自学教程：C++ BER_BVISEMPTY函数代码示例

static intpguid_db_init(	BackendDB	*be,	ConfigReply	*cr){	if ( SLAP_ISGLOBALOVERLAY( be ) ) {		Log0( LDAP_DEBUG_ANY, LDAP_LEVEL_ERR,			"pguid_db_init: pguid cannot be used as global overlay./n" );		return 1;	}	if ( be->be_nsuffix == NULL ) {		Log0( LDAP_DEBUG_ANY, LDAP_LEVEL_ERR,			"pguid_db_init: database must have suffix/n" );		return 1;	}	if ( BER_BVISNULL( &be->be_rootndn ) || BER_BVISEMPTY( &be->be_rootndn ) ) {		Log1( LDAP_DEBUG_ANY, LDAP_LEVEL_ERR,			"pguid_db_init: missing rootdn for database DN=/"%s/", YMMV/n",			be->be_suffix[ 0 ].bv_val );	}	return 0;}

intslapi_modify_internal_pb( Slapi_PBlock *pb ){	SlapReply		*rs;	if ( pb == NULL ) {		return -1;	}	PBLOCK_ASSERT_INTOP( pb, LDAP_REQ_MODIFY );	rs = pb->pb_rs;	if ( pb->pb_op->orm_modlist == NULL ) {		rs->sr_err = LDAP_PARAM_ERROR;		goto cleanup;	}	if ( BER_BVISEMPTY( &pb->pb_op->o_req_ndn ) ) {		rs->sr_err = LDAP_UNWILLING_TO_PERFORM;		goto cleanup;	}	rs->sr_err = slap_mods_check( pb->pb_op, pb->pb_op->orm_modlist,		&rs->sr_text, pb->pb_textbuf, sizeof( pb->pb_textbuf ), NULL );	if ( rs->sr_err != LDAP_SUCCESS ) {                goto cleanup;        }	slapi_int_func_internal_pb( pb, op_modify );cleanup:	return 0;}

voidrwm_mapping_dst_free( void *v_mapping ){	struct ldapmapping *mapping = v_mapping;	if ( BER_BVISEMPTY( &mapping[0].m_dst ) ) {		rwm_mapping_free( &mapping[ -1 ] );	}}

static voidmapping_dst_free(	void		*v_mapping ){	struct ldapmapping *mapping = v_mapping;	if ( BER_BVISEMPTY( &mapping->dst ) ) {		mapping_free( &mapping[ -1 ] );	}}

intfe_op_bind_success( Operation *op, SlapReply *rs ){	ldap_pvt_thread_mutex_lock( &op->o_conn->c_mutex );	if( op->o_conn->c_authz_backend == NULL ) {		op->o_conn->c_authz_backend = op->o_bd;	}	/* be_bind returns regular/global edn */	if( !BER_BVISEMPTY( &op->orb_edn ) ) {		op->o_conn->c_dn = op->orb_edn;	} else {		ber_dupbv(&op->o_conn->c_dn, &op->o_req_dn);	}	ber_dupbv( &op->o_conn->c_ndn, &op->o_req_ndn );	/* op->o_conn->c_sb may be 0 for internal operations */	if( !BER_BVISEMPTY( &op->o_conn->c_dn ) && op->o_conn->c_sb != 0 ) {		ber_len_t max = sockbuf_max_incoming_auth;		ber_sockbuf_ctrl( op->o_conn->c_sb,			LBER_SB_OPT_SET_MAX_INCOMING, &max );	}	/* log authorization identity */	Statslog( LDAP_DEBUG_STATS,		"%s BIND dn=/"%s/" mech=%s ssf=0/n",		op->o_log_prefix,		op->o_conn->c_dn.bv_val, op->orb_mech.bv_val );	Debug( LDAP_DEBUG_TRACE,		"do_bind: v%d bind: /"%s/" to /"%s/"/n",		op->o_protocol, op->o_req_dn.bv_val, op->o_conn->c_dn.bv_val );	ldap_pvt_thread_mutex_unlock( &op->o_conn->c_mutex );	/* send this here to avoid a race condition */	send_ldap_result( op, rs );	return LDAP_SUCCESS;}

intslapi_search_internal_callback_pb( Slapi_PBlock *pb,	void *callback_data,	plugin_result_callback prc,	plugin_search_entry_callback psec,	plugin_referral_entry_callback prec ){	int			free_filter = 0;	SlapReply		*rs;	if ( pb == NULL ) {		return -1;	}	PBLOCK_ASSERT_INTOP( pb, LDAP_REQ_SEARCH );	rs = pb->pb_rs;	/* search callback and arguments */	slapi_pblock_set( pb, SLAPI_X_INTOP_RESULT_CALLBACK,         (void *)prc );	slapi_pblock_set( pb, SLAPI_X_INTOP_SEARCH_ENTRY_CALLBACK,   (void *)psec );	slapi_pblock_set( pb, SLAPI_X_INTOP_REFERRAL_ENTRY_CALLBACK, (void *)prec );	slapi_pblock_set( pb, SLAPI_X_INTOP_CALLBACK_DATA,           (void *)callback_data );	if ( BER_BVISEMPTY( &pb->pb_op->ors_filterstr )) {		rs->sr_err = LDAP_PARAM_ERROR;		goto cleanup;	}	if ( pb->pb_op->ors_filter == NULL ) {		pb->pb_op->ors_filter = slapi_str2filter( pb->pb_op->ors_filterstr.bv_val );		if ( pb->pb_op->ors_filter == NULL ) {			rs->sr_err = LDAP_PROTOCOL_ERROR;			goto cleanup;		}		free_filter = 1;	}	slapi_int_func_internal_pb( pb, op_search );cleanup:	if ( free_filter ) {		slapi_filter_free( pb->pb_op->ors_filter, 1 );		pb->pb_op->ors_filter = NULL;	}	slapi_pblock_delete_param( pb, SLAPI_X_INTOP_RESULT_CALLBACK );	slapi_pblock_delete_param( pb, SLAPI_X_INTOP_SEARCH_ENTRY_CALLBACK );	slapi_pblock_delete_param( pb, SLAPI_X_INTOP_REFERRAL_ENTRY_CALLBACK );	slapi_pblock_delete_param( pb, SLAPI_X_INTOP_CALLBACK_DATA );	return 0;}

static int pam_uid2dn(nssov_info *ni, Operation *op,	struct paminfo *pi){	struct berval sdn;	BER_BVZERO(&pi->dn);	if (!isvalidusername(&pi->uid)) {		Debug(LDAP_DEBUG_ANY,"nssov_pam_uid2dn(%s): invalid user name/n",			pi->uid.bv_val,0,0);		return NSLCD_PAM_USER_UNKNOWN;	}	if (ni->ni_pam_opts & NI_PAM_SASL2DN) {		int hlen = global_host_bv.bv_len;		/* cn=<service>+uid=<user>,cn=<host>,cn=pam,cn=auth */		sdn.bv_len = pi->uid.bv_len + pi->svc.bv_len + hlen +			STRLENOF( "cn=+uid=,cn=,cn=pam,cn=auth" );		sdn.bv_val = op->o_tmpalloc( sdn.bv_len + 1, op->o_tmpmemctx );		sprintf(sdn.bv_val, "cn=%s+uid=%s,cn=%s,cn=pam,cn=auth",			pi->svc.bv_val, pi->uid.bv_val, global_host_bv.bv_val);		slap_sasl2dn(op, &sdn, &pi->dn, 0);		op->o_tmpfree( sdn.bv_val, op->o_tmpmemctx );	}	/* If no luck, do a basic uid search */	if (BER_BVISEMPTY(&pi->dn) && (ni->ni_pam_opts & NI_PAM_UID2DN)) {		nssov_uid2dn(op, ni, &pi->uid, &pi->dn);		if (!BER_BVISEMPTY(&pi->dn)) {			sdn = pi->dn;			dnNormalize( 0, NULL, NULL, &sdn, &pi->dn, op->o_tmpmemctx );		}	}	if (BER_BVISEMPTY(&pi->dn)) {		return NSLCD_PAM_USER_UNKNOWN;	}	return 0;}

/* Conforms to RFC4510 re: Criticality, original RFC2891 spec is broken * Also see ITS#7253 for discussion */static int sss_parseCtrl(	Operation		*op,	SlapReply		*rs,	LDAPControl		*ctrl ){	BerElementBuffer	berbuf;	BerElement			*ber;	ber_tag_t		tag;	ber_len_t		len;	int					i;	sort_ctrl	*sc;	rs->sr_err = LDAP_PROTOCOL_ERROR;	if ( op->o_ctrlflag[sss_cid] > SLAP_CONTROL_IGNORED ) {		rs->sr_text = "sorted results control specified multiple times";	} else if ( BER_BVISNULL( &ctrl->ldctl_value ) ) {		rs->sr_text = "sorted results control value is absent";	} else if ( BER_BVISEMPTY( &ctrl->ldctl_value ) ) {		rs->sr_text = "sorted results control value is empty";	} else {		rs->sr_err = LDAP_SUCCESS;	}	if ( rs->sr_err != LDAP_SUCCESS )		return rs->sr_err;	op->o_ctrlflag[sss_cid] = ctrl->ldctl_iscritical ?		SLAP_CONTROL_CRITICAL : SLAP_CONTROL_NONCRITICAL;	ber = (BerElement *)&berbuf;	ber_init2( ber, &ctrl->ldctl_value, 0 );	i = count_key( ber );	sc = op->o_tmpalloc( sizeof(sort_ctrl) +		(i-1) * sizeof(sort_key), op->o_tmpmemctx );	sc->sc_nkeys = i;	op->o_controls[sss_cid] = sc;	/* peel off initial sequence */	ber_scanf( ber, "{" );	i = 0;	do {		if ( build_key( ber, rs, &sc->sc_keys[i] ) != LDAP_SUCCESS )			break;		i++;		tag = ber_peek_tag( ber, &len );	} while ( tag != LBER_DEFAULT );	return rs->sr_err;}

ID ndb_tool_dn2id_get(	Backend *be,	struct berval *dn){	struct ndb_info *ni = (struct ndb_info *) be->be_private;	NdbArgs NA;	NdbRdns rdns;	Entry e;	char text[1024];	Operation op = {0};	Opheader ohdr = {0};	int rc;	if ( BER_BVISEMPTY(dn) )		return 0;	NA.ndb = myNdb;	NA.txn = myNdb->startTransaction();	if ( !NA.txn ) {		snprintf( text, sizeof(text),			"startTransaction failed: %s (%d)",			myNdb->getNdbError().message, myNdb->getNdbError().code );		Debug( LDAP_DEBUG_ANY,			"=> " LDAP_XSTRING(ndb_tool_dn2id_get) ": %s/n",			 text, 0, 0 );		return NOID;	}	if ( myOcList ) {		ber_bvarray_free( myOcList );		myOcList = NULL;	}	op.o_hdr = &ohdr;	op.o_bd = be;	op.o_tmpmemctx = NULL;	op.o_tmpmfuncs = &ch_mfuncs;	NA.e = &e;	e.e_name = *dn;	NA.rdns = &rdns;	NA.ocs = NULL;	rc = ndb_entry_get_info( &op, &NA, 0, NULL );	myOcList = NA.ocs;	NA.txn->close();	if ( rc )		return NOID;	myDn = *dn;	return e.e_id;}

intunload_extop(	const struct berval *ext_oid,	SLAP_EXTOP_MAIN_FN *ext_main,	unsigned flags ){	struct berval		oidm = BER_BVNULL;	struct extop_list	*ext, **extp;	/* oid must be given */	if ( ext_oid == NULL || BER_BVISNULL( ext_oid ) ||		BER_BVISEMPTY( ext_oid ) )	{		return -1; 	}	/* if it's not an oid, check if it's a macto */	if ( numericoidValidate( NULL, (struct berval *)ext_oid ) !=		LDAP_SUCCESS )	{		oidm.bv_val = oidm_find( ext_oid->bv_val );		if ( oidm.bv_val == NULL ) {			return -1;		}		oidm.bv_len = strlen( oidm.bv_val );		ext_oid = &oidm;	}	/* lookup the oid */	for ( extp = &supp_ext_list; *extp; extp = &(*extp)->next ) {		if ( bvmatch( ext_oid, &(*extp)->oid ) ) {			/* if ext_main is given, only remove if it matches */			if ( ext_main != NULL && (*extp)->ext_main != ext_main ) {				return -1;			}			break;		}	}	if ( *extp == NULL ) {		return -1;	}	ext = *extp;	*extp = (*extp)->next;	ch_free( ext );	return 0;}

static intslapi_op_bind_callback( Operation *op, SlapReply *rs, int prc ){	switch ( prc ) {	case SLAPI_BIND_SUCCESS:		/* Continue with backend processing */		break;	case SLAPI_BIND_FAIL:		/* Failure, frontend (that's us) sends result */		rs->sr_err = LDAP_INVALID_CREDENTIALS;		send_ldap_result( op, rs );		return rs->sr_err;		break;	case SLAPI_BIND_ANONYMOUS: /* undocumented */	default: /* plugin sent result or no plugins called */		BER_BVZERO( &op->orb_edn );		if ( rs->sr_err == LDAP_SUCCESS ) {			/*			 * Plugin will have called slapi_pblock_set(LDAP_CONN_DN) which			 * will have set conn->c_dn and conn->c_ndn			 */			if ( BER_BVISNULL( &op->o_conn->c_ndn ) && prc == 1 ) {				/* No plugins were called; continue processing */				return LDAP_SUCCESS;			}			ldap_pvt_thread_mutex_lock( &op->o_conn->c_mutex );			if ( !BER_BVISEMPTY( &op->o_conn->c_ndn ) ) {				ber_len_t max = sockbuf_max_incoming_auth;				ber_sockbuf_ctrl( op->o_conn->c_sb,					LBER_SB_OPT_SET_MAX_INCOMING, &max );			}			ldap_pvt_thread_mutex_unlock( &op->o_conn->c_mutex );			/* log authorization identity */			Statslog( LDAP_DEBUG_STATS,				"%s BIND dn=/"%s/" mech=%s (SLAPI) ssf=0/n",				op->o_log_prefix,				BER_BVISNULL( &op->o_conn->c_dn )					? "<empty>" : op->o_conn->c_dn.bv_val,				BER_BVISNULL( &op->orb_mech )					? "<empty>" : op->orb_mech.bv_val, 0, 0 );			return -1;		}		break;	}	return rs->sr_err;}

static intrdnval_is_valid( AttributeDescription *desc, struct berval *value ){	if ( desc->ad_type->sat_syntax == slap_schema.si_syn_directoryString ) {		return 1;	}	if ( desc->ad_type->sat_syntax == syn_IA5String		&& !BER_BVISEMPTY( value ) )	{		return 1;	}	return 0;}

static intaci_list_get_rights(	struct berval	*list,	struct berval	*attr,	struct berval	*val,	slap_access_t	*grant,	slap_access_t	*deny ){	struct berval	perm, actn, baseattr;	slap_access_t	*mask;	int		i, found;	if ( attr == NULL || BER_BVISEMPTY( attr ) ) {		attr = (struct berval *)&aci_bv[ ACI_BV_ENTRY ];	} else if ( acl_get_part( attr, 0, ';', &baseattr ) > 0 ) {		attr = &baseattr;	}	found = 0;	ACL_INIT(*grant);	ACL_INIT(*deny);	/* loop through each permissions clause */	for ( i = 0; acl_get_part( list, i, '$', &perm ) >= 0; i++ ) {		if ( acl_get_part( &perm, 0, ';', &actn ) < 0 ) {			continue;		}		if ( ber_bvstrcasecmp( &aci_bv[ ACI_BV_GRANT ], &actn ) == 0 ) {			mask = grant;		} else if ( ber_bvstrcasecmp( &aci_bv[ ACI_BV_DENY ], &actn ) == 0 ) {			mask = deny;		} else {			continue;		}		*mask |= aci_list_get_attr_rights( &perm, attr, val );		*mask |= aci_list_get_attr_rights( &perm, &aci_bv[ ACI_BV_BR_ALL ], NULL );		if ( *mask != ACL_PRIV_NONE ) {			found = 1;		}	}	return found;}

intdnssrv_back_bind(	Operation	*op,	SlapReply	*rs ){	Debug( LDAP_DEBUG_TRACE, "DNSSRV: bind dn=/"%s/" (%d)/n",		BER_BVISNULL( &op->o_req_dn ) ? "" : op->o_req_dn.bv_val, 		op->orb_method, 0 );	/* allow rootdn as a means to auth without the need to actually 	 * contact the proxied DSA */	switch ( be_rootdn_bind( op, NULL ) ) {	case LDAP_SUCCESS:		/* frontend will send result */		return rs->sr_err;	default:		/* treat failure and like any other bind, otherwise		 * it could reveal the DN of the rootdn */		break;	}	if ( !BER_BVISNULL( &op->orb_cred ) &&		!BER_BVISEMPTY( &op->orb_cred ) )	{		/* simple bind */		Statslog( LDAP_DEBUG_STATS,		   	"%s DNSSRV BIND dn=/"%s/" provided cleartext passwd/n",	   		op->o_log_prefix,			BER_BVISNULL( &op->o_req_dn ) ? "" : op->o_req_dn.bv_val , 0, 0, 0 );		send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM,			"you shouldn't send strangers your password" );	} else {		/* unauthenticated bind */		/* NOTE: we're not going to get here anyway:		 * unauthenticated bind is dealt with by the frontend */		Debug( LDAP_DEBUG_TRACE, "DNSSRV: BIND dn=/"%s/"/n",			BER_BVISNULL( &op->o_req_dn ) ? "" : op->o_req_dn.bv_val, 0, 0 );		send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM,			"anonymous bind expected" );	}	return 1;}

/* * Matches given berval to array of bervals * Returns: *      >=0 if one if the array elements equals to this berval *       -1 if string was not found in array */static intbv_getcaseidx(	struct berval *bv,	const struct berval *arr[] ){	int i;	if ( BER_BVISEMPTY( bv ) ) {		return -1;	}	for ( i = 0; arr[ i ] != NULL ; i++ ) {		if ( ber_bvstrcasecmp( bv, arr[ i ] ) == 0 ) { 			return i;		}	}  	return -1;}

intslapi_modrdn_internal_pb( Slapi_PBlock *pb ){	if ( pb == NULL ) {		return -1;	}	PBLOCK_ASSERT_INTOP( pb, LDAP_REQ_MODRDN );	if ( BER_BVISEMPTY( &pb->pb_op->o_req_ndn ) ) {		pb->pb_rs->sr_err = LDAP_UNWILLING_TO_PERFORM;		goto cleanup;	}	slapi_int_func_internal_pb( pb, op_modrdn );cleanup:	return 0;}

intldap_back_map_attrs(		struct ldapmap *at_map,		AttributeName *an,		int remap,		char ***mapped_attrs,		void *memctx ){	int i, j;	char **na;	struct berval mapped;	if ( an == NULL ) {		*mapped_attrs = NULL;		return LDAP_SUCCESS;	}	for ( i = 0; !BER_BVISNULL( &an[i].an_name ); i++ )		/*  */ ;	na = (char **)ber_memcalloc_x( i + 1, sizeof(char *), memctx );	if ( na == NULL ) {		*mapped_attrs = NULL;		return LDAP_NO_MEMORY;	}	for ( i = j = 0; !BER_BVISNULL( &an[i].an_name ); i++ ) {		ldap_back_map( at_map, &an[i].an_name, &mapped, remap );		if ( !BER_BVISNULL( &mapped ) && !BER_BVISEMPTY( &mapped ) ) {			na[j++] = mapped.bv_val;		}	}	if ( j == 0 && i != 0 ) {		na[j++] = LDAP_NO_ATTRS;	}	na[j] = NULL;	*mapped_attrs = na;	return LDAP_SUCCESS;}

static intrdnval_op_add( Operation *op, SlapReply *rs ){	Attribute *a, **ap;	int numvals = 0;	BerVarray vals = NULL, nvals = NULL;	int rc;	/* NOTE: should we accept an entry still in mods format? */	assert( op->ora_e != NULL );	if ( BER_BVISEMPTY( &op->ora_e->e_nname ) ) {		return SLAP_CB_CONTINUE;	}	a = attr_find( op->ora_e->e_attrs, ad_rdnValue );	if ( a != NULL ) {		/* TODO: check consistency? */		return SLAP_CB_CONTINUE;	}	rc = rdnval_rdn2vals( op, rs, &op->ora_e->e_name, &op->ora_e->e_nname,		&vals, &nvals, &numvals );	if ( rc != LDAP_SUCCESS ) {		send_ldap_result( op, rs );	}	a = attr_alloc( ad_rdnValue );	a->a_vals = vals;	a->a_nvals = nvals;	a->a_numvals = numvals;	for ( ap = &op->ora_e->e_attrs; *ap != NULL; ap = &(*ap)->a_next )		/* goto tail */ ;	*ap = a;	return SLAP_CB_CONTINUE;}

static intvernum_op_add( Operation *op, SlapReply *rs ){	slap_overinst	*on = (slap_overinst *) op->o_bd->bd_info;	vernum_t	*vn = (vernum_t *)on->on_bi.bi_private;	Attribute *a, **ap;	int rc;	/* NOTE: should we accept an entry still in mods format? */	assert( op->ora_e != NULL );	if ( BER_BVISEMPTY( &op->ora_e->e_nname ) ) {		return SLAP_CB_CONTINUE;	}	a = attr_find( op->ora_e->e_attrs, vn->vn_attr );	if ( a == NULL ) {		return SLAP_CB_CONTINUE;	}	if ( attr_find( op->ora_e->e_attrs, vn->vn_vernum ) != NULL ) {		/* already present - leave it alone */		return SLAP_CB_CONTINUE;	}	a = attr_alloc( vn->vn_vernum );	value_add_one( &a->a_vals, &val_init );	a->a_nvals = a->a_vals;	a->a_numvals = 1;	for ( ap = &op->ora_e->e_attrs; *ap != NULL; ap = &(*ap)->a_next )		/* goto tail */ ;	*ap = a;	return SLAP_CB_CONTINUE;}

static intdynlist_make_filter( Operation *op, Entry *e, const char *url, struct berval *oldf, struct berval *newf ){	slap_overinst	*on = (slap_overinst *)op->o_bd->bd_info;	dynlist_info_t	*dli = (dynlist_info_t *)on->on_bi.bi_private;	char		*ptr;	int		needBrackets = 0;	assert( oldf != NULL );	assert( newf != NULL );	assert( !BER_BVISNULL( oldf ) );	assert( !BER_BVISEMPTY( oldf ) );	if ( oldf->bv_val[0] != '(' ) {		Debug( LDAP_DEBUG_ANY, "%s: dynlist, DN=/"%s/": missing brackets in URI=/"%s/" filter/n",			op->o_log_prefix, e->e_name.bv_val, url );		needBrackets = 2;	}	newf->bv_len = STRLENOF( "(&(!(objectClass=" "))" ")" )		+ dli->dli_oc->soc_cname.bv_len + oldf->bv_len + needBrackets;	newf->bv_val = op->o_tmpalloc( newf->bv_len + 1, op->o_tmpmemctx );	if ( newf->bv_val == NULL ) {		return -1;	}	ptr = lutil_strcopy( newf->bv_val, "(&(!(objectClass=" );	ptr = lutil_strcopy( ptr, dli->dli_oc->soc_cname.bv_val );	ptr = lutil_strcopy( ptr, "))" );	if ( needBrackets ) *ptr++ = '(';	ptr = lutil_strcopy( ptr, oldf->bv_val );	if ( needBrackets ) *ptr++ = ')';	ptr = lutil_strcopy( ptr, ")" );	newf->bv_len = ptr - newf->bv_val;	return 0;}

intmeta_back_modify( Operation *op, SlapReply *rs ){	metainfo_t	*mi = ( metainfo_t * )op->o_bd->be_private;	metatarget_t	*mt;	metaconn_t	*mc;	int		rc = 0;	LDAPMod		**modv = NULL;	LDAPMod		*mods = NULL;	Modifications	*ml;	int		candidate = -1, i;	int		isupdate;	struct berval	mdn = BER_BVNULL;	struct berval	mapped;	dncookie	dc;	int		msgid;	ldap_back_send_t	retrying = LDAP_BACK_RETRYING;	LDAPControl	**ctrls = NULL;	mc = meta_back_getconn( op, rs, &candidate, LDAP_BACK_SENDERR );	if ( !mc || !meta_back_dobind( op, rs, mc, LDAP_BACK_SENDERR ) ) {		return rs->sr_err;	}	assert( mc->mc_conns[ candidate ].msc_ld != NULL );	/*	 * Rewrite the modify dn, if needed	 */	mt = mi->mi_targets[ candidate ];	dc.target = mt;	dc.conn = op->o_conn;	dc.rs = rs;	dc.ctx = "modifyDN";	if ( ldap_back_dn_massage( &dc, &op->o_req_dn, &mdn ) ) {		send_ldap_result( op, rs );		goto cleanup;	}	for ( i = 0, ml = op->orm_modlist; ml; i++ ,ml = ml->sml_next )		;	mods = ch_malloc( sizeof( LDAPMod )*i );	if ( mods == NULL ) {		rs->sr_err = LDAP_OTHER;		send_ldap_result( op, rs );		goto cleanup;	}	modv = ( LDAPMod ** )ch_malloc( ( i + 1 )*sizeof( LDAPMod * ) );	if ( modv == NULL ) {		rs->sr_err = LDAP_OTHER;		send_ldap_result( op, rs );		goto cleanup;	}	dc.ctx = "modifyAttrDN";	isupdate = be_shadow_update( op );	for ( i = 0, ml = op->orm_modlist; ml; ml = ml->sml_next ) {		int	j, is_oc = 0;		if ( !isupdate && !get_relax( op ) && ml->sml_desc->ad_type->sat_no_user_mod  )		{			continue;		}		if ( ml->sml_desc == slap_schema.si_ad_objectClass 				|| ml->sml_desc == slap_schema.si_ad_structuralObjectClass )		{			is_oc = 1;			mapped = ml->sml_desc->ad_cname;		} else {			ldap_back_map( &mt->mt_rwmap.rwm_at,					&ml->sml_desc->ad_cname, &mapped,					BACKLDAP_MAP );			if ( BER_BVISNULL( &mapped ) || BER_BVISEMPTY( &mapped ) ) {				continue;			}		}		modv[ i ] = &mods[ i ];		mods[ i ].mod_op = ml->sml_op | LDAP_MOD_BVALUES;		mods[ i ].mod_type = mapped.bv_val;		/*		 * FIXME: dn-valued attrs should be rewritten		 * to allow their use in ACLs at the back-ldap		 * level.		 */		if ( ml->sml_values != NULL ) {			if ( is_oc ) {				for ( j = 0; !BER_BVISNULL( &ml->sml_values[ j ] ); j++ )					;				mods[ i ].mod_bvalues =					(struct berval **)ch_malloc( ( j + 1 ) *					sizeof( struct berval * ) );				for ( j = 0; !BER_BVISNULL( &ml->sml_values[ j ] ); ) {					struct ldapmapping	*mapping;//.........这里部分代码省略.........

static intdynacl_aci_mask(	void			*priv,	Operation		*op,	Entry			*e,	AttributeDescription	*desc,	struct berval		*val,	int			nmatch,	regmatch_t		*matches,	slap_access_t		*grantp,	slap_access_t		*denyp ){	AttributeDescription	*ad = ( AttributeDescription * )priv;	Attribute		*at;	slap_access_t		tgrant, tdeny, grant, deny;#ifdef LDAP_DEBUG	char			accessmaskbuf[ACCESSMASK_MAXLEN];	char			accessmaskbuf1[ACCESSMASK_MAXLEN];#endif /* LDAP_DEBUG */	if ( BER_BVISEMPTY( &e->e_nname ) ) {		/* no ACIs in the root DSE */		return -1;	}	/* start out with nothing granted, nothing denied */	ACL_INIT(tgrant);	ACL_INIT(tdeny);	/* get the aci attribute */	at = attr_find( e->e_attrs, ad );	if ( at != NULL ) {		int		i;		/* the aci is an multi-valued attribute.  The		 * rights are determined by OR'ing the individual		 * rights given by the acis.		 */		for ( i = 0; !BER_BVISNULL( &at->a_nvals[i] ); i++ ) {			if ( aci_mask( op, e, desc, val, &at->a_nvals[i],					nmatch, matches, &grant, &deny,					SLAP_ACI_SCOPE_ENTRY ) != 0 )			{				tgrant |= grant;				tdeny |= deny;			}		}		Debug( LDAP_DEBUG_ACL, "        <= aci_mask grant %s deny %s/n",			  accessmask2str( tgrant, accessmaskbuf, 1 ),			  accessmask2str( tdeny, accessmaskbuf1, 1 ) );	}	/* If the entry level aci didn't contain anything valid for the	 * current operation, climb up the tree and evaluate the	 * acis with scope set to subtree	 */	if ( tgrant == ACL_PRIV_NONE && tdeny == ACL_PRIV_NONE ) {		struct berval	parent_ndn;		dnParent( &e->e_nname, &parent_ndn );		while ( !BER_BVISEMPTY( &parent_ndn ) ){			int		i;			BerVarray	bvals = NULL;			int		ret, stop;			/* to solve the chicken'n'egg problem of accessing			 * the OpenLDAPaci attribute, the direct access			 * to the entry's attribute is unchecked; however,			 * further accesses to OpenLDAPaci values in the			 * ancestors occur through backend_attribute(), i.e.			 * with the identity of the operation, requiring			 * further access checking.  For uniformity, this			 * makes further requests occur as the rootdn, if			 * any, i.e. searching for the OpenLDAPaci attribute			 * is considered an internal search.  If this is not			 * acceptable, then the same check needs be performed			 * when accessing the entry's attribute. */			struct berval	save_o_dn = {0}, save_o_ndn = {0};			if ( !BER_BVISNULL( &op->o_bd->be_rootndn ) ) {				save_o_dn = op->o_dn;				save_o_ndn = op->o_ndn;				op->o_dn = op->o_bd->be_rootdn;				op->o_ndn = op->o_bd->be_rootndn;			}			Debug( LDAP_DEBUG_ACL, "        checking ACI of /"%s/"/n", parent_ndn.bv_val );			ret = backend_attribute( op, NULL, &parent_ndn, ad, &bvals, ACL_AUTH );			if ( !BER_BVISNULL( &op->o_bd->be_rootndn ) ) {				op->o_dn = save_o_dn;				op->o_ndn = save_o_ndn;			}			switch ( ret ) {			case LDAP_SUCCESS :				stop = 0;				if ( !bvals ) {//.........这里部分代码省略.........

//.........这里部分代码省略.........		{			return 0;		}		break;	case SLAP_ACI_SCOPE_SUBTREE:		/* TODO: add assertion? */		return 0;	}	/* get the list of permissions clauses, bail if empty */	if ( acl_get_part( aci, 2, '#', &perms ) <= 0 ) {		LDAP_BUG();		return 0;	}	/* check if any permissions allow desired access */	if ( aci_list_get_rights( &perms, &desc->ad_cname, val, grant, deny ) == 0 ) {		return 0;	}	/* see if we have a DN match */	if ( acl_get_part( aci, 3, '#', &type ) < 0 ) {		LDAP_BUG();		return 0;	}	/* see if we have a public (i.e. anonymous) access */	if ( ber_bvcmp( &aci_bv[ ACI_BV_PUBLIC ], &type ) == 0 ) {		return 1;	}	/* otherwise require an identity */	if ( BER_BVISNULL( &op->o_ndn ) || BER_BVISEMPTY( &op->o_ndn ) ) {		return 0;	}	/* see if we have a users access */	if ( ber_bvcmp( &aci_bv[ ACI_BV_USERS ], &type ) == 0 ) {		return 1;	}	/* NOTE: this may fail if a DN contains a valid '#' (unescaped);	 * just grab all the berval up to its end (ITS#3303).	 * NOTE: the problem could be solved by providing the DN with	 * the embedded '#' encoded as hexpairs: "cn=Foo#Bar" would	 * become "cn=Foo/23Bar" and be safely used by aci_mask(). */#if 0	if ( acl_get_part( aci, 4, '#', &sdn ) < 0 ) {		return 0;	}#endif	sdn.bv_val = type.bv_val + type.bv_len + STRLENOF( "#" );	sdn.bv_len = aci->bv_len - ( sdn.bv_val - aci->bv_val );	/* get the type options, if any */	if ( acl_get_part( &type, 1, '/', &opts ) > 0 ) {		opts.bv_len = type.bv_len - ( opts.bv_val - type.bv_val );		type.bv_len = opts.bv_val - type.bv_val - 1;	} else {		BER_BVZERO( &opts );	}	if ( ber_bvcmp( &aci_bv[ ACI_BV_ACCESS_ID ], &type ) == 0 ) {		return dn_match( &op->o_ndn, &sdn );

static intOpenLDAPaciPrettyNormal(	struct berval	*val,	struct berval	*out,	void		*ctx,	int		normalize ){	struct berval	oid = BER_BVNULL,			scope = BER_BVNULL,			rights = BER_BVNULL,			nrights = BER_BVNULL,			type = BER_BVNULL,			ntype = BER_BVNULL,			subject = BER_BVNULL,			nsubject = BER_BVNULL;	int		idx,			rc = LDAP_SUCCESS,			freesubject = 0,			freetype = 0;	char		*ptr;	BER_BVZERO( out );	if ( BER_BVISEMPTY( val ) ) {		Debug( LDAP_DEBUG_ACL, "aciPrettyNormal: value is empty/n" );		return LDAP_INVALID_SYNTAX;	}	/* oid: if valid, it's already normalized */	if ( acl_get_part( val, 0, '#', &oid ) < 0 ||		numericoidValidate( NULL, &oid ) != LDAP_SUCCESS )	{		Debug( LDAP_DEBUG_ACL, "aciPrettyNormal: invalid oid '%s'/n", oid.bv_val );		return LDAP_INVALID_SYNTAX;	}	/* scope: normalize by replacing with OpenLDAPaciscopes */	if ( acl_get_part( val, 1, '#', &scope ) < 0 ) {		Debug( LDAP_DEBUG_ACL, "aciPrettyNormal: missing scope in '%s'/n", val->bv_val );		return LDAP_INVALID_SYNTAX;	}	idx = bv_getcaseidx( &scope, OpenLDAPaciscopes );	if ( idx == -1 ) {		Debug( LDAP_DEBUG_ACL, "aciPrettyNormal: invalid scope '%s'/n", scope.bv_val );		return LDAP_INVALID_SYNTAX;	}	scope = *OpenLDAPaciscopes[ idx ];	/* rights */	if ( acl_get_part( val, 2, '#', &rights ) < 0 ) {		Debug( LDAP_DEBUG_ACL, "aciPrettyNormal: missing rights in '%s'/n", val->bv_val );		return LDAP_INVALID_SYNTAX;	}	if ( OpenLDAPaciNormalizeRights( &rights, &nrights, ctx )		!= LDAP_SUCCESS )	{		return LDAP_INVALID_SYNTAX;	}	/* type */	if ( acl_get_part( val, 3, '#', &type ) < 0 ) {		Debug( LDAP_DEBUG_ACL, "aciPrettyNormal: missing type in '%s'/n", val->bv_val );		rc = LDAP_INVALID_SYNTAX;		goto cleanup;	}	idx = bv_getcaseidx( &type, OpenLDAPacitypes );	if ( idx == -1 ) {		struct berval	isgr;		if ( acl_get_part( &type, 0, '/', &isgr ) < 0 ) {		        Debug( LDAP_DEBUG_ACL, "aciPrettyNormal: invalid type '%s'/n", type.bv_val );			rc = LDAP_INVALID_SYNTAX;			goto cleanup;		}		idx = bv_getcaseidx( &isgr, OpenLDAPacitypes );		if ( idx == -1 || idx >= LAST_OPTIONAL ) {		        Debug( LDAP_DEBUG_ACL, "aciPrettyNormal: invalid type '%s'/n", isgr.bv_val );			rc = LDAP_INVALID_SYNTAX;			goto cleanup;		}	}	ntype = *OpenLDAPacitypes[ idx ];	/* subject */	bv_get_tail( val, &type, &subject );	if ( BER_BVISEMPTY( &subject ) || subject.bv_val[ 0 ] != '#' ) {	        Debug( LDAP_DEBUG_ACL, "aciPrettyNormal: missing subject in '%s'/n", val->bv_val );		rc = LDAP_INVALID_SYNTAX;		goto cleanup;	}	subject.bv_val++;	subject.bv_len--;	if ( idx < LAST_DNVALUED ) {		/* FIXME: pass DN syntax? */		if ( normalize ) {			rc = dnNormalize( 0, NULL, NULL,//.........这里部分代码省略.........

//.........这里部分代码省略.........#endif /* LIBERAL_CHANGETYPE_MODOP */			expect_modop = 0;			expect_sep = 1;			if ( BV_CASEMATCH( btype+i, &BV_MODOPADD )) {				modop = LDAP_MOD_ADD;				mops[i] = M_SEP;				nmods--;			} else if ( BV_CASEMATCH( btype+i, &BV_MODOPREPLACE )) {			/* defer handling these since they might have no values.			 * Use the BVALUES flag to signal that these were			 * deferred. If values are provided later, this			 * flag will be switched off.			 */				modop = LDAP_MOD_REPLACE;				mops[i] = modop | LDAP_MOD_BVALUES;				btype[i] = vals[i];			} else if ( BV_CASEMATCH( btype+i, &BV_MODOPDELETE )) {				modop = LDAP_MOD_DELETE;				mops[i] = modop | LDAP_MOD_BVALUES;				btype[i] = vals[i];			} else if ( BV_CASEMATCH( btype+i, &BV_MODOPINCREMENT )) {				modop = LDAP_MOD_INCREMENT;				mops[i] = M_SEP;				nmods--;			} else {	/* no modify op: invalid LDIF */				fprintf( stderr, _("%s: modify operation type is missing at"					" line %d, entry /"%s/"/n"),					prog, linenum+i, dn );				rc = LDAP_PARAM_ERROR;				goto leave;			}			bv = vals[i];		} else if ( expect_sep && BER_BVISEMPTY( btype+i )) {			mops[i] = M_SEP;			expect_sep = 0;			expect_modop = 1;			nmods--;		} else {			if ( !BV_CASEMATCH( btype+i, &bv )) {				fprintf( stderr, _("%s: wrong attributeType at"					" line %d, entry /"%s/"/n"),					prog, linenum+i, dn );				rc = LDAP_PARAM_ERROR;				goto leave;			}			mops[i] = modop;			/* If prev op was deferred and matches this type,			 * clear the flag			 */			if ( (mops[i-1] & LDAP_MOD_BVALUES)				&& BV_CASEMATCH( btype+i, btype+i-1 ))			{				mops[i-1] = M_SEP;				nmods--;			}		}	}#if 0	/* we should faithfully encode the LDIF, not combine */	/* Make sure all modops with multiple values are contiguous */	for (i=idn; i<lines; i++) {		if ( mops[i] == M_SEP )			continue;		for (j=i+1; j<lines; j++) {			if ( mops[j] == M_SEP || mops[i] != mops[j] )

intdnssrv_back_referrals(    Operation	*op,    SlapReply	*rs ){	int i;	int rc = LDAP_OTHER;	char *domain = NULL;	char *hostlist = NULL;	char **hosts = NULL;	BerVarray urls = NULL;	if ( BER_BVISEMPTY( &op->o_req_dn ) ) {		/* FIXME: need some means to determine whether the database		 * is a glue instance */		if ( SLAP_GLUE_INSTANCE( op->o_bd ) ) {			return LDAP_SUCCESS;		}		rs->sr_text = "DNS SRV operation upon null (empty) DN disallowed";		return LDAP_UNWILLING_TO_PERFORM;	}	if( get_manageDSAit( op ) ) {		if( op->o_tag == LDAP_REQ_SEARCH ) {			return LDAP_SUCCESS;		}		rs->sr_text = "DNS SRV problem processing manageDSAit control";		return LDAP_OTHER;	} 	if( ldap_dn2domain( op->o_req_dn.bv_val, &domain ) || domain == NULL ) {		rs->sr_err = LDAP_REFERRAL;		rs->sr_ref = default_referral;		send_ldap_result( op, rs );		rs->sr_ref = NULL;		return LDAP_REFERRAL;	}	Debug( LDAP_DEBUG_TRACE, "DNSSRV: dn=/"%s/" -> domain=/"%s/"/n",		op->o_req_dn.bv_val, domain, 0 );	i = ldap_domain2hostlist( domain, &hostlist );	if ( i ) {		Debug( LDAP_DEBUG_TRACE,			"DNSSRV: domain2hostlist(%s) returned %d/n",			domain, i, 0 );		rs->sr_text = "no DNS SRV RR available for DN";		rc = LDAP_NO_SUCH_OBJECT;		goto done;	}	hosts = ldap_str2charray( hostlist, " " );	if( hosts == NULL ) {		Debug( LDAP_DEBUG_TRACE, "DNSSRV: str2charrary error/n", 0, 0, 0 );		rs->sr_text = "problem processing DNS SRV records for DN";		goto done;	}	for( i=0; hosts[i] != NULL; i++) {		struct berval url;		url.bv_len = STRLENOF( "ldap://" ) + strlen( hosts[i] );		url.bv_val = ch_malloc( url.bv_len + 1 );		strcpy( url.bv_val, "ldap://" );		strcpy( &url.bv_val[STRLENOF( "ldap://" )], hosts[i] );		if ( ber_bvarray_add( &urls, &url ) < 0 ) {			free( url.bv_val );			rs->sr_text = "problem processing DNS SRV records for DN";			goto done;		}	}	Statslog( LDAP_DEBUG_STATS,	    "%s DNSSRV p=%d dn=/"%s/" url=/"%s/"/n",	    op->o_log_prefix, op->o_protocol,		op->o_req_dn.bv_val, urls[0].bv_val, 0 );	Debug( LDAP_DEBUG_TRACE, "DNSSRV: dn=/"%s/" -> url=/"%s/"/n",		op->o_req_dn.bv_val, urls[0].bv_val, 0 );	rs->sr_ref = urls;	send_ldap_error( op, rs, LDAP_REFERRAL,		"DNS SRV generated referrals" );	rs->sr_ref = NULL;	rc = LDAP_REFERRAL;done:	if( domain != NULL ) ch_free( domain );	if( hostlist != NULL ) ch_free( hostlist );	if( hosts != NULL ) ldap_charray_free( hosts );	ber_bvarray_free( urls );	return rc;}

static intcreate_baseObject(	BackendDB	*be,	const char	*fname,	int		lineno ){	backsql_info 	*bi = (backsql_info *)be->be_private;	LDAPRDN		rdn;	char		*p;	int		rc, iAVA;	char		buf[1024];	snprintf( buf, sizeof(buf),			"dn: %s/n"			"objectClass: extensibleObject/n"			"description: builtin baseObject for back-sql/n"			"description: all entries mapped "				"in table /"ldap_entries/" "				"must have "				"/"" BACKSQL_BASEOBJECT_IDSTR "/" "				"in the /"parent/" column",			be->be_suffix[0].bv_val );	bi->sql_baseObject = str2entry( buf );	if ( bi->sql_baseObject == NULL ) {		Debug( LDAP_DEBUG_TRACE,			"<==backsql_db_config (%s line %d): "			"unable to parse baseObject entry/n",			fname, lineno, 0 );		return 1;	}	if ( BER_BVISEMPTY( &be->be_suffix[ 0 ] ) ) {		return 0;	}	rc = ldap_bv2rdn( &be->be_suffix[ 0 ], &rdn, (char **)&p,			LDAP_DN_FORMAT_LDAP );	if ( rc != LDAP_SUCCESS ) {		snprintf( buf, sizeof(buf),			"unable to extract RDN "			"from baseObject DN /"%s/" (%d: %s)",			be->be_suffix[ 0 ].bv_val,			rc, ldap_err2string( rc ) );		Debug( LDAP_DEBUG_TRACE,			"<==backsql_db_config (%s line %d): %s/n",			fname, lineno, buf );		return 1;	}	for ( iAVA = 0; rdn[ iAVA ]; iAVA++ ) {		LDAPAVA				*ava = rdn[ iAVA ];		AttributeDescription		*ad = NULL;		slap_syntax_transform_func	*transf = NULL;		struct berval			bv = BER_BVNULL;		const char			*text = NULL;		assert( ava != NULL );		rc = slap_bv2ad( &ava->la_attr, &ad, &text );		if ( rc != LDAP_SUCCESS ) {			snprintf( buf, sizeof(buf),				"AttributeDescription of naming "				"attribute #%d from baseObject "				"DN /"%s/": %d: %s",				iAVA, be->be_suffix[ 0 ].bv_val,				rc, ldap_err2string( rc ) );			Debug( LDAP_DEBUG_TRACE,				"<==backsql_db_config (%s line %d): %s/n",				fname, lineno, buf );			return 1;		}				transf = ad->ad_type->sat_syntax->ssyn_pretty;		if ( transf ) {			/*	 		 * transform value by pretty function			 *	if value is empty, use empty_bv			 */			rc = ( *transf )( ad->ad_type->sat_syntax,				ava->la_value.bv_len					? &ava->la_value					: (struct berval *) &slap_empty_bv,				&bv, NULL );				if ( rc != LDAP_SUCCESS ) {				snprintf( buf, sizeof(buf),					"prettying of attribute #%d "					"from baseObject "					"DN /"%s/" failed: %d: %s",					iAVA, be->be_suffix[ 0 ].bv_val,					rc, ldap_err2string( rc ) );				Debug( LDAP_DEBUG_TRACE,					"<==backsql_db_config (%s line %d): "					"%s/n",					fname, lineno, buf );				return 1;			}		}//.........这里部分代码省略.........

static intOpenLDAPaciNormalizeRight(	struct berval	*action,	struct berval	*naction,	void		*ctx ){	struct berval	grantdeny,			perms = BER_BVNULL,			bv = BER_BVNULL;	int		idx,			i;	/* grant|deny */	if ( acl_get_part( action, 0, ';', &grantdeny ) < 0 ) {	        Debug( LDAP_DEBUG_ACL, "aciNormalizeRight: missing ';' in '%s'/n", action->bv_val );		return LDAP_INVALID_SYNTAX;	}	idx = bv_getcaseidx( &grantdeny, ACIgrantdeny );	if ( idx == -1 ) {	        Debug( LDAP_DEBUG_ACL, "aciNormalizeRight: '%s' must be grant or deny/n", grantdeny.bv_val );		return LDAP_INVALID_SYNTAX;	}	ber_dupbv_x( naction, (struct berval *)ACIgrantdeny[ idx ], ctx );	for ( i = 1; acl_get_part( action, i, ';', &bv ) >= 0; i++ ) {		struct berval	nattrs = BER_BVNULL;		int		freenattrs = 1;		if ( i & 1 ) {			/* perms */			if ( OpenLDAPaciValidatePerms( &bv ) != LDAP_SUCCESS )			{				return LDAP_INVALID_SYNTAX;			}			perms = bv;		} else {			/* attr */			char		*ptr;			/* could be "[all]" or an attribute description */			if ( ber_bvstrcasecmp( &bv, &aci_bv[ ACI_BV_BR_ALL ] ) == 0 ) {				nattrs = aci_bv[ ACI_BV_BR_ALL ];				freenattrs = 0;			} else {				AttributeDescription	*ad = NULL;				AttributeDescription	adstatic= { 0 };				const char		*text = NULL;				struct berval		attr, left, right;				int			j;				int			len;				for ( j = 0; acl_get_part( &bv, j, ',', &attr ) >= 0; j++ )				{					ad = NULL;					text = NULL;					/* openldap 2.1 aci compabitibility [entry] -> entry */					if ( ber_bvstrcasecmp( &attr, &aci_bv[ ACI_BV_BR_ENTRY ] ) == 0 ) {						ad = &adstatic;						adstatic.ad_cname = aci_bv[ ACI_BV_ENTRY ];					/* openldap 2.1 aci compabitibility [children] -> children */					} else if ( ber_bvstrcasecmp( &attr, &aci_bv[ ACI_BV_BR_CHILDREN ] ) == 0 ) {						ad = &adstatic;						adstatic.ad_cname = aci_bv[ ACI_BV_CHILDREN ];					/* openldap 2.1 aci compabitibility [all] -> only [all] */					} else if ( ber_bvstrcasecmp( &attr, &aci_bv[ ACI_BV_BR_ALL ] ) == 0 ) {						ber_memfree_x( nattrs.bv_val, ctx );						nattrs = aci_bv[ ACI_BV_BR_ALL ];						freenattrs = 0;						break;					} else if ( acl_get_part( &attr, 0, '=', &left ) < 0				     		|| acl_get_part( &attr, 1, '=', &right ) < 0 )					{						if ( slap_bv2ad( &attr, &ad, &text ) != LDAP_SUCCESS )						{							ber_memfree_x( nattrs.bv_val, ctx );							Debug( LDAP_DEBUG_ACL, "aciNormalizeRight: unknown attribute: '%s'/n", attr.bv_val );							return LDAP_INVALID_SYNTAX;						}					} else {						if ( slap_bv2ad( &left, &ad, &text ) != LDAP_SUCCESS )						{							ber_memfree_x( nattrs.bv_val, ctx );							Debug( LDAP_DEBUG_ACL, "aciNormalizeRight: unknown attribute: '%s'/n", left.bv_val );							return LDAP_INVALID_SYNTAX;						}					}					len = nattrs.bv_len + ( !BER_BVISEMPTY( &nattrs ) ? STRLENOF( "," ) : 0 )				      		+ ad->ad_cname.bv_len;					nattrs.bv_val = ber_memrealloc_x( nattrs.bv_val, len + 1, ctx );	                        	ptr = &nattrs.bv_val[ nattrs.bv_len ];					if ( !BER_BVISEMPTY( &nattrs ) ) {						*ptr++ = ',';//.........这里部分代码省略.........

intdnssrv_back_search(    Operation	*op,    SlapReply	*rs ){	int i;	int rc;	char *domain = NULL;	char *hostlist = NULL;	char **hosts = NULL;	char *refdn;	struct berval nrefdn = BER_BVNULL;	BerVarray urls = NULL;	int manageDSAit;	rs->sr_ref = NULL;	if ( BER_BVISEMPTY( &op->o_req_ndn ) ) {		/* FIXME: need some means to determine whether the database		 * is a glue instance; if we got here with empty DN, then		 * we passed this same test in dnssrv_back_referrals() */		if ( !SLAP_GLUE_INSTANCE( op->o_bd ) ) {			rs->sr_err = LDAP_UNWILLING_TO_PERFORM;			rs->sr_text = "DNS SRV operation upon null (empty) DN disallowed";		} else {			rs->sr_err = LDAP_SUCCESS;		}		goto done;	}	manageDSAit = get_manageDSAit( op );	/*	 * FIXME: we may return a referral if manageDSAit is not set	 */	if ( !manageDSAit ) {		send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM,				"manageDSAit must be set" );		goto done;	}	if( ldap_dn2domain( op->o_req_dn.bv_val, &domain ) || domain == NULL ) {		rs->sr_err = LDAP_REFERRAL;		rs->sr_ref = default_referral;		send_ldap_result( op, rs );		rs->sr_ref = NULL;		goto done;	}	Debug( LDAP_DEBUG_TRACE, "DNSSRV: dn=/"%s/" -> domain=/"%s/"/n",		op->o_req_dn.bv_len ? op->o_req_dn.bv_val : "", domain );	if( ( rc = ldap_domain2hostlist( domain, &hostlist ) ) ) {		Debug( LDAP_DEBUG_TRACE, "DNSSRV: domain2hostlist returned %d/n",			rc );		send_ldap_error( op, rs, LDAP_NO_SUCH_OBJECT,			"no DNS SRV RR available for DN" );		goto done;	}	hosts = ldap_str2charray( hostlist, " " );	if( hosts == NULL ) {		Debug( LDAP_DEBUG_TRACE, "DNSSRV: str2charray error/n" );		send_ldap_error( op, rs, LDAP_OTHER,			"problem processing DNS SRV records for DN" );		goto done;	}	for( i=0; hosts[i] != NULL; i++) {		struct berval url;		url.bv_len = STRLENOF( "ldap://" ) + strlen(hosts[i]);		url.bv_val = ch_malloc( url.bv_len + 1 );		strcpy( url.bv_val, "ldap://" );		strcpy( &url.bv_val[STRLENOF( "ldap://" )], hosts[i] );		if( ber_bvarray_add( &urls, &url ) < 0 ) {			free( url.bv_val );			send_ldap_error( op, rs, LDAP_OTHER,			"problem processing DNS SRV records for DN" );			goto done;		}	}	Debug( LDAP_DEBUG_STATS,	    "%s DNSSRV p=%d dn=/"%s/" url=/"%s/"/n",	    op->o_log_prefix, op->o_protocol,		op->o_req_dn.bv_len ? op->o_req_dn.bv_val : "", urls[0].bv_val );	Debug( LDAP_DEBUG_TRACE,		"DNSSRV: ManageDSAit scope=%d dn=/"%s/" -> url=/"%s/"/n",		op->oq_search.rs_scope,		op->o_req_dn.bv_len ? op->o_req_dn.bv_val : "",		urls[0].bv_val );	rc = ldap_domain2dn(domain, &refdn);	if( rc != LDAP_SUCCESS ) {//.........这里部分代码省略.........

static intOpenLDAPaciValidate(	Syntax		*syntax,	struct berval	*val ){	struct berval	oid = BER_BVNULL,			scope = BER_BVNULL,			rights = BER_BVNULL,			type = BER_BVNULL,			subject = BER_BVNULL;	int		idx;	int		rc;	if ( BER_BVISEMPTY( val ) ) {		Debug( LDAP_DEBUG_ACL, "aciValidatet: value is empty/n" );		return LDAP_INVALID_SYNTAX;	}	/* oid */	if ( acl_get_part( val, 0, '#', &oid ) < 0 ||		numericoidValidate( NULL, &oid ) != LDAP_SUCCESS )	{		/* NOTE: the numericoidValidate() is rather pedantic;		 * I'd replace it with X-ORDERED VALUES so that		 * it's guaranteed values are maintained and used		 * in the desired order */		Debug( LDAP_DEBUG_ACL, "aciValidate: invalid oid '%s'/n", oid.bv_val );		return LDAP_INVALID_SYNTAX;	}	/* scope */	if ( acl_get_part( val, 1, '#', &scope ) < 0 ||		bv_getcaseidx( &scope, OpenLDAPaciscopes ) == -1 )	{		Debug( LDAP_DEBUG_ACL, "aciValidate: invalid scope '%s'/n", scope.bv_val );		return LDAP_INVALID_SYNTAX;	}	/* rights */	if ( acl_get_part( val, 2, '#', &rights ) < 0 ||		OpenLDAPaciValidateRights( &rights ) != LDAP_SUCCESS )	{		return LDAP_INVALID_SYNTAX;	}	/* type */	if ( acl_get_part( val, 3, '#', &type ) < 0 ) {		Debug( LDAP_DEBUG_ACL, "aciValidate: missing type in '%s'/n", val->bv_val );		return LDAP_INVALID_SYNTAX;	}	idx = bv_getcaseidx( &type, OpenLDAPacitypes );	if ( idx == -1 ) {		struct berval	isgr;		if ( acl_get_part( &type, 0, '/', &isgr ) < 0 ) {			Debug( LDAP_DEBUG_ACL, "aciValidate: invalid type '%s'/n", type.bv_val );			return LDAP_INVALID_SYNTAX;		}		idx = bv_getcaseidx( &isgr, OpenLDAPacitypes );		if ( idx == -1 || idx >= LAST_OPTIONAL ) {			Debug( LDAP_DEBUG_ACL, "aciValidate: invalid type '%s'/n", isgr.bv_val );			return LDAP_INVALID_SYNTAX;		}	}	/* subject */	bv_get_tail( val, &type, &subject );	if ( subject.bv_val[ 0 ] != '#' ) {		Debug( LDAP_DEBUG_ACL, "aciValidate: missing subject in '%s'/n", val->bv_val );		return LDAP_INVALID_SYNTAX;	}	if ( idx >= LAST_DNVALUED ) {		if ( OpenLDAPacitypes[ idx ] == &aci_bv[ ACI_BV_DNATTR ] ) {			AttributeDescription	*ad = NULL;			const char		*text = NULL;			rc = slap_bv2ad( &subject, &ad, &text );			if ( rc != LDAP_SUCCESS ) {				Debug( LDAP_DEBUG_ACL, "aciValidate: unknown dn attribute '%s'/n", subject.bv_val );				return LDAP_INVALID_SYNTAX;			}			if ( ad->ad_type->sat_syntax != slap_schema.si_syn_distinguishedName ) {				/* FIXME: allow nameAndOptionalUID? */				Debug( LDAP_DEBUG_ACL, "aciValidate: wrong syntax for dn attribute '%s'/n", subject.bv_val );				return LDAP_INVALID_SYNTAX;			}		}		/* not a DN */		return LDAP_SUCCESS;	} else if ( OpenLDAPacitypes[ idx ] == &aci_bv[ ACI_BV_GROUP ]			|| OpenLDAPacitypes[ idx ] == &aci_bv[ ACI_BV_ROLE ] )	{		/* do {group|role}/oc/at check */		struct berval	ocbv = BER_BVNULL,				atbv = BER_BVNULL;//.........这里部分代码省略.........