->mi_conninfo.lai_mutex );

			if ( rc == LDAP_SUCCESS ) {
				candidates[ candidate ].sr_msgid = META_MSGID_IGNORE;
				goto retry;
			}
		}

		if ( *mcp == NULL ) {
			retcode = META_SEARCH_ERR;
			rs->sr_err = LDAP_UNAVAILABLE;
			candidates[ candidate ].sr_msgid = META_MSGID_IGNORE;
			break;
		}
		/* fall thru */

	default:
other:;
		rs->sr_err = rc;
		rc = slap_map_api2result( rs );

		ldap_pvt_thread_mutex_lock( &mi->mi_conninfo.lai_mutex );
		meta_clear_one_candidate( op, mc, candidate );
		candidates[ candidate ].sr_err = rc;
		if ( META_BACK_ONERR_STOP( mi ) ) {
			LDAP_BACK_CONN_TAINTED_SET( mc );
			meta_back_release_conn_lock( mi, mc, 0 );
			*mcp = NULL;
			rs->sr_err = rc;

			retcode = META_SEARCH_ERR;

		} else {
			retcode = META_SEARCH_NOT_CANDIDATE;
		}
		candidates[ candidate ].sr_msgid = META_MSGID_IGNORE;
		ldap_pvt_thread_mutex_unlock( &mi->mi_conninfo.lai_mutex );
		break;
	}

	return retcode;
}

static meta_search_candidate_t
meta_search_dobind_result(
	Operation		*op,
	SlapReply		*rs,
	metaconn_t		**mcp,
	int			candidate,
	SlapReply		*candidates,
	LDAPMessage		*res )
{
	metainfo_t		*mi = ( metainfo_t * )op->o_bd->be_private;
	metaconn_t		*mc = *mcp;
	metasingleconn_t	*msc = &mc->mc_conns[ candidate ];

	meta_search_candidate_t	retcode = META_SEARCH_NOT_CANDIDATE;
	int			rc;

	assert( msc->msc_ld != NULL );

	/* FIXME: matched? referrals? response controls? */
	rc = ldap_parse_result( msc->msc_ld, res,
		&candidates[ candidate ].sr_err,
		NULL, NULL, NULL, NULL, 0 );
	if ( rc != LDAP_SUCCESS ) {
		candidates[ candidate ].sr_err = rc;

	} else {
		rc = slap_map_api2result( &candidates[ candidate ] );
	}

	ldap_pvt_thread_mutex_lock( &mi->mi_conninfo.lai_mutex );
	LDAP_BACK_CONN_BINDING_CLEAR( msc );
	if ( rc != LDAP_SUCCESS ) {
		meta_clear_one_candidate( op, mc, candidate );
		candidates[ candidate ].sr_err = rc;
		if ( META_BACK_ONERR_STOP( mi ) ) {
	        	LDAP_BACK_CONN_TAINTED_SET( mc );
			meta_back_release_conn_lock( mi, mc, 0 );
			*mcp = NULL;
			retcode = META_SEARCH_ERR;
			rs->sr_err = rc;
		}

	} else {
		/* FIXME: check if bound as idassert authcDN! */
		if ( BER_BVISNULL( &msc->msc_bound_ndn )
			|| BER_BVISEMPTY( &msc->msc_bound_ndn ) )
		{
			LDAP_BACK_CONN_ISANON_SET( msc );

		} else {
			LDAP_BACK_CONN_ISBOUND_SET( msc );
		}
		retcode = META_SEARCH_CANDIDATE;
	}

	candidates[ candidate ].sr_msgid = META_MSGID_IGNORE;
	META_BINDING_CLEAR( &candidates[ candidate ] );

	ldap_pvt_thread_mutex_unlock( &mi->mi_conninfo.lai_mutex );

	return retcode;
}

static meta_search_candidate_t
meta_back_search_start(
	Operation		*op,
	SlapReply		*rs,
	dncookie		*dc,
	metaconn_t		**mcp,
	int			candidate,
	SlapReply		*candidates )
{
	metainfo_t		*mi = ( metainfo_t * )op->o_bd->be_private;
	metatarget_t		*mt = mi->mi_targets[ candidate ];
	metasingleconn_t	*msc = &(*mcp)->mc_conns[ candidate ];
	struct berval		realbase = op->o_req_dn;
	int			realscope = op->ors_scope;
	struct berval		mbase = BER_BVNULL; 
	struct berval		mfilter = BER_BVNULL;
	char			**mapped_attrs = NULL;
	int			rc;
	meta_search_candidate_t	retcode;
	struct timeval		tv, *tvp = NULL;
	int			nretries = 1;
	LDAPControl		**ctrls = NULL;

	/* this should not happen; just in case... */
	if ( msc->msc_ld == NULL ) {
		Debug( LDAP_DEBUG_ANY,
			"%s: meta_back_search_start candidate=%d ld=NULL%s.\n",
			op->o_log_prefix, candidate,
			META_BACK_ONERR_STOP( mi ) ? "" : " (ignored)" );
		candidates[ candidate ].sr_err = LDAP_OTHER;
		if ( META_BACK_ONERR_STOP( mi ) ) {
			return META_SEARCH_ERR;
		}
		candidates[ candidate ].sr_msgid = META_MSGID_IGNORE;
		return META_SEARCH_NOT_CANDIDATE;
	}

	Debug( LDAP_DEBUG_TRACE, "%s >>> meta_back_search_start[%d]\n", op->o_log_prefix, candidate, 0 );

	/*
	 * modifies the base according to the scope, if required
	 */
	if ( mt->mt_nsuffix.bv_len > op->o_req_ndn.bv_len ) {
		switch ( op->ors_scope ) {
		case LDAP_SCOPE_SUBTREE:
			/*
			 * make the target suffix the new base
			 * FIXME: this is very forgiving, because
			 * "illegal" searchBases may be turned
			 * into the suffix of the target; however,
			 * the requested searchBase already passed
			 * thru the candidate analyzer...
			 */
			if ( dnIsSuffix( &mt->mt_nsuffix, &op->o_req_ndn ) ) {
				realbase = mt->mt_nsuffix;
				if ( mt->mt_scope == LDAP_SCOPE_SUBORDINATE ) {
					realscope = LDAP_SCOPE_SUBORDINATE;
				}

			} else {
				/*
				 * this target is no longer candidate
				 */
				retcode = META_SEARCH_NOT_CANDIDATE;
				goto doreturn;
			}
			break;

		case LDAP_SCOPE_SUBORDINATE:
		case LDAP_SCOPE_ONELEVEL:
		{
			struct berval	rdn = mt->mt_nsuffix;
			rdn.bv_len -= op->o_req_ndn.bv_len + STRLENOF( "," );
			if ( dnIsOneLevelRDN( &rdn )
					&& dnIsSuffix( &mt->mt_nsuffix, &op->o_req_ndn ) )
			{
				/*
				 * if there is exactly one level,
				 * make the target suffix the new
				 * base, and make scope "base"
				 */
				realbase = mt->mt_nsuffix;
				if ( op->ors_scope == LDAP_SCOPE_SUBORDINATE ) {
					if ( mt->mt_scope == LDAP_SCOPE_SUBORDINATE ) {
						realscope = LDAP_SCOPE_SUBORDINATE;
					} else {
						realscope = LDAP_SCOPE_SUBTREE;
					}
				} else {
					realscope = LDAP_SCOPE_BASE;
				}
				break;
			} /* else continue with the next case */
		}

		case LDAP_SCOPE_BASE:
			/*
			 * this target is no longer candidate
			 */
			retcode = META_SEARCH_NOT_CANDIDATE;
			goto doreturn;
		}
	}

	/* initiate dobind */
	retcode = meta_search_dobind_init( op, rs, mcp, candidate, candidates );

	Debug( LDAP_DEBUG_TRACE, "%s <<< meta_search_dobind_init[%d]=%d\n", op->o_log_prefix, candidate, retcode );

	if ( retcode != META_SEARCH_CANDIDATE ) {
		goto doreturn;
	}

	/*
	 * Rewrite the search base, if required
	 */
	dc->target = mt;
	dc->ctx = "searchBase";
	switch ( ldap_back_dn_massage( dc, &realbase, &mbase ) ) {
	case LDAP_SUCCESS:
		break;

	case LDAP_UNWILLING_TO_PERFORM:
		rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
		rs->sr_text = "Operation not allowed";
		send_ldap_result( op, rs );
		retcode = META_SEARCH_ERR;
		goto doreturn;

	default:

		/*
		 * this target is no longer candidate
		 */
		retcode = META_SEARCH_NOT_CANDIDATE;
		goto doreturn;
	}

	/*
	 * Maps filter
	 */
	rc = ldap_back_filter_map_rewrite( dc, op->ors_filter,
			&mfilter, BACKLDAP_MAP );
	switch ( rc ) {
	case LDAP_SUCCESS:
		break;

	case LDAP_COMPARE_FALSE:
	default:
		/*
		 * this target is no longer candidate
		 */
		retcode = META_SEARCH_NOT_CANDIDATE;
		goto done;
	}

	/*
	 * Maps required attributes
	 */
	rc = ldap_back_map_attrs( &mt->mt_rwmap.rwm_at,
			op->ors_attrs, BACKLDAP_MAP, &mapped_attrs );
	if ( rc != LDAP_SUCCESS ) {
		/*
		 * this target is no longer candidate
		 */
		retcode = META_SEARCH_NOT_CANDIDATE;
		goto done;
	}

	/* should we check return values? */
	if ( op->ors_deref != -1 ) {
		assert( msc->msc_ld != NULL );
		(void)ldap_set_option( msc->msc_ld, LDAP_OPT_DEREF,
				( void * )&op->ors_deref );
	}

	if ( op->ors_tlimit != SLAP_NO_LIMIT ) {
		tv.tv_sec = op->ors_tlimit > 0 ? op->ors_tlimit : 1;
		tv.tv_usec = 0;
		tvp = &tv;
	}

retry:;
	ctrls = op->o_ctrls;
	if ( ldap_back_proxy_authz_ctrl( &msc->msc_bound_ndn,
		mt->mt_version, &mt->mt_idassert, op, rs, &ctrls )
		!= LDAP_SUCCESS )
	{
		candidates[ candidate ].sr_msgid = META_MSGID_IGNORE;
		retcode = META_SEARCH_NOT_CANDIDATE;
		goto done;
	}

	/*
	 * Starts the search
	 */
	assert( msc->msc_ld != NULL );
	rc = ldap_search_ext( msc->msc_ld,
			mbase.bv_val, realscope, mfilter.bv_val,
			mapped_attrs, op->ors_attrsonly,
			ctrls, NULL, tvp, op->ors_slimit,
			&candidates[ candidate ].sr_msgid ); 
	switch ( rc ) {
	case LDAP_SUCCESS:
		retcode = META_SEARCH_CANDIDATE;
		break;
	
	case LDAP_SERVER_DOWN:
		if ( nretries && meta_back_retry( op, rs, mcp, candidate, LDAP_BACK_DONTSEND ) ) {
			nretries = 0;
			/* if the identity changed, there might be need to re-authz */
			(void)ldap_back_proxy_authz_ctrl_free( op, &ctrls );
			goto retry;
		}

		if ( *mcp == NULL ) {
			retcode = META_SEARCH_ERR;
			candidates[ candidate ].sr_msgid = META_MSGID_IGNORE;
			break;
		}
		/* fall thru */

	default:
		candidates[ candidate ].sr_msgid = META_MSGID_IGNORE;
		retcode = META_SEARCH_NOT_CANDIDATE;
	}

done:;
	(void)ldap_back_proxy_authz_ctrl_free( op, &ctrls );

	if ( mapped_attrs ) {
		free( mapped_attrs );
	}
	if ( mfilter.bv_val != op->ors_filterstr.bv_val ) {
		free( mfilter.bv_val );
	}
	if ( mbase.bv_val != realbase.bv_val ) {
		free( mbase.bv_val );
	}

doreturn:;
	Debug( LDAP_DEBUG_TRACE, "%s <<< meta_back_search_start[%d]=%d\n", op->o_log_prefix, candidate, retcode );

	return retcode;
}

int
meta_back_search( Operation *op, SlapReply *rs )
{
	metainfo_t	*mi = ( metainfo_t * )op->o_bd->be_private;
	metaconn_t	*mc;
	struct timeval	save_tv = { 0, 0 },
			tv;
	time_t		stoptime = (time_t)(-1),
			lastres_time = slap_get_time(),
			timeout = 0;
	int		rc = 0, sres = LDAP_SUCCESS;
	char		*matched = NULL;
	int		last = 0, ncandidates = 0,
			initial_candidates = 0, candidate_match = 0,
			needbind = 0;
	ldap_back_send_t	sendok = LDAP_BACK_SENDERR;
	long		i;
	dncookie	dc;
	int		is_ok = 0;
	void		*savepriv;
	SlapReply	*candidates = meta_back_candidates_get( op );

	/*
	 * controls are set in ldap_back_dobind()
	 * 
	 * FIXME: in case of values return filter, we might want
	 * to map attrs and maybe rewrite value
	 */
getconn:;
	mc = meta_back_getconn( op, rs, NULL, sendok );
	if ( !mc ) {
		return rs->sr_err;
	}

	dc.conn = op->o_conn;
	dc.rs = rs;

	/*
	 * Inits searches
	 */
	for ( i = 0; i < mi->mi_ntargets; i++ ) {
		/* reset sr_msgid; it is used in most loops
		 * to check if that target is still to be considered */
		candidates[ i ].sr_msgid = META_MSGID_IGNORE;

		/* a target is marked as candidate by meta_back_getconn();
		 * if for any reason (an error, it's over or so) it is
		 * no longer active, sr_msgid is set to META_MSGID_IGNORE
		 * but it remains candidate, which means it has been active
		 * at some point during the operation.  This allows to 
		 * use its response code and more to compute the final
		 * response */
		if ( !META_IS_CANDIDATE( &candidates[ i ] ) ) {
			continue;
		}

		candidates[ i ].sr_matched = NULL;
		candidates[ i ].sr_text = NULL;
		candidates[ i ].sr_ref = NULL;
		candidates[ i ].sr_ctrls = NULL;

		/* get largest timeout among candidates */
		if ( mi->mi_targets[ i ]->mt_timeout[ SLAP_OP_SEARCH ]
			&& mi->mi_targets[ i ]->mt_timeout[ SLAP_OP_SEARCH ] > timeout )
		{
			timeout = mi->mi_targets[ i ]->mt_timeout[ SLAP_OP_SEARCH ];
		}
	}

	for ( i = 0; i < mi->mi_ntargets; i++ ) {
		if ( !META_IS_CANDIDATE( &candidates[ i ] )
			|| candidates[ i ].sr_err != LDAP_SUCCESS )
		{
			continue;
		}

		switch ( meta_back_search_start( op, rs, &dc, &mc, i, candidates ) )
		{
		case META_SEARCH_NOT_CANDIDATE:
			candidates[ i ].sr_msgid = META_MSGID_IGNORE;
			break;

		case META_SEARCH_NEED_BIND:
			++needbind;
			/* fallthru */

		case META_SEARCH_CANDIDATE:
		case META_SEARCH_BINDING:
			candidates[ i ].sr_type = REP_INTERMEDIATE;
			++ncandidates;
			break;

		case META_SEARCH_ERR:
			savepriv = op->o_private;
			op->o_private = (void *)i;
			send_ldap_result( op, rs );
			op->o_private = savepriv;
			rc = -1;
			goto finish;

		default:
			assert( 0 );
			break;
		}
	}

	if ( ncandidates > 0 && needbind == ncandidates ) {
		/*
		 * give up the second time...
		 *
		 * NOTE: this should not occur the second time, since a fresh
		 * connection has ben created; however, targets may also
		 * need bind because the bind timed out or so.
		 */
		if ( sendok & LDAP_BACK_BINDING ) {
			Debug( LDAP_DEBUG_ANY,
				"%s meta_back_search: unable to initialize conn\n",
				op->o_log_prefix, 0, 0 );
			rs->sr_err = LDAP_UNAVAILABLE;
			rs->sr_text = "unable to initialize connection to remote targets";
			send_ldap_result( op, rs );
			rc = -1;
			goto finish;
		}

		/* FIXME: better create a separate connection? */
		sendok |= LDAP_BACK_BINDING;

#ifdef DEBUG_205
		Debug( LDAP_DEBUG_ANY, "*** %s drop mc=%p create new connection\n",
			op->o_log_prefix, (void *)mc, 0 );
#endif /* DEBUG_205 */

		meta_back_release_conn( mi, mc );
		mc = NULL;

		needbind = 0;
		ncandidates = 0;

		goto getconn;
	}

	initial_candidates = ncandidates;

	if ( StatslogTest( LDAP_DEBUG_TRACE ) ) {
		char	cnd[ SLAP_TEXT_BUFLEN ];
		int	c;

		for ( c = 0; c < mi->mi_ntargets; c++ ) {
			if ( META_IS_CANDIDATE( &candidates[ c ] ) ) {
				cnd[ c ] = '*';
			} else {
				cnd[ c ] = ' ';
			}
		}
		cnd[ c ] = '\0';

		Debug( LDAP_DEBUG_TRACE, "%s meta_back_search: ncandidates=%d "
			"cnd=\"%s\"\n", op->o_log_prefix, ncandidates, cnd );
	}

	if ( initial_candidates == 0 ) {
		/* NOTE: here we are not sending any matchedDN;
		 * this is intended, because if the back-meta
		 * is serving this search request, but no valid
		 * candidate could be looked up, it means that
		 * there is a hole in the mapping of the targets
		 * and thus no knowledge of any remote superior
		 * is available */
		Debug( LDAP_DEBUG_ANY, "%s meta_back_search: "
			"base=\"%s\" scope=%d: "
			"no candidate could be selected\n",
			op->o_log_prefix, op->o_req_dn.bv_val,
			op->ors_scope );

		/* FIXME: we're sending the first error we encounter;
		 * maybe we should pick the worst... */
		rc = LDAP_NO_SUCH_OBJECT;
		for ( i = 0; i < mi->mi_ntargets; i++ ) {
			if ( META_IS_CANDIDATE( &candidates[ i ] )
				&& candidates[ i ].sr_err != LDAP_SUCCESS )
			{
				rc = candidates[ i ].sr_err;
				break;
			}
		}

		send_ldap_error( op, rs, rc, NULL );

		goto finish;
	}

	/* We pull apart the ber result, stuff it into a slapd entry, and
	 * let send_search_entry stuff it back into ber format. Slow & ugly,
	 * but this is necessary for version matching, and for ACL processing.
	 */

	if ( op->ors_tlimit != SLAP_NO_LIMIT ) {
		stoptime = op->o_time + op->ors_tlimit;
	}

	/*
	 * In case there are no candidates, no cycle takes place...
	 *
	 * FIXME: we might use a queue, to better balance the load 
	 * among the candidates
	 */
	for ( rc = 0; ncandidates > 0; ) {
		int	gotit = 0,
			doabandon = 0,
			alreadybound = ncandidates;

		/* check timeout */
		if ( timeout && lastres_time > 0
			&& ( slap_get_time() - lastres_time ) > timeout )
		{
			doabandon = 1;
			rs->sr_text = "Operation timed out";
			rc = rs->sr_err = op->o_protocol >= LDAP_VERSION3 ?
				LDAP_ADMINLIMIT_EXCEEDED : LDAP_OTHER;
			savepriv = op->o_private;
			op->o_private = (void *)i;
			send_ldap_result( op, rs );
			op->o_private = savepriv;
			goto finish;
		}

		/* check time limit */
		if ( op->ors_tlimit != SLAP_NO_LIMIT
				&& slap_get_time() > stoptime )
		{
			doabandon = 1;
			rc = rs->sr_err = LDAP_TIMELIMIT_EXCEEDED;
			savepriv = op->o_private;
			op->o_private = (void *)i;
			send_ldap_result( op, rs );
			op->o_private = savepriv;
			goto finish;
		}

		for ( i = 0; i < mi->mi_ntargets; i++ ) {
			meta_search_candidate_t	retcode = META_SEARCH_UNDEFINED;
			metasingleconn_t	*msc = &mc->mc_conns[ i ];
			LDAPMessage		*res = NULL, *msg;

			/* if msgid is invalid, don't ldap_result() */
			if ( candidates[ i ].sr_msgid == META_MSGID_IGNORE ) {
				continue;
			}

			/* if target still needs bind, retry */
			if ( candidates[ i ].sr_msgid == META_MSGID_NEED_BIND ) {
				/* initiate dobind */
				retcode = meta_search_dobind_init( op, rs, &mc, i, candidates );

				Debug( LDAP_DEBUG_TRACE, "%s <<< meta_search_dobind_init[%ld]=%d\n",
					op->o_log_prefix, i, retcode );

				switch ( retcode ) {
				case META_SEARCH_NEED_BIND:
					alreadybound--;
					/* fallthru */

				case META_SEARCH_BINDING:
					break;

				case META_SEARCH_ERR:
					candidates[ i ].sr_err = rs->sr_err;
					if ( META_BACK_ONERR_STOP( mi ) ) {
						savepriv = op->o_private;
						op->o_private = (void *)i;
						send_ldap_result( op, rs );
						op->o_private = savepriv;
						goto finish;
					}
					/* fallthru */

				case META_SEARCH_NOT_CANDIDATE:
					/*
					 * When no candidates are left,
					 * the outer cycle finishes
					 */
					candidates[ i ].sr_msgid = META_MSGID_IGNORE;
					assert( ncandidates > 0 );
					--ncandidates;
					break;

				case META_SEARCH_CANDIDATE:
					candidates[ i ].sr_msgid = META_MSGID_IGNORE;
					switch ( meta_back_search_start( op, rs, &dc, &mc, i, candidates ) )
					{
					case META_SEARCH_CANDIDATE:
						assert( candidates[ i ].sr_msgid >= 0 );
						break;

					case META_SEARCH_ERR:
						candidates[ i ].sr_err = rs->sr_err;
						if ( META_BACK_ONERR_STOP( mi ) ) {
							savepriv = op->o_private;
							op->o_private = (void *)i;
							send_ldap_result( op, rs );
							op->o_private = savepriv;
							goto finish;
						}
						/* fallthru */

					case META_SEARCH_NOT_CANDIDATE:
						/* means that meta_back_search_start()
						 * failed but onerr == continue */
						candidates[ i ].sr_msgid = META_MSGID_IGNORE;
						assert( ncandidates > 0 );
						--ncandidates;
						break;

					default:
						/* impossible */
						assert( 0 );
						break;
					}
					break;

				default:
					/* impossible */
					assert( 0 );
					break;
				}
				continue;
			}

			/* check for abandon */
			if ( op->o_abandon || LDAP_BACK_CONN_ABANDON( mc ) ) {
				break;
			}

#ifdef DEBUG_205
			if ( msc->msc_ld == NULL ) {
				char	buf[ SLAP_TEXT_BUFLEN ];

				ldap_pvt_thread_mutex_lock( &mi->mi_conninfo.lai_mutex );
				snprintf( buf, sizeof( buf ),
					"%s meta_back_search[%ld] mc=%p msgid=%d%s%s%s\n",
					op->o_log_prefix, (long)i, (void *)mc,
					candidates[ i ].sr_msgid,
					META_IS_BINDING( &candidates[ i ] ) ? " binding" : "",
					LDAP_BACK_CONN_BINDING( &mc->mc_conns[ i ] ) ? " connbinding" : "",
					META_BACK_CONN_CREATING( &mc->mc_conns[ i ] ) ? " conncreating" : "" );
				ldap_pvt_thread_mutex_unlock( &mi->mi_conninfo.lai_mutex );
					
				Debug( LDAP_DEBUG_ANY, "!!! %s\n", buf, 0, 0 );
			}
#endif /* DEBUG_205 */
			
			/*
			 * FIXME: handle time limit as well?
			 * Note that target servers are likely 
			 * to handle it, so at some time we'll
			 * get a LDAP_TIMELIMIT_EXCEEDED from
			 * one of them ...
			 */
			tv = save_tv;
			rc = ldap_result( msc->msc_ld, candidates[ i ].sr_msgid,
					LDAP_MSG_RECEIVED, &tv, &res );
			switch ( rc ) {
			case 0:
				/* FIXME: res should not need to be freed */
				assert( res == NULL );
				continue;

			case -1:
really_bad:;
				/* something REALLY bad happened! */
				if ( candidates[ i ].sr_type == REP_INTERMEDIATE ) {
					candidates[ i ].sr_type = REP_RESULT;

					if ( meta_back_retry( op, rs, &mc, i, LDAP_BACK_DONTSEND ) ) {
						candidates[ i ].sr_msgid = META_MSGID_IGNORE;
						switch ( meta_back_search_start( op, rs, &dc, &mc, i, candidates ) )
						{
							/* means that failed but onerr == continue */
						case META_SEARCH_NOT_CANDIDATE:
							candidates[ i ].sr_msgid = META_MSGID_IGNORE;

							assert( ncandidates > 0 );
							--ncandidates;

							candidates[ i ].sr_err = rs->sr_err;
							if ( META_BACK_ONERR_STOP( mi ) ) {
								savepriv = op->o_private;
								op->o_private = (void *)i;
								send_ldap_result( op, rs );
								op->o_private = savepriv;
								goto finish;
							}
							/* fall thru */

						case META_SEARCH_CANDIDATE:
							/* get back into business... */
							continue;

						case META_SEARCH_BINDING:
						case META_SEARCH_NEED_BIND:
						case META_SEARCH_UNDEFINED:
							assert( 0 );

						default:
							/* unrecoverable error */
							candidates[ i ].sr_msgid = META_MSGID_IGNORE;
							rc = rs->sr_err = LDAP_OTHER;
							goto finish;
						}
					}

					candidates[ i ].sr_err = rs->sr_err;
					if ( META_BACK_ONERR_STOP( mi ) ) {
						savepriv = op->o_private;
						op->o_private = (void *)i;
						send_ldap_result( op, rs );
						op->o_private = savepriv;
						goto finish;
					}
				}

				/*
				 * When no candidates are left,
				 * the outer cycle finishes
				 */
				candidates[ i ].sr_msgid = META_MSGID_IGNORE;
				assert( ncandidates > 0 );
				--ncandidates;
				rs->sr_err = candidates[ i ].sr_err;
				continue;

			default:
				lastres_time = slap_get_time();

				/* only touch when activity actually took place... */
				if ( mi->mi_idle_timeout != 0 && msc->msc_time < lastres_time ) {
					msc->msc_time = lastres_time;
				}
				break;
			}

			for ( msg = ldap_first_message( msc->msc_ld, res );
				msg != NULL;
				msg = ldap_next_message( msc->msc_ld, msg ) )
			{
				rc = ldap_msgtype( msg );
				if ( rc == LDAP_RES_SEARCH_ENTRY ) {
					LDAPMessage	*e;

					if ( candidates[ i ].sr_type == REP_INTERMEDIATE ) {
						/* don't retry any more... */
						candidates[ i ].sr_type = REP_RESULT;
					}

					is_ok++;

					e = ldap_first_entry( msc->msc_ld, msg );
					savepriv = op->o_private;
					op->o_private = (void *)i;
					rs->sr_err = meta_send_entry( op, rs, mc, i, e );

					switch ( rs->sr_err ) {
					case LDAP_SIZELIMIT_EXCEEDED:
						savepriv = op->o_private;
						op->o_private = (void *)i;
						send_ldap_result( op, rs );
						op->o_private = savepriv;
						rs->sr_err = LDAP_SUCCESS;
						ldap_msgfree( res );
						res = NULL;
						goto finish;

					case LDAP_UNAVAILABLE:
						rs->sr_err = LDAP_OTHER;
						ldap_msgfree( res );
						res = NULL;
						goto finish;
					}
					op->o_private = savepriv;

					/* don't wait any longer... */
					gotit = 1;
					save_tv.tv_sec = 0;
					save_tv.tv_usec = 0;

				} else if ( rc == LDAP_RES_SEARCH_REFERENCE ) {
					char		**references = NULL;
					int		cnt;

					if ( candidates[ i ].sr_type == REP_INTERMEDIATE ) {
						/* don't retry any more... */
						candidates[ i ].sr_type = REP_RESULT;
					}
	
					is_ok++;
	
					rc = ldap_parse_reference( msc->msc_ld, msg,
							&references, &rs->sr_ctrls, 0 );
	
					if ( rc != LDAP_SUCCESS ) {
						continue;
					}
	
					if ( references == NULL ) {
						continue;
					}

#ifdef ENABLE_REWRITE
					dc.ctx = "referralDN";
#else /* ! ENABLE_REWRITE */
					dc.tofrom = 0;
					dc.normalized = 0;
#endif /* ! ENABLE_REWRITE */

					/* FIXME: merge all and return at the end */
	
					for ( cnt = 0; references[ cnt ]; cnt++ )
						;
	
					rs->sr_ref = ch_calloc( sizeof( struct berval ), cnt + 1 );
	
					for ( cnt = 0; references[ cnt ]; cnt++ ) {
						ber_str2bv( references[ cnt ], 0, 1, &rs->sr_ref[ cnt ] );
					}
					BER_BVZERO( &rs->sr_ref[ cnt ] );
	
					( void )ldap_back_referral_result_rewrite( &dc, rs->sr_ref );

					if ( rs->sr_ref != NULL && !BER_BVISNULL( &rs->sr_ref[ 0 ] ) ) {
						/* ignore return value by now */
						savepriv = op->o_private;
						op->o_private = (void *)i;
						( void )send_search_reference( op, rs );
						op->o_private = savepriv;
	
						ber_bvarray_free( rs->sr_ref );
						rs->sr_ref = NULL;
					}

					/* cleanup */
					if ( references ) {
						ber_memvfree( (void **)references );
					}

					if ( rs->sr_ctrls ) {
						ldap_controls_free( rs->sr_ctrls );
						rs->sr_ctrls = NULL;
					}

				} else if ( rc == LDAP_RES_SEARCH_RESULT ) {
					char		buf[ SLAP_TEXT_BUFLEN ];
					char		**references = NULL;

					if ( candidates[ i ].sr_type == REP_INTERMEDIATE ) {
						/* don't retry any more... */
						candidates[ i ].sr_type = REP_RESULT;
					}
	
					/* NOTE: ignores response controls
					 * (and intermediate response controls
					 * as well, except for those with search
					 * references); this may not be correct,
					 * but if they're not ignored then
					 * back-meta would need to merge them
					 * consistently (think of pagedResults...)
					 */
					/* FIXME: response controls? */
					rs->sr_err = ldap_parse_result( msc->msc_ld,
						msg,
						&candidates[ i ].sr_err,
						(char **)&candidates[ i ].sr_matched,
						NULL /* (char **)&candidates[ i ].sr_text */ ,
						&references,
						NULL /* &candidates[ i ].sr_ctrls (unused) */ ,
						0 );
					if ( rs->sr_err != LDAP_SUCCESS ) {
						sres = slap_map_api2result( &candidates[ i ] );
						candidates[ i ].sr_type = REP_RESULT;
						ldap_msgfree( res );
						res = NULL;
						goto really_bad;
					}

					rs->sr_err = candidates[ i ].sr_err;

					/* massage matchedDN if need be */
					if ( candidates[ i ].sr_matched != NULL ) {
						struct berval	match, mmatch;

						ber_str2bv( candidates[ i ].sr_matched,
							0, 0, &match );
						candidates[ i ].sr_matched = NULL;

						dc.ctx = "matchedDN";
						dc.target = mi->mi_targets[ i ];
						if ( !ldap_back_dn_massage( &dc, &match, &mmatch ) ) {
							if ( mmatch.bv_val == match.bv_val ) {
								candidates[ i ].sr_matched
									= ch_strdup( mmatch.bv_val );

							} else {
								candidates[ i ].sr_matched = mmatch.bv_val;
							}

							candidate_match++;
						} 
						ldap_memfree( match.bv_val );
					}

					/* add references to array */
					/* RFC 4511: referrals can only appear
					 * if result code is LDAP_REFERRAL */
					if ( references != NULL
						&& references[ 0 ] != NULL
						&& references[ 0 ][ 0 ] != '\0' )
					{
						if ( rs->sr_err != LDAP_REFERRAL ) {
							Debug( LDAP_DEBUG_ANY,
								"%s meta_back_search[%ld]: "
								"got referrals with err=%d\n",
								op->o_log_prefix,
								i, rs->sr_err );

						} else {
							BerVarray	sr_ref;
							int		cnt;
	
							for ( cnt = 0; references[ cnt ]; cnt++ )
								;
	
							sr_ref = ch_calloc( sizeof( struct berval ), cnt + 1 );
	
							for ( cnt = 0; references[ cnt ]; cnt++ ) {
								ber_str2bv( references[ cnt ], 0, 1, &sr_ref[ cnt ] );
							}
							BER_BVZERO( &sr_ref[ cnt ] );
	
							( void )ldap_back_referral_result_rewrite( &dc, sr_ref );
					
							if ( rs->sr_v2ref == NULL ) {
								rs->sr_v2ref = sr_ref;

							} else {
								for ( cnt = 0; !BER_BVISNULL( &sr_ref[ cnt ] ); cnt++ ) {
									ber_bvarray_add( &rs->sr_v2ref, &sr_ref[ cnt ] );
								}
								ber_memfree( sr_ref );
							}
						}

					} else if ( rs->sr_err == LDAP_REFERRAL ) {
						Debug( LDAP_DEBUG_ANY,
							"%s meta_back_search[%ld]: "
							"got err=%d with null "
							"or empty referrals\n",
							op->o_log_prefix,
							i, rs->sr_err );

						rs->sr_err = LDAP_NO_SUCH_OBJECT;
					}

					/* cleanup */
					ber_memvfree( (void **)references );
	
					sres = slap_map_api2result( rs );
	
					if ( StatslogTest( LDAP_DEBUG_TRACE | LDAP_DEBUG_ANY ) ) {
						snprintf( buf, sizeof( buf ),
							"%s meta_back_search[%ld] "
							"match=\"%s\" err=%ld",
							op->o_log_prefix, i,
							candidates[ i ].sr_matched ? candidates[ i ].sr_matched : "",
							(long) candidates[ i ].sr_err );
						if ( candidates[ i ].sr_err == LDAP_SUCCESS ) {
							Debug( LDAP_DEBUG_TRACE, "%s.\n", buf, 0, 0 );
	
						} else {
							Debug( LDAP_DEBUG_ANY, "%s (%s).\n",
								buf, ldap_err2string( candidates[ i ].sr_err ), 0 );
						}
					}
	
					switch ( sres ) {
					case LDAP_NO_SUCH_OBJECT:
						/* is_ok is touched any time a valid
						 * (even intermediate) result is
						 * returned; as a consequence, if
						 * a candidate returns noSuchObject
						 * it is ignored and the candidate
						 * is simply demoted. */
						if ( is_ok ) {
							sres = LDAP_SUCCESS;
						}
						break;
	
					case LDAP_SUCCESS:
					case LDAP_REFERRAL:
						is_ok++;
						break;
	
					case LDAP_SIZELIMIT_EXCEEDED:
						/* if a target returned sizelimitExceeded
						 * and the entry count is equal to the
						 * proxy's limit, the target would have
						 * returned more, and the error must be
						 * propagated to the client; otherwise,
						 * the target enforced a limit lower
						 * than what requested by the proxy;
						 * ignore it */
						candidates[ i ].sr_err = rs->sr_err;
						if ( rs->sr_nentries == op->ors_slimit
							|| META_BACK_ONERR_STOP( mi ) )
						{
							savepriv = op->o_private;
							op->o_private = (void *)i;
							send_ldap_result( op, rs );
							op->o_private = savepriv;
							ldap_msgfree( res );
							res = NULL;
							goto finish;
						}
						break;
	
					default:
						candidates[ i ].sr_err = rs->sr_err;
						if ( META_BACK_ONERR_STOP( mi ) ) {
							savepriv = op->o_private;
							op->o_private = (void *)i;
							send_ldap_result( op, rs );
							op->o_private = savepriv;
							ldap_msgfree( res );
							res = NULL;
							goto finish;
						}
						break;
					}
	
					last = i;
					rc = 0;
	
					/*
					 * When no candidates are left,
					 * the outer cycle finishes
					 */
					candidates[ i ].sr_msgid = META_MSGID_IGNORE;
					assert( ncandidates > 0 );
					--ncandidates;
	
				} else if ( rc == LDAP_RES_BIND ) {
					meta_search_candidate_t	retcode;
	
					retcode = meta_search_dobind_result( op, rs, &mc, i, candidates, msg );
					if ( retcode == META_SEARCH_CANDIDATE ) {
						candidates[ i ].sr_msgid = META_MSGID_IGNORE;
						retcode = meta_back_search_start( op, rs, &dc, &mc, i, candidates );
					}
	
					switch ( retcode ) {
					case META_SEARCH_CANDIDATE:
						break;
	
						/* means that failed but onerr == continue */
					case META_SEARCH_NOT_CANDIDATE:
					case META_SEARCH_ERR:
						candidates[ i ].sr_msgid = META_MSGID_IGNORE;
						assert( ncandidates > 0 );
						--ncandidates;
	
						candidates[ i ].sr_err = rs->sr_err;
						if ( META_BACK_ONERR_STOP( mi ) ) {
							savepriv = op->o_private;
							op->o_private = (void *)i;
							send_ldap_result( op, rs );
							op->o_private = savepriv;
							ldap_msgfree( res );
							res = NULL;
							goto finish;
						}
						goto free_message;
	
					default:
						assert( 0 );
						break;
					}
	
				} else {
					assert( 0 );
					ldap_msgfree( res );
					res = NULL;
					goto really_bad;
				}
			}

free_message:;
			ldap_msgfree( res );
			res = NULL;
		}

		/* check for abandon */
		if ( op->o_abandon || LDAP_BACK_CONN_ABANDON( mc ) ) {
			for ( i = 0; i < mi->mi_ntargets; i++ ) {
				if ( candidates[ i ].sr_msgid >= 0 ) {
					if ( META_IS_BINDING( &candidates[ i ] ) ) {
						ldap_pvt_thread_mutex_lock( &mi->mi_conninfo.lai_mutex );
						if ( LDAP_BACK_CONN_BINDING( &mc->mc_conns[ i ] ) ) {
							/* if still binding, destroy */

#ifdef DEBUG_205
							char buf[ SLAP_TEXT_BUFLEN ];

							snprintf( buf, sizeof( buf), "%s meta_back_search(abandon) "
								"ldap_unbind_ext[%ld] mc=%p ld=%p",
								op->o_log_prefix, i, (void *)mc,
								(void *)mc->mc_conns[i].msc_ld );

							Debug( LDAP_DEBUG_ANY, "### %s\n", buf, 0, 0 );
#endif /* DEBUG_205 */

							meta_clear_one_candidate( op, mc, i );
						}
						ldap_pvt_thread_mutex_unlock( &mi->mi_conninfo.lai_mutex );
						META_BINDING_CLEAR( &candidates[ i ] );
						
					} else {
						(void)meta_back_cancel( mc, op, rs,
							candidates[ i ].sr_msgid, i,
							LDAP_BACK_DONTSEND );
					}

					candidates[ i ].sr_msgid = META_MSGID_IGNORE;
					assert( ncandidates > 0 );
					--ncandidates;
				}
			}

			if ( op->o_abandon ) {
				rc = SLAPD_ABANDON;
			}

			/* let send_ldap_result play cleanup handlers (ITS#4645) */
			break;
		}

		/* if no entry was found during this loop,
		 * set a minimal timeout */
		if ( ncandidates > 0 && gotit == 0 ) {
			if ( save_tv.tv_sec == 0 && save_tv.tv_usec == 0 ) {
				save_tv.tv_usec = LDAP_BACK_RESULT_UTIMEOUT/initial_candidates;

				/* arbitrarily limit to something between 1 and 2 minutes */
			} else if ( ( stoptime == -1 && save_tv.tv_sec < 60 )
				|| save_tv.tv_sec < ( stoptime - slap_get_time() ) / ( 2 * ncandidates ) )
			{
				/* double the timeout */
				lutil_timermul( &save_tv, 2, &save_tv );
			}

			if ( alreadybound == 0 ) {
				tv = save_tv;
				(void)select( 0, NULL, NULL, NULL, &tv );

			} else {
				ldap_pvt_thread_yield();
			}
		}
	}

	if ( rc == -1 ) {
		/*
		 * FIXME: need a better strategy to handle errors
		 */
		if ( mc ) {
			rc = meta_back_op_result( mc, op, rs, META_TARGET_NONE,
				-1, stoptime != -1 ? (stoptime - slap_get_time()) : 0,
				LDAP_BACK_SENDERR );
		} else {
			rc = rs->sr_err;
		}
		goto finish;
	}

	/*
	 * Rewrite the matched portion of the search base, if required
	 * 
	 * FIXME: only the last one gets caught!
	 */
	savepriv = op->o_private;
	op->o_private = (void *)(long)mi->mi_ntargets;
	if ( candidate_match > 0 ) {
		struct berval	pmatched = BER_BVNULL;

		/* we use the first one */
		for ( i = 0; i < mi->mi_ntargets; i++ ) {
			if ( META_IS_CANDIDATE( &candidates[ i ] )
					&& candidates[ i ].sr_matched != NULL )
			{
				struct berval	bv, pbv;
				int		rc;

				/* if we got success, and this target
				 * returned noSuchObject, and its suffix
				 * is a superior of the searchBase,
				 * ignore the matchedDN */
				if ( sres == LDAP_SUCCESS
					&& candidates[ i ].sr_err == LDAP_NO_SUCH_OBJECT
					&& op->o_req_ndn.bv_len > mi->mi_targets[ i ]->mt_nsuffix.bv_len )
				{
					free( (char *)candidates[ i ].sr_matched );
					candidates[ i ].sr_matched = NULL;
					continue;
				}

				ber_str2bv( candidates[ i ].sr_matched, 0, 0, &bv );
				rc = dnPretty( NULL, &bv, &pbv, op->o_tmpmemctx );

				if ( rc == LDAP_SUCCESS ) {

					/* NOTE: if they all are superiors
					 * of the baseDN, the shorter is also 
					 * superior of the longer... */
					if ( pbv.bv_len > pmatched.bv_len ) {
						if ( !BER_BVISNULL( &pmatched ) ) {
							op->o_tmpfree( pmatched.bv_val, op->o_tmpmemctx );
						}
						pmatched = pbv;
						op->o_private = (void *)i;

					} else {
						op->o_tmpfree( pbv.bv_val, op->o_tmpmemctx );
					}
				}

				if ( candidates[ i ].sr_matched != NULL ) {
					free( (char *)candidates[ i ].sr_matched );
					candidates[ i ].sr_matched = NULL;
				}
			}
		}

		if ( !BER_BVISNULL( &pmatched ) ) {
			matched = pmatched.bv_val;
		}

	} else if ( sres == LDAP_NO_SUCH_OBJECT ) {
		matched = op->o_bd->be_suffix[ 0 ].bv_val;
	}

	/*
	 * In case we returned at least one entry, we return LDAP_SUCCESS
	 * otherwise, the latter error code we got
	 */

	if ( sres == LDAP_SUCCESS ) {
		if ( rs->sr_v2ref ) {
			sres = LDAP_REFERRAL;
		}

		if ( META_BACK_ONERR_REPORT( mi ) ) {
			/*
			 * Report errors, if any
			 *
			 * FIXME: we should handle error codes and return the more 
			 * important/reasonable
			 */
			for ( i = 0; i < mi->mi_ntargets; i++ ) {
				if ( !META_IS_CANDIDATE( &candidates[ i ] ) ) {
					continue;
				}

				if ( candidates[ i ].sr_err != LDAP_SUCCESS
					&& candidates[ i ].sr_err != LDAP_NO_SUCH_OBJECT )
				{
					sres = candidates[ i ].sr_err;
					break;
				}
			}
		}
	}

	rs->sr_err = sres;
	rs->sr_matched = matched;
	rs->sr_ref = ( sres == LDAP_REFERRAL ? rs->sr_v2ref : NULL );
	send_ldap_result( op, rs );
	op->o_private = savepriv;
	rs->sr_matched = NULL;
	rs->sr_ref = NULL;

finish:;
	if ( matched && matched != op->o_bd->be_suffix[ 0 ].bv_val ) {
		op->o_tmpfree( matched, op->o_tmpmemctx );
	}

	if ( rs->sr_v2ref ) {
		ber_bvarray_free( rs->sr_v2ref );
	}

	for ( i = 0; i < mi->mi_ntargets; i++ ) {
		if ( !META_IS_CANDIDATE( &candidates[ i ] ) ) {
			continue;
		}

		if ( mc && META_IS_BINDING( &candidates[ i ] ) ) {
			ldap_pvt_thread_mutex_lock( &mi->mi_conninfo.lai_mutex );
			if ( LDAP_BACK_CONN_BINDING( &mc->mc_conns[ i ] ) ) {
				assert( candidates[ i ].sr_msgid >= 0 );
				assert( mc->mc_conns[ i ].msc_ld != NULL );

#ifdef DEBUG_205
				Debug( LDAP_DEBUG_ANY, "### %s meta_back_search(cleanup) "
					"ldap_unbind_ext[%ld] ld=%p\n",
					op->o_log_prefix, i, (void *)mc->mc_conns[i].msc_ld );
#endif /* DEBUG_205 */

				/* if still binding, destroy */
				meta_clear_one_candidate( op, mc, i );
			}
			ldap_pvt_thread_mutex_unlock( &mi->mi_conninfo.lai_mutex );
			META_BINDING_CLEAR( &candidates[ i ] );
		}

		if ( candidates[ i ].sr_matched ) {
			free( (char *)candidates[ i ].sr_matched );
			candidates[ i ].sr_matched = NULL;
		}

		if ( candidates[ i ].sr_text ) {
			ldap_memfree( (char *)candidates[ i ].sr_text );
			candidates[ i ].sr_text = NULL;
		}

		if ( candidates[ i ].sr_ref ) {
			ber_bvarray_free( candidates[ i ].sr_ref );
			candidates[ i ].sr_ref = NULL;
		}

		if ( candidates[ i ].sr_ctrls ) {
			ldap_controls_free( candidates[ i ].sr_ctrls );
			candidates[ i ].sr_ctrls = NULL;
		}

		if ( META_BACK_TGT_QUARANTINE( mi->mi_targets[ i ] ) ) {
			meta_back_quarantine( op, &candidates[ i ], i );
		}

		/* only in case of timelimit exceeded, if the timelimit exceeded because
		 * one contacted target never responded, invalidate the connection
		 * NOTE: should we quarantine the target as well?  right now, the connection
		 * is invalidated; the next time it will be recreated and the target
		 * will be quarantined if it cannot be contacted */
		if ( mi->mi_idle_timeout != 0
			&& rs->sr_err == LDAP_TIMELIMIT_EXCEEDED
			&& op->o_time > mc->mc_conns[ i ].msc_time )
		{
			/* don't let anyone else use this expired connection */
			LDAP_BACK_CONN_TAINTED_SET( mc );
		}
	}

	if ( mc ) {
		meta_back_release_conn( mi, mc );
	}

	return rs->sr_err;
}

static int
meta_send_entry(
	Operation 	*op,
	SlapReply	*rs,
	metaconn_t	*mc,
	int 		target,
	LDAPMessage 	*e )
{
	metainfo_t 		*mi = ( metainfo_t * )op->o_bd->be_private;
	struct berval		a, mapped;
	Entry 			ent = { 0 };
	BerElement 		ber = *e->lm_ber;
	Attribute 		*attr, **attrp;
	struct berval 		bdn,
				dn = BER_BVNULL;
	const char 		*text;
	dncookie		dc;
	int			rc;

	if ( ber_scanf( &ber, "{m{", &bdn ) == LBER_ERROR ) {
		return LDAP_DECODING_ERROR;
	}

	/*
	 * Rewrite the dn of the result, if needed
	 */
	dc.target = mi->mi_targets[ target ];
	dc.conn = op->o_conn;
	dc.rs = rs;
	dc.ctx = "searchResult";

	rs->sr_err = ldap_back_dn_massage( &dc, &bdn, &dn );
	if ( rs->sr_err != LDAP_SUCCESS) {
		return rs->sr_err;
	}

	/*
	 * Note: this may fail if the target host(s) schema differs
	 * from the one known to the meta, and a DN with unknown
	 * attributes is returned.
	 * 
	 * FIXME: should we log anything, or delegate to dnNormalize?
	 */
	rc = dnPrettyNormal( NULL, &dn, &ent.e_name, &ent.e_nname,
		op->o_tmpmemctx );
	if ( dn.bv_val != bdn.bv_val ) {
		free( dn.bv_val );
	}
	BER_BVZERO( &dn );

	if ( rc != LDAP_SUCCESS ) {
		return LDAP_INVALID_DN_SYNTAX;
	}

	/*
	 * cache dn
	 */
	if ( mi->mi_cache.ttl != META_DNCACHE_DISABLED ) {
		( void )meta_dncache_update_entry( &mi->mi_cache,
				&ent.e_nname, target );
	}

	attrp = &ent.e_attrs;

	dc.ctx = "searchAttrDN";
	while ( ber_scanf( &ber, "{m", &a ) != LBER_ERROR ) {
		int				last = 0;
		slap_syntax_validate_func	*validate;
		slap_syntax_transform_func	*pretty;

		ldap_back_map( &mi->mi_targets[ target ]->mt_rwmap.rwm_at, 
				&a, &mapped, BACKLDAP_REMAP );
		if ( BER_BVISNULL( &mapped ) || mapped.bv_val[0] == '\0' ) {
			( void )ber_scanf( &ber, "x" /* [W] */ );
			continue;
		}
		attr = ( Attribute * )ch_calloc( 1, sizeof( Attribute ) );
		if ( attr == NULL ) {
			continue;
		}
		if ( slap_bv2ad( &mapped, &attr->a_desc, &text )
				!= LDAP_SUCCESS) {
			if ( slap_bv2undef_ad( &mapped, &attr->a_desc, &text,
				SLAP_AD_PROXIED ) != LDAP_SUCCESS )
			{
				char	buf[ SLAP_TEXT_BUFLEN ];

				snprintf( buf, sizeof( buf ),
					"%s meta_send_entry(\"%s\"): "
					"slap_bv2undef_ad(%s): %s\n",
					op->o_log_prefix, ent.e_name.bv_val,
					mapped.bv_val, text );

				Debug( LDAP_DEBUG_ANY, "%s", buf, 0, 0 );
				ch_free( attr );
				continue;
			}
		}

		/* no subschemaSubentry */
		if ( attr->a_desc == slap_schema.si_ad_subschemaSubentry
			|| attr->a_desc == slap_schema.si_ad_entryDN )
		{

			/* 
			 * We eat target's subschemaSubentry because
			 * a search for this value is likely not
			 * to resolve to the appropriate backend;
			 * later, the local subschemaSubentry is
			 * added.
			 *
			 * We also eat entryDN because the frontend
			 * will reattach it without checking if already
			 * present...
			 */
			( void )ber_scanf( &ber, "x" /* [W] */ );

			ch_free(attr);
			continue;
		}

		if ( ber_scanf( &ber, "[W]", &attr->a_vals ) == LBER_ERROR 
				|| attr->a_vals == NULL )
		{
			attr->a_vals = (struct berval *)&slap_dummy_bv;

		} else {
			for ( last = 0; !BER_BVISNULL( &attr->a_vals[ last ] ); ++last )
				;
		}

		validate = attr->a_desc->ad_type->sat_syntax->ssyn_validate;
		pretty = attr->a_desc->ad_type->sat_syntax->ssyn_pretty;

		if ( !validate && !pretty ) {
			attr_free( attr );
			goto next_attr;
		}

		if ( attr->a_desc == slap_schema.si_ad_objectClass
				|| attr->a_desc == slap_schema.si_ad_structuralObjectClass )
		{
			struct berval 	*bv;

			for ( bv = attr->a_vals; !BER_BVISNULL( bv ); bv++ ) {
				ldap_back_map( &mi->mi_targets[ target ]->mt_rwmap.rwm_oc,
						bv, &mapped, BACKLDAP_REMAP );
				if ( BER_BVISNULL( &mapped ) || mapped.bv_val[0] == '\0') {
					free( bv->bv_val );
					BER_BVZERO( bv );
					if ( --last < 0 ) {
						break;
					}
					*bv = attr->a_vals[ last ];
					BER_BVZERO( &attr->a_vals[ last ] );
					bv--;

				} else if ( mapped.bv_val != bv->bv_val ) {
					free( bv->bv_val );
					ber_dupbv( bv, &mapped );
				}
			}
		/*
		 * It is necessary to try to rewrite attributes with
		 * dn syntax because they might be used in ACLs as
		 * members of groups; since ACLs are applied to the
		 * rewritten stuff, no dn-based subecj clause could
		 * be used at the ldap backend side (see
		 * http://www.OpenLDAP.org/faq/data/cache/452.html)
		 * The problem can be overcome by moving the dn-based
		 * ACLs to the target directory server, and letting
		 * everything pass thru the ldap backend.
		 */
		} else {
			int	i;

			if ( attr->a_desc->ad_type->sat_syntax ==
				slap_schema.si_syn_distinguishedName )
			{
				ldap_dnattr_result_rewrite( &dc, attr->a_vals );

			} else if ( attr->a_desc == slap_schema.si_ad_ref ) {
				ldap_back_referral_result_rewrite( &dc, attr->a_vals );

			}

			for ( i = 0; i < last; i++ ) {
				struct berval	pval;
				int		rc;

				if ( pretty ) {
					rc = pretty( attr->a_desc->ad_type->sat_syntax,
						&attr->a_vals[i], &pval, NULL );

				} else {
					rc = validate( attr->a_desc->ad_type->sat_syntax,
						&attr->a_vals[i] );
				}

				if ( rc ) {
					LBER_FREE( attr->a_vals[i].bv_val );
					if ( --last == i ) {
						BER_BVZERO( &attr->a_vals[ i ] );
						break;
					}
					attr->a_vals[i] = attr->a_vals[last];
					BER_BVZERO( &attr->a_vals[last] );
					i--;
					continue;
				}

				if ( pretty ) {
					LBER_FREE( attr->a_vals[i].bv_val );
					attr->a_vals[i] = pval;
				}
			}

			if ( last == 0 && attr->a_vals != &slap_dummy_bv ) {
				attr_free( attr );
				goto next_attr;
			}
		}

		if ( last && attr->a_desc->ad_type->sat_equality &&
			attr->a_desc->ad_type->sat_equality->smr_normalize )
		{
			int i;

			attr->a_nvals = ch_malloc( ( last + 1 ) * sizeof( struct berval ) );
			for ( i = 0; i<last; i++ ) {
				attr->a_desc->ad_type->sat_equality->smr_normalize(
					SLAP_MR_VALUE_OF_ATTRIBUTE_SYNTAX,
					attr->a_desc->ad_type->sat_syntax,
					attr->a_desc->ad_type->sat_equality,
					&attr->a_vals[i], &attr->a_nvals[i],
					NULL );
			}
			BER_BVZERO( &attr->a_nvals[i] );

		} else {
			attr->a_nvals = attr->a_vals;
		}

		*attrp = attr;
		attrp = &attr->a_next;
next_attr:;
	}
	rs->sr_entry = &ent;
	rs->sr_attrs = op->ors_attrs;
	rs->sr_flags = 0;
	rs->sr_err = LDAP_SUCCESS;
	rc = send_search_entry( op, rs );
	switch ( rc ) {
	case LDAP_UNAVAILABLE:
		rc = LDAP_OTHER;
		break;
	}
	rs->sr_entry = NULL;
	rs->sr_attrs = NULL;
	
	if ( !BER_BVISNULL( &ent.e_name ) ) {
		free( ent.e_name.bv_val );
		BER_BVZERO( &ent.e_name );
	}
	if ( !BER_BVISNULL( &ent.e_nname ) ) {
		free( ent.e_nname.bv_val );
		BER_BVZERO( &ent.e_nname );
	}
	entry_clean( &ent );

	return rc;
}


Bell Labs OSI certified Powered by Plan 9

(Return to Plan 9 Home Page)

Copyright © 2021 Plan 9 Foundation. All Rights Reserved.
Comments to [email protected].