]> git.sur5r.net Git - openldap/blob - servers/slapd/acl.c
fix negative counters; prepare for imrpved count of sent data
[openldap] / servers / slapd / acl.c
1 /* acl.c - routines to parse and check acl's */
2 /* $OpenLDAP$ */
3 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
4  *
5  * Copyright 1998-2004 The OpenLDAP Foundation.
6  * All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted only as authorized by the OpenLDAP
10  * Public License.
11  *
12  * A copy of this license is available in the file LICENSE in the
13  * top-level directory of the distribution or, alternatively, at
14  * <http://www.OpenLDAP.org/license.html>.
15  */
16 /* Portions Copyright (c) 1995 Regents of the University of Michigan.
17  * All rights reserved.
18  *
19  * Redistribution and use in source and binary forms are permitted
20  * provided that this notice is preserved and that due credit is given
21  * to the University of Michigan at Ann Arbor. The name of the University
22  * may not be used to endorse or promote products derived from this
23  * software without specific prior written permission. This software
24  * is provided ``as is'' without express or implied warranty.
25  */
26
27 #include "portable.h"
28
29 #include <stdio.h>
30
31 #include <ac/regex.h>
32 #include <ac/socket.h>
33 #include <ac/string.h>
34
35 #include "slap.h"
36 #include "sets.h"
37 #include "lber_pvt.h"
38
39 #ifdef LDAP_SLAPI
40 #include "slapi/slapi.h"
41 #endif /* LDAPI_SLAPI */
42
43 #define ACL_BUF_SIZE    1024    /* use most appropriate size */
44
45 /*
46  * speed up compares
47  */
48 static struct berval 
49         aci_bv_entry            = BER_BVC("entry"),
50         aci_bv_children         = BER_BVC("children"),
51         aci_bv_br_entry         = BER_BVC("[entry]"),
52         aci_bv_br_all           = BER_BVC("[all]"),
53         aci_bv_access_id        = BER_BVC("access-id"),
54         aci_bv_anonymous        = BER_BVC("anonymous"),
55         aci_bv_public           = BER_BVC("public"),
56         aci_bv_users            = BER_BVC("users"),
57         aci_bv_self             = BER_BVC("self"),
58         aci_bv_dnattr           = BER_BVC("dnattr"),
59         aci_bv_group            = BER_BVC("group"),
60         aci_bv_role             = BER_BVC("role"),
61         aci_bv_set              = BER_BVC("set"),
62         aci_bv_set_ref          = BER_BVC("set-ref"),
63         aci_bv_grant            = BER_BVC("grant"),
64         aci_bv_deny             = BER_BVC("deny"),
65
66         aci_bv_ip_eq            = BER_BVC("IP="),
67 #ifdef LDAP_PF_LOCAL
68         aci_bv_path_eq          = BER_BVC("PATH="),
69         aci_bv_dirsep           = BER_BVC(LDAP_DIRSEP),
70 #endif /* LDAP_PF_LOCAL */
71         
72         aci_bv_group_class      = BER_BVC(SLAPD_GROUP_CLASS),
73         aci_bv_group_attr       = BER_BVC(SLAPD_GROUP_ATTR),
74         aci_bv_role_class       = BER_BVC(SLAPD_ROLE_CLASS),
75         aci_bv_role_attr        = BER_BVC(SLAPD_ROLE_ATTR),
76         aci_bv_set_attr         = BER_BVC(SLAPD_ACI_SET_ATTR);
77
78
79 static AccessControl * acl_get(
80         AccessControl *ac, int *count,
81         Operation *op, Entry *e,
82         AttributeDescription *desc,
83         struct berval *val,
84         int nmatches, regmatch_t *matches,
85         AccessControlState *state );
86
87 static slap_control_t acl_mask(
88         AccessControl *ac, slap_mask_t *mask,
89         Operation *op, Entry *e,
90         AttributeDescription *desc,
91         struct berval *val,
92         regmatch_t *matches,
93         int count,
94         AccessControlState *state );
95
96 #ifdef SLAPD_ACI_ENABLED
97 static int aci_mask(
98         Operation *op, Entry *e,
99         AttributeDescription *desc,
100         struct berval *val,
101         struct berval *aci,
102         regmatch_t *matches,
103         slap_access_t *grant,
104         slap_access_t *deny,
105         struct berval *scope);
106 #endif
107
108 static int      regex_matches(
109         struct berval *pat, char *str, char *buf, regmatch_t *matches);
110 static void     string_expand(
111         struct berval *newbuf, struct berval *pattern,
112         char *match, regmatch_t *matches);
113
114 typedef struct AciSetCookie {
115         Operation *op;
116         Entry *e;
117 } AciSetCookie;
118
119 SLAP_SET_GATHER aci_set_gather;
120 static int aci_match_set ( struct berval *subj, Operation *op,
121     Entry *e, int setref );
122
123 /*
124  * access_allowed - check whether op->o_ndn is allowed the requested access
125  * to entry e, attribute attr, value val.  if val is null, access to
126  * the whole attribute is assumed (all values).
127  *
128  * This routine loops through all access controls and calls
129  * acl_mask() on each applicable access control.
130  * The loop exits when a definitive answer is reached or
131  * or no more controls remain.
132  *
133  * returns:
134  *              0       access denied
135  *              1       access granted
136  *
137  * Notes:
138  * - can be legally called with op == NULL
139  * - can be legally called with op->o_bd == NULL
140  */
141
142 int
143 access_allowed_mask(
144         Operation               *op,
145         Entry           *e,
146         AttributeDescription    *desc,
147         struct berval   *val,
148         slap_access_t   access,
149         AccessControlState *state,
150         slap_mask_t *maskp )
151 {
152         int                             ret = 1;
153         int                             count;
154         AccessControl                   *a = NULL;
155         Backend *be;
156         int     be_null = 0;
157
158 #ifdef LDAP_DEBUG
159         char accessmaskbuf[ACCESSMASK_MAXLEN];
160 #endif
161         slap_mask_t mask;
162         slap_control_t control;
163         const char *attr;
164         regmatch_t matches[MAXREMATCHES];
165         int        st_same_attr = 0;
166         static AccessControlState state_init = ACL_STATE_INIT;
167
168         assert( e != NULL );
169         assert( desc != NULL );
170         assert( access > ACL_NONE );
171         if ( maskp ) ACL_INVALIDATE( *maskp );
172
173         attr = desc->ad_cname.bv_val;
174
175         assert( attr != NULL );
176
177         if( op && op->o_is_auth_check &&
178                 ( access == ACL_SEARCH || access == ACL_READ ))
179         {
180                 access = ACL_AUTH;
181         }
182
183         if( state ) {
184                 if ( state->as_vd_ad==desc) {
185                         if ( state->as_recorded ) {
186                                 if( state->as_recorded & ACL_STATE_RECORDED_NV &&
187                                         val == NULL )
188                                 {
189                                         return state->as_result;
190                                 } else if ( state->as_recorded & ACL_STATE_RECORDED_VD &&
191                                         val != NULL && state->as_vd_acl == NULL )
192                                 {
193                                         return state->as_result;
194                                 }
195                         }
196                         st_same_attr = 1;
197                 } else {
198                         *state = state_init;
199                 }
200
201                 state->as_vd_ad=desc;
202         }
203
204         Debug( LDAP_DEBUG_ACL,
205                 "=> access_allowed: %s access to \"%s\" \"%s\" requested\n",
206             access2str( access ), e->e_dn, attr );
207
208         if ( op == NULL ) {
209                 /* no-op call */
210                 goto done;
211         }
212
213         be = op->o_bd;
214         if ( be == NULL ) {
215                 be = &backends[0];
216                 be_null = 1;
217 #ifdef LDAP_DEVEL
218                 /*
219                  * FIXME: experimental; use first backend rules
220                  * iff there is no global_acl (ITS#3100) */
221                 if ( frontendDB->be_acl == NULL ) 
222 #endif
223                 {
224                         op->o_bd = be;
225                 }
226         }
227         assert( be != NULL );
228
229 #ifdef LDAP_SLAPI
230         if ( op->o_pb != NULL ) {
231                 ret = slapi_int_access_allowed( op, e, desc, val, access, state );
232                 if ( ret == 0 ) {
233                         /* ACL plugin denied access */
234                         goto done;
235                 }
236         }
237 #endif /* LDAP_SLAPI */
238
239         /* grant database root access */
240         if ( be != NULL && be_isroot( op ) ) {
241                 Debug( LDAP_DEBUG_ACL,
242                     "<= root access granted\n",
243                         0, 0, 0 );
244                 if ( maskp ) {
245                         mask = ACL_LVL_WRITE;
246                 }
247
248                 goto done;
249         }
250
251         /*
252          * no-user-modification operational attributes are ignored
253          * by ACL_WRITE checking as any found here are not provided
254          * by the user
255          */
256         if ( access >= ACL_WRITE && is_at_no_user_mod( desc->ad_type )
257                 && desc != slap_schema.si_ad_entry
258                 && desc != slap_schema.si_ad_children )
259         {
260                 Debug( LDAP_DEBUG_ACL, "NoUserMod Operational attribute:"
261                         " %s access granted\n",
262                         attr, 0, 0 );
263                 goto done;
264         }
265
266         /* use backend default access if no backend acls */
267         if( be != NULL && be->be_acl == NULL ) {
268                 Debug( LDAP_DEBUG_ACL,
269                         "=> access_allowed: backend default %s access %s to \"%s\"\n",
270                         access2str( access ),
271                         be->be_dfltaccess >= access ? "granted" : "denied",
272                         op->o_dn.bv_val ? op->o_dn.bv_val : "(anonymous)" );
273                 ret = be->be_dfltaccess >= access;
274
275                 if ( maskp ) {
276                         int     i;
277
278                         mask = ACL_PRIV_LEVEL;
279                         for ( i = ACL_NONE; i <= be->be_dfltaccess; i++ ) {
280                                 mask |= ACL_ACCESS2PRIV( i );
281                         }
282                 }
283
284                 goto done;
285
286 #ifdef notdef
287         /* be is always non-NULL */
288         /* use global default access if no global acls */
289         } else if ( be == NULL && frontendDB->be_acl == NULL ) {
290                 Debug( LDAP_DEBUG_ACL,
291                         "=> access_allowed: global default %s access %s to \"%s\"\n",
292                         access2str( access ),
293                         frontendDB->be_dfltaccess >= access ? "granted" : "denied", op->o_dn.bv_val );
294                 ret = frontendDB->be_dfltaccess >= access;
295
296                 if ( maskp ) {
297                         int     i;
298
299                         mask = ACL_PRIV_LEVEL;
300                         for ( i = ACL_NONE; i <= global_default_access; i++ ) {
301                                 mask |= ACL_ACCESS2PRIV( i );
302                         }
303                 }
304
305                 goto done;
306 #endif
307         }
308
309         ret = 0;
310         control = ACL_BREAK;
311
312         if( st_same_attr ) {
313                 assert( state->as_vd_acl != NULL );
314
315                 a = state->as_vd_acl;
316                 count = state->as_vd_acl_count;
317                 if ( !ACL_IS_INVALID( state->as_vd_acl_mask )) {
318                         mask = state->as_vd_acl_mask;
319                         AC_MEMCPY( matches, state->as_vd_acl_matches, sizeof(matches) );
320                         goto vd_access;
321                 }
322
323         } else {
324                 if ( state ) state->as_vi_acl = NULL;
325                 a = NULL;
326                 ACL_INIT(mask);
327                 count = 0;
328                 memset(matches, '\0', sizeof(matches));
329         }
330
331         while((a = acl_get( a, &count, op, e, desc, val,
332                 MAXREMATCHES, matches, state )) != NULL)
333         {
334                 int i;
335
336                 for (i = 0; i < MAXREMATCHES && matches[i].rm_so > 0; i++) {
337                         Debug( LDAP_DEBUG_ACL, "=> match[%d]: %d %d ", i,
338                             (int)matches[i].rm_so, (int)matches[i].rm_eo );
339                         if( matches[i].rm_so <= matches[0].rm_eo ) {
340                                 int n;
341                                 for ( n = matches[i].rm_so; n < matches[i].rm_eo; n++) {
342                                         Debug( LDAP_DEBUG_ACL, "%c", e->e_ndn[n], 0, 0 );
343                                 }
344                         }
345                         Debug( LDAP_DEBUG_ARGS, "\n", 0, 0, 0 );
346                 }
347
348                 if (state) {
349                         if (state->as_vi_acl == a && (state->as_recorded & ACL_STATE_RECORDED_NV)) {
350                                 Debug( LDAP_DEBUG_ACL, "access_allowed: result from state (%s)\n", attr, 0, 0 );
351                                 ret = state->as_result;
352                                 goto done;
353                         } else {
354                                 Debug( LDAP_DEBUG_ACL, "access_allowed: no res from state (%s)\n", attr, 0, 0);
355                         }
356                 }
357
358 vd_access:
359                 control = acl_mask( a, &mask, op,
360                         e, desc, val, matches, count, state );
361
362                 if ( control != ACL_BREAK ) {
363                         break;
364                 }
365
366                 memset(matches, '\0', sizeof(matches));
367         }
368
369         if ( ACL_IS_INVALID( mask ) ) {
370                 Debug( LDAP_DEBUG_ACL,
371                         "=> access_allowed: \"%s\" (%s) invalid!\n",
372                         e->e_dn, attr, 0 );
373                 ACL_INIT(mask);
374
375         } else if ( control == ACL_BREAK ) {
376                 Debug( LDAP_DEBUG_ACL,
377                         "=> access_allowed: no more rules\n", 0, 0, 0);
378
379                 goto done;
380         }
381
382         Debug( LDAP_DEBUG_ACL,
383                 "=> access_allowed: %s access %s by %s\n",
384                 access2str( access ),
385                 ACL_GRANT(mask, access) ? "granted" : "denied",
386                 accessmask2str( mask, accessmaskbuf ) );
387
388         ret = ACL_GRANT(mask, access);
389
390 done:
391         if( state != NULL ) {
392                 /* If not value-dependent, save ACL in case of more attrs */
393                 if ( !(state->as_recorded & ACL_STATE_RECORDED_VD) ) {
394                         state->as_vi_acl = a;
395                         state->as_result = ret;
396                 }
397                 state->as_recorded |= ACL_STATE_RECORDED;
398         }
399         if (be_null) op->o_bd = NULL;
400         if ( maskp ) *maskp = mask;
401         return ret;
402 }
403
404
405 /*
406  * acl_get - return the acl applicable to entry e, attribute
407  * attr.  the acl returned is suitable for use in subsequent calls to
408  * acl_access_allowed().
409  */
410
411 static AccessControl *
412 acl_get(
413         AccessControl *a,
414         int                     *count,
415         Operation       *op,
416         Entry           *e,
417         AttributeDescription *desc,
418         struct berval   *val,
419         int                     nmatch,
420         regmatch_t      *matches,
421         AccessControlState *state )
422 {
423         const char *attr;
424         int dnlen, patlen;
425         AccessControl *prev;
426
427         assert( e != NULL );
428         assert( count != NULL );
429         assert( desc != NULL );
430
431         attr = desc->ad_cname.bv_val;
432
433         assert( attr != NULL );
434
435         if( a == NULL ) {
436                 if( op->o_bd == NULL ) {
437                         a = frontendDB->be_acl;
438                 } else {
439                         a = op->o_bd->be_acl;
440                 }
441                 prev = NULL;
442
443                 assert( a != NULL );
444
445         } else {
446                 prev = a;
447                 a = a->acl_next;
448         }
449
450         dnlen = e->e_nname.bv_len;
451
452         for ( ; a != NULL; a = a->acl_next ) {
453                 (*count) ++;
454
455                 if ( a->acl_dn_pat.bv_len || ( a->acl_dn_style != ACL_STYLE_REGEX )) {
456                         if ( a->acl_dn_style == ACL_STYLE_REGEX ) {
457                                 Debug( LDAP_DEBUG_ACL, "=> dnpat: [%d] %s nsub: %d\n", 
458                                         *count, a->acl_dn_pat.bv_val, (int) a->acl_dn_re.re_nsub );
459                                 if (regexec(&a->acl_dn_re, e->e_ndn, nmatch, matches, 0))
460                                         continue;
461
462                         } else {
463                                 Debug( LDAP_DEBUG_ACL, "=> dn: [%d] %s\n", 
464                                         *count, a->acl_dn_pat.bv_val, 0 );
465                                 patlen = a->acl_dn_pat.bv_len;
466                                 if ( dnlen < patlen )
467                                         continue;
468
469                                 if ( a->acl_dn_style == ACL_STYLE_BASE ) {
470                                         /* base dn -- entire object DN must match */
471                                         if ( dnlen != patlen )
472                                                 continue;
473
474                                 } else if ( a->acl_dn_style == ACL_STYLE_ONE ) {
475                                         int     rdnlen = -1, sep = 0;
476
477                                         if ( dnlen <= patlen )
478                                                 continue;
479
480                                         if ( patlen > 0 ) {
481                                                 if ( !DN_SEPARATOR( e->e_ndn[dnlen - patlen - 1] ) )
482                                                         continue;
483                                                 sep = 1;
484                                         }
485
486                                         rdnlen = dn_rdnlen( NULL, &e->e_nname );
487                                         if ( rdnlen != dnlen - patlen - sep )
488                                                 continue;
489
490                                 } else if ( a->acl_dn_style == ACL_STYLE_SUBTREE ) {
491                                         if ( dnlen > patlen && !DN_SEPARATOR( e->e_ndn[dnlen - patlen - 1] ) )
492                                                 continue;
493
494                                 } else if ( a->acl_dn_style == ACL_STYLE_CHILDREN ) {
495                                         if ( dnlen <= patlen )
496                                                 continue;
497                                         if ( !DN_SEPARATOR( e->e_ndn[dnlen - patlen - 1] ) )
498                                                 continue;
499                                 }
500
501                                 if ( strcmp( a->acl_dn_pat.bv_val, e->e_ndn + dnlen - patlen ) != 0 )
502                                         continue;
503                         }
504
505                         Debug( LDAP_DEBUG_ACL, "=> acl_get: [%d] matched\n",
506                                 *count, 0, 0 );
507                 }
508
509                 if ( a->acl_attrs && !ad_inlist( desc, a->acl_attrs ) ) {
510                         matches[0].rm_so = matches[0].rm_eo = -1;
511                         continue;
512                 }
513
514                 /* Is this ACL only for a specific value? */
515                 if ( a->acl_attrval.bv_len ) {
516                         if ( val == NULL ) {
517                                 continue;
518                         }
519
520                         if( state && !( state->as_recorded & ACL_STATE_RECORDED_VD )) {
521                                 state->as_recorded |= ACL_STATE_RECORDED_VD;
522                                 state->as_vd_acl = prev;
523                                 state->as_vd_acl_count = *count;
524                                 state->as_vd_access = a->acl_access;
525                                 state->as_vd_access_count = 1;
526                                 ACL_INVALIDATE( state->as_vd_acl_mask );
527                         }
528
529                         if ( a->acl_attrval_style == ACL_STYLE_REGEX ) {
530                                 Debug( LDAP_DEBUG_ACL,
531                                         "acl_get: valpat %s\n",
532                                         a->acl_attrval.bv_val, 0, 0 );
533                                 if (regexec(&a->acl_attrval_re, val->bv_val, 0, NULL, 0))
534                                         continue;
535                         } else {
536                                 int match = 0;
537                                 const char *text;
538                                 Debug( LDAP_DEBUG_ACL,
539                                         "acl_get: val %s\n",
540                                         a->acl_attrval.bv_val, 0, 0 );
541         
542                                 if ( a->acl_attrs[0].an_desc->ad_type->sat_syntax != slap_schema.si_syn_distinguishedName ) {
543                                         if (value_match( &match, desc,
544                                                 desc->ad_type->sat_equality, 0,
545                                                 val, &a->acl_attrval, &text ) != LDAP_SUCCESS ||
546                                                         match )
547                                                 continue;
548                                         
549                                 } else {
550                                         int             patlen, vdnlen;
551         
552                                         patlen = a->acl_attrval.bv_len;
553                                         vdnlen = val->bv_len;
554         
555                                         if ( vdnlen < patlen )
556                                                 continue;
557         
558                                         if ( a->acl_dn_style == ACL_STYLE_BASE ) {
559                                                 if ( vdnlen > patlen )
560                                                         continue;
561         
562                                         } else if ( a->acl_dn_style == ACL_STYLE_ONE ) {
563                                                 int rdnlen = -1;
564         
565                                                 if ( !DN_SEPARATOR( val->bv_val[vdnlen - patlen - 1] ) )
566                                                         continue;
567         
568                                                 rdnlen = dn_rdnlen( NULL, val );
569                                                 if ( rdnlen != vdnlen - patlen - 1 )
570                                                         continue;
571         
572                                         } else if ( a->acl_dn_style == ACL_STYLE_SUBTREE ) {
573                                                 if ( vdnlen > patlen && !DN_SEPARATOR( val->bv_val[vdnlen - patlen - 1] ) )
574                                                         continue;
575         
576                                         } else if ( a->acl_dn_style == ACL_STYLE_CHILDREN ) {
577                                                 if ( vdnlen <= patlen )
578                                                         continue;
579         
580                                                 if ( !DN_SEPARATOR( val->bv_val[vdnlen - patlen - 1] ) )
581                                                         continue;
582                                         }
583         
584                                         if ( strcmp( a->acl_attrval.bv_val, val->bv_val + vdnlen - patlen ))
585                                                 continue;
586                                 }
587                         }
588                 }
589
590                 if ( a->acl_filter != NULL ) {
591                         ber_int_t rc = test_filter( NULL, e, a->acl_filter );
592                         if ( rc != LDAP_COMPARE_TRUE ) {
593                                 continue;
594                         }
595                 }
596
597                 Debug( LDAP_DEBUG_ACL, "=> acl_get: [%d] attr %s\n",
598                        *count, attr, 0);
599                 return a;
600         }
601
602         Debug( LDAP_DEBUG_ACL, "<= acl_get: done.\n", 0, 0, 0 );
603         return( NULL );
604 }
605
606 /*
607  * Record value-dependent access control state
608  */
609 #define ACL_RECORD_VALUE_STATE do { \
610                 if( state && !( state->as_recorded & ACL_STATE_RECORDED_VD )) { \
611                         state->as_recorded |= ACL_STATE_RECORDED_VD; \
612                         state->as_vd_acl = a; \
613                         AC_MEMCPY( state->as_vd_acl_matches, matches, \
614                                 sizeof( state->as_vd_acl_matches )) ; \
615                         state->as_vd_acl_count = count; \
616                         state->as_vd_access = b; \
617                         state->as_vd_access_count = i; \
618                 } \
619         } while( 0 )
620
621 /*
622  * acl_mask - modifies mask based upon the given acl and the
623  * requested access to entry e, attribute attr, value val.  if val
624  * is null, access to the whole attribute is assumed (all values).
625  *
626  * returns      0       access NOT allowed
627  *              1       access allowed
628  */
629
630 static slap_control_t
631 acl_mask(
632         AccessControl   *a,
633         slap_mask_t *mask,
634         Operation       *op,
635         Entry           *e,
636         AttributeDescription *desc,
637         struct berval   *val,
638         regmatch_t      *matches,
639         int     count,
640         AccessControlState *state )
641 {
642         int             i, odnlen, patlen;
643         Access  *b;
644 #ifdef LDAP_DEBUG
645         char accessmaskbuf[ACCESSMASK_MAXLEN];
646         char accessmaskbuf1[ACCESSMASK_MAXLEN];
647 #endif
648         const char *attr;
649
650         assert( a != NULL );
651         assert( mask != NULL );
652         assert( desc != NULL );
653
654         attr = desc->ad_cname.bv_val;
655
656         assert( attr != NULL );
657
658         Debug( LDAP_DEBUG_ACL,
659                 "=> acl_mask: access to entry \"%s\", attr \"%s\" requested\n",
660                 e->e_dn, attr, 0 );
661
662         Debug( LDAP_DEBUG_ACL,
663                 "=> acl_mask: to %s by \"%s\", (%s) \n",
664                 val ? "value" : "all values",
665                 op->o_ndn.bv_val ?  op->o_ndn.bv_val : "",
666                 accessmask2str( *mask, accessmaskbuf ) );
667
668
669         if( state && ( state->as_recorded & ACL_STATE_RECORDED_VD )
670                 && state->as_vd_acl == a )
671         {
672                 b = state->as_vd_access;
673                 i = state->as_vd_access_count;
674
675         } else {
676                 b = a->acl_access;
677                 i = 1;
678         }
679
680         for ( ; b != NULL; b = b->a_next, i++ ) {
681                 slap_mask_t oldmask, modmask;
682
683                 ACL_INVALIDATE( modmask );
684
685                 /* AND <who> clauses */
686                 if ( b->a_dn_pat.bv_len != 0 ) {
687                         Debug( LDAP_DEBUG_ACL, "<= check a_dn_pat: %s\n",
688                                 b->a_dn_pat.bv_val, 0, 0);
689                         /*
690                          * if access applies to the entry itself, and the
691                          * user is bound as somebody in the same namespace as
692                          * the entry, OR the given dn matches the dn pattern
693                          */
694                         if ( bvmatch( &b->a_dn_pat, &aci_bv_anonymous ) ) {
695                                 if ( op->o_ndn.bv_len != 0 ) {
696                                         continue;
697                                 }
698
699                         } else if ( bvmatch( &b->a_dn_pat, &aci_bv_users ) ) {
700                                 if ( op->o_ndn.bv_len == 0 ) {
701                                         continue;
702                                 }
703
704                         } else if ( bvmatch( &b->a_dn_pat, &aci_bv_self ) ) {
705                                 if ( op->o_ndn.bv_len == 0 ) {
706                                         continue;
707                                 }
708                                 
709                                 if ( e->e_dn == NULL || !dn_match( &e->e_nname, &op->o_ndn ) ) {
710                                         continue;
711                                 }
712
713                         } else if ( b->a_dn_style == ACL_STYLE_REGEX ) {
714                                 if ( !ber_bvccmp( &b->a_dn_pat, '*' ) ) {
715                                         int ret = regex_matches( &b->a_dn_pat,
716                                                 op->o_ndn.bv_val, e->e_ndn, matches );
717
718                                         if( ret == 0 ) {
719                                                 continue;
720                                         }
721                                 }
722
723                         } else {
724                                 struct berval pat;
725                                 int got_match = 0;
726
727                                 if ( e->e_dn == NULL )
728                                         continue;
729
730                                 if ( b->a_dn_expand ) {
731                                         struct berval bv;
732                                         char buf[ACL_BUF_SIZE];
733
734                                         bv.bv_len = sizeof( buf ) - 1;
735                                         bv.bv_val = buf;
736
737                                         string_expand(&bv, &b->a_dn_pat, 
738                                                         e->e_ndn, matches);
739                                         if ( dnNormalize(0, NULL, NULL, &bv, &pat, op->o_tmpmemctx ) != LDAP_SUCCESS ) {
740                                                 /* did not expand to a valid dn */
741                                                 continue;
742                                         }
743                                 } else {
744                                         pat = b->a_dn_pat;
745                                 }
746
747                                 patlen = pat.bv_len;
748                                 odnlen = op->o_ndn.bv_len;
749                                 if ( odnlen < patlen ) {
750                                         goto dn_match_cleanup;
751
752                                 }
753
754                                 if ( b->a_dn_style == ACL_STYLE_BASE ) {
755                                         /* base dn -- entire object DN must match */
756                                         if ( odnlen != patlen ) {
757                                                 goto dn_match_cleanup;
758                                         }
759
760                                 } else if ( b->a_dn_style == ACL_STYLE_ONE ) {
761                                         int rdnlen = -1;
762
763                                         if ( odnlen <= patlen ) {
764                                                 goto dn_match_cleanup;
765                                         }
766
767                                         if ( !DN_SEPARATOR( op->o_ndn.bv_val[odnlen - patlen - 1] ) ) {
768                                                 goto dn_match_cleanup;
769                                         }
770
771                                         rdnlen = dn_rdnlen( NULL, &op->o_ndn );
772                                         if ( rdnlen != odnlen - patlen - 1 ) {
773                                                 goto dn_match_cleanup;
774                                         }
775
776                                 } else if ( b->a_dn_style == ACL_STYLE_SUBTREE ) {
777                                         if ( odnlen > patlen && !DN_SEPARATOR( op->o_ndn.bv_val[odnlen - patlen - 1] ) ) {
778                                                 goto dn_match_cleanup;
779                                         }
780
781                                 } else if ( b->a_dn_style == ACL_STYLE_CHILDREN ) {
782                                         if ( odnlen <= patlen ) {
783                                                 goto dn_match_cleanup;
784                                         }
785
786                                         if ( !DN_SEPARATOR( op->o_ndn.bv_val[odnlen - patlen - 1] ) ) {
787                                                 goto dn_match_cleanup;
788                                         }
789                                 }
790
791                                 got_match = !strcmp( pat.bv_val, op->o_ndn.bv_val + odnlen - patlen );
792
793 dn_match_cleanup:;
794                                 if ( pat.bv_val != b->a_dn_pat.bv_val ) {
795                                         free( pat.bv_val );
796                                 }
797
798                                 if ( !got_match ) {
799                                         continue;
800                                 }
801                         }
802                 }
803
804                 if ( b->a_sockurl_pat.bv_len ) {
805                         if ( ! op->o_conn->c_listener ) {
806                                 continue;
807                         }
808                         Debug( LDAP_DEBUG_ACL, "<= check a_sockurl_pat: %s\n",
809                                 b->a_sockurl_pat.bv_val, 0, 0 );
810
811                         if ( !ber_bvccmp( &b->a_sockurl_pat, '*' ) ) {
812                                 if ( b->a_sockurl_style == ACL_STYLE_REGEX) {
813                                         if (!regex_matches( &b->a_sockurl_pat, op->o_conn->c_listener_url.bv_val,
814                                                         e->e_ndn, matches ) ) 
815                                         {
816                                                 continue;
817                                         }
818
819                                 } else if ( b->a_sockurl_style == ACL_STYLE_EXPAND ) {
820                                         struct berval   bv;
821                                         char buf[ACL_BUF_SIZE];
822
823                                         bv.bv_len = sizeof( buf ) - 1;
824                                         bv.bv_val = buf;
825                                         string_expand( &bv, &b->a_sockurl_pat, e->e_ndn, matches );
826
827                                         if ( ber_bvstrcasecmp( &bv, &op->o_conn->c_listener_url ) != 0 ) {
828                                                 continue;
829                                         }
830
831                                 } else {
832                                         if ( ber_bvstrcasecmp( &b->a_sockurl_pat, &op->o_conn->c_listener_url ) != 0 )
833                                                 continue;
834                                 }
835                         }
836                 }
837
838                 if ( b->a_domain_pat.bv_len ) {
839                         if ( !op->o_conn->c_peer_domain.bv_val ) {
840                                 continue;
841                         }
842                         Debug( LDAP_DEBUG_ACL, "<= check a_domain_pat: %s\n",
843                                 b->a_domain_pat.bv_val, 0, 0 );
844                         if ( !ber_bvccmp( &b->a_domain_pat, '*' ) ) {
845                                 if ( b->a_domain_style == ACL_STYLE_REGEX) {
846                                         if (!regex_matches( &b->a_domain_pat, op->o_conn->c_peer_domain.bv_val,
847                                                         e->e_ndn, matches ) ) 
848                                         {
849                                                 continue;
850                                         }
851                                 } else {
852                                         char buf[ACL_BUF_SIZE];
853
854                                         struct berval   cmp = op->o_conn->c_peer_domain;
855                                         struct berval   pat = b->a_domain_pat;
856
857                                         if ( b->a_domain_expand ) {
858                                                 struct berval bv;
859
860                                                 bv.bv_len = sizeof(buf) - 1;
861                                                 bv.bv_val = buf;
862
863                                                 string_expand(&bv, &b->a_domain_pat, e->e_ndn, matches);
864                                                 pat = bv;
865                                         }
866
867                                         if ( b->a_domain_style == ACL_STYLE_SUBTREE ) {
868                                                 int offset = cmp.bv_len - pat.bv_len;
869                                                 if ( offset < 0 ) {
870                                                         continue;
871                                                 }
872
873                                                 if ( offset == 1 || ( offset > 1 && cmp.bv_val[ offset - 1 ] != '.' ) ) {
874                                                         continue;
875                                                 }
876
877                                                 /* trim the domain */
878                                                 cmp.bv_val = &cmp.bv_val[ offset ];
879                                                 cmp.bv_len -= offset;
880                                         }
881                                         
882                                         if ( ber_bvstrcasecmp( &pat, &cmp ) != 0 ) {
883                                                 continue;
884                                         }
885                                 }
886                         }
887                 }
888
889                 if ( b->a_peername_pat.bv_len ) {
890                         if ( !op->o_conn->c_peer_name.bv_val ) {
891                                 continue;
892                         }
893                         Debug( LDAP_DEBUG_ACL, "<= check a_peername_path: %s\n",
894                                 b->a_peername_pat.bv_val, 0, 0 );
895                         if ( !ber_bvccmp( &b->a_peername_pat, '*' ) ) {
896                                 if ( b->a_peername_style == ACL_STYLE_REGEX ) {
897                                         if (!regex_matches( &b->a_peername_pat, op->o_conn->c_peer_name.bv_val,
898                                                         e->e_ndn, matches ) ) 
899                                         {
900                                                 continue;
901                                         }
902
903                                 } else {
904                                         /* try exact match */
905                                         if ( b->a_peername_style == ACL_STYLE_BASE ) {
906                                                 if ( ber_bvstrcasecmp( &b->a_peername_pat, &op->o_conn->c_peer_name ) != 0 ) {
907                                                         continue;
908                                                 }
909
910                                         } else if ( b->a_peername_style == ACL_STYLE_EXPAND ) {
911                                                 struct berval   bv;
912                                                 char buf[ACL_BUF_SIZE];
913
914                                                 bv.bv_len = sizeof( buf ) - 1;
915                                                 bv.bv_val = buf;
916                                                 string_expand( &bv, &b->a_peername_pat, e->e_ndn, matches );
917
918                                                 if ( ber_bvstrcasecmp( &bv, &op->o_conn->c_peer_name ) != 0 ) {
919                                                         continue;
920                                                 }
921
922                                         /* extract IP and try exact match */
923                                         } else if ( b->a_peername_style == ACL_STYLE_IP ) {
924                                                 char            *port;
925                                                 char            buf[] = "255.255.255.255";
926                                                 struct berval   ip;
927                                                 unsigned long   addr;
928                                                 int             port_number = -1;
929                                                 
930                                                 if ( strncasecmp( op->o_conn->c_peer_name.bv_val, 
931                                                                         aci_bv_ip_eq.bv_val, aci_bv_ip_eq.bv_len ) != 0 ) 
932                                                         continue;
933
934                                                 ip.bv_val = op->o_conn->c_peer_name.bv_val + aci_bv_ip_eq.bv_len;
935                                                 ip.bv_len = op->o_conn->c_peer_name.bv_len - aci_bv_ip_eq.bv_len;
936
937                                                 port = strrchr( ip.bv_val, ':' );
938                                                 if ( port ) {
939                                                         char    *next;
940                                                         
941                                                         ip.bv_len = port - ip.bv_val;
942                                                         ++port;
943                                                         port_number = strtol( port, &next, 10 );
944                                                         if ( next[0] != '\0' )
945                                                                 continue;
946                                                 }
947                                                 
948                                                 /* the port check can be anticipated here */
949                                                 if ( b->a_peername_port != -1 && port_number != b->a_peername_port )
950                                                         continue;
951                                                 
952                                                 /* address longer than expected? */
953                                                 if ( ip.bv_len >= sizeof(buf) )
954                                                         continue;
955
956                                                 AC_MEMCPY( buf, ip.bv_val, ip.bv_len );
957                                                 buf[ ip.bv_len ] = '\0';
958
959                                                 addr = inet_addr( buf );
960
961                                                 /* unable to convert? */
962                                                 if ( addr == (unsigned long)(-1) )
963                                                         continue;
964
965                                                 if ( (addr & b->a_peername_mask) != b->a_peername_addr )
966                                                         continue;
967
968 #ifdef LDAP_PF_LOCAL
969                                         /* extract path and try exact match */
970                                         } else if ( b->a_peername_style == ACL_STYLE_PATH ) {
971                                                 struct berval path;
972                                                 
973                                                 if ( strncmp( op->o_conn->c_peer_name.bv_val,
974                                                                         aci_bv_path_eq.bv_val, aci_bv_path_eq.bv_len ) != 0 )
975                                                         continue;
976
977                                                 path.bv_val = op->o_conn->c_peer_name.bv_val + aci_bv_path_eq.bv_len;
978                                                 path.bv_len = op->o_conn->c_peer_name.bv_len - aci_bv_path_eq.bv_len;
979
980                                                 if ( ber_bvcmp( &b->a_peername_pat, &path ) != 0 )
981                                                         continue;
982
983 #endif /* LDAP_PF_LOCAL */
984
985                                         /* exact match (very unlikely...) */
986                                         } else if ( ber_bvcmp( &op->o_conn->c_peer_name, &b->a_peername_pat ) != 0 ) {
987                                                         continue;
988                                         }
989                                 }
990                         }
991                 }
992
993                 if ( b->a_sockname_pat.bv_len ) {
994                         if ( !op->o_conn->c_sock_name.bv_val ) {
995                                 continue;
996                         }
997                         Debug( LDAP_DEBUG_ACL, "<= check a_sockname_path: %s\n",
998                                 b->a_sockname_pat.bv_val, 0, 0 );
999                         if ( !ber_bvccmp( &b->a_sockname_pat, '*' ) ) {
1000                                 if ( b->a_sockname_style == ACL_STYLE_REGEX) {
1001                                         if (!regex_matches( &b->a_sockname_pat, op->o_conn->c_sock_name.bv_val,
1002                                                         e->e_ndn, matches ) ) 
1003                                         {
1004                                                 continue;
1005                                         }
1006
1007                                 } else if ( b->a_sockname_style == ACL_STYLE_EXPAND ) {
1008                                         struct berval   bv;
1009                                         char buf[ACL_BUF_SIZE];
1010
1011                                         bv.bv_len = sizeof( buf ) - 1;
1012                                         bv.bv_val = buf;
1013                                         string_expand( &bv, &b->a_sockname_pat, e->e_ndn, matches );
1014
1015                                         if ( ber_bvstrcasecmp( &bv, &op->o_conn->c_sock_name ) != 0 ) {
1016                                                 continue;
1017                                         }
1018
1019                                 } else {
1020                                         if ( ber_bvstrcasecmp( &b->a_sockname_pat, &op->o_conn->c_sock_name ) != 0 )
1021                                                 continue;
1022                                 }
1023                         }
1024                 }
1025
1026                 if ( b->a_dn_at != NULL ) {
1027                         Attribute       *at;
1028                         struct berval   bv;
1029                         int rc, match = 0;
1030                         const char *text;
1031                         const char *attr = b->a_dn_at->ad_cname.bv_val;
1032
1033                         assert( attr != NULL );
1034
1035                         if ( op->o_ndn.bv_len == 0 ) {
1036                                 continue;
1037                         }
1038
1039                         Debug( LDAP_DEBUG_ACL, "<= check a_dn_at: %s\n",
1040                                 attr, 0, 0);
1041                         bv = op->o_ndn;
1042
1043                         /* see if asker is listed in dnattr */
1044                         for( at = attrs_find( e->e_attrs, b->a_dn_at );
1045                                 at != NULL;
1046                                 at = attrs_find( at->a_next, b->a_dn_at ) )
1047                         {
1048                                 if( value_find_ex( b->a_dn_at,
1049                                         SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH |
1050                                                 SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH,
1051                                         at->a_nvals,
1052                                         &bv, op->o_tmpmemctx ) == 0 )
1053                                 {
1054                                         /* found it */
1055                                         match = 1;
1056                                         break;
1057                                 }
1058                         }
1059
1060                         if( match ) {
1061                                 /* have a dnattr match. if this is a self clause then
1062                                  * the target must also match the op dn.
1063                                  */
1064                                 if ( b->a_dn_self ) {
1065                                         /* check if the target is an attribute. */
1066                                         if ( val == NULL ) continue;
1067
1068                                         /* target is attribute, check if the attribute value
1069                                          * is the op dn.
1070                                          */
1071                                         rc = value_match( &match, b->a_dn_at,
1072                                                 b->a_dn_at->ad_type->sat_equality, 0,
1073                                                 val, &bv, &text );
1074                                         /* on match error or no match, fail the ACL clause */
1075                                         if (rc != LDAP_SUCCESS || match != 0 )
1076                                                 continue;
1077                                 }
1078                         } else {
1079                                 /* no dnattr match, check if this is a self clause */
1080                                 if ( ! b->a_dn_self )
1081                                         continue;
1082
1083                                 ACL_RECORD_VALUE_STATE;
1084                                 
1085                                 /* this is a self clause, check if the target is an
1086                                  * attribute.
1087                                  */
1088                                 if ( val == NULL )
1089                                         continue;
1090
1091                                 /* target is attribute, check if the attribute value
1092                                  * is the op dn.
1093                                  */
1094                                 rc = value_match( &match, b->a_dn_at,
1095                                         b->a_dn_at->ad_type->sat_equality, 0,
1096                                         val, &bv, &text );
1097
1098                                 /* on match error or no match, fail the ACL clause */
1099                                 if (rc != LDAP_SUCCESS || match != 0 )
1100                                         continue;
1101                         }
1102                 }
1103
1104                 if ( b->a_group_pat.bv_len ) {
1105                         struct berval bv;
1106                         struct berval ndn = BER_BVNULL;
1107                         int rc;
1108
1109                         if ( op->o_ndn.bv_len == 0 ) {
1110                                 continue;
1111                         }
1112
1113                         /* b->a_group is an unexpanded entry name, expanded it should be an 
1114                          * entry with objectclass group* and we test to see if odn is one of
1115                          * the values in the attribute group
1116                          */
1117                         /* see if asker is listed in dnattr */
1118                         if ( b->a_group_style == ACL_STYLE_EXPAND ) {
1119                                 char buf[ACL_BUF_SIZE];
1120                                 bv.bv_len = sizeof(buf) - 1;
1121                                 bv.bv_val = buf; 
1122
1123                                 string_expand( &bv, &b->a_group_pat, e->e_ndn, matches );
1124                                 if ( dnNormalize( 0, NULL, NULL, &bv, &ndn, op->o_tmpmemctx ) != LDAP_SUCCESS ) {
1125                                         /* did not expand to a valid dn */
1126                                         continue;
1127                                 }
1128
1129                                 bv = ndn;
1130
1131                         } else {
1132                                 bv = b->a_group_pat;
1133                         }
1134
1135                         rc = backend_group( op, e, &bv, &op->o_ndn,
1136                                 b->a_group_oc, b->a_group_at );
1137
1138                         if ( ndn.bv_val ) free( ndn.bv_val );
1139
1140                         if ( rc != 0 ) {
1141                                 continue;
1142                         }
1143                 }
1144
1145                 if ( b->a_set_pat.bv_len != 0 ) {
1146                         struct berval bv;
1147                         char buf[ACL_BUF_SIZE];
1148                         if( b->a_set_style == ACL_STYLE_REGEX ){
1149                                 bv.bv_len = sizeof(buf) - 1;
1150                                 bv.bv_val = buf;
1151                                 string_expand( &bv, &b->a_set_pat, e->e_ndn, matches );
1152                         }else{
1153                                 bv = b->a_set_pat;
1154                         }
1155                         if (aci_match_set( &bv, op, e, 0 ) == 0) {
1156                                 continue;
1157                         }
1158                 }
1159
1160                 if ( b->a_authz.sai_ssf ) {
1161                         Debug( LDAP_DEBUG_ACL, "<= check a_authz.sai_ssf: ACL %u > OP %u\n",
1162                                 b->a_authz.sai_ssf, op->o_ssf, 0 );
1163                         if ( b->a_authz.sai_ssf >  op->o_ssf ) {
1164                                 continue;
1165                         }
1166                 }
1167
1168                 if ( b->a_authz.sai_transport_ssf ) {
1169                         Debug( LDAP_DEBUG_ACL,
1170                                 "<= check a_authz.sai_transport_ssf: ACL %u > OP %u\n",
1171                                 b->a_authz.sai_transport_ssf, op->o_transport_ssf, 0 );
1172                         if ( b->a_authz.sai_transport_ssf >  op->o_transport_ssf ) {
1173                                 continue;
1174                         }
1175                 }
1176
1177                 if ( b->a_authz.sai_tls_ssf ) {
1178                         Debug( LDAP_DEBUG_ACL,
1179                                 "<= check a_authz.sai_tls_ssf: ACL %u > OP %u\n",
1180                                 b->a_authz.sai_tls_ssf, op->o_tls_ssf, 0 );
1181                         if ( b->a_authz.sai_tls_ssf >  op->o_tls_ssf ) {
1182                                 continue;
1183                         }
1184                 }
1185
1186                 if ( b->a_authz.sai_sasl_ssf ) {
1187                         Debug( LDAP_DEBUG_ACL,
1188                                 "<= check a_authz.sai_sasl_ssf: ACL %u > OP %u\n",
1189                                 b->a_authz.sai_sasl_ssf, op->o_sasl_ssf, 0 );
1190                         if ( b->a_authz.sai_sasl_ssf >  op->o_sasl_ssf ) {
1191                                 continue;
1192                         }
1193                 }
1194
1195 #ifdef SLAPD_ACI_ENABLED
1196                 if ( b->a_aci_at != NULL ) {
1197                         Attribute       *at;
1198                         slap_access_t grant, deny, tgrant, tdeny;
1199                         struct berval parent_ndn, old_parent_ndn;
1200                         BerVarray bvals = NULL;
1201                         int ret,stop;
1202
1203                         /* this case works different from the others above.
1204                          * since aci's themselves give permissions, we need
1205                          * to first check b->a_access_mask, the ACL's access level.
1206                          */
1207
1208                         if ( e->e_nname.bv_len == 0 ) {
1209                                 /* no ACIs in the root DSE */
1210                                 continue;
1211                         }
1212
1213                         /* first check if the right being requested
1214                          * is allowed by the ACL clause.
1215                          */
1216                         if ( ! ACL_GRANT( b->a_access_mask, *mask ) ) {
1217                                 continue;
1218                         }
1219                         /* start out with nothing granted, nothing denied */
1220                         ACL_INIT(tgrant);
1221                         ACL_INIT(tdeny);
1222
1223                         /* get the aci attribute */
1224                         at = attr_find( e->e_attrs, b->a_aci_at );
1225                         if ( at != NULL ) {
1226 #if 0
1227                                 /* FIXME: this breaks acl caching;
1228                                  * see also ACL_RECORD_VALUE_STATE below */
1229                                 ACL_RECORD_VALUE_STATE;
1230 #endif
1231                                 /* the aci is an multi-valued attribute.  The
1232                                 * rights are determined by OR'ing the individual
1233                                 * rights given by the acis.
1234                                 */
1235                                 for ( i = 0; !BER_BVISNULL( &at->a_nvals[i] ); i++ ) {
1236                                         if (aci_mask( op,
1237                                                 e, desc, val,
1238                                                 &at->a_nvals[i],
1239                                                 matches, &grant, &deny,  &aci_bv_entry ) != 0)
1240                                         {
1241                                                 tgrant |= grant;
1242                                                 tdeny |= deny;
1243                                         }
1244                                 }
1245                                 Debug(LDAP_DEBUG_ACL, "<= aci_mask grant %s deny %s\n",
1246                                           accessmask2str(tgrant,accessmaskbuf), 
1247                                           accessmask2str(tdeny, accessmaskbuf1), 0);
1248
1249                         }
1250                         /* If the entry level aci didn't contain anything valid for the 
1251                          * current operation, climb up the tree and evaluate the
1252                          * acis with scope set to subtree
1253                          */
1254                         if( (tgrant == ACL_PRIV_NONE) && (tdeny == ACL_PRIV_NONE) ){
1255                                 dnParent(&(e->e_nname), &parent_ndn);
1256                                 while ( parent_ndn.bv_val != old_parent_ndn.bv_val ){
1257                                         old_parent_ndn = parent_ndn;
1258                                         Debug(LDAP_DEBUG_ACL, "checking ACI of %s\n", parent_ndn.bv_val, 0, 0);
1259                                         ret = backend_attribute(op, NULL, &parent_ndn, b->a_aci_at, &bvals, ACL_AUTH);
1260                                         switch(ret){
1261                                         case LDAP_SUCCESS :
1262                                                 stop = 0;
1263                                                 if (!bvals){
1264                                                         break;
1265                                                 }
1266
1267                                                 for( i = 0; bvals[i].bv_val != NULL; i++){
1268 #if 0
1269                                                         /* FIXME: this breaks acl caching;
1270                                                          * see also ACL_RECORD_VALUE_STATE above */
1271                                                         ACL_RECORD_VALUE_STATE;
1272 #endif
1273                                                         if (aci_mask(op, e, desc, val, &bvals[i], matches,
1274                                                                         &grant, &deny, &aci_bv_children) != 0) {
1275                                                                 tgrant |= grant;
1276                                                                 tdeny |= deny;
1277                                                                 /* evaluation stops as soon as either a "deny" or a 
1278                                                                  * "grant" directive matches.
1279                                                                  */
1280                                                                 if( (tgrant != ACL_PRIV_NONE) || (tdeny != ACL_PRIV_NONE) ){
1281                                                                         stop = 1;
1282                                                                 }
1283                                                         }
1284                                                         Debug(LDAP_DEBUG_ACL, "<= aci_mask grant %s deny %s\n", 
1285                                                                 accessmask2str(tgrant,accessmaskbuf),
1286                                                                 accessmask2str(tdeny, accessmaskbuf1), 0);
1287                                                 }
1288                                                 break;
1289
1290                                         case LDAP_NO_SUCH_ATTRIBUTE:
1291                                                 /* just go on if the aci-Attribute is not present in
1292                                                  * the current entry 
1293                                                  */
1294                                                 Debug(LDAP_DEBUG_ACL, "no such attribute\n", 0, 0, 0);
1295                                                 stop = 0;
1296                                                 break;
1297
1298                                         case LDAP_NO_SUCH_OBJECT:
1299                                                 /* We have reached the base object */
1300                                                 Debug(LDAP_DEBUG_ACL, "no such object\n", 0, 0, 0);
1301                                                 stop = 1;
1302                                                 break;
1303
1304                                         default:
1305                                                 stop = 1;
1306                                                 break;
1307                                         }
1308                                         if (stop){
1309                                                 break;
1310                                         }
1311                                         dnParent(&old_parent_ndn, &parent_ndn);
1312                                 }
1313                         }
1314
1315
1316                         /* remove anything that the ACL clause does not allow */
1317                         tgrant &= b->a_access_mask & ACL_PRIV_MASK;
1318                         tdeny &= ACL_PRIV_MASK;
1319
1320                         /* see if we have anything to contribute */
1321                         if( ACL_IS_INVALID(tgrant) && ACL_IS_INVALID(tdeny) ) { 
1322                                 continue;
1323                         }
1324
1325                         /* this could be improved by changing acl_mask so that it can deal with
1326                          * by clauses that return grant/deny pairs.  Right now, it does either
1327                          * additive or subtractive rights, but not both at the same time.  So,
1328                          * we need to combine the grant/deny pair into a single rights mask in
1329                          * a smart way:  if either grant or deny is "empty", then we use the
1330                          * opposite as is, otherwise we remove any denied rights from the grant
1331                          * rights mask and construct an additive mask.
1332                          */
1333                         if (ACL_IS_INVALID(tdeny)) {
1334                                 modmask = tgrant | ACL_PRIV_ADDITIVE;
1335
1336                         } else if (ACL_IS_INVALID(tgrant)) {
1337                                 modmask = tdeny | ACL_PRIV_SUBSTRACTIVE;
1338
1339                         } else {
1340                                 modmask = (tgrant & ~tdeny) | ACL_PRIV_ADDITIVE;
1341                         }
1342
1343                 } else
1344 #endif
1345                 {
1346                         modmask = b->a_access_mask;
1347                 }
1348
1349                 Debug( LDAP_DEBUG_ACL,
1350                         "<= acl_mask: [%d] applying %s (%s)\n",
1351                         i, accessmask2str( modmask, accessmaskbuf ), 
1352                         b->a_type == ACL_CONTINUE
1353                                 ? "continue"
1354                                 : b->a_type == ACL_BREAK
1355                                         ? "break"
1356                                         : "stop" );
1357                 /* save old mask */
1358                 oldmask = *mask;
1359
1360                 if( ACL_IS_ADDITIVE(modmask) ) {
1361                         /* add privs */
1362                         ACL_PRIV_SET( *mask, modmask );
1363
1364                         /* cleanup */
1365                         ACL_PRIV_CLR( *mask, ~ACL_PRIV_MASK );
1366
1367                 } else if( ACL_IS_SUBTRACTIVE(modmask) ) {
1368                         /* substract privs */
1369                         ACL_PRIV_CLR( *mask, modmask );
1370
1371                         /* cleanup */
1372                         ACL_PRIV_CLR( *mask, ~ACL_PRIV_MASK );
1373
1374                 } else {
1375                         /* assign privs */
1376                         *mask = modmask;
1377                 }
1378
1379                 Debug( LDAP_DEBUG_ACL,
1380                         "<= acl_mask: [%d] mask: %s\n",
1381                         i, accessmask2str(*mask, accessmaskbuf), 0 );
1382
1383                 if( b->a_type == ACL_CONTINUE ) {
1384                         continue;
1385
1386                 } else if ( b->a_type == ACL_BREAK ) {
1387                         return ACL_BREAK;
1388
1389                 } else {
1390                         return ACL_STOP;
1391                 }
1392         }
1393
1394         /* implicit "by * none" clause */
1395         ACL_INIT(*mask);
1396
1397         Debug( LDAP_DEBUG_ACL,
1398                 "<= acl_mask: no more <who> clauses, returning %s (stop)\n",
1399                 accessmask2str(*mask, accessmaskbuf), 0, 0 );
1400         return ACL_STOP;
1401 }
1402
1403 /*
1404  * acl_check_modlist - check access control on the given entry to see if
1405  * it allows the given modifications by the user associated with op.
1406  * returns      1       if mods allowed ok
1407  *              0       mods not allowed
1408  */
1409
1410 int
1411 acl_check_modlist(
1412         Operation       *op,
1413         Entry   *e,
1414         Modifications   *mlist
1415 )
1416 {
1417         struct berval *bv;
1418         AccessControlState state = ACL_STATE_INIT;
1419         Backend *be;
1420         int be_null = 0;
1421         int ret = 1; /* default is access allowed */
1422
1423         be = op->o_bd;
1424         if ( be == NULL ) {
1425                 be = &backends[0];
1426                 be_null = 1;
1427                 op->o_bd = be;
1428         }
1429         assert( be != NULL );
1430
1431         /* short circuit root database access */
1432         if ( be_isroot( op ) ) {
1433                 Debug( LDAP_DEBUG_ACL,
1434                         "<= acl_access_allowed: granted to database root\n",
1435                     0, 0, 0 );
1436                 goto done;
1437         }
1438
1439         /* use backend default access if no backend acls */
1440         if( op->o_bd != NULL && op->o_bd->be_acl == NULL ) {
1441                 Debug( LDAP_DEBUG_ACL,
1442                         "=> access_allowed: backend default %s access %s to \"%s\"\n",
1443                         access2str( ACL_WRITE ),
1444                         op->o_bd->be_dfltaccess >= ACL_WRITE ? "granted" : "denied", op->o_dn.bv_val );
1445                 ret = (op->o_bd->be_dfltaccess >= ACL_WRITE);
1446                 goto done;
1447         }
1448
1449         for ( ; mlist != NULL; mlist = mlist->sml_next ) {
1450                 /*
1451                  * no-user-modification operational attributes are ignored
1452                  * by ACL_WRITE checking as any found here are not provided
1453                  * by the user
1454                  */
1455                 if ( is_at_no_user_mod( mlist->sml_desc->ad_type ) ) {
1456                         Debug( LDAP_DEBUG_ACL, "acl: no-user-mod %s:"
1457                                 " modify access granted\n",
1458                                 mlist->sml_desc->ad_cname.bv_val, 0, 0 );
1459                         continue;
1460                 }
1461
1462                 switch ( mlist->sml_op ) {
1463                 case LDAP_MOD_REPLACE:
1464                         /*
1465                          * We must check both permission to delete the whole
1466                          * attribute and permission to add the specific attributes.
1467                          * This prevents abuse from selfwriters.
1468                          */
1469                         if ( ! access_allowed( op, e,
1470                                 mlist->sml_desc, NULL, ACL_WRITE, &state ) )
1471                         {
1472                                 ret = 0;
1473                                 goto done;
1474                         }
1475
1476                         if ( mlist->sml_values == NULL ) break;
1477
1478                         /* fall thru to check value to add */
1479
1480                 case LDAP_MOD_ADD:
1481                         assert( mlist->sml_values != NULL );
1482
1483                         for ( bv = mlist->sml_nvalues
1484                                         ? mlist->sml_nvalues : mlist->sml_values;
1485                                 bv->bv_val != NULL; bv++ )
1486                         {
1487                                 if ( ! access_allowed( op, e,
1488                                         mlist->sml_desc, bv, ACL_WRITE, &state ) )
1489                                 {
1490                                         ret = 0;
1491                                         goto done;
1492                                 }
1493                         }
1494                         break;
1495
1496                 case LDAP_MOD_DELETE:
1497                         if ( mlist->sml_values == NULL ) {
1498                                 if ( ! access_allowed( op, e,
1499                                         mlist->sml_desc, NULL, ACL_WRITE, NULL ) )
1500                                 {
1501                                         ret = 0;
1502                                         goto done;
1503                                 }
1504                                 break;
1505                         }
1506                         for ( bv = mlist->sml_nvalues
1507                                         ? mlist->sml_nvalues : mlist->sml_values;
1508                                 bv->bv_val != NULL; bv++ )
1509                         {
1510                                 if ( ! access_allowed( op, e,
1511                                         mlist->sml_desc, bv, ACL_WRITE, &state ) )
1512                                 {
1513                                         ret = 0;
1514                                         goto done;
1515                                 }
1516                         }
1517                         break;
1518
1519                 case SLAP_MOD_SOFTADD:
1520                         /* allow adding attribute via modrdn thru */
1521                         break;
1522
1523                 default:
1524                         assert( 0 );
1525                         /* not reached */
1526                         ret = 0;
1527                         break;
1528                 }
1529         }
1530
1531 done:
1532         if (be_null) op->o_bd = NULL;
1533         return( ret );
1534 }
1535
1536 static int
1537 aci_get_part(
1538         struct berval *list,
1539         int ix,
1540         char sep,
1541         struct berval *bv )
1542 {
1543         int len;
1544         char *p;
1545
1546         if (bv) {
1547                 BER_BVZERO( bv );
1548         }
1549         len = list->bv_len;
1550         p = list->bv_val;
1551         while (len >= 0 && --ix >= 0) {
1552                 while (--len >= 0 && *p++ != sep) ;
1553         }
1554         while (len >= 0 && *p == ' ') {
1555                 len--;
1556                 p++;
1557         }
1558         if (len < 0)
1559                 return(-1);
1560
1561         if (!bv)
1562                 return(0);
1563
1564         bv->bv_val = p;
1565         while (--len >= 0 && *p != sep) {
1566                 bv->bv_len++;
1567                 p++;
1568         }
1569         while (bv->bv_len > 0 && *--p == ' ')
1570                 bv->bv_len--;
1571         return(bv->bv_len);
1572 }
1573
1574 BerVarray
1575 aci_set_gather (SetCookie *cookie, struct berval *name, struct berval *attr)
1576 {
1577         AciSetCookie *cp = (AciSetCookie *)cookie;
1578         BerVarray bvals = NULL;
1579         struct berval ndn;
1580
1581         /* this routine needs to return the bervals instead of
1582          * plain strings, since syntax is not known.  It should
1583          * also return the syntax or some "comparison cookie".
1584          */
1585
1586         if (dnNormalize(0, NULL, NULL, name, &ndn, cp->op->o_tmpmemctx) == LDAP_SUCCESS) {
1587                 const char *text;
1588                 AttributeDescription *desc = NULL;
1589                 if (slap_bv2ad(attr, &desc, &text) == LDAP_SUCCESS) {
1590                         backend_attribute(cp->op,
1591                                 cp->e, &ndn, desc, &bvals, ACL_NONE);
1592                 }
1593                 slap_sl_free(ndn.bv_val, cp->op->o_tmpmemctx);
1594         }
1595         return(bvals);
1596 }
1597
1598 static int
1599 aci_match_set (
1600         struct berval *subj,
1601         Operation *op,
1602         Entry *e,
1603         int setref
1604 )
1605 {
1606         struct berval   set = BER_BVNULL;
1607         int             rc = 0;
1608         AciSetCookie    cookie;
1609
1610         if (setref == 0) {
1611                 ber_dupbv_x( &set, subj, op->o_tmpmemctx );
1612         } else {
1613                 struct berval           subjdn, ndn = BER_BVNULL;
1614                 struct berval           setat;
1615                 BerVarray               bvals;
1616                 const char              *text;
1617                 AttributeDescription    *desc = NULL;
1618
1619                 /* format of string is "entry/setAttrName" */
1620                 if ( aci_get_part( subj, 0, '/', &subjdn ) < 0 ) {
1621                         return(0);
1622                 }
1623
1624                 if ( aci_get_part( subj, 1, '/', &setat ) < 0 ) {
1625                         setat = aci_bv_set_attr;
1626                 }
1627
1628                 /*
1629                  * NOTE: dnNormalize honors the ber_len field
1630                  * as the length of the dn to be normalized
1631                  */
1632                 if ( slap_bv2ad( &setat, &desc, &text ) == LDAP_SUCCESS ) {
1633                         if ( dnNormalize( 0, NULL, NULL, &subjdn, &ndn, op->o_tmpmemctx ) == LDAP_SUCCESS )
1634                         {
1635                                 backend_attribute( op, e, &ndn, desc, &bvals, ACL_NONE );
1636                                 if ( bvals != NULL && !BER_BVISNULL( &bvals[0] ) ) {
1637                                         int     i;
1638
1639                                         set = bvals[0];
1640                                         BER_BVZERO( &bvals[0] );
1641                                         for ( i = 1; !BER_BVISNULL( &bvals[i] ); i++ )
1642                                                 /* count */ ;
1643                                         bvals[0].bv_val = bvals[i-1].bv_val;
1644                                         BER_BVZERO( &bvals[i-1] );
1645                                 }
1646                                 ber_bvarray_free_x( bvals, op->o_tmpmemctx );
1647                                 slap_sl_free( ndn.bv_val, op->o_tmpmemctx );
1648                         }
1649                 }
1650         }
1651
1652         if ( !BER_BVISNULL( &set ) ) {
1653                 cookie.op = op;
1654                 cookie.e = e;
1655                 rc = ( slap_set_filter( aci_set_gather, (SetCookie *)&cookie, &set,
1656                         &op->o_ndn, &e->e_nname, NULL ) > 0 );
1657                 slap_sl_free( set.bv_val, op->o_tmpmemctx );
1658         }
1659
1660         return(rc);
1661 }
1662
1663 #ifdef SLAPD_ACI_ENABLED
1664 static int
1665 aci_list_map_rights(
1666         struct berval *list )
1667 {
1668         struct berval bv;
1669         slap_access_t mask;
1670         int i;
1671
1672         ACL_INIT(mask);
1673         for (i = 0; aci_get_part(list, i, ',', &bv) >= 0; i++) {
1674                 if (bv.bv_len <= 0)
1675                         continue;
1676                 switch (*bv.bv_val) {
1677                 case 'c':
1678                         ACL_PRIV_SET(mask, ACL_PRIV_COMPARE);
1679                         break;
1680                 case 's':
1681                         /* **** NOTE: draft-ietf-ldapext-aci-model-0.3.txt defines
1682                          * the right 's' to mean "set", but in the examples states
1683                          * that the right 's' means "search".  The latter definition
1684                          * is used here.
1685                          */
1686                         ACL_PRIV_SET(mask, ACL_PRIV_SEARCH);
1687                         break;
1688                 case 'r':
1689                         ACL_PRIV_SET(mask, ACL_PRIV_READ);
1690                         break;
1691                 case 'w':
1692                         ACL_PRIV_SET(mask, ACL_PRIV_WRITE);
1693                         break;
1694                 case 'x':
1695                         /* **** NOTE: draft-ietf-ldapext-aci-model-0.3.txt does not 
1696                          * define any equivalent to the AUTH right, so I've just used
1697                          * 'x' for now.
1698                          */
1699                         ACL_PRIV_SET(mask, ACL_PRIV_AUTH);
1700                         break;
1701                 default:
1702                         break;
1703                 }
1704
1705         }
1706         return(mask);
1707 }
1708
1709 static int
1710 aci_list_has_attr(
1711         struct berval *list,
1712         const struct berval *attr,
1713         struct berval *val )
1714 {
1715         struct berval bv, left, right;
1716         int i;
1717
1718         for (i = 0; aci_get_part(list, i, ',', &bv) >= 0; i++) {
1719                 if (aci_get_part(&bv, 0, '=', &left) < 0
1720                         || aci_get_part(&bv, 1, '=', &right) < 0)
1721                 {
1722                         if (ber_bvstrcasecmp(attr, &bv) == 0)
1723                                 return(1);
1724                 } else if (val == NULL) {
1725                         if (ber_bvstrcasecmp(attr, &left) == 0)
1726                                 return(1);
1727                 } else {
1728                         if (ber_bvstrcasecmp(attr, &left) == 0) {
1729                                 /* this is experimental code that implements a
1730                                  * simple (prefix) match of the attribute value.
1731                                  * the ACI draft does not provide for aci's that
1732                                  * apply to specific values, but it would be
1733                                  * nice to have.  If the <attr> part of an aci's
1734                                  * rights list is of the form <attr>=<value>,
1735                                  * that means the aci applies only to attrs with
1736                                  * the given value.  Furthermore, if the attr is
1737                                  * of the form <attr>=<value>*, then <value> is
1738                                  * treated as a prefix, and the aci applies to 
1739                                  * any value with that prefix.
1740                                  *
1741                                  * Ideally, this would allow r.e. matches.
1742                                  */
1743                                 if (aci_get_part(&right, 0, '*', &left) < 0
1744                                         || right.bv_len <= left.bv_len)
1745                                 {
1746                                         if (ber_bvstrcasecmp(val, &right) == 0)
1747                                                 return(1);
1748                                 } else if (val->bv_len >= left.bv_len) {
1749                                         if (strncasecmp( val->bv_val, left.bv_val, left.bv_len ) == 0)
1750                                                 return(1);
1751                                 }
1752                         }
1753                 }
1754         }
1755         return(0);
1756 }
1757
1758 static slap_access_t
1759 aci_list_get_attr_rights(
1760         struct berval *list,
1761         const struct berval *attr,
1762         struct berval *val )
1763 {
1764     struct berval bv;
1765     slap_access_t mask;
1766     int i;
1767
1768         /* loop through each rights/attr pair, skip first part (action) */
1769         ACL_INIT(mask);
1770         for (i = 1; aci_get_part(list, i + 1, ';', &bv) >= 0; i += 2) {
1771                 if (aci_list_has_attr(&bv, attr, val) == 0)
1772                         continue;
1773                 if (aci_get_part(list, i, ';', &bv) < 0)
1774                         continue;
1775                 mask |= aci_list_map_rights(&bv);
1776         }
1777         return(mask);
1778 }
1779
1780 static int
1781 aci_list_get_rights(
1782         struct berval *list,
1783         const struct berval *attr,
1784         struct berval *val,
1785         slap_access_t *grant,
1786         slap_access_t *deny )
1787 {
1788     struct berval perm, actn;
1789     slap_access_t *mask;
1790     int i, found;
1791
1792         if (attr == NULL || attr->bv_len == 0 
1793                         || ber_bvstrcasecmp( attr, &aci_bv_entry ) == 0) {
1794                 attr = &aci_bv_br_entry;
1795         }
1796
1797         found = 0;
1798         ACL_INIT(*grant);
1799         ACL_INIT(*deny);
1800         /* loop through each permissions clause */
1801         for (i = 0; aci_get_part(list, i, '$', &perm) >= 0; i++) {
1802                 if (aci_get_part(&perm, 0, ';', &actn) < 0)
1803                         continue;
1804                 if (ber_bvstrcasecmp( &aci_bv_grant, &actn ) == 0) {
1805                         mask = grant;
1806                 } else if (ber_bvstrcasecmp( &aci_bv_deny, &actn ) == 0) {
1807                         mask = deny;
1808                 } else {
1809                         continue;
1810                 }
1811
1812                 found = 1;
1813                 *mask |= aci_list_get_attr_rights(&perm, attr, val);
1814                 *mask |= aci_list_get_attr_rights(&perm, &aci_bv_br_all, NULL);
1815         }
1816         return(found);
1817 }
1818
1819 static int
1820 aci_group_member (
1821         struct berval *subj,
1822         struct berval *defgrpoc,
1823         struct berval *defgrpat,
1824         Operation               *op,
1825         Entry           *e,
1826         regmatch_t      *matches
1827 )
1828 {
1829         struct berval subjdn;
1830         struct berval grpoc;
1831         struct berval grpat;
1832         ObjectClass *grp_oc = NULL;
1833         AttributeDescription *grp_ad = NULL;
1834         const char *text;
1835         int rc;
1836
1837         /* format of string is "group/objectClassValue/groupAttrName" */
1838         if (aci_get_part(subj, 0, '/', &subjdn) < 0) {
1839                 return(0);
1840         }
1841
1842         if (aci_get_part(subj, 1, '/', &grpoc) < 0) {
1843                 grpoc = *defgrpoc;
1844         }
1845
1846         if (aci_get_part(subj, 2, '/', &grpat) < 0) {
1847                 grpat = *defgrpat;
1848         }
1849
1850         rc = slap_bv2ad( &grpat, &grp_ad, &text );
1851         if( rc != LDAP_SUCCESS ) {
1852                 rc = 0;
1853                 goto done;
1854         }
1855         rc = 0;
1856
1857         grp_oc = oc_bvfind( &grpoc );
1858
1859         if (grp_oc != NULL && grp_ad != NULL ) {
1860                 char buf[ACL_BUF_SIZE];
1861                 struct berval bv, ndn;
1862                 bv.bv_len = sizeof( buf ) - 1;
1863                 bv.bv_val = (char *)&buf;
1864                 string_expand(&bv, &subjdn, e->e_ndn, matches);
1865                 if ( dnNormalize(0, NULL, NULL, &bv, &ndn, op->o_tmpmemctx) == LDAP_SUCCESS ) {
1866                         rc = (backend_group(op, e, &ndn, &op->o_ndn,
1867                                 grp_oc, grp_ad) == 0);
1868                         free( ndn.bv_val );
1869                 }
1870         }
1871
1872 done:
1873         return(rc);
1874 }
1875
1876 static int
1877 aci_mask(
1878     Operation           *op,
1879     Entry                       *e,
1880         AttributeDescription *desc,
1881     struct berval       *val,
1882     struct berval       *aci,
1883         regmatch_t              *matches,
1884         slap_access_t   *grant,
1885         slap_access_t   *deny,
1886         struct berval   *scope
1887 )
1888 {
1889     struct berval bv, perms, sdn;
1890         int rc;
1891                 
1892
1893         assert( desc->ad_cname.bv_val != NULL );
1894
1895         /* parse an aci of the form:
1896                 oid#scope#action;rights;attr;rights;attr$action;rights;attr;rights;attr#dnType#subjectDN
1897
1898            See draft-ietf-ldapext-aci-model-04.txt section 9.1 for
1899            a full description of the format for this attribute.
1900            Differences: "this" in the draft is "self" here, and
1901            "self" and "public" is in the position of dnType.
1902
1903            For now, this routine only supports scope=entry.
1904          */
1905         /* check that the aci has all 5 components */
1906         if (aci_get_part(aci, 4, '#', NULL) < 0)
1907                 return(0);
1908
1909         /* check that the aci family is supported */
1910         if (aci_get_part(aci, 0, '#', &bv) < 0)
1911                 return(0);
1912
1913         /* check that the scope matches */
1914         if (aci_get_part(aci, 1, '#', &bv) < 0
1915                 || ber_bvstrcasecmp( scope, &bv ) != 0)
1916         {
1917                 return(0);
1918         }
1919
1920         /* get the list of permissions clauses, bail if empty */
1921         if (aci_get_part(aci, 2, '#', &perms) <= 0)
1922                 return(0);
1923
1924         /* check if any permissions allow desired access */
1925         if (aci_list_get_rights(&perms, &desc->ad_cname, val, grant, deny) == 0)
1926                 return(0);
1927
1928         /* see if we have a DN match */
1929         if (aci_get_part(aci, 3, '#', &bv) < 0)
1930                 return(0);
1931
1932         if (aci_get_part(aci, 4, '#', &sdn) < 0)
1933                 return(0);
1934
1935         if (ber_bvstrcasecmp( &aci_bv_access_id, &bv ) == 0) {
1936                 struct berval ndn;
1937                 rc = 0;
1938                 if ( dnNormalize(0, NULL, NULL, &sdn, &ndn, op->o_tmpmemctx) == LDAP_SUCCESS ) {
1939                         if (dn_match( &op->o_ndn, &ndn))
1940                                 rc = 1;
1941                         free(ndn.bv_val);
1942                 }
1943                 return (rc);
1944
1945         } else if (ber_bvstrcasecmp( &aci_bv_public, &bv ) == 0) {
1946                 return(1);
1947
1948         } else if (ber_bvstrcasecmp( &aci_bv_self, &bv ) == 0) {
1949                 if (dn_match(&op->o_ndn, &e->e_nname))
1950                         return(1);
1951
1952         } else if (ber_bvstrcasecmp( &aci_bv_dnattr, &bv ) == 0) {
1953                 Attribute *at;
1954                 AttributeDescription *ad = NULL;
1955                 const char *text;
1956
1957                 rc = slap_bv2ad( &sdn, &ad, &text );
1958
1959                 if( rc != LDAP_SUCCESS ) {
1960                         return 0;
1961                 }
1962
1963                 rc = 0;
1964
1965                 bv = op->o_ndn;
1966
1967                 for(at = attrs_find( e->e_attrs, ad );
1968                         at != NULL;
1969                         at = attrs_find( at->a_next, ad ) )
1970                 {
1971                         if (value_find_ex( ad,
1972                                 SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH |
1973                                         SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH,
1974                                 at->a_nvals,
1975                                 &bv, op->o_tmpmemctx) == 0 )
1976                         {
1977                                 rc = 1;
1978                                 break;
1979                         }
1980                 }
1981
1982                 return rc;
1983
1984
1985         } else if (ber_bvstrcasecmp( &aci_bv_group, &bv ) == 0) {
1986                 if (aci_group_member(&sdn, &aci_bv_group_class, &aci_bv_group_attr, op, e, matches))
1987                         return(1);
1988
1989         } else if (ber_bvstrcasecmp( &aci_bv_role, &bv ) == 0) {
1990                 if (aci_group_member(&sdn, &aci_bv_role_class, &aci_bv_role_attr, op, e, matches))
1991                         return(1);
1992
1993         } else if (ber_bvstrcasecmp( &aci_bv_set, &bv ) == 0) {
1994                 if (aci_match_set(&sdn, op, e, 0))
1995                         return(1);
1996
1997         } else if (ber_bvstrcasecmp( &aci_bv_set_ref, &bv ) == 0) {
1998                 if (aci_match_set(&sdn, op, e, 1))
1999                         return(1);
2000
2001         }
2002
2003         return(0);
2004 }
2005
2006 #endif  /* SLAPD_ACI_ENABLED */
2007
2008 static void
2009 string_expand(
2010         struct berval *bv,
2011         struct berval *pat,
2012         char *match,
2013         regmatch_t *matches)
2014 {
2015         ber_len_t       size;
2016         char   *sp;
2017         char   *dp;
2018         int     flag;
2019
2020         size = 0;
2021         bv->bv_val[0] = '\0';
2022         bv->bv_len--; /* leave space for lone $ */
2023
2024         flag = 0;
2025         for ( dp = bv->bv_val, sp = pat->bv_val; size < bv->bv_len &&
2026                 sp < pat->bv_val + pat->bv_len ; sp++ )
2027         {
2028                 /* did we previously see a $ */
2029                 if ( flag ) {
2030                         if ( flag == 1 && *sp == '$' ) {
2031                                 *dp++ = '$';
2032                                 size++;
2033                                 flag = 0;
2034
2035                         } else if ( flag == 1 && *sp == '{' /*'}'*/) {
2036                                 flag = 2;
2037
2038                         } else if ( *sp >= '0' && *sp <= '9' ) {
2039                                 int     n;
2040                                 int     i;
2041                                 int     l;
2042
2043                                 n = *sp - '0';
2044
2045                                 if ( flag == 2 ) {
2046                                         for ( sp++; *sp != '\0' && *sp != /*'{'*/ '}'; sp++ ) {
2047                                                 if ( *sp >= '0' && *sp <= '9' ) {
2048                                                         n = 10*n + ( *sp - '0' );
2049                                                 }
2050                                         }
2051
2052                                         if ( *sp != /*'{'*/ '}' ) {
2053                                                 /* error */
2054                                         }
2055                                 }
2056
2057                                 if ( n >= MAXREMATCHES ) {
2058                                 
2059                                 }
2060                                 
2061                                 *dp = '\0';
2062                                 i = matches[n].rm_so;
2063                                 l = matches[n].rm_eo; 
2064                                 for ( ; size < bv->bv_len && i < l; size++, i++ ) {
2065                                         *dp++ = match[i];
2066                                 }
2067                                 *dp = '\0';
2068
2069                                 flag = 0;
2070                         }
2071                 } else {
2072                         if (*sp == '$') {
2073                                 flag = 1;
2074                         } else {
2075                                 *dp++ = *sp;
2076                                 size++;
2077                         }
2078                 }
2079         }
2080
2081         if ( flag ) {
2082                 /* must have ended with a single $ */
2083                 *dp++ = '$';
2084                 size++;
2085         }
2086
2087         *dp = '\0';
2088         bv->bv_len = size;
2089
2090         Debug( LDAP_DEBUG_TRACE, "=> string_expand: pattern:  %.*s\n", (int)pat->bv_len, pat->bv_val, 0 );
2091         Debug( LDAP_DEBUG_TRACE, "=> string_expand: expanded: %s\n", bv->bv_val, 0, 0 );
2092 }
2093
2094 static int
2095 regex_matches(
2096         struct berval *pat,                     /* pattern to expand and match against */
2097         char *str,                              /* string to match against pattern */
2098         char *buf,                              /* buffer with $N expansion variables */
2099         regmatch_t *matches             /* offsets in buffer for $N expansion variables */
2100 )
2101 {
2102         regex_t re;
2103         char newbuf[ACL_BUF_SIZE];
2104         struct berval bv;
2105         int     rc;
2106
2107         bv.bv_len = sizeof(newbuf) - 1;
2108         bv.bv_val = newbuf;
2109
2110         if(str == NULL) str = "";
2111
2112         string_expand(&bv, pat, buf, matches);
2113         if (( rc = regcomp(&re, newbuf, REG_EXTENDED|REG_ICASE))) {
2114                 char error[ACL_BUF_SIZE];
2115                 regerror(rc, &re, error, sizeof(error));
2116
2117                 Debug( LDAP_DEBUG_TRACE,
2118                     "compile( \"%s\", \"%s\") failed %s\n",
2119                         pat->bv_val, str, error );
2120                 return( 0 );
2121         }
2122
2123         rc = regexec(&re, str, 0, NULL, 0);
2124         regfree( &re );
2125
2126         Debug( LDAP_DEBUG_TRACE,
2127             "=> regex_matches: string:   %s\n", str, 0, 0 );
2128         Debug( LDAP_DEBUG_TRACE,
2129             "=> regex_matches: rc: %d %s\n",
2130                 rc, !rc ? "matches" : "no matches", 0 );
2131         return( !rc );
2132 }
2133