]> git.sur5r.net Git - openldap/blob - servers/slapd/acl.c
utime is not needed here any more
[openldap] / servers / slapd / acl.c
1 /* acl.c - routines to parse and check acl's */
2 /* $OpenLDAP$ */
3 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
4  *
5  * Copyright 1998-2005 The OpenLDAP Foundation.
6  * All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted only as authorized by the OpenLDAP
10  * Public License.
11  *
12  * A copy of this license is available in the file LICENSE in the
13  * top-level directory of the distribution or, alternatively, at
14  * <http://www.OpenLDAP.org/license.html>.
15  */
16 /* Portions Copyright (c) 1995 Regents of the University of Michigan.
17  * All rights reserved.
18  *
19  * Redistribution and use in source and binary forms are permitted
20  * provided that this notice is preserved and that due credit is given
21  * to the University of Michigan at Ann Arbor. The name of the University
22  * may not be used to endorse or promote products derived from this
23  * software without specific prior written permission. This software
24  * is provided ``as is'' without express or implied warranty.
25  */
26
27 #include "portable.h"
28
29 #include <stdio.h>
30
31 #include <ac/regex.h>
32 #include <ac/socket.h>
33 #include <ac/string.h>
34
35 #include "slap.h"
36 #include "sets.h"
37 #include "lber_pvt.h"
38 #include "lutil.h"
39
40 #define ACL_BUF_SIZE    1024    /* use most appropriate size */
41
42 /*
43  * speed up compares
44  */
45 static struct berval 
46         aci_bv_entry            = BER_BVC("entry"),
47         aci_bv_children         = BER_BVC("children"),
48         aci_bv_onelevel         = BER_BVC("onelevel"),
49         aci_bv_subtree          = BER_BVC("subtree"),
50         aci_bv_br_entry         = BER_BVC("[entry]"),
51         aci_bv_br_all           = BER_BVC("[all]"),
52         aci_bv_access_id        = BER_BVC("access-id"),
53 #if 0
54         aci_bv_anonymous        = BER_BVC("anonymous"),
55 #endif
56         aci_bv_public           = BER_BVC("public"),
57         aci_bv_users            = BER_BVC("users"),
58         aci_bv_self             = BER_BVC("self"),
59         aci_bv_dnattr           = BER_BVC("dnattr"),
60         aci_bv_group            = BER_BVC("group"),
61         aci_bv_role             = BER_BVC("role"),
62         aci_bv_set              = BER_BVC("set"),
63         aci_bv_set_ref          = BER_BVC("set-ref"),
64         aci_bv_grant            = BER_BVC("grant"),
65         aci_bv_deny             = BER_BVC("deny"),
66
67         aci_bv_ip_eq            = BER_BVC("IP="),
68 #ifdef LDAP_PF_LOCAL
69         aci_bv_path_eq          = BER_BVC("PATH="),
70 #if 0
71         aci_bv_dirsep           = BER_BVC(LDAP_DIRSEP),
72 #endif
73 #endif /* LDAP_PF_LOCAL */
74         
75         aci_bv_group_class      = BER_BVC(SLAPD_GROUP_CLASS),
76         aci_bv_group_attr       = BER_BVC(SLAPD_GROUP_ATTR),
77         aci_bv_role_class       = BER_BVC(SLAPD_ROLE_CLASS),
78         aci_bv_role_attr        = BER_BVC(SLAPD_ROLE_ATTR),
79         aci_bv_set_attr         = BER_BVC(SLAPD_ACI_SET_ATTR);
80
81 typedef enum slap_aci_scope_t {
82         SLAP_ACI_SCOPE_ENTRY            = 0x1,
83         SLAP_ACI_SCOPE_CHILDREN         = 0x2,
84         SLAP_ACI_SCOPE_SUBTREE          = ( SLAP_ACI_SCOPE_ENTRY | SLAP_ACI_SCOPE_CHILDREN )
85 } slap_aci_scope_t;
86
87 static AccessControl * slap_acl_get(
88         AccessControl *ac, int *count,
89         Operation *op, Entry *e,
90         AttributeDescription *desc,
91         struct berval *val,
92         int nmatch, regmatch_t *matches,
93         AccessControlState *state );
94
95 static slap_control_t slap_acl_mask(
96         AccessControl *ac, slap_mask_t *mask,
97         Operation *op, Entry *e,
98         AttributeDescription *desc,
99         struct berval *val,
100         int nmatch,
101         regmatch_t *matches,
102         int count,
103         AccessControlState *state );
104
105 #ifdef SLAPD_ACI_ENABLED
106 static int aci_mask(
107         Operation *op, Entry *e,
108         AttributeDescription *desc,
109         struct berval *val,
110         struct berval *aci,
111         int nmatch,
112         regmatch_t *matches,
113         slap_access_t *grant,
114         slap_access_t *deny,
115         slap_aci_scope_t scope);
116 #endif /* SLAPD_ACI_ENABLED */
117
118 static int      regex_matches(
119         struct berval *pat, char *str, char *buf,
120         int nmatch, regmatch_t *matches);
121 static int      string_expand(
122         struct berval *newbuf, struct berval *pattern,
123         char *match, int nmatch, regmatch_t *matches);
124
125 typedef struct AciSetCookie {
126         Operation *op;
127         Entry *e;
128 } AciSetCookie;
129
130 SLAP_SET_GATHER aci_set_gather;
131 SLAP_SET_GATHER aci_set_gather2;
132 static int aci_match_set ( struct berval *subj, Operation *op,
133     Entry *e, int setref );
134
135 /*
136  * access_allowed - check whether op->o_ndn is allowed the requested access
137  * to entry e, attribute attr, value val.  if val is null, access to
138  * the whole attribute is assumed (all values).
139  *
140  * This routine loops through all access controls and calls
141  * slap_acl_mask() on each applicable access control.
142  * The loop exits when a definitive answer is reached or
143  * or no more controls remain.
144  *
145  * returns:
146  *              0       access denied
147  *              1       access granted
148  *
149  * Notes:
150  * - can be legally called with op == NULL
151  * - can be legally called with op->o_bd == NULL
152  */
153
154 #ifdef SLAP_OVERLAY_ACCESS
155 int
156 slap_access_always_allowed(
157         Operation               *op,
158         Entry                   *e,
159         AttributeDescription    *desc,
160         struct berval           *val,
161         slap_access_t           access,
162         AccessControlState      *state,
163         slap_mask_t             *maskp )
164 {
165         assert( maskp != NULL );
166
167         ACL_PRIV_SET( *maskp, ACL_ACCESS2PRIV( access ) );
168
169         return 1;
170 }
171
172 int
173 slap_access_allowed(
174         Operation               *op,
175         Entry                   *e,
176         AttributeDescription    *desc,
177         struct berval           *val,
178         slap_access_t           access,
179         AccessControlState      *state,
180         slap_mask_t             *maskp )
181 {
182         int                             ret = 1;
183         int                             count;
184         AccessControl                   *a = NULL;
185
186 #ifdef LDAP_DEBUG
187         char                            accessmaskbuf[ACCESSMASK_MAXLEN];
188 #endif
189         slap_mask_t                     mask;
190         slap_control_t                  control;
191         slap_access_t                   access_level;
192         const char                      *attr;
193         regmatch_t                      matches[MAXREMATCHES];
194         int                             st_same_attr = 0;
195
196         assert( op != NULL );
197         assert( e != NULL );
198         assert( desc != NULL );
199         assert( maskp != NULL );
200
201         access_level = ACL_LEVEL( access );
202         attr = desc->ad_cname.bv_val;
203
204         assert( attr != NULL );
205
206         /* grant database root access */
207         if ( be_isroot( op ) ) {
208                 Debug( LDAP_DEBUG_ACL, "<= root access granted\n", 0, 0, 0 );
209                 mask = ACL_LVL_MANAGE;
210                 goto done;
211         }
212
213         /*
214          * no-user-modification operational attributes are ignored
215          * by ACL_WRITE checking as any found here are not provided
216          * by the user
217          */
218         if ( access_level >= ACL_WRITE && is_at_no_user_mod( desc->ad_type )
219                 && desc != slap_schema.si_ad_entry
220                 && desc != slap_schema.si_ad_children )
221         {
222                 Debug( LDAP_DEBUG_ACL, "NoUserMod Operational attribute:"
223                         " %s access granted\n",
224                         attr, 0, 0 );
225                 goto done;
226         }
227
228         /* use backend default access if no backend acls */
229         if ( op->o_bd->be_acl == NULL ) {
230                 int     i;
231
232                 Debug( LDAP_DEBUG_ACL,
233                         "=> slap_access_allowed: backend default %s "
234                         "access %s to \"%s\"\n",
235                         access2str( access ),
236                         op->o_bd->be_dfltaccess >= access_level ? "granted" : "denied",
237                         op->o_dn.bv_val ? op->o_dn.bv_val : "(anonymous)" );
238                 ret = op->o_bd->be_dfltaccess >= access_level;
239
240                 mask = ACL_PRIV_LEVEL;
241                 for ( i = ACL_NONE; i <= op->o_bd->be_dfltaccess; i++ ) {
242                         ACL_PRIV_SET( mask, ACL_ACCESS2PRIV( i ) );
243                 }
244
245                 goto done;
246         }
247
248         ret = 0;
249         control = ACL_BREAK;
250
251         if ( st_same_attr ) {
252                 assert( state->as_vd_acl != NULL );
253
254                 a = state->as_vd_acl;
255                 count = state->as_vd_acl_count;
256                 if ( !ACL_IS_INVALID( state->as_vd_acl_mask ) ) {
257                         mask = state->as_vd_acl_mask;
258                         AC_MEMCPY( matches, state->as_vd_acl_matches, sizeof(matches) );
259                         goto vd_access;
260                 }
261
262         } else {
263                 if ( state ) state->as_vi_acl = NULL;
264                 a = NULL;
265                 ACL_PRIV_ASSIGN( mask, *maskp );
266                 count = 0;
267                 memset( matches, '\0', sizeof( matches ) );
268         }
269
270         while ( ( a = slap_acl_get( a, &count, op, e, desc, val,
271                 MAXREMATCHES, matches, state ) ) != NULL )
272         {
273                 int i;
274
275                 for ( i = 0; i < MAXREMATCHES && matches[i].rm_so > 0; i++ ) {
276                         Debug( LDAP_DEBUG_ACL, "=> match[%d]: %d %d ", i,
277                                 (int)matches[i].rm_so, (int)matches[i].rm_eo );
278                         if ( matches[i].rm_so <= matches[0].rm_eo ) {
279                                 int n;
280                                 for ( n = matches[i].rm_so; n < matches[i].rm_eo; n++ ) {
281                                         Debug( LDAP_DEBUG_ACL, "%c", e->e_ndn[n], 0, 0 );
282                                 }
283                         }
284                         Debug( LDAP_DEBUG_ARGS, "\n", 0, 0, 0 );
285                 }
286
287                 if ( state ) {
288                         if ( state->as_vi_acl == a &&
289                                 ( state->as_recorded & ACL_STATE_RECORDED_NV ) )
290                         {
291                                 Debug( LDAP_DEBUG_ACL,
292                                         "=> slap_access_allowed: result from state (%s)\n",
293                                         attr, 0, 0 );
294                                 ret = state->as_result;
295                                 goto done;
296                         } else {
297                                 Debug( LDAP_DEBUG_ACL,
298                                         "=> slap_access_allowed: no res from state (%s)\n",
299                                         attr, 0, 0 );
300                         }
301                 }
302
303 vd_access:
304                 control = slap_acl_mask( a, &mask, op,
305                         e, desc, val, MAXREMATCHES, matches, count, state );
306
307                 if ( control != ACL_BREAK ) {
308                         break;
309                 }
310
311                 memset( matches, '\0', sizeof( matches ) );
312         }
313
314         if ( ACL_IS_INVALID( mask ) ) {
315                 Debug( LDAP_DEBUG_ACL,
316                         "=> slap_access_allowed: \"%s\" (%s) invalid!\n",
317                         e->e_dn, attr, 0 );
318                 ACL_PRIV_ASSIGN( mask, *maskp );
319
320         } else if ( control == ACL_BREAK ) {
321                 Debug( LDAP_DEBUG_ACL,
322                         "=> slap_access_allowed: no more rules\n", 0, 0, 0 );
323
324                 goto done;
325         }
326
327         ret = ACL_GRANT( mask, access );
328
329         Debug( LDAP_DEBUG_ACL,
330                 "=> slap_access_allowed: %s access %s by %s\n",
331                 access2str( access ), ret ? "granted" : "denied",
332                 accessmask2str( mask, accessmaskbuf, 1 ) );
333
334 done:
335         ACL_PRIV_ASSIGN( *maskp, mask );
336         return ret;
337 }
338
339 int
340 fe_access_allowed(
341         Operation               *op,
342         Entry                   *e,
343         AttributeDescription    *desc,
344         struct berval           *val,
345         slap_access_t           access,
346         AccessControlState      *state,
347         slap_mask_t             *maskp )
348 {
349         BackendDB               *be_orig;
350         int                     rc;
351
352         /*
353          * NOTE: control gets here if FIXME
354          * if an appropriate backend cannot be selected for the operation,
355          * we assume that the frontend should handle this
356          * FIXME: should select_backend() take care of this,
357          * and return frontendDB instead of NULL?  maybe for some value
358          * of the flags?
359          */
360         be_orig = op->o_bd;
361
362         op->o_bd = select_backend( &op->o_req_ndn, 0, 0 );
363         if ( op->o_bd == NULL ) {
364                 op->o_bd = frontendDB;
365         }
366         rc = slap_access_allowed( op, e, desc, val, access, state, maskp );
367         op->o_bd = be_orig;
368
369         return rc;
370 }
371
372 int
373 access_allowed_mask(
374         Operation               *op,
375         Entry                   *e,
376         AttributeDescription    *desc,
377         struct berval           *val,
378         slap_access_t           access,
379         AccessControlState      *state,
380         slap_mask_t             *maskp )
381 {
382         int                             ret = 1;
383         AccessControl                   *a = NULL;
384         int                             be_null = 0;
385
386 #ifdef LDAP_DEBUG
387         char                            accessmaskbuf[ACCESSMASK_MAXLEN];
388 #endif
389         slap_mask_t                     mask;
390         slap_access_t                   access_level;
391         const char                      *attr;
392         int                             st_same_attr = 0;
393         static AccessControlState       state_init = ACL_STATE_INIT;
394
395         assert( e != NULL );
396         assert( desc != NULL );
397
398         access_level = ACL_LEVEL( access );
399
400         assert( access_level > ACL_NONE );
401
402         ACL_INIT( mask );
403         if ( maskp ) ACL_INVALIDATE( *maskp );
404
405         attr = desc->ad_cname.bv_val;
406
407         assert( attr != NULL );
408
409         if ( op && op->o_is_auth_check &&
410                 ( access_level == ACL_SEARCH || access_level == ACL_READ ) )
411         {
412                 access = ACL_AUTH;
413         }
414
415         if ( state ) {
416                 if ( state->as_vd_ad == desc ) {
417                         if ( state->as_recorded ) {
418                                 if ( ( state->as_recorded & ACL_STATE_RECORDED_NV ) &&
419                                         val == NULL )
420                                 {
421                                         return state->as_result;
422
423                                 } else if ( ( state->as_recorded & ACL_STATE_RECORDED_VD ) &&
424                                         val != NULL && state->as_vd_acl == NULL )
425                                 {
426                                         return state->as_result;
427                                 }
428                         }
429                         st_same_attr = 1;
430                 } else {
431                         *state = state_init;
432                 }
433
434                 state->as_vd_ad = desc;
435         }
436
437         Debug( LDAP_DEBUG_ACL,
438                 "=> access_allowed: %s access to \"%s\" \"%s\" requested\n",
439                 access2str( access ), e->e_dn, attr );
440
441         if ( op == NULL ) {
442                 /* no-op call */
443                 goto done;
444         }
445
446         if ( op->o_bd == NULL ) {
447                 op->o_bd = LDAP_STAILQ_FIRST( &backendDB );
448                 be_null = 1;
449
450 #ifdef LDAP_DEVEL
451                 /*
452                  * FIXME: experimental; use first backend rules
453                  * iff there is no global_acl (ITS#3100) */
454                 if ( frontendDB->be_acl != NULL ) {
455                         op->o_bd = frontendDB;
456                 }
457 #endif /* LDAP_DEVEL */
458         }
459         assert( op->o_bd != NULL );
460
461         /* this is enforced in backend_add() */
462         if ( op->o_bd->bd_info->bi_access_allowed ) {
463                 /* delegate to backend */
464                 ret = op->o_bd->bd_info->bi_access_allowed( op, e,
465                                 desc, val, access, state, &mask );
466
467         } else {
468                 BackendDB       *be_orig = op->o_bd;
469
470                 /* use default (but pass through frontend
471                  * for global ACL overlays) */
472                 op->o_bd = frontendDB;
473                 ret = frontendDB->bd_info->bi_access_allowed( op, e,
474                                 desc, val, access, state, &mask );
475                 op->o_bd = be_orig;
476         }
477
478         if ( !ret ) {
479                 if ( ACL_IS_INVALID( mask ) ) {
480                         Debug( LDAP_DEBUG_ACL,
481                                 "=> access_allowed: \"%s\" (%s) invalid!\n",
482                                 e->e_dn, attr, 0 );
483                         ACL_INIT( mask );
484
485                 } else {
486                         Debug( LDAP_DEBUG_ACL,
487                                 "=> access_allowed: no more rules\n", 0, 0, 0 );
488
489                         goto done;
490                 }
491         }
492
493         Debug( LDAP_DEBUG_ACL,
494                 "=> access_allowed: %s access %s by %s\n",
495                 access2str( access ), ret ? "granted" : "denied",
496                 accessmask2str( mask, accessmaskbuf, 1 ) );
497
498 done:
499         if ( state != NULL ) {
500                 /* If not value-dependent, save ACL in case of more attrs */
501                 if ( !( state->as_recorded & ACL_STATE_RECORDED_VD ) ) {
502                         state->as_vi_acl = a;
503                         state->as_result = ret;
504                 }
505                 state->as_recorded |= ACL_STATE_RECORDED;
506         }
507         if ( be_null ) op->o_bd = NULL;
508         if ( maskp ) ACL_PRIV_ASSIGN( *maskp, mask );
509         return ret;
510 }
511
512 #else /* !SLAP_OVERLAY_ACCESS */
513
514 int
515 access_allowed_mask(
516         Operation               *op,
517         Entry                   *e,
518         AttributeDescription    *desc,
519         struct berval           *val,
520         slap_access_t           access,
521         AccessControlState      *state,
522         slap_mask_t             *maskp )
523 {
524         int                             ret = 1;
525         int                             count;
526         AccessControl                   *a = NULL;
527         Backend                         *be;
528         int                             be_null = 0;
529
530 #ifdef LDAP_DEBUG
531         char                            accessmaskbuf[ACCESSMASK_MAXLEN];
532 #endif
533         slap_mask_t                     mask;
534         slap_control_t                  control;
535         slap_access_t                   access_level;
536         const char                      *attr;
537         regmatch_t                      matches[MAXREMATCHES];
538         int                             st_same_attr = 0;
539         static AccessControlState       state_init = ACL_STATE_INIT;
540
541         assert( e != NULL );
542         assert( desc != NULL );
543
544         access_level = ACL_LEVEL( access );
545
546         assert( access_level > ACL_NONE );
547         if ( maskp ) ACL_INVALIDATE( *maskp );
548
549         attr = desc->ad_cname.bv_val;
550
551         assert( attr != NULL );
552
553         if ( op && op->o_is_auth_check &&
554                 ( access_level == ACL_SEARCH || access_level == ACL_READ ) )
555         {
556                 access = ACL_AUTH;
557         }
558
559         if ( state ) {
560                 if ( state->as_vd_ad == desc ) {
561                         if ( state->as_recorded ) {
562                                 if ( ( state->as_recorded & ACL_STATE_RECORDED_NV ) &&
563                                         val == NULL )
564                                 {
565                                         return state->as_result;
566
567                                 } else if ( ( state->as_recorded & ACL_STATE_RECORDED_VD ) &&
568                                         val != NULL && state->as_vd_acl == NULL )
569                                 {
570                                         return state->as_result;
571                                 }
572                         }
573                         st_same_attr = 1;
574                 } else {
575                         *state = state_init;
576                 }
577
578                 state->as_vd_ad=desc;
579         }
580
581         Debug( LDAP_DEBUG_ACL,
582                 "=> access_allowed: %s access to \"%s\" \"%s\" requested\n",
583                 access2str( access ), e->e_dn, attr );
584
585         if ( op == NULL ) {
586                 /* no-op call */
587                 goto done;
588         }
589
590         be = op->o_bd;
591         if ( be == NULL ) {
592                 be = LDAP_STAILQ_FIRST(&backendDB);
593                 be_null = 1;
594 #ifdef LDAP_DEVEL
595                 /*
596                  * FIXME: experimental; use first backend rules
597                  * iff there is no global_acl (ITS#3100) */
598                 if ( frontendDB->be_acl == NULL ) 
599 #endif
600                 {
601                         op->o_bd = be;
602                 }
603         }
604         assert( be != NULL );
605
606         /* grant database root access */
607         if ( be_isroot( op ) ) {
608                 Debug( LDAP_DEBUG_ACL, "<= root access granted\n", 0, 0, 0 );
609                 if ( maskp ) {
610                         mask = ACL_LVL_MANAGE;
611                 }
612
613                 goto done;
614         }
615
616         /*
617          * no-user-modification operational attributes are ignored
618          * by ACL_WRITE checking as any found here are not provided
619          * by the user
620          */
621         if ( access_level >= ACL_WRITE && is_at_no_user_mod( desc->ad_type )
622                 && desc != slap_schema.si_ad_entry
623                 && desc != slap_schema.si_ad_children )
624         {
625                 Debug( LDAP_DEBUG_ACL, "NoUserMod Operational attribute:"
626                         " %s access granted\n",
627                         attr, 0, 0 );
628                 goto done;
629         }
630
631         /* use backend default access if no backend acls */
632         if ( be->be_acl == NULL ) {
633                 Debug( LDAP_DEBUG_ACL,
634                         "=> access_allowed: backend default %s "
635                         "access %s to \"%s\"\n",
636                         access2str( access ),
637                         be->be_dfltaccess >= access_level ? "granted" : "denied",
638                         op->o_dn.bv_val ? op->o_dn.bv_val : "(anonymous)" );
639                 ret = be->be_dfltaccess >= access_level;
640
641                 if ( maskp ) {
642                         int     i;
643
644                         mask = ACL_PRIV_LEVEL;
645                         for ( i = ACL_NONE; i <= be->be_dfltaccess; i++ ) {
646                                 mask |= ACL_ACCESS2PRIV( i );
647                         }
648                 }
649
650                 goto done;
651
652 #ifdef notdef
653         /* be is always non-NULL */
654         /* use global default access if no global acls */
655         } else if ( be == NULL && frontendDB->be_acl == NULL ) {
656                 Debug( LDAP_DEBUG_ACL,
657                         "=> access_allowed: global default %s access %s to \"%s\"\n",
658                         access2str( access ),
659                         frontendDB->be_dfltaccess >= access_level ?
660                                 "granted" : "denied", op->o_dn.bv_val );
661                 ret = frontendDB->be_dfltaccess >= access_level;
662
663                 if ( maskp ) {
664                         int     i;
665
666                         mask = ACL_PRIV_LEVEL;
667                         for ( i = ACL_NONE; i <= global_default_access; i++ ) {
668                                 mask |= ACL_ACCESS2PRIV( i );
669                         }
670                 }
671
672                 goto done;
673 #endif
674         }
675
676         ret = 0;
677         control = ACL_BREAK;
678
679         if ( st_same_attr ) {
680                 assert( state->as_vd_acl != NULL );
681
682                 a = state->as_vd_acl;
683                 count = state->as_vd_acl_count;
684                 if ( !ACL_IS_INVALID( state->as_vd_acl_mask ) ) {
685                         mask = state->as_vd_acl_mask;
686                         AC_MEMCPY( matches, state->as_vd_acl_matches, sizeof(matches) );
687                         goto vd_access;
688                 }
689
690         } else {
691                 if ( state ) state->as_vi_acl = NULL;
692                 a = NULL;
693                 ACL_INIT(mask);
694                 count = 0;
695                 memset( matches, '\0', sizeof(matches) );
696         }
697
698         while ( ( a = slap_acl_get( a, &count, op, e, desc, val,
699                 MAXREMATCHES, matches, state ) ) != NULL )
700         {
701                 int i;
702
703                 for ( i = 0; i < MAXREMATCHES && matches[i].rm_so > 0; i++ ) {
704                         Debug( LDAP_DEBUG_ACL, "=> match[%d]: %d %d ", i,
705                                 (int)matches[i].rm_so, (int)matches[i].rm_eo );
706                         if ( matches[i].rm_so <= matches[0].rm_eo ) {
707                                 int n;
708                                 for ( n = matches[i].rm_so; n < matches[i].rm_eo; n++ ) {
709                                         Debug( LDAP_DEBUG_ACL, "%c", e->e_ndn[n], 0, 0 );
710                                 }
711                         }
712                         Debug( LDAP_DEBUG_ARGS, "\n", 0, 0, 0 );
713                 }
714
715                 if ( state ) {
716                         if ( state->as_vi_acl == a &&
717                                 ( state->as_recorded & ACL_STATE_RECORDED_NV ) )
718                         {
719                                 Debug( LDAP_DEBUG_ACL,
720                                         "access_allowed: result from state (%s)\n",
721                                         attr, 0, 0 );
722                                 ret = state->as_result;
723                                 goto done;
724                         } else {
725                                 Debug( LDAP_DEBUG_ACL,
726                                         "access_allowed: no res from state (%s)\n",
727                                         attr, 0, 0 );
728                         }
729                 }
730
731 vd_access:
732                 control = slap_acl_mask( a, &mask, op,
733                         e, desc, val, MAXREMATCHES, matches, count, state );
734
735                 if ( control != ACL_BREAK ) {
736                         break;
737                 }
738
739                 memset( matches, '\0', sizeof(matches) );
740         }
741
742         if ( ACL_IS_INVALID( mask ) ) {
743                 Debug( LDAP_DEBUG_ACL,
744                         "=> access_allowed: \"%s\" (%s) invalid!\n",
745                         e->e_dn, attr, 0 );
746                 ACL_INIT(mask);
747
748         } else if ( control == ACL_BREAK ) {
749                 Debug( LDAP_DEBUG_ACL,
750                         "=> access_allowed: no more rules\n", 0, 0, 0 );
751
752                 goto done;
753         }
754
755         Debug( LDAP_DEBUG_ACL,
756                 "=> access_allowed: %s access %s by %s\n",
757                 access2str( access ),
758                 ACL_GRANT(mask, access) ? "granted" : "denied",
759                 accessmask2str( mask, accessmaskbuf, 1 ) );
760
761         ret = ACL_GRANT(mask, access);
762
763 done:
764         if ( state != NULL ) {
765                 /* If not value-dependent, save ACL in case of more attrs */
766                 if ( !( state->as_recorded & ACL_STATE_RECORDED_VD ) ) {
767                         state->as_vi_acl = a;
768                         state->as_result = ret;
769                 }
770                 state->as_recorded |= ACL_STATE_RECORDED;
771         }
772         if ( be_null ) op->o_bd = NULL;
773         if ( maskp ) *maskp = mask;
774         return ret;
775 }
776
777 #endif /* SLAP_OVERLAY_ACCESS */
778
779 /*
780  * slap_acl_get - return the acl applicable to entry e, attribute
781  * attr.  the acl returned is suitable for use in subsequent calls to
782  * acl_access_allowed().
783  */
784
785 static AccessControl *
786 slap_acl_get(
787         AccessControl *a,
788         int                     *count,
789         Operation       *op,
790         Entry           *e,
791         AttributeDescription *desc,
792         struct berval   *val,
793         int                     nmatch,
794         regmatch_t      *matches,
795         AccessControlState *state )
796 {
797         const char *attr;
798         int dnlen, patlen;
799         AccessControl *prev;
800
801         assert( e != NULL );
802         assert( count != NULL );
803         assert( desc != NULL );
804
805         attr = desc->ad_cname.bv_val;
806
807         assert( attr != NULL );
808
809         if( a == NULL ) {
810                 if( op->o_bd == NULL ) {
811                         a = frontendDB->be_acl;
812                 } else {
813                         a = op->o_bd->be_acl;
814                 }
815                 prev = NULL;
816
817                 assert( a != NULL );
818
819         } else {
820                 prev = a;
821                 a = a->acl_next;
822         }
823
824         dnlen = e->e_nname.bv_len;
825
826         for ( ; a != NULL; a = a->acl_next ) {
827                 (*count) ++;
828
829                 if ( a->acl_dn_pat.bv_len || ( a->acl_dn_style != ACL_STYLE_REGEX )) {
830                         if ( a->acl_dn_style == ACL_STYLE_REGEX ) {
831                                 Debug( LDAP_DEBUG_ACL, "=> dnpat: [%d] %s nsub: %d\n", 
832                                         *count, a->acl_dn_pat.bv_val, (int) a->acl_dn_re.re_nsub );
833                                 if (regexec(&a->acl_dn_re, e->e_ndn, nmatch, matches, 0))
834                                         continue;
835
836                         } else {
837                                 Debug( LDAP_DEBUG_ACL, "=> dn: [%d] %s\n", 
838                                         *count, a->acl_dn_pat.bv_val, 0 );
839                                 patlen = a->acl_dn_pat.bv_len;
840                                 if ( dnlen < patlen )
841                                         continue;
842
843                                 if ( a->acl_dn_style == ACL_STYLE_BASE ) {
844                                         /* base dn -- entire object DN must match */
845                                         if ( dnlen != patlen )
846                                                 continue;
847
848                                 } else if ( a->acl_dn_style == ACL_STYLE_ONE ) {
849                                         int     rdnlen = -1, sep = 0;
850
851                                         if ( dnlen <= patlen )
852                                                 continue;
853
854                                         if ( patlen > 0 ) {
855                                                 if ( !DN_SEPARATOR( e->e_ndn[dnlen - patlen - 1] ) )
856                                                         continue;
857                                                 sep = 1;
858                                         }
859
860                                         rdnlen = dn_rdnlen( NULL, &e->e_nname );
861                                         if ( rdnlen != dnlen - patlen - sep )
862                                                 continue;
863
864                                 } else if ( a->acl_dn_style == ACL_STYLE_SUBTREE ) {
865                                         if ( dnlen > patlen && !DN_SEPARATOR( e->e_ndn[dnlen - patlen - 1] ) )
866                                                 continue;
867
868                                 } else if ( a->acl_dn_style == ACL_STYLE_CHILDREN ) {
869                                         if ( dnlen <= patlen )
870                                                 continue;
871                                         if ( !DN_SEPARATOR( e->e_ndn[dnlen - patlen - 1] ) )
872                                                 continue;
873                                 }
874
875                                 if ( strcmp( a->acl_dn_pat.bv_val, e->e_ndn + dnlen - patlen ) != 0 )
876                                         continue;
877                         }
878
879                         Debug( LDAP_DEBUG_ACL, "=> acl_get: [%d] matched\n",
880                                 *count, 0, 0 );
881                 }
882
883                 if ( a->acl_attrs && !ad_inlist( desc, a->acl_attrs ) ) {
884                         matches[0].rm_so = matches[0].rm_eo = -1;
885                         continue;
886                 }
887
888                 /* Is this ACL only for a specific value? */
889                 if ( a->acl_attrval.bv_len ) {
890                         if ( val == NULL ) {
891                                 continue;
892                         }
893
894                         if( state && !( state->as_recorded & ACL_STATE_RECORDED_VD )) {
895                                 state->as_recorded |= ACL_STATE_RECORDED_VD;
896                                 state->as_vd_acl = a;
897                                 state->as_vd_acl_count = *count;
898                                 state->as_vd_access = a->acl_access;
899                                 state->as_vd_access_count = 1;
900                                 ACL_INVALIDATE( state->as_vd_acl_mask );
901                         }
902
903                         if ( a->acl_attrval_style == ACL_STYLE_REGEX ) {
904                                 Debug( LDAP_DEBUG_ACL,
905                                         "acl_get: valpat %s\n",
906                                         a->acl_attrval.bv_val, 0, 0 );
907                                 if ( regexec( &a->acl_attrval_re, val->bv_val, 0, NULL, 0 ) )
908                                 {
909                                         continue;
910                                 }
911
912                         } else {
913                                 int match = 0;
914                                 const char *text;
915                                 Debug( LDAP_DEBUG_ACL,
916                                         "acl_get: val %s\n",
917                                         a->acl_attrval.bv_val, 0, 0 );
918         
919                                 if ( a->acl_attrs[0].an_desc->ad_type->sat_syntax != slap_schema.si_syn_distinguishedName ) {
920                                         if (value_match( &match, desc,
921                                                 /* desc->ad_type->sat_equality */ a->acl_attrval_mr, 0,
922                                                 val, &a->acl_attrval, &text ) != LDAP_SUCCESS ||
923                                                         match )
924                                                 continue;
925                                         
926                                 } else {
927                                         int             patlen, vdnlen;
928         
929                                         patlen = a->acl_attrval.bv_len;
930                                         vdnlen = val->bv_len;
931         
932                                         if ( vdnlen < patlen )
933                                                 continue;
934         
935                                         if ( a->acl_attrval_style == ACL_STYLE_BASE ) {
936                                                 if ( vdnlen > patlen )
937                                                         continue;
938         
939                                         } else if ( a->acl_attrval_style == ACL_STYLE_ONE ) {
940                                                 int rdnlen = -1;
941         
942                                                 if ( !DN_SEPARATOR( val->bv_val[vdnlen - patlen - 1] ) )
943                                                         continue;
944         
945                                                 rdnlen = dn_rdnlen( NULL, val );
946                                                 if ( rdnlen != vdnlen - patlen - 1 )
947                                                         continue;
948         
949                                         } else if ( a->acl_attrval_style == ACL_STYLE_SUBTREE ) {
950                                                 if ( vdnlen > patlen && !DN_SEPARATOR( val->bv_val[vdnlen - patlen - 1] ) )
951                                                         continue;
952         
953                                         } else if ( a->acl_attrval_style == ACL_STYLE_CHILDREN ) {
954                                                 if ( vdnlen <= patlen )
955                                                         continue;
956         
957                                                 if ( !DN_SEPARATOR( val->bv_val[vdnlen - patlen - 1] ) )
958                                                         continue;
959                                         }
960         
961                                         if ( strcmp( a->acl_attrval.bv_val, val->bv_val + vdnlen - patlen ))
962                                                 continue;
963                                 }
964                         }
965                 }
966
967                 if ( a->acl_filter != NULL ) {
968                         ber_int_t rc = test_filter( NULL, e, a->acl_filter );
969                         if ( rc != LDAP_COMPARE_TRUE ) {
970                                 continue;
971                         }
972                 }
973
974                 Debug( LDAP_DEBUG_ACL, "=> acl_get: [%d] attr %s\n",
975                        *count, attr, 0);
976                 return a;
977         }
978
979         Debug( LDAP_DEBUG_ACL, "<= acl_get: done.\n", 0, 0, 0 );
980         return( NULL );
981 }
982
983 static int
984 acl_mask_dn(
985         Operation               *op,
986         Entry                   *e,
987         AccessControl           *a,
988         int                     nmatch,
989         regmatch_t              *matches,
990         slap_dn_access          *b,
991         struct berval           *opndn )
992 {
993         /*
994          * if access applies to the entry itself, and the
995          * user is bound as somebody in the same namespace as
996          * the entry, OR the given dn matches the dn pattern
997          */
998         /*
999          * NOTE: styles "anonymous", "users" and "self" 
1000          * have been moved to enum slap_style_t, whose 
1001          * value is set in a_dn_style; however, the string
1002          * is maintaned in a_dn_pat.
1003          */
1004         if ( b->a_style == ACL_STYLE_ANONYMOUS ) {
1005                 if ( !BER_BVISEMPTY( opndn ) ) {
1006                         return 1;
1007                 }
1008
1009         } else if ( b->a_style == ACL_STYLE_USERS ) {
1010                 if ( BER_BVISEMPTY( opndn ) ) {
1011                         return 1;
1012                 }
1013
1014         } else if ( b->a_style == ACL_STYLE_SELF ) {
1015                 struct berval   ndn, selfndn;
1016                 int             level;
1017
1018                 if ( BER_BVISEMPTY( opndn ) || BER_BVISNULL( &e->e_nname ) ) {
1019                         return 1;
1020                 }
1021
1022                 level = b->a_self_level;
1023                 if ( level < 0 ) {
1024                         selfndn = *opndn;
1025                         ndn = e->e_nname;
1026                         level = -level;
1027
1028                 } else {
1029                         ndn = *opndn;
1030                         selfndn = e->e_nname;
1031                 }
1032
1033                 for ( ; level > 0; level-- ) {
1034                         if ( BER_BVISEMPTY( &ndn ) ) {
1035                                 break;
1036                         }
1037                         dnParent( &ndn, &ndn );
1038                 }
1039                         
1040                 if ( BER_BVISEMPTY( &ndn ) || !dn_match( &ndn, &selfndn ) )
1041                 {
1042                         return 1;
1043                 }
1044
1045         } else if ( b->a_style == ACL_STYLE_REGEX ) {
1046                 if ( !ber_bvccmp( &b->a_pat, '*' ) ) {
1047                         int             tmp_nmatch;
1048                         regmatch_t      tmp_matches[2],
1049                                         *tmp_matchesp = tmp_matches;
1050
1051                         int             rc = 0;
1052
1053                         switch ( a->acl_dn_style ) {
1054                         case ACL_STYLE_REGEX:
1055                                 if ( !BER_BVISNULL( &a->acl_dn_pat ) ) {
1056                                         tmp_matchesp = matches;
1057                                         tmp_nmatch = nmatch;
1058                                         break;
1059                                 }
1060                         /* FALLTHRU: applies also to ACL_STYLE_REGEX when pattern is "*" */
1061
1062                         case ACL_STYLE_BASE:
1063                                 tmp_matches[0].rm_so = 0;
1064                                 tmp_matches[0].rm_eo = e->e_nname.bv_len;
1065                                 tmp_nmatch = 1;
1066                                 break;
1067
1068                         case ACL_STYLE_ONE:
1069                         case ACL_STYLE_SUBTREE:
1070                         case ACL_STYLE_CHILDREN:
1071                                 tmp_matches[0].rm_so = 0;
1072                                 tmp_matches[0].rm_eo = e->e_nname.bv_len;
1073                                 tmp_matches[1].rm_so = e->e_nname.bv_len - a->acl_dn_pat.bv_len;
1074                                 tmp_matches[1].rm_eo = e->e_nname.bv_len;
1075                                 tmp_nmatch = 2;
1076                                 break;
1077
1078                         default:
1079                                 /* error */
1080                                 rc = 1;
1081                                 break;
1082                         }
1083
1084                         if ( rc ) {
1085                                 return 1;
1086                         }
1087
1088                         if ( !regex_matches( &b->a_pat, opndn->bv_val,
1089                                 e->e_ndn, tmp_nmatch, tmp_matchesp ) )
1090                         {
1091                                 return 1;
1092                         }
1093                 }
1094
1095         } else {
1096                 struct berval   pat;
1097                 ber_len_t       patlen, odnlen;
1098                 int             got_match = 0;
1099
1100                 if ( e->e_dn == NULL )
1101                         return 1;
1102
1103                 if ( b->a_expand ) {
1104                         struct berval   bv;
1105                         char            buf[ACL_BUF_SIZE];
1106                         
1107                         int             tmp_nmatch;
1108                         regmatch_t      tmp_matches[2],
1109                                         *tmp_matchesp = tmp_matches;
1110
1111                         int             rc = 0;
1112
1113                         bv.bv_len = sizeof( buf ) - 1;
1114                         bv.bv_val = buf;
1115
1116                         switch ( a->acl_dn_style ) {
1117                         case ACL_STYLE_REGEX:
1118                                 if ( !BER_BVISNULL( &a->acl_dn_pat ) ) {
1119                                         tmp_matchesp = matches;
1120                                         tmp_nmatch = nmatch;
1121                                         break;
1122                                 }
1123                         /* FALLTHRU: applies also to ACL_STYLE_REGEX when pattern is "*" */
1124
1125                         case ACL_STYLE_BASE:
1126                                 tmp_matches[0].rm_so = 0;
1127                                 tmp_matches[0].rm_eo = e->e_nname.bv_len;
1128                                 tmp_nmatch = 1;
1129                                 break;
1130
1131                         case ACL_STYLE_ONE:
1132                         case ACL_STYLE_SUBTREE:
1133                         case ACL_STYLE_CHILDREN:
1134                                 tmp_matches[0].rm_so = 0;
1135                                 tmp_matches[0].rm_eo = e->e_nname.bv_len;
1136                                 tmp_matches[1].rm_so = e->e_nname.bv_len - a->acl_dn_pat.bv_len;
1137                                 tmp_matches[1].rm_eo = e->e_nname.bv_len;
1138                                 tmp_nmatch = 2;
1139                                 break;
1140
1141                         default:
1142                                 /* error */
1143                                 rc = 1;
1144                                 break;
1145                         }
1146
1147                         if ( rc ) {
1148                                 return 1;
1149                         }
1150
1151                         if ( string_expand( &bv, &b->a_pat, 
1152                                         e->e_nname.bv_val,
1153                                         tmp_nmatch, tmp_matchesp ) )
1154                         {
1155                                 return 1;
1156                         }
1157                         
1158                         if ( dnNormalize(0, NULL, NULL, &bv,
1159                                         &pat, op->o_tmpmemctx )
1160                                         != LDAP_SUCCESS )
1161                         {
1162                                 /* did not expand to a valid dn */
1163                                 return 1;
1164                         }
1165
1166                 } else {
1167                         pat = b->a_pat;
1168                 }
1169
1170                 patlen = pat.bv_len;
1171                 odnlen = opndn->bv_len;
1172                 if ( odnlen < patlen ) {
1173                         goto dn_match_cleanup;
1174
1175                 }
1176
1177                 if ( b->a_style == ACL_STYLE_BASE ) {
1178                         /* base dn -- entire object DN must match */
1179                         if ( odnlen != patlen ) {
1180                                 goto dn_match_cleanup;
1181                         }
1182
1183                 } else if ( b->a_style == ACL_STYLE_ONE ) {
1184                         int rdnlen = -1;
1185
1186                         if ( odnlen <= patlen ) {
1187                                 goto dn_match_cleanup;
1188                         }
1189
1190                         if ( !DN_SEPARATOR( opndn->bv_val[odnlen - patlen - 1] ) ) {
1191                                 goto dn_match_cleanup;
1192                         }
1193
1194                         rdnlen = dn_rdnlen( NULL, opndn );
1195                         if ( rdnlen != odnlen - patlen - 1 ) {
1196                                 goto dn_match_cleanup;
1197                         }
1198
1199                 } else if ( b->a_style == ACL_STYLE_SUBTREE ) {
1200                         if ( odnlen > patlen && !DN_SEPARATOR( opndn->bv_val[odnlen - patlen - 1] ) ) {
1201                                 goto dn_match_cleanup;
1202                         }
1203
1204                 } else if ( b->a_style == ACL_STYLE_CHILDREN ) {
1205                         if ( odnlen <= patlen ) {
1206                                 goto dn_match_cleanup;
1207                         }
1208
1209                         if ( !DN_SEPARATOR( opndn->bv_val[odnlen - patlen - 1] ) ) {
1210                                 goto dn_match_cleanup;
1211                         }
1212
1213                 } else if ( b->a_style == ACL_STYLE_LEVEL ) {
1214                         int level;
1215                         struct berval ndn;
1216
1217                         if ( odnlen <= patlen ) {
1218                                 goto dn_match_cleanup;
1219                         }
1220
1221                         if ( level > 0 && !DN_SEPARATOR( opndn->bv_val[odnlen - patlen - 1] ) )
1222                         {
1223                                 goto dn_match_cleanup;
1224                         }
1225                         
1226                         level = b->a_level;
1227                         ndn = *opndn;
1228                         for ( ; level > 0; level-- ) {
1229                                 if ( BER_BVISEMPTY( &ndn ) ) {
1230                                         goto dn_match_cleanup;
1231                                 }
1232                                 dnParent( &ndn, &ndn );
1233                                 if ( ndn.bv_len < patlen ) {
1234                                         goto dn_match_cleanup;
1235                                 }
1236                         }
1237                         
1238                         if ( ndn.bv_len != patlen ) {
1239                                 goto dn_match_cleanup;
1240                         }
1241                 }
1242
1243                 got_match = !strcmp( pat.bv_val, &opndn->bv_val[ odnlen - patlen ] );
1244
1245 dn_match_cleanup:;
1246                 if ( pat.bv_val != b->a_pat.bv_val ) {
1247                         slap_sl_free( pat.bv_val, op->o_tmpmemctx );
1248                 }
1249
1250                 if ( !got_match ) {
1251                         return 1;
1252                 }
1253         }
1254
1255         return 0;
1256 }
1257
1258 /*
1259  * Record value-dependent access control state
1260  */
1261 #define ACL_RECORD_VALUE_STATE do { \
1262                 if( state && !( state->as_recorded & ACL_STATE_RECORDED_VD )) { \
1263                         state->as_recorded |= ACL_STATE_RECORDED_VD; \
1264                         state->as_vd_acl = a; \
1265                         AC_MEMCPY( state->as_vd_acl_matches, matches, \
1266                                 sizeof( state->as_vd_acl_matches )) ; \
1267                         state->as_vd_acl_count = count; \
1268                         state->as_vd_access = b; \
1269                         state->as_vd_access_count = i; \
1270                 } \
1271         } while( 0 )
1272
1273 static int
1274 acl_mask_dnattr(
1275         Operation               *op,
1276         Entry                   *e,
1277         struct berval           *val,
1278         AccessControl           *a,
1279         Access                  *b,
1280         int                     i,
1281         regmatch_t              *matches,
1282         int                     count,
1283         AccessControlState      *state,
1284         slap_dn_access          *bdn,
1285         struct berval           *opndn )
1286 {
1287         Attribute       *at;
1288         struct berval   bv;
1289         int             rc, match = 0;
1290         const char      *text;
1291         const char      *attr = bdn->a_at->ad_cname.bv_val;
1292
1293         assert( attr != NULL );
1294
1295         if ( BER_BVISEMPTY( opndn ) ) {
1296                 return 1;
1297         }
1298
1299         Debug( LDAP_DEBUG_ACL, "<= check a_dn_at: %s\n", attr, 0, 0 );
1300         bv = *opndn;
1301
1302         /* see if asker is listed in dnattr */
1303         for ( at = attrs_find( e->e_attrs, bdn->a_at );
1304                 at != NULL;
1305                 at = attrs_find( at->a_next, bdn->a_at ) )
1306         {
1307                 if ( value_find_ex( bdn->a_at,
1308                         SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH |
1309                                 SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH,
1310                         at->a_nvals,
1311                         &bv, op->o_tmpmemctx ) == 0 )
1312                 {
1313                         /* found it */
1314                         match = 1;
1315                         break;
1316                 }
1317         }
1318
1319         if ( match ) {
1320                 /* have a dnattr match. if this is a self clause then
1321                  * the target must also match the op dn.
1322                  */
1323                 if ( bdn->a_self ) {
1324                         /* check if the target is an attribute. */
1325                         if ( val == NULL ) return 1;
1326
1327                         /* target is attribute, check if the attribute value
1328                          * is the op dn.
1329                          */
1330                         rc = value_match( &match, bdn->a_at,
1331                                 bdn->a_at->ad_type->sat_equality, 0,
1332                                 val, &bv, &text );
1333                         /* on match error or no match, fail the ACL clause */
1334                         if ( rc != LDAP_SUCCESS || match != 0 )
1335                                 return 1;
1336                 }
1337
1338         } else {
1339                 /* no dnattr match, check if this is a self clause */
1340                 if ( ! bdn->a_self )
1341                         return 1;
1342
1343                 ACL_RECORD_VALUE_STATE;
1344                 
1345                 /* this is a self clause, check if the target is an
1346                  * attribute.
1347                  */
1348                 if ( val == NULL )
1349                         return 1;
1350
1351                 /* target is attribute, check if the attribute value
1352                  * is the op dn.
1353                  */
1354                 rc = value_match( &match, bdn->a_at,
1355                         bdn->a_at->ad_type->sat_equality, 0,
1356                         val, &bv, &text );
1357
1358                 /* on match error or no match, fail the ACL clause */
1359                 if ( rc != LDAP_SUCCESS || match != 0 )
1360                         return 1;
1361         }
1362
1363         return 0;
1364 }
1365
1366
1367 /*
1368  * slap_acl_mask - modifies mask based upon the given acl and the
1369  * requested access to entry e, attribute attr, value val.  if val
1370  * is null, access to the whole attribute is assumed (all values).
1371  *
1372  * returns      0       access NOT allowed
1373  *              1       access allowed
1374  */
1375
1376 static slap_control_t
1377 slap_acl_mask(
1378         AccessControl           *a,
1379         slap_mask_t             *mask,
1380         Operation               *op,
1381         Entry                   *e,
1382         AttributeDescription    *desc,
1383         struct berval           *val,
1384         int                     nmatch,
1385         regmatch_t              *matches,
1386         int                     count,
1387         AccessControlState      *state )
1388 {
1389         int             i;
1390         Access  *b;
1391 #ifdef LDAP_DEBUG
1392         char accessmaskbuf[ACCESSMASK_MAXLEN];
1393 #if !defined( SLAP_DYNACL ) && defined( SLAPD_ACI_ENABLED )
1394         char accessmaskbuf1[ACCESSMASK_MAXLEN];
1395 #endif /* !SLAP_DYNACL && SLAPD_ACI_ENABLED */
1396 #endif /* DEBUG */
1397         const char *attr;
1398
1399         assert( a != NULL );
1400         assert( mask != NULL );
1401         assert( desc != NULL );
1402
1403         attr = desc->ad_cname.bv_val;
1404
1405         assert( attr != NULL );
1406
1407         Debug( LDAP_DEBUG_ACL,
1408                 "=> acl_mask: access to entry \"%s\", attr \"%s\" requested\n",
1409                 e->e_dn, attr, 0 );
1410
1411         Debug( LDAP_DEBUG_ACL,
1412                 "=> acl_mask: to %s by \"%s\", (%s) \n",
1413                 val ? "value" : "all values",
1414                 op->o_ndn.bv_val ?  op->o_ndn.bv_val : "",
1415                 accessmask2str( *mask, accessmaskbuf, 1 ) );
1416
1417
1418         if( state && ( state->as_recorded & ACL_STATE_RECORDED_VD )
1419                 && state->as_vd_acl == a )
1420         {
1421                 b = state->as_vd_access;
1422                 i = state->as_vd_access_count;
1423
1424         } else {
1425                 b = a->acl_access;
1426                 i = 1;
1427         }
1428
1429         for ( ; b != NULL; b = b->a_next, i++ ) {
1430                 slap_mask_t oldmask, modmask;
1431
1432                 ACL_INVALIDATE( modmask );
1433
1434                 /* AND <who> clauses */
1435                 if ( !BER_BVISEMPTY( &b->a_dn_pat ) ) {
1436                         Debug( LDAP_DEBUG_ACL, "<= check a_dn_pat: %s\n",
1437                                 b->a_dn_pat.bv_val, 0, 0);
1438                         /*
1439                          * if access applies to the entry itself, and the
1440                          * user is bound as somebody in the same namespace as
1441                          * the entry, OR the given dn matches the dn pattern
1442                          */
1443                         /*
1444                          * NOTE: styles "anonymous", "users" and "self" 
1445                          * have been moved to enum slap_style_t, whose 
1446                          * value is set in a_dn_style; however, the string
1447                          * is maintaned in a_dn_pat.
1448                          */
1449
1450                         if ( acl_mask_dn( op, e, a, nmatch, matches,
1451                                 &b->a_dn, &op->o_ndn ) )
1452                         {
1453                                 continue;
1454                         }
1455                 }
1456
1457                 if ( !BER_BVISEMPTY( &b->a_realdn_pat ) ) {
1458                         struct berval   ndn;
1459
1460                         Debug( LDAP_DEBUG_ACL, "<= check a_realdn_pat: %s\n",
1461                                 b->a_realdn_pat.bv_val, 0, 0);
1462                         /*
1463                          * if access applies to the entry itself, and the
1464                          * user is bound as somebody in the same namespace as
1465                          * the entry, OR the given dn matches the dn pattern
1466                          */
1467                         /*
1468                          * NOTE: styles "anonymous", "users" and "self" 
1469                          * have been moved to enum slap_style_t, whose 
1470                          * value is set in a_dn_style; however, the string
1471                          * is maintaned in a_dn_pat.
1472                          */
1473
1474                         if ( op->o_conn && !BER_BVISNULL( &op->o_conn->c_ndn ) )
1475                         {
1476                                 ndn = op->o_conn->c_ndn;
1477                         } else {
1478                                 ndn = op->o_ndn;
1479                         }
1480
1481                         if ( acl_mask_dn( op, e, a, nmatch, matches,
1482                                 &b->a_realdn, &ndn ) )
1483                         {
1484                                 continue;
1485                         }
1486                 }
1487
1488                 if ( !BER_BVISEMPTY( &b->a_sockurl_pat ) ) {
1489                         if ( ! op->o_conn->c_listener ) {
1490                                 continue;
1491                         }
1492                         Debug( LDAP_DEBUG_ACL, "<= check a_sockurl_pat: %s\n",
1493                                 b->a_sockurl_pat.bv_val, 0, 0 );
1494
1495                         if ( !ber_bvccmp( &b->a_sockurl_pat, '*' ) ) {
1496                                 if ( b->a_sockurl_style == ACL_STYLE_REGEX) {
1497                                         if (!regex_matches( &b->a_sockurl_pat, op->o_conn->c_listener_url.bv_val,
1498                                                         e->e_ndn, nmatch, matches ) ) 
1499                                         {
1500                                                 continue;
1501                                         }
1502
1503                                 } else if ( b->a_sockurl_style == ACL_STYLE_EXPAND ) {
1504                                         struct berval   bv;
1505                                         char buf[ACL_BUF_SIZE];
1506
1507                                         bv.bv_len = sizeof( buf ) - 1;
1508                                         bv.bv_val = buf;
1509                                         if ( string_expand( &bv, &b->a_sockurl_pat,
1510                                                         e->e_ndn, nmatch, matches ) )
1511                                         {
1512                                                 continue;
1513                                         }
1514
1515                                         if ( ber_bvstrcasecmp( &bv, &op->o_conn->c_listener_url ) != 0 )
1516                                         {
1517                                                 continue;
1518                                         }
1519
1520                                 } else {
1521                                         if ( ber_bvstrcasecmp( &b->a_sockurl_pat, &op->o_conn->c_listener_url ) != 0 )
1522                                         {
1523                                                 continue;
1524                                         }
1525                                 }
1526                         }
1527                 }
1528
1529                 if ( !BER_BVISEMPTY( &b->a_domain_pat ) ) {
1530                         if ( !op->o_conn->c_peer_domain.bv_val ) {
1531                                 continue;
1532                         }
1533                         Debug( LDAP_DEBUG_ACL, "<= check a_domain_pat: %s\n",
1534                                 b->a_domain_pat.bv_val, 0, 0 );
1535                         if ( !ber_bvccmp( &b->a_domain_pat, '*' ) ) {
1536                                 if ( b->a_domain_style == ACL_STYLE_REGEX) {
1537                                         if (!regex_matches( &b->a_domain_pat, op->o_conn->c_peer_domain.bv_val,
1538                                                         e->e_ndn, nmatch, matches ) ) 
1539                                         {
1540                                                 continue;
1541                                         }
1542                                 } else {
1543                                         char buf[ACL_BUF_SIZE];
1544
1545                                         struct berval   cmp = op->o_conn->c_peer_domain;
1546                                         struct berval   pat = b->a_domain_pat;
1547
1548                                         if ( b->a_domain_expand ) {
1549                                                 struct berval bv;
1550
1551                                                 bv.bv_len = sizeof(buf) - 1;
1552                                                 bv.bv_val = buf;
1553
1554                                                 if ( string_expand(&bv, &b->a_domain_pat,
1555                                                                 e->e_ndn, nmatch, matches) )
1556                                                 {
1557                                                         continue;
1558                                                 }
1559                                                 pat = bv;
1560                                         }
1561
1562                                         if ( b->a_domain_style == ACL_STYLE_SUBTREE ) {
1563                                                 int offset = cmp.bv_len - pat.bv_len;
1564                                                 if ( offset < 0 ) {
1565                                                         continue;
1566                                                 }
1567
1568                                                 if ( offset == 1 || ( offset > 1 && cmp.bv_val[ offset - 1 ] != '.' ) ) {
1569                                                         continue;
1570                                                 }
1571
1572                                                 /* trim the domain */
1573                                                 cmp.bv_val = &cmp.bv_val[ offset ];
1574                                                 cmp.bv_len -= offset;
1575                                         }
1576                                         
1577                                         if ( ber_bvstrcasecmp( &pat, &cmp ) != 0 ) {
1578                                                 continue;
1579                                         }
1580                                 }
1581                         }
1582                 }
1583
1584                 if ( !BER_BVISEMPTY( &b->a_peername_pat ) ) {
1585                         if ( !op->o_conn->c_peer_name.bv_val ) {
1586                                 continue;
1587                         }
1588                         Debug( LDAP_DEBUG_ACL, "<= check a_peername_path: %s\n",
1589                                 b->a_peername_pat.bv_val, 0, 0 );
1590                         if ( !ber_bvccmp( &b->a_peername_pat, '*' ) ) {
1591                                 if ( b->a_peername_style == ACL_STYLE_REGEX ) {
1592                                         if (!regex_matches( &b->a_peername_pat, op->o_conn->c_peer_name.bv_val,
1593                                                         e->e_ndn, nmatch, matches ) ) 
1594                                         {
1595                                                 continue;
1596                                         }
1597
1598                                 } else {
1599                                         /* try exact match */
1600                                         if ( b->a_peername_style == ACL_STYLE_BASE ) {
1601                                                 if ( ber_bvstrcasecmp( &b->a_peername_pat, &op->o_conn->c_peer_name ) != 0 ) {
1602                                                         continue;
1603                                                 }
1604
1605                                         } else if ( b->a_peername_style == ACL_STYLE_EXPAND ) {
1606                                                 struct berval   bv;
1607                                                 char buf[ACL_BUF_SIZE];
1608
1609                                                 bv.bv_len = sizeof( buf ) - 1;
1610                                                 bv.bv_val = buf;
1611                                                 if ( string_expand( &bv, &b->a_peername_pat,
1612                                                                 e->e_ndn, nmatch, matches ) )
1613                                                 {
1614                                                         continue;
1615                                                 }
1616
1617                                                 if ( ber_bvstrcasecmp( &bv, &op->o_conn->c_peer_name ) != 0 ) {
1618                                                         continue;
1619                                                 }
1620
1621                                         /* extract IP and try exact match */
1622                                         } else if ( b->a_peername_style == ACL_STYLE_IP ) {
1623                                                 char            *port;
1624                                                 char            buf[] = "255.255.255.255";
1625                                                 struct berval   ip;
1626                                                 unsigned long   addr;
1627                                                 int             port_number = -1;
1628                                                 
1629                                                 if ( strncasecmp( op->o_conn->c_peer_name.bv_val, 
1630                                                                         aci_bv_ip_eq.bv_val, aci_bv_ip_eq.bv_len ) != 0 ) 
1631                                                         continue;
1632
1633                                                 ip.bv_val = op->o_conn->c_peer_name.bv_val + aci_bv_ip_eq.bv_len;
1634                                                 ip.bv_len = op->o_conn->c_peer_name.bv_len - aci_bv_ip_eq.bv_len;
1635
1636                                                 port = strrchr( ip.bv_val, ':' );
1637                                                 if ( port ) {
1638                                                         char    *next;
1639                                                         
1640                                                         ip.bv_len = port - ip.bv_val;
1641                                                         ++port;
1642                                                         port_number = strtol( port, &next, 10 );
1643                                                         if ( next[0] != '\0' )
1644                                                                 continue;
1645                                                 }
1646                                                 
1647                                                 /* the port check can be anticipated here */
1648                                                 if ( b->a_peername_port != -1 && port_number != b->a_peername_port )
1649                                                         continue;
1650                                                 
1651                                                 /* address longer than expected? */
1652                                                 if ( ip.bv_len >= sizeof(buf) )
1653                                                         continue;
1654
1655                                                 AC_MEMCPY( buf, ip.bv_val, ip.bv_len );
1656                                                 buf[ ip.bv_len ] = '\0';
1657
1658                                                 addr = inet_addr( buf );
1659
1660                                                 /* unable to convert? */
1661                                                 if ( addr == (unsigned long)(-1) )
1662                                                         continue;
1663
1664                                                 if ( (addr & b->a_peername_mask) != b->a_peername_addr )
1665                                                         continue;
1666
1667 #ifdef LDAP_PF_LOCAL
1668                                         /* extract path and try exact match */
1669                                         } else if ( b->a_peername_style == ACL_STYLE_PATH ) {
1670                                                 struct berval path;
1671                                                 
1672                                                 if ( strncmp( op->o_conn->c_peer_name.bv_val,
1673                                                                         aci_bv_path_eq.bv_val, aci_bv_path_eq.bv_len ) != 0 )
1674                                                         continue;
1675
1676                                                 path.bv_val = op->o_conn->c_peer_name.bv_val + aci_bv_path_eq.bv_len;
1677                                                 path.bv_len = op->o_conn->c_peer_name.bv_len - aci_bv_path_eq.bv_len;
1678
1679                                                 if ( ber_bvcmp( &b->a_peername_pat, &path ) != 0 )
1680                                                         continue;
1681
1682 #endif /* LDAP_PF_LOCAL */
1683
1684                                         /* exact match (very unlikely...) */
1685                                         } else if ( ber_bvcmp( &op->o_conn->c_peer_name, &b->a_peername_pat ) != 0 ) {
1686                                                         continue;
1687                                         }
1688                                 }
1689                         }
1690                 }
1691
1692                 if ( !BER_BVISEMPTY( &b->a_sockname_pat ) ) {
1693                         if ( BER_BVISNULL( &op->o_conn->c_sock_name ) ) {
1694                                 continue;
1695                         }
1696                         Debug( LDAP_DEBUG_ACL, "<= check a_sockname_path: %s\n",
1697                                 b->a_sockname_pat.bv_val, 0, 0 );
1698                         if ( !ber_bvccmp( &b->a_sockname_pat, '*' ) ) {
1699                                 if ( b->a_sockname_style == ACL_STYLE_REGEX) {
1700                                         if (!regex_matches( &b->a_sockname_pat, op->o_conn->c_sock_name.bv_val,
1701                                                         e->e_ndn, nmatch, matches ) ) 
1702                                         {
1703                                                 continue;
1704                                         }
1705
1706                                 } else if ( b->a_sockname_style == ACL_STYLE_EXPAND ) {
1707                                         struct berval   bv;
1708                                         char buf[ACL_BUF_SIZE];
1709
1710                                         bv.bv_len = sizeof( buf ) - 1;
1711                                         bv.bv_val = buf;
1712                                         if ( string_expand( &bv, &b->a_sockname_pat,
1713                                                         e->e_ndn, nmatch, matches ) )
1714                                         {
1715                                                 continue;
1716                                         }
1717
1718                                         if ( ber_bvstrcasecmp( &bv, &op->o_conn->c_sock_name ) != 0 ) {
1719                                                 continue;
1720                                         }
1721
1722                                 } else {
1723                                         if ( ber_bvstrcasecmp( &b->a_sockname_pat, &op->o_conn->c_sock_name ) != 0 ) {
1724                                                 continue;
1725                                         }
1726                                 }
1727                         }
1728                 }
1729
1730                 if ( b->a_dn_at != NULL ) {
1731                         if ( acl_mask_dnattr( op, e, val, a, b, i,
1732                                         matches, count, state,
1733                                         &b->a_dn, &op->o_ndn ) )
1734                         {
1735                                 continue;
1736                         }
1737                 }
1738
1739                 if ( b->a_realdn_at != NULL ) {
1740                         struct berval   ndn;
1741
1742                         if ( op->o_conn && !BER_BVISNULL( &op->o_conn->c_ndn ) )
1743                         {
1744                                 ndn = op->o_conn->c_ndn;
1745                         } else {
1746                                 ndn = op->o_ndn;
1747                         }
1748
1749                         if ( acl_mask_dnattr( op, e, val, a, b, i,
1750                                         matches, count, state,
1751                                         &b->a_realdn, &ndn ) )
1752                         {
1753                                 continue;
1754                         }
1755                 }
1756
1757                 if ( !BER_BVISEMPTY( &b->a_group_pat ) ) {
1758                         struct berval bv;
1759                         struct berval ndn = BER_BVNULL;
1760                         int rc;
1761
1762                         if ( op->o_ndn.bv_len == 0 ) {
1763                                 continue;
1764                         }
1765
1766                         Debug( LDAP_DEBUG_ACL, "<= check a_group_pat: %s\n",
1767                                 b->a_group_pat.bv_val, 0, 0 );
1768
1769                         /* b->a_group is an unexpanded entry name, expanded it should be an 
1770                          * entry with objectclass group* and we test to see if odn is one of
1771                          * the values in the attribute group
1772                          */
1773                         /* see if asker is listed in dnattr */
1774                         if ( b->a_group_style == ACL_STYLE_EXPAND ) {
1775                                 char            buf[ACL_BUF_SIZE];
1776                                 int             tmp_nmatch;
1777                                 regmatch_t      tmp_matches[2],
1778                                                 *tmp_matchesp = tmp_matches;
1779
1780                                 bv.bv_len = sizeof(buf) - 1;
1781                                 bv.bv_val = buf;
1782
1783                                 rc = 0;
1784
1785                                 switch ( a->acl_dn_style ) {
1786                                 case ACL_STYLE_REGEX:
1787                                         if ( !BER_BVISNULL( &a->acl_dn_pat ) ) {
1788                                                 tmp_matchesp = matches;
1789                                                 tmp_nmatch = nmatch;
1790                                                 break;
1791                                         }
1792
1793                                 /* FALLTHRU: applies also to ACL_STYLE_REGEX when pattern is "*" */
1794                                 case ACL_STYLE_BASE:
1795                                         tmp_matches[0].rm_so = 0;
1796                                         tmp_matches[0].rm_eo = e->e_nname.bv_len;
1797                                         tmp_nmatch = 1;
1798                                         break;
1799
1800                                 case ACL_STYLE_ONE:
1801                                 case ACL_STYLE_SUBTREE:
1802                                 case ACL_STYLE_CHILDREN:
1803                                         tmp_matches[0].rm_so = 0;
1804                                         tmp_matches[0].rm_eo = e->e_nname.bv_len;
1805                                         tmp_matches[1].rm_so = e->e_nname.bv_len - a->acl_dn_pat.bv_len;
1806                                         tmp_matches[1].rm_eo = e->e_nname.bv_len;
1807                                         tmp_nmatch = 2;
1808                                         break;
1809
1810                                 default:
1811                                         /* error */
1812                                         rc = 1;
1813                                         break;
1814                                 }
1815
1816                                 if ( rc ) {
1817                                         continue;
1818                                 }
1819                                 
1820                                 if ( string_expand( &bv, &b->a_group_pat,
1821                                                 e->e_nname.bv_val,
1822                                                 tmp_nmatch, tmp_matchesp ) )
1823                                 {
1824                                         continue;
1825                                 }
1826
1827                                 if ( dnNormalize( 0, NULL, NULL, &bv, &ndn,
1828                                                 op->o_tmpmemctx ) != LDAP_SUCCESS )
1829                                 {
1830                                         /* did not expand to a valid dn */
1831                                         continue;
1832                                 }
1833
1834                                 bv = ndn;
1835
1836                         } else {
1837                                 bv = b->a_group_pat;
1838                         }
1839
1840                         rc = backend_group( op, e, &bv, &op->o_ndn,
1841                                 b->a_group_oc, b->a_group_at );
1842
1843                         if ( ndn.bv_val ) {
1844                                 slap_sl_free( ndn.bv_val, op->o_tmpmemctx );
1845                         }
1846
1847                         if ( rc != 0 ) {
1848                                 continue;
1849                         }
1850                 }
1851
1852                 if ( !BER_BVISEMPTY( &b->a_set_pat ) ) {
1853                         struct berval   bv;
1854                         char            buf[ACL_BUF_SIZE];
1855
1856                         Debug( LDAP_DEBUG_ACL, "<= check a_set_pat: %s\n",
1857                                 b->a_set_pat.bv_val, 0, 0 );
1858
1859                         if ( b->a_set_style == ACL_STYLE_EXPAND ) {
1860                                 int             tmp_nmatch;
1861                                 regmatch_t      tmp_matches[2],
1862                                                 *tmp_matchesp = tmp_matches;
1863                                 int             rc = 0;
1864
1865                                 bv.bv_len = sizeof( buf ) - 1;
1866                                 bv.bv_val = buf;
1867
1868                                 rc = 0;
1869
1870                                 switch ( a->acl_dn_style ) {
1871                                 case ACL_STYLE_REGEX:
1872                                         if ( !BER_BVISNULL( &a->acl_dn_pat ) ) {
1873                                                 tmp_matchesp = matches;
1874                                                 tmp_nmatch = nmatch;
1875                                                 break;
1876                                         }
1877
1878                                 /* FALLTHRU: applies also to ACL_STYLE_REGEX when pattern is "*" */
1879                                 case ACL_STYLE_BASE:
1880                                         tmp_matches[0].rm_so = 0;
1881                                         tmp_matches[0].rm_eo = e->e_nname.bv_len;
1882                                         tmp_nmatch = 1;
1883                                         break;
1884
1885                                 case ACL_STYLE_ONE:
1886                                 case ACL_STYLE_SUBTREE:
1887                                 case ACL_STYLE_CHILDREN:
1888                                         tmp_matches[0].rm_so = 0;
1889                                         tmp_matches[0].rm_eo = e->e_nname.bv_len;
1890                                         tmp_matches[1].rm_so = e->e_nname.bv_len - a->acl_dn_pat.bv_len;
1891                                         tmp_matches[1].rm_eo = e->e_nname.bv_len;
1892                                         tmp_nmatch = 2;
1893                                         break;
1894
1895                                 default:
1896                                         /* error */
1897                                         rc = 1;
1898                                         break;
1899                                 }
1900
1901                                 if ( rc ) {
1902                                         continue;
1903                                 }
1904                                 
1905                                 if ( string_expand( &bv, &b->a_set_pat,
1906                                                 e->e_nname.bv_val,
1907                                                 tmp_nmatch, tmp_matchesp ) )
1908                                 {
1909                                         continue;
1910                                 }
1911
1912                         } else {
1913                                 bv = b->a_set_pat;
1914                         }
1915                         
1916                         if ( aci_match_set( &bv, op, e, 0 ) == 0 ) {
1917                                 continue;
1918                         }
1919                 }
1920
1921                 if ( b->a_authz.sai_ssf ) {
1922                         Debug( LDAP_DEBUG_ACL, "<= check a_authz.sai_ssf: ACL %u > OP %u\n",
1923                                 b->a_authz.sai_ssf, op->o_ssf, 0 );
1924                         if ( b->a_authz.sai_ssf >  op->o_ssf ) {
1925                                 continue;
1926                         }
1927                 }
1928
1929                 if ( b->a_authz.sai_transport_ssf ) {
1930                         Debug( LDAP_DEBUG_ACL,
1931                                 "<= check a_authz.sai_transport_ssf: ACL %u > OP %u\n",
1932                                 b->a_authz.sai_transport_ssf, op->o_transport_ssf, 0 );
1933                         if ( b->a_authz.sai_transport_ssf >  op->o_transport_ssf ) {
1934                                 continue;
1935                         }
1936                 }
1937
1938                 if ( b->a_authz.sai_tls_ssf ) {
1939                         Debug( LDAP_DEBUG_ACL,
1940                                 "<= check a_authz.sai_tls_ssf: ACL %u > OP %u\n",
1941                                 b->a_authz.sai_tls_ssf, op->o_tls_ssf, 0 );
1942                         if ( b->a_authz.sai_tls_ssf >  op->o_tls_ssf ) {
1943                                 continue;
1944                         }
1945                 }
1946
1947                 if ( b->a_authz.sai_sasl_ssf ) {
1948                         Debug( LDAP_DEBUG_ACL,
1949                                 "<= check a_authz.sai_sasl_ssf: ACL %u > OP %u\n",
1950                                 b->a_authz.sai_sasl_ssf, op->o_sasl_ssf, 0 );
1951                         if ( b->a_authz.sai_sasl_ssf >  op->o_sasl_ssf ) {
1952                                 continue;
1953                         }
1954                 }
1955
1956 #ifdef SLAP_DYNACL
1957                 if ( b->a_dynacl ) {
1958                         slap_dynacl_t   *da;
1959                         slap_access_t   tgrant, tdeny;
1960
1961                         Debug( LDAP_DEBUG_ACL, "<= check a_dynacl\n",
1962                                 0, 0, 0 );
1963
1964                         /* this case works different from the others above.
1965                          * since aci's themselves give permissions, we need
1966                          * to first check b->a_access_mask, the ACL's access level.
1967                          */
1968                         if ( BER_BVISEMPTY( &e->e_nname ) ) {
1969                                 /* no ACIs in the root DSE */
1970                                 continue;
1971                         }
1972
1973                         /* first check if the right being requested
1974                          * is allowed by the ACL clause.
1975                          */
1976                         if ( ! ACL_GRANT( b->a_access_mask, *mask ) ) {
1977                                 continue;
1978                         }
1979
1980                         /* start out with nothing granted, nothing denied */
1981                         ACL_INIT(tgrant);
1982                         ACL_INIT(tdeny);
1983
1984                         for ( da = b->a_dynacl; da; da = da->da_next ) {
1985                                 slap_access_t   grant, deny;
1986
1987                                 Debug( LDAP_DEBUG_ACL, "    <= check a_dynacl: %s\n",
1988                                         da->da_name, 0, 0 );
1989
1990                                 (void)( *da->da_mask )( da->da_private, op, e, desc, val, nmatch, matches, &grant, &deny );
1991
1992                                 tgrant |= grant;
1993                                 tdeny |= deny;
1994                         }
1995
1996                         /* remove anything that the ACL clause does not allow */
1997                         tgrant &= b->a_access_mask & ACL_PRIV_MASK;
1998                         tdeny &= ACL_PRIV_MASK;
1999
2000                         /* see if we have anything to contribute */
2001                         if( ACL_IS_INVALID(tgrant) && ACL_IS_INVALID(tdeny) ) { 
2002                                 continue;
2003                         }
2004
2005                         /* this could be improved by changing slap_acl_mask so that it can deal with
2006                          * by clauses that return grant/deny pairs.  Right now, it does either
2007                          * additive or subtractive rights, but not both at the same time.  So,
2008                          * we need to combine the grant/deny pair into a single rights mask in
2009                          * a smart way:  if either grant or deny is "empty", then we use the
2010                          * opposite as is, otherwise we remove any denied rights from the grant
2011                          * rights mask and construct an additive mask.
2012                          */
2013                         if (ACL_IS_INVALID(tdeny)) {
2014                                 modmask = tgrant | ACL_PRIV_ADDITIVE;
2015
2016                         } else if (ACL_IS_INVALID(tgrant)) {
2017                                 modmask = tdeny | ACL_PRIV_SUBSTRACTIVE;
2018
2019                         } else {
2020                                 modmask = (tgrant & ~tdeny) | ACL_PRIV_ADDITIVE;
2021                         }
2022
2023                 } else
2024 #else /* !SLAP_DYNACL */
2025
2026 #ifdef SLAPD_ACI_ENABLED
2027                 if ( b->a_aci_at != NULL ) {
2028                         Attribute       *at;
2029                         slap_access_t   grant, deny, tgrant, tdeny;
2030                         struct berval   parent_ndn;
2031                         BerVarray       bvals = NULL;
2032                         int             ret, stop;
2033
2034                         Debug( LDAP_DEBUG_ACL, "    <= check a_aci_at: %s\n",
2035                                 b->a_aci_at->ad_cname.bv_val, 0, 0 );
2036
2037                         /* this case works different from the others above.
2038                          * since aci's themselves give permissions, we need
2039                          * to first check b->a_access_mask, the ACL's access level.
2040                          */
2041
2042                         if ( BER_BVISEMPTY( &e->e_nname ) ) {
2043                                 /* no ACIs in the root DSE */
2044                                 continue;
2045                         }
2046
2047                         /* first check if the right being requested
2048                          * is allowed by the ACL clause.
2049                          */
2050                         if ( ! ACL_GRANT( b->a_access_mask, *mask ) ) {
2051                                 continue;
2052                         }
2053                         /* start out with nothing granted, nothing denied */
2054                         ACL_INIT(tgrant);
2055                         ACL_INIT(tdeny);
2056
2057                         /* get the aci attribute */
2058                         at = attr_find( e->e_attrs, b->a_aci_at );
2059                         if ( at != NULL ) {
2060 #if 0
2061                                 /* FIXME: this breaks acl caching;
2062                                  * see also ACL_RECORD_VALUE_STATE below */
2063                                 ACL_RECORD_VALUE_STATE;
2064 #endif
2065                                 /* the aci is an multi-valued attribute.  The
2066                                 * rights are determined by OR'ing the individual
2067                                 * rights given by the acis.
2068                                 */
2069                                 for ( i = 0; !BER_BVISNULL( &at->a_nvals[i] ); i++ ) {
2070                                         if (aci_mask( op,
2071                                                 e, desc, val,
2072                                                 &at->a_nvals[i],
2073                                                 nmatch, matches,
2074                                                 &grant, &deny, SLAP_ACI_SCOPE_ENTRY ) != 0)
2075                                         {
2076                                                 tgrant |= grant;
2077                                                 tdeny |= deny;
2078                                         }
2079                                 }
2080                                 Debug(LDAP_DEBUG_ACL, "<= aci_mask grant %s deny %s\n",
2081                                           accessmask2str(tgrant, accessmaskbuf, 1), 
2082                                           accessmask2str(tdeny, accessmaskbuf1, 1), 0);
2083
2084                         }
2085                         /* If the entry level aci didn't contain anything valid for the 
2086                          * current operation, climb up the tree and evaluate the
2087                          * acis with scope set to subtree
2088                          */
2089                         if ( (tgrant == ACL_PRIV_NONE) && (tdeny == ACL_PRIV_NONE) ) {
2090                                 dnParent( &e->e_nname, &parent_ndn );
2091                                 while ( !BER_BVISEMPTY( &parent_ndn ) ) {
2092                                         Debug(LDAP_DEBUG_ACL, "checking ACI of %s\n", parent_ndn.bv_val, 0, 0);
2093                                         ret = backend_attribute(op, NULL, &parent_ndn, b->a_aci_at, &bvals, ACL_AUTH);
2094                                         switch(ret){
2095                                         case LDAP_SUCCESS :
2096                                                 stop = 0;
2097                                                 if (!bvals){
2098                                                         break;
2099                                                 }
2100
2101                                                 for( i = 0; bvals[i].bv_val != NULL; i++){
2102 #if 0
2103                                                         /* FIXME: this breaks acl caching;
2104                                                          * see also ACL_RECORD_VALUE_STATE above */
2105                                                         ACL_RECORD_VALUE_STATE;
2106 #endif
2107                                                         if (aci_mask(op, e, desc, val, &bvals[i],
2108                                                                         nmatch, matches,
2109                                                                         &grant, &deny, SLAP_ACI_SCOPE_CHILDREN ) != 0 )
2110                                                         {
2111                                                                 tgrant |= grant;
2112                                                                 tdeny |= deny;
2113                                                                 /* evaluation stops as soon as either a "deny" or a 
2114                                                                  * "grant" directive matches.
2115                                                                  */
2116                                                                 if( (tgrant != ACL_PRIV_NONE) || (tdeny != ACL_PRIV_NONE) ){
2117                                                                         stop = 1;
2118                                                                 }
2119                                                         }
2120                                                         Debug(LDAP_DEBUG_ACL, "<= aci_mask grant %s deny %s\n", 
2121                                                                 accessmask2str(tgrant, accessmaskbuf, 1),
2122                                                                 accessmask2str(tdeny, accessmaskbuf1, 1), 0);
2123                                                 }
2124                                                 break;
2125
2126                                         case LDAP_NO_SUCH_ATTRIBUTE:
2127                                                 /* just go on if the aci-Attribute is not present in
2128                                                  * the current entry 
2129                                                  */
2130                                                 Debug(LDAP_DEBUG_ACL, "no such attribute\n", 0, 0, 0);
2131                                                 stop = 0;
2132                                                 break;
2133
2134                                         case LDAP_NO_SUCH_OBJECT:
2135                                                 /* We have reached the base object */
2136                                                 Debug(LDAP_DEBUG_ACL, "no such object\n", 0, 0, 0);
2137                                                 stop = 1;
2138                                                 break;
2139
2140                                         default:
2141                                                 stop = 1;
2142                                                 break;
2143                                         }
2144                                         if (stop){
2145                                                 break;
2146                                         }
2147                                         dnParent( &parent_ndn, &parent_ndn );
2148                                 }
2149                         }
2150
2151
2152                         /* remove anything that the ACL clause does not allow */
2153                         tgrant &= b->a_access_mask & ACL_PRIV_MASK;
2154                         tdeny &= ACL_PRIV_MASK;
2155
2156                         /* see if we have anything to contribute */
2157                         if( ACL_IS_INVALID(tgrant) && ACL_IS_INVALID(tdeny) ) { 
2158                                 continue;
2159                         }
2160
2161                         /* this could be improved by changing slap_acl_mask so that it can deal with
2162                          * by clauses that return grant/deny pairs.  Right now, it does either
2163                          * additive or subtractive rights, but not both at the same time.  So,
2164                          * we need to combine the grant/deny pair into a single rights mask in
2165                          * a smart way:  if either grant or deny is "empty", then we use the
2166                          * opposite as is, otherwise we remove any denied rights from the grant
2167                          * rights mask and construct an additive mask.
2168                          */
2169                         if (ACL_IS_INVALID(tdeny)) {
2170                                 modmask = tgrant | ACL_PRIV_ADDITIVE;
2171
2172                         } else if (ACL_IS_INVALID(tgrant)) {
2173                                 modmask = tdeny | ACL_PRIV_SUBSTRACTIVE;
2174
2175                         } else {
2176                                 modmask = (tgrant & ~tdeny) | ACL_PRIV_ADDITIVE;
2177                         }
2178
2179                 } else
2180 #endif /* SLAPD_ACI_ENABLED */
2181 #endif /* !SLAP_DYNACL */
2182                 {
2183                         modmask = b->a_access_mask;
2184                 }
2185
2186                 Debug( LDAP_DEBUG_ACL,
2187                         "<= acl_mask: [%d] applying %s (%s)\n",
2188                         i, accessmask2str( modmask, accessmaskbuf, 1 ), 
2189                         b->a_type == ACL_CONTINUE
2190                                 ? "continue"
2191                                 : b->a_type == ACL_BREAK
2192                                         ? "break"
2193                                         : "stop" );
2194                 /* save old mask */
2195                 oldmask = *mask;
2196
2197                 if( ACL_IS_ADDITIVE(modmask) ) {
2198                         /* add privs */
2199                         ACL_PRIV_SET( *mask, modmask );
2200
2201                         /* cleanup */
2202                         ACL_PRIV_CLR( *mask, ~ACL_PRIV_MASK );
2203
2204                 } else if( ACL_IS_SUBTRACTIVE(modmask) ) {
2205                         /* substract privs */
2206                         ACL_PRIV_CLR( *mask, modmask );
2207
2208                         /* cleanup */
2209                         ACL_PRIV_CLR( *mask, ~ACL_PRIV_MASK );
2210
2211                 } else {
2212                         /* assign privs */
2213                         *mask = modmask;
2214                 }
2215
2216                 Debug( LDAP_DEBUG_ACL,
2217                         "<= acl_mask: [%d] mask: %s\n",
2218                         i, accessmask2str(*mask, accessmaskbuf, 1), 0 );
2219
2220                 if( b->a_type == ACL_CONTINUE ) {
2221                         continue;
2222
2223                 } else if ( b->a_type == ACL_BREAK ) {
2224                         return ACL_BREAK;
2225
2226                 } else {
2227                         return ACL_STOP;
2228                 }
2229         }
2230
2231         /* implicit "by * none" clause */
2232         ACL_INIT(*mask);
2233
2234         Debug( LDAP_DEBUG_ACL,
2235                 "<= acl_mask: no more <who> clauses, returning %s (stop)\n",
2236                 accessmask2str(*mask, accessmaskbuf, 1), 0, 0 );
2237         return ACL_STOP;
2238 }
2239
2240 /*
2241  * acl_check_modlist - check access control on the given entry to see if
2242  * it allows the given modifications by the user associated with op.
2243  * returns      1       if mods allowed ok
2244  *              0       mods not allowed
2245  */
2246
2247 int
2248 acl_check_modlist(
2249         Operation       *op,
2250         Entry   *e,
2251         Modifications   *mlist
2252 )
2253 {
2254         struct berval *bv;
2255         AccessControlState state = ACL_STATE_INIT;
2256         Backend *be;
2257         int be_null = 0;
2258         int ret = 1; /* default is access allowed */
2259
2260         be = op->o_bd;
2261         if ( be == NULL ) {
2262                 be = LDAP_STAILQ_FIRST(&backendDB);
2263                 be_null = 1;
2264                 op->o_bd = be;
2265         }
2266         assert( be != NULL );
2267
2268         /* short circuit root database access */
2269         if ( be_isroot( op ) ) {
2270                 Debug( LDAP_DEBUG_ACL,
2271                         "<= acl_access_allowed: granted to database root\n",
2272                     0, 0, 0 );
2273                 goto done;
2274         }
2275
2276         /* use backend default access if no backend acls */
2277         if( op->o_bd != NULL && op->o_bd->be_acl == NULL ) {
2278                 Debug( LDAP_DEBUG_ACL,
2279                         "=> access_allowed: backend default %s access %s to \"%s\"\n",
2280                         access2str( ACL_WRITE ),
2281                         op->o_bd->be_dfltaccess >= ACL_WRITE
2282                                 ? "granted" : "denied",
2283                         op->o_dn.bv_val );
2284                 ret = (op->o_bd->be_dfltaccess >= ACL_WRITE);
2285                 goto done;
2286         }
2287
2288         for ( ; mlist != NULL; mlist = mlist->sml_next ) {
2289                 /*
2290                  * Internal mods are ignored by ACL_WRITE checking
2291                  */
2292                 if ( mlist->sml_flags & SLAP_MOD_INTERNAL ) {
2293                         Debug( LDAP_DEBUG_ACL, "acl: internal mod %s:"
2294                                 " modify access granted\n",
2295                                 mlist->sml_desc->ad_cname.bv_val, 0, 0 );
2296                         continue;
2297                 }
2298
2299                 /*
2300                  * no-user-modification operational attributes are ignored
2301                  * by ACL_WRITE checking as any found here are not provided
2302                  * by the user
2303                  */
2304                 if ( is_at_no_user_mod( mlist->sml_desc->ad_type ) ) {
2305                         Debug( LDAP_DEBUG_ACL, "acl: no-user-mod %s:"
2306                                 " modify access granted\n",
2307                                 mlist->sml_desc->ad_cname.bv_val, 0, 0 );
2308                         continue;
2309                 }
2310
2311                 switch ( mlist->sml_op ) {
2312                 case LDAP_MOD_REPLACE:
2313                         /*
2314                          * We must check both permission to delete the whole
2315                          * attribute and permission to add the specific attributes.
2316                          * This prevents abuse from selfwriters.
2317                          */
2318                         if ( ! access_allowed( op, e,
2319                                 mlist->sml_desc, NULL, ACL_WDEL, &state ) )
2320                         {
2321                                 ret = 0;
2322                                 goto done;
2323                         }
2324
2325                         if ( mlist->sml_values == NULL ) break;
2326
2327                         /* fall thru to check value to add */
2328
2329                 case LDAP_MOD_ADD:
2330                         assert( mlist->sml_values != NULL );
2331
2332                         for ( bv = mlist->sml_nvalues
2333                                         ? mlist->sml_nvalues : mlist->sml_values;
2334                                 bv->bv_val != NULL; bv++ )
2335                         {
2336                                 if ( ! access_allowed( op, e,
2337                                         mlist->sml_desc, bv, ACL_WADD, &state ) )
2338                                 {
2339                                         ret = 0;
2340                                         goto done;
2341                                 }
2342                         }
2343                         break;
2344
2345                 case LDAP_MOD_DELETE:
2346                         if ( mlist->sml_values == NULL ) {
2347                                 if ( ! access_allowed( op, e,
2348                                         mlist->sml_desc, NULL, ACL_WDEL, NULL ) )
2349                                 {
2350                                         ret = 0;
2351                                         goto done;
2352                                 }
2353                                 break;
2354                         }
2355                         for ( bv = mlist->sml_nvalues
2356                                         ? mlist->sml_nvalues : mlist->sml_values;
2357                                 bv->bv_val != NULL; bv++ )
2358                         {
2359                                 if ( ! access_allowed( op, e,
2360                                         mlist->sml_desc, bv, ACL_WDEL, &state ) )
2361                                 {
2362                                         ret = 0;
2363                                         goto done;
2364                                 }
2365                         }
2366                         break;
2367
2368                 case SLAP_MOD_SOFTADD:
2369                         /* allow adding attribute via modrdn thru */
2370                         break;
2371
2372                 default:
2373                         assert( 0 );
2374                         /* not reached */
2375                         ret = 0;
2376                         break;
2377                 }
2378         }
2379
2380 done:
2381         if (be_null) op->o_bd = NULL;
2382         return( ret );
2383 }
2384
2385 static int
2386 aci_get_part(
2387         struct berval   *list,
2388         int             ix,
2389         char            sep,
2390         struct berval   *bv )
2391 {
2392         int     len;
2393         char    *p;
2394
2395         if ( bv ) {
2396                 BER_BVZERO( bv );
2397         }
2398         len = list->bv_len;
2399         p = list->bv_val;
2400         while ( len >= 0 && --ix >= 0 ) {
2401                 while ( --len >= 0 && *p++ != sep )
2402                         ;
2403         }
2404         while ( len >= 0 && *p == ' ' ) {
2405                 len--;
2406                 p++;
2407         }
2408         if ( len < 0 ) {
2409                 return -1;
2410         }
2411
2412         if ( !bv ) {
2413                 return 0;
2414         }
2415
2416         bv->bv_val = p;
2417         while ( --len >= 0 && *p != sep ) {
2418                 bv->bv_len++;
2419                 p++;
2420         }
2421         while ( bv->bv_len > 0 && *--p == ' ' ) {
2422                 bv->bv_len--;
2423         }
2424         
2425         return bv->bv_len;
2426 }
2427
2428 typedef struct aci_set_gather_t {
2429         SetCookie               *cookie;
2430         BerVarray               bvals;
2431 } aci_set_gather_t;
2432
2433 static int
2434 aci_set_cb_gather( Operation *op, SlapReply *rs )
2435 {
2436         aci_set_gather_t        *p = (aci_set_gather_t *)op->o_callback->sc_private;
2437         
2438         if ( rs->sr_type == REP_SEARCH ) {
2439                 BerValue        bvals[ 2 ];
2440                 BerVarray       bvalsp = NULL;
2441                 int             j;
2442
2443                 for ( j = 0; !BER_BVISNULL( &rs->sr_attrs[ j ].an_name ); j++ ) {
2444                         AttributeDescription    *desc = rs->sr_attrs[ j ].an_desc;
2445                         
2446                         if ( desc == slap_schema.si_ad_entryDN ) {
2447                                 bvalsp = bvals;
2448                                 bvals[ 0 ] = rs->sr_entry->e_nname;
2449                                 BER_BVZERO( &bvals[ 1 ] );
2450
2451                         } else {
2452                                 Attribute       *a;
2453
2454                                 a = attr_find( rs->sr_entry->e_attrs, desc );
2455                                 if ( a != NULL ) {
2456                                         int     i;
2457
2458                                         for ( i = 0; !BER_BVISNULL( &a->a_nvals[ i ] ); i++ )
2459                                                 ;
2460
2461                                         bvalsp = a->a_nvals;
2462                                 }
2463                         }
2464                 }
2465
2466                 if ( bvals ) {
2467                         p->bvals = slap_set_join( p->cookie, p->bvals,
2468                                         ( '|' | SLAP_SET_RREF ), bvalsp );
2469                 }
2470
2471         } else {
2472                 assert( rs->sr_type == REP_RESULT );
2473         }
2474
2475         return 0;
2476 }
2477
2478 BerVarray
2479 aci_set_gather( SetCookie *cookie, struct berval *name, AttributeDescription *desc )
2480 {
2481         AciSetCookie            *cp = (AciSetCookie *)cookie;
2482         int                     rc = 0;
2483         LDAPURLDesc             *ludp = NULL;
2484         Operation               op2 = { 0 };
2485         SlapReply               rs = {REP_RESULT};
2486         AttributeName           anlist[ 2 ], *anlistp = NULL;
2487         int                     nattrs = 0;
2488         slap_callback           cb = { NULL, aci_set_cb_gather, NULL, NULL };
2489         aci_set_gather_t        p = { 0 };
2490         const char              *text = NULL;
2491         static struct berval    defaultFilter_bv = BER_BVC( "(objectClass=*)" );
2492
2493         /* this routine needs to return the bervals instead of
2494          * plain strings, since syntax is not known.  It should
2495          * also return the syntax or some "comparison cookie".
2496          */
2497         if ( strncasecmp( name->bv_val, "ldap:///", STRLENOF( "ldap:///" ) ) != 0 ) {
2498                 return aci_set_gather2( cookie, name, desc );
2499         }
2500
2501         rc = ldap_url_parse( name->bv_val, &ludp );
2502         if ( rc != LDAP_URL_SUCCESS ) {
2503                 rc = LDAP_PROTOCOL_ERROR;
2504                 goto url_done;
2505         }
2506         
2507         if ( ( ludp->lud_host && ludp->lud_host[0] ) || ludp->lud_exts )
2508         {
2509                 /* host part must be empty */
2510                 /* extensions parts must be empty */
2511                 rc = LDAP_PROTOCOL_ERROR;
2512                 goto url_done;
2513         }
2514
2515         /* Grab the searchbase and see if an appropriate database can be found */
2516         ber_str2bv( ludp->lud_dn, 0, 0, &op2.o_req_dn );
2517         rc = dnNormalize( 0, NULL, NULL, &op2.o_req_dn,
2518                         &op2.o_req_ndn, cp->op->o_tmpmemctx );
2519         BER_BVZERO( &op2.o_req_dn );
2520         if ( rc != LDAP_SUCCESS ) {
2521                 goto url_done;
2522         }
2523
2524         op2.o_bd = select_backend( &op2.o_req_ndn, 0, 1 );
2525         if ( ( op2.o_bd == NULL ) || ( op2.o_bd->be_search == NULL ) ) {
2526                 rc = LDAP_NO_SUCH_OBJECT;
2527                 goto url_done;
2528         }
2529
2530         /* Grab the filter */
2531         if ( ludp->lud_filter ) {
2532                 ber_str2bv_x( ludp->lud_filter, 0, 0, &op2.ors_filterstr,
2533                                 cp->op->o_tmpmemctx );
2534                 
2535         } else {
2536                 op2.ors_filterstr = defaultFilter_bv;
2537         }
2538
2539         op2.ors_filter = str2filter_x( cp->op, op2.ors_filterstr.bv_val );
2540         if ( op2.ors_filter == NULL ) {
2541                 rc = LDAP_PROTOCOL_ERROR;
2542                 goto url_done;
2543         }
2544
2545         /* Grab the scope */
2546         op2.ors_scope = ludp->lud_scope;
2547
2548         /* Grap the attributes */
2549         if ( ludp->lud_attrs ) {
2550                 for ( ; ludp->lud_attrs[ nattrs ]; nattrs++ )
2551                         ;
2552
2553                 anlistp = slap_sl_malloc( sizeof( AttributeName ) * ( nattrs + 2 ),
2554                                 cp->op->o_tmpmemctx );
2555
2556                 for ( ; ludp->lud_attrs[ nattrs ]; nattrs++ ) {
2557                         ber_str2bv( ludp->lud_attrs[ nattrs ], 0, 0, &anlistp[ nattrs ].an_name );
2558                         anlistp[ nattrs ].an_desc = NULL;
2559                         rc = slap_bv2ad( &anlistp[ nattrs ].an_name,
2560                                         &anlistp[ nattrs ].an_desc, &text );
2561                         if ( rc != LDAP_SUCCESS ) {
2562                                 goto url_done;
2563                         }
2564                 }
2565
2566         } else {
2567                 anlistp = anlist;
2568         }
2569
2570         anlistp[ nattrs ].an_name = desc->ad_cname;
2571         anlistp[ nattrs ].an_desc = desc;
2572
2573         BER_BVZERO( &anlistp[ nattrs + 1 ].an_name );
2574         
2575         p.cookie = cookie;
2576         
2577         op2.o_hdr = cp->op->o_hdr;
2578         op2.o_tag = LDAP_REQ_SEARCH;
2579         op2.o_ndn = op2.o_bd->be_rootndn;
2580         op2.o_callback = &cb;
2581         op2.o_time = slap_get_time();
2582         op2.o_do_not_cache = 1;
2583         op2.o_is_auth_check = 0;
2584         ber_dupbv_x( &op2.o_req_dn, &op2.o_req_ndn, cp->op->o_tmpmemctx );
2585         op2.ors_slimit = SLAP_NO_LIMIT;
2586         op2.ors_tlimit = SLAP_NO_LIMIT;
2587         op2.ors_attrs = anlistp;
2588         op2.ors_attrsonly = 0;
2589         op2.o_private = cp->op->o_private;
2590
2591         cb.sc_private = &p;
2592
2593         rc = op2.o_bd->be_search( &op2, &rs );
2594         if ( rc != 0 ) {
2595                 goto url_done;
2596         }
2597
2598 url_done:;
2599         if ( op2.ors_filter ) {
2600                 filter_free_x( cp->op, op2.ors_filter );
2601         }
2602         if ( !BER_BVISNULL( &op2.o_req_ndn ) ) {
2603                 slap_sl_free( op2.o_req_ndn.bv_val, cp->op->o_tmpmemctx );
2604         }
2605         if ( !BER_BVISNULL( &op2.o_req_dn ) ) {
2606                 slap_sl_free( op2.o_req_dn.bv_val, cp->op->o_tmpmemctx );
2607         }
2608         if ( ludp ) {
2609                 ldap_free_urldesc( ludp );
2610         }
2611         if ( anlistp && anlistp != anlist ) {
2612                 slap_sl_free( anlistp, cp->op->o_tmpmemctx );
2613         }
2614
2615         return p.bvals;
2616 }
2617
2618 BerVarray
2619 aci_set_gather2( SetCookie *cookie, struct berval *name, AttributeDescription *desc )
2620 {
2621         AciSetCookie    *cp = (AciSetCookie *)cookie;
2622         BerVarray       bvals = NULL;
2623         struct berval   ndn;
2624         int             rc = 0;
2625
2626         /* this routine needs to return the bervals instead of
2627          * plain strings, since syntax is not known.  It should
2628          * also return the syntax or some "comparison cookie".
2629          */
2630         rc = dnNormalize( 0, NULL, NULL, name, &ndn, cp->op->o_tmpmemctx );
2631         if ( rc == LDAP_SUCCESS ) {
2632                 if ( desc == slap_schema.si_ad_entryDN ) {
2633                         bvals = (BerVarray)slap_sl_malloc( sizeof( BerValue ) * 2,
2634                                         cp->op->o_tmpmemctx );
2635                         bvals[ 0 ] = ndn;
2636                         BER_BVZERO( &bvals[ 1 ] );
2637                         BER_BVZERO( &ndn );
2638
2639                 } else {
2640                         backend_attribute( cp->op,
2641                                 cp->e, &ndn, desc, &bvals, ACL_NONE );
2642                 }
2643
2644                 if ( !BER_BVISNULL( &ndn ) ) {
2645                         slap_sl_free( ndn.bv_val, cp->op->o_tmpmemctx );
2646                 }
2647         }
2648
2649         return bvals;
2650 }
2651
2652 static int
2653 aci_match_set (
2654         struct berval *subj,
2655         Operation *op,
2656         Entry *e,
2657         int setref
2658 )
2659 {
2660         struct berval   set = BER_BVNULL;
2661         int             rc = 0;
2662         AciSetCookie    cookie;
2663
2664         if ( setref == 0 ) {
2665                 ber_dupbv_x( &set, subj, op->o_tmpmemctx );
2666
2667         } else {
2668                 struct berval           subjdn, ndn = BER_BVNULL;
2669                 struct berval           setat;
2670                 BerVarray               bvals;
2671                 const char              *text;
2672                 AttributeDescription    *desc = NULL;
2673
2674                 /* format of string is "entry/setAttrName" */
2675                 if ( aci_get_part( subj, 0, '/', &subjdn ) < 0 ) {
2676                         return 0;
2677                 }
2678
2679                 if ( aci_get_part( subj, 1, '/', &setat ) < 0 ) {
2680                         setat = aci_bv_set_attr;
2681                 }
2682
2683                 /*
2684                  * NOTE: dnNormalize honors the ber_len field
2685                  * as the length of the dn to be normalized
2686                  */
2687                 if ( slap_bv2ad( &setat, &desc, &text ) == LDAP_SUCCESS ) {
2688                         if ( dnNormalize( 0, NULL, NULL, &subjdn, &ndn, op->o_tmpmemctx ) == LDAP_SUCCESS )
2689                         {
2690                                 backend_attribute( op, e, &ndn, desc, &bvals, ACL_NONE );
2691                                 if ( bvals != NULL && !BER_BVISNULL( &bvals[0] ) ) {
2692                                         int     i;
2693
2694                                         set = bvals[0];
2695                                         BER_BVZERO( &bvals[0] );
2696                                         for ( i = 1; !BER_BVISNULL( &bvals[i] ); i++ )
2697                                                 /* count */ ;
2698                                         bvals[0].bv_val = bvals[i-1].bv_val;
2699                                         BER_BVZERO( &bvals[i-1] );
2700                                 }
2701                                 ber_bvarray_free_x( bvals, op->o_tmpmemctx );
2702                                 slap_sl_free( ndn.bv_val, op->o_tmpmemctx );
2703                         }
2704                 }
2705         }
2706
2707         if ( !BER_BVISNULL( &set ) ) {
2708                 cookie.op = op;
2709                 cookie.e = e;
2710                 rc = ( slap_set_filter( aci_set_gather, (SetCookie *)&cookie, &set,
2711                         &op->o_ndn, &e->e_nname, NULL ) > 0 );
2712                 slap_sl_free( set.bv_val, op->o_tmpmemctx );
2713         }
2714
2715         return(rc);
2716 }
2717
2718 #ifdef SLAPD_ACI_ENABLED
2719 static int
2720 aci_list_map_rights(
2721         struct berval *list )
2722 {
2723         struct berval bv;
2724         slap_access_t mask;
2725         int i;
2726
2727         ACL_INIT(mask);
2728         for (i = 0; aci_get_part(list, i, ',', &bv) >= 0; i++) {
2729                 if (bv.bv_len <= 0)
2730                         continue;
2731                 switch (*bv.bv_val) {
2732                 case 'c':
2733                         ACL_PRIV_SET(mask, ACL_PRIV_COMPARE);
2734                         break;
2735                 case 's':
2736                         /* **** NOTE: draft-ietf-ldapext-aci-model-0.3.txt defines
2737                          * the right 's' to mean "set", but in the examples states
2738                          * that the right 's' means "search".  The latter definition
2739                          * is used here.
2740                          */
2741                         ACL_PRIV_SET(mask, ACL_PRIV_SEARCH);
2742                         break;
2743                 case 'r':
2744                         ACL_PRIV_SET(mask, ACL_PRIV_READ);
2745                         break;
2746                 case 'w':
2747                         ACL_PRIV_SET(mask, ACL_PRIV_WRITE);
2748                         break;
2749                 case 'x':
2750                         /* **** NOTE: draft-ietf-ldapext-aci-model-0.3.txt does not 
2751                          * define any equivalent to the AUTH right, so I've just used
2752                          * 'x' for now.
2753                          */
2754                         ACL_PRIV_SET(mask, ACL_PRIV_AUTH);
2755                         break;
2756                 default:
2757                         break;
2758                 }
2759
2760         }
2761         return(mask);
2762 }
2763
2764 static int
2765 aci_list_has_attr(
2766         struct berval *list,
2767         const struct berval *attr,
2768         struct berval *val )
2769 {
2770         struct berval bv, left, right;
2771         int i;
2772
2773         for (i = 0; aci_get_part(list, i, ',', &bv) >= 0; i++) {
2774                 if (aci_get_part(&bv, 0, '=', &left) < 0
2775                         || aci_get_part(&bv, 1, '=', &right) < 0)
2776                 {
2777                         if (ber_bvstrcasecmp(attr, &bv) == 0)
2778                                 return(1);
2779                 } else if (val == NULL) {
2780                         if (ber_bvstrcasecmp(attr, &left) == 0)
2781                                 return(1);
2782                 } else {
2783                         if (ber_bvstrcasecmp(attr, &left) == 0) {
2784                                 /* this is experimental code that implements a
2785                                  * simple (prefix) match of the attribute value.
2786                                  * the ACI draft does not provide for aci's that
2787                                  * apply to specific values, but it would be
2788                                  * nice to have.  If the <attr> part of an aci's
2789                                  * rights list is of the form <attr>=<value>,
2790                                  * that means the aci applies only to attrs with
2791                                  * the given value.  Furthermore, if the attr is
2792                                  * of the form <attr>=<value>*, then <value> is
2793                                  * treated as a prefix, and the aci applies to 
2794                                  * any value with that prefix.
2795                                  *
2796                                  * Ideally, this would allow r.e. matches.
2797                                  */
2798                                 if (aci_get_part(&right, 0, '*', &left) < 0
2799                                         || right.bv_len <= left.bv_len)
2800                                 {
2801                                         if (ber_bvstrcasecmp(val, &right) == 0)
2802                                                 return(1);
2803                                 } else if (val->bv_len >= left.bv_len) {
2804                                         if (strncasecmp( val->bv_val, left.bv_val, left.bv_len ) == 0)
2805                                                 return(1);
2806                                 }
2807                         }
2808                 }
2809         }
2810         return(0);
2811 }
2812
2813 static slap_access_t
2814 aci_list_get_attr_rights(
2815         struct berval *list,
2816         const struct berval *attr,
2817         struct berval *val )
2818 {
2819     struct berval bv;
2820     slap_access_t mask;
2821     int i;
2822
2823         /* loop through each rights/attr pair, skip first part (action) */
2824         ACL_INIT(mask);
2825         for (i = 1; aci_get_part(list, i + 1, ';', &bv) >= 0; i += 2) {
2826                 if (aci_list_has_attr(&bv, attr, val) == 0)
2827                         continue;
2828                 if (aci_get_part(list, i, ';', &bv) < 0)
2829                         continue;
2830                 mask |= aci_list_map_rights(&bv);
2831         }
2832         return(mask);
2833 }
2834
2835 static int
2836 aci_list_get_rights(
2837         struct berval *list,
2838         const struct berval *attr,
2839         struct berval *val,
2840         slap_access_t *grant,
2841         slap_access_t *deny )
2842 {
2843     struct berval perm, actn;
2844     slap_access_t *mask;
2845     int i, found;
2846
2847         if (attr == NULL || attr->bv_len == 0 
2848                         || ber_bvstrcasecmp( attr, &aci_bv_entry ) == 0) {
2849                 attr = &aci_bv_br_entry;
2850         }
2851
2852         found = 0;
2853         ACL_INIT(*grant);
2854         ACL_INIT(*deny);
2855         /* loop through each permissions clause */
2856         for (i = 0; aci_get_part(list, i, '$', &perm) >= 0; i++) {
2857                 if (aci_get_part(&perm, 0, ';', &actn) < 0)
2858                         continue;
2859                 if (ber_bvstrcasecmp( &aci_bv_grant, &actn ) == 0) {
2860                         mask = grant;
2861                 } else if (ber_bvstrcasecmp( &aci_bv_deny, &actn ) == 0) {
2862                         mask = deny;
2863                 } else {
2864                         continue;
2865                 }
2866
2867                 found = 1;
2868                 *mask |= aci_list_get_attr_rights(&perm, attr, val);
2869                 *mask |= aci_list_get_attr_rights(&perm, &aci_bv_br_all, NULL);
2870         }
2871         return(found);
2872 }
2873
2874 static int
2875 aci_group_member (
2876         struct berval   *subj,
2877         struct berval   *defgrpoc,
2878         struct berval   *defgrpat,
2879         Operation       *op,
2880         Entry           *e,
2881         int             nmatch,
2882         regmatch_t      *matches
2883 )
2884 {
2885         struct berval subjdn;
2886         struct berval grpoc;
2887         struct berval grpat;
2888         ObjectClass *grp_oc = NULL;
2889         AttributeDescription *grp_ad = NULL;
2890         const char *text;
2891         int rc;
2892
2893         /* format of string is "group/objectClassValue/groupAttrName" */
2894         if (aci_get_part(subj, 0, '/', &subjdn) < 0) {
2895                 return(0);
2896         }
2897
2898         if (aci_get_part(subj, 1, '/', &grpoc) < 0) {
2899                 grpoc = *defgrpoc;
2900         }
2901
2902         if (aci_get_part(subj, 2, '/', &grpat) < 0) {
2903                 grpat = *defgrpat;
2904         }
2905
2906         rc = slap_bv2ad( &grpat, &grp_ad, &text );
2907         if( rc != LDAP_SUCCESS ) {
2908                 rc = 0;
2909                 goto done;
2910         }
2911         rc = 0;
2912
2913         grp_oc = oc_bvfind( &grpoc );
2914
2915         if (grp_oc != NULL && grp_ad != NULL ) {
2916                 char buf[ACL_BUF_SIZE];
2917                 struct berval bv, ndn;
2918                 bv.bv_len = sizeof( buf ) - 1;
2919                 bv.bv_val = (char *)&buf;
2920                 if ( string_expand(&bv, &subjdn,
2921                                 e->e_ndn, nmatch, matches) )
2922                 {
2923                         rc = LDAP_OTHER;
2924                         goto done;
2925                 }
2926                 if ( dnNormalize( 0, NULL, NULL, &bv, &ndn, op->o_tmpmemctx ) == LDAP_SUCCESS ) {
2927                         rc = ( backend_group( op, e, &ndn, &op->o_ndn,
2928                                 grp_oc, grp_ad ) == 0 );
2929                         slap_sl_free( ndn.bv_val, op->o_tmpmemctx );
2930                 }
2931         }
2932
2933 done:
2934         return(rc);
2935 }
2936
2937 static int
2938 aci_mask(
2939         Operation               *op,
2940         Entry                   *e,
2941         AttributeDescription    *desc,
2942         struct berval           *val,
2943         struct berval           *aci,
2944         int                     nmatch,
2945         regmatch_t              *matches,
2946         slap_access_t           *grant,
2947         slap_access_t           *deny,
2948         slap_aci_scope_t        asserted_scope
2949 )
2950 {
2951         struct berval           bv, scope, perms, type, sdn;
2952         int                     rc;
2953                 
2954
2955         assert( !BER_BVISNULL( &desc->ad_cname ) );
2956
2957         /* parse an aci of the form:
2958                 oid # scope # action;rights;attr;rights;attr 
2959                         $ action;rights;attr;rights;attr # type # subject
2960
2961            [NOTE: the following comment is very outdated,
2962            as the draft version it refers to (Ando, 2004-11-20)].
2963
2964            See draft-ietf-ldapext-aci-model-04.txt section 9.1 for
2965            a full description of the format for this attribute.
2966            Differences: "this" in the draft is "self" here, and
2967            "self" and "public" is in the position of type.
2968
2969            <scope> = {entry|children|subtree}
2970            <type> = {public|users|access-id|subtree|onelevel|children|
2971                      self|dnattr|group|role|set|set-ref}
2972
2973            This routine now supports scope={ENTRY,CHILDREN}
2974            with the semantics:
2975              - ENTRY applies to "entry" and "subtree";
2976              - CHILDREN aplies to "children" and "subtree"
2977          */
2978
2979         /* check that the aci has all 5 components */
2980         if ( aci_get_part( aci, 4, '#', NULL ) < 0 ) {
2981                 return 0;
2982         }
2983
2984         /* check that the aci family is supported */
2985         if ( aci_get_part( aci, 0, '#', &bv ) < 0 ) {
2986                 return 0;
2987         }
2988
2989         /* check that the scope matches */
2990         if ( aci_get_part( aci, 1, '#', &scope ) < 0 ) {
2991                 return 0;
2992         }
2993
2994         /* note: scope can be either ENTRY or CHILDREN;
2995          * they respectively match "entry" and "children" in bv
2996          * both match "subtree" */
2997         switch ( asserted_scope ) {
2998         case SLAP_ACI_SCOPE_ENTRY:
2999                 if ( ber_bvstrcasecmp( &scope, &aci_bv_entry ) != 0
3000                                 && ber_bvstrcasecmp( &scope, &aci_bv_subtree ) != 0 )
3001                 {
3002                         return 0;
3003                 }
3004                 break;
3005
3006         case SLAP_ACI_SCOPE_CHILDREN:
3007                 if ( ber_bvstrcasecmp( &scope, &aci_bv_children ) != 0
3008                                 && ber_bvstrcasecmp( &scope, &aci_bv_subtree ) != 0 )
3009                 {
3010                         return 0;
3011                 }
3012                 break;
3013
3014         default:
3015                 return 0;
3016         }
3017
3018         /* get the list of permissions clauses, bail if empty */
3019         if ( aci_get_part( aci, 2, '#', &perms ) <= 0 ) {
3020                 return 0;
3021         }
3022
3023         /* check if any permissions allow desired access */
3024         if ( aci_list_get_rights( &perms, &desc->ad_cname, val, grant, deny ) == 0 ) {
3025                 return 0;
3026         }
3027
3028         /* see if we have a DN match */
3029         if ( aci_get_part( aci, 3, '#', &type ) < 0 ) {
3030                 return 0;
3031         }
3032
3033         /* see if we have a public (i.e. anonymous) access */
3034         if ( ber_bvstrcasecmp( &aci_bv_public, &type ) == 0 ) {
3035                 return 1;
3036         }
3037         
3038         /* otherwise require an identity */
3039         if ( BER_BVISNULL( &op->o_ndn ) || BER_BVISEMPTY( &op->o_ndn ) ) {
3040                 return 0;
3041         }
3042
3043         /* see if we have a users access */
3044         if ( ber_bvstrcasecmp( &aci_bv_users, &type ) == 0 ) {
3045                 return 1;
3046         }
3047         
3048         /* NOTE: this may fail if a DN contains a valid '#' (unescaped);
3049          * just grab all the berval up to its end (ITS#3303).
3050          * NOTE: the problem could be solved by providing the DN with
3051          * the embedded '#' encoded as hexpairs: "cn=Foo#Bar" would 
3052          * become "cn=Foo\23Bar" and be safely used by aci_mask(). */
3053 #if 0
3054         if ( aci_get_part( aci, 4, '#', &sdn ) < 0 ) {
3055                 return 0;
3056         }
3057 #endif
3058         sdn.bv_val = type.bv_val + type.bv_len + STRLENOF( "#" );
3059         sdn.bv_len = aci->bv_len - ( sdn.bv_val - aci->bv_val );
3060
3061         if ( ber_bvstrcasecmp( &aci_bv_access_id, &type ) == 0 ) {
3062                 struct berval ndn;
3063                 
3064                 rc = dnNormalize( 0, NULL, NULL, &sdn, &ndn, op->o_tmpmemctx );
3065                 if ( rc != LDAP_SUCCESS ) {
3066                         return 0;
3067                 }
3068
3069                 if ( dn_match( &op->o_ndn, &ndn ) ) {
3070                         rc = 1;
3071                 }
3072                 slap_sl_free( ndn.bv_val, op->o_tmpmemctx );
3073
3074                 return rc;
3075
3076         } else if ( ber_bvstrcasecmp( &aci_bv_subtree, &type ) == 0 ) {
3077                 struct berval ndn;
3078                 
3079                 rc = dnNormalize( 0, NULL, NULL, &sdn, &ndn, op->o_tmpmemctx );
3080                 if ( rc != LDAP_SUCCESS ) {
3081                         return 0;
3082                 }
3083
3084                 if ( dnIsSuffix( &op->o_ndn, &ndn ) ) {
3085                         rc = 1;
3086                 }
3087                 slap_sl_free( ndn.bv_val, op->o_tmpmemctx );
3088
3089                 return rc;
3090
3091         } else if ( ber_bvstrcasecmp( &aci_bv_onelevel, &type ) == 0 ) {
3092                 struct berval ndn, pndn;
3093                 
3094                 rc = dnNormalize( 0, NULL, NULL, &sdn, &ndn, op->o_tmpmemctx );
3095                 if ( rc != LDAP_SUCCESS ) {
3096                         return 0;
3097                 }
3098
3099                 dnParent( &ndn, &pndn );
3100
3101                 if ( dn_match( &op->o_ndn, &pndn ) ) {
3102                         rc = 1;
3103                 }
3104                 slap_sl_free( ndn.bv_val, op->o_tmpmemctx );
3105
3106                 return rc;
3107
3108         } else if ( ber_bvstrcasecmp( &aci_bv_children, &type ) == 0 ) {
3109                 struct berval ndn;
3110                 
3111                 rc = dnNormalize( 0, NULL, NULL, &sdn, &ndn, op->o_tmpmemctx );
3112                 if ( rc != LDAP_SUCCESS ) {
3113                         return 0;
3114                 }
3115
3116                 if ( !dn_match( &op->o_ndn, &ndn )
3117                                 && dnIsSuffix( &op->o_ndn, &ndn ) )
3118                 {
3119                         rc = 1;
3120                 }
3121                 slap_sl_free( ndn.bv_val, op->o_tmpmemctx );
3122
3123                 return rc;
3124
3125         } else if ( ber_bvstrcasecmp( &aci_bv_self, &type ) == 0 ) {
3126                 if ( dn_match( &op->o_ndn, &e->e_nname ) ) {
3127                         return 1;
3128                 }
3129
3130         } else if ( ber_bvstrcasecmp( &aci_bv_dnattr, &type ) == 0 ) {
3131                 Attribute               *at;
3132                 AttributeDescription    *ad = NULL;
3133                 const char              *text;
3134
3135                 rc = slap_bv2ad( &sdn, &ad, &text );
3136
3137                 if( rc != LDAP_SUCCESS ) {
3138                         return 0;
3139                 }
3140
3141                 rc = 0;
3142
3143                 for ( at = attrs_find( e->e_attrs, ad );
3144                                 at != NULL;
3145                                 at = attrs_find( at->a_next, ad ) )
3146                 {
3147                         if ( value_find_ex( ad,
3148                                 SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH |
3149                                         SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH,
3150                                 at->a_nvals,
3151                                 &op->o_ndn, op->o_tmpmemctx ) == 0 )
3152                         {
3153                                 rc = 1;
3154                                 break;
3155                         }
3156                 }
3157
3158                 return rc;
3159
3160         } else if ( ber_bvstrcasecmp( &aci_bv_group, &type ) == 0 ) {
3161                 if ( aci_group_member( &sdn, &aci_bv_group_class,
3162                                 &aci_bv_group_attr, op, e, nmatch, matches ) )
3163                 {
3164                         return 1;
3165                 }
3166
3167         } else if ( ber_bvstrcasecmp( &aci_bv_role, &type ) == 0 ) {
3168                 if ( aci_group_member( &sdn, &aci_bv_role_class,
3169                                 &aci_bv_role_attr, op, e, nmatch, matches ) )
3170                 {
3171                         return 1;
3172                 }
3173
3174         } else if ( ber_bvstrcasecmp( &aci_bv_set, &type ) == 0 ) {
3175                 if ( aci_match_set( &sdn, op, e, 0 ) ) {
3176                         return 1;
3177                 }
3178
3179         } else if ( ber_bvstrcasecmp( &aci_bv_set_ref, &type ) == 0 ) {
3180                 if ( aci_match_set( &sdn, op, e, 1 ) ) {
3181                         return 1;
3182                 }
3183         }
3184
3185         return 0;
3186 }
3187
3188 #ifdef SLAP_DYNACL
3189 /*
3190  * FIXME: there is a silly dependence that makes it difficult
3191  * to move ACIs in a run-time loadable module under the "dynacl" 
3192  * umbrella, because sets share some helpers with ACIs.
3193  */
3194 static int
3195 dynacl_aci_parse( const char *fname, int lineno, slap_style_t sty, const char *right, void **privp )
3196 {
3197         AttributeDescription    *ad = NULL;
3198         const char              *text = NULL;
3199
3200         if ( sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE ) {
3201                 fprintf( stderr, "%s: line %d: "
3202                         "inappropriate style \"%s\" in \"aci\" by clause\n",
3203                         fname, lineno, style_strings[sty] );
3204                 return -1;
3205         }
3206
3207         if ( right != NULL && *right != '\0' ) {
3208                 if ( slap_str2ad( right, &ad, &text ) != LDAP_SUCCESS ) {
3209                         fprintf( stderr,
3210                                 "%s: line %d: aci \"%s\": %s\n",
3211                                 fname, lineno, right, text );
3212                         return -1;
3213                 }
3214
3215         } else {
3216                 ad = slap_schema.si_ad_aci;
3217         }
3218
3219         if ( !is_at_syntax( ad->ad_type, SLAPD_ACI_SYNTAX) ) {
3220                 fprintf( stderr, "%s: line %d: "
3221                         "aci \"%s\": inappropriate syntax: %s\n",
3222                         fname, lineno, right,
3223                         ad->ad_type->sat_syntax_oid );
3224                 return -1;
3225         }
3226
3227         *privp = (void *)ad;
3228
3229         return 0;
3230 }
3231
3232 static int
3233 dynacl_aci_unparse( void *priv, struct berval *bv )
3234 {
3235         AttributeDescription    *ad = ( AttributeDescription * )priv;
3236         char *ptr;
3237
3238         assert( ad != NULL );
3239
3240         bv->bv_val = ch_malloc( STRLENOF(" aci=") + ad->ad_cname.bv_len + 1 );
3241         ptr = lutil_strcopy( bv->bv_val, " aci=" );
3242         ptr = lutil_strcopy( ptr, ad->ad_cname.bv_val );
3243         bv->bv_len = ptr - bv->bv_val;
3244
3245         return 0;
3246 }
3247
3248
3249 static int
3250 dynacl_aci_mask(
3251                 void                    *priv,
3252                 Operation               *op,
3253                 Entry                   *e,
3254                 AttributeDescription    *desc,
3255                 struct berval           *val,
3256                 int                     nmatch,
3257                 regmatch_t              *matches,
3258                 slap_access_t           *grantp,
3259                 slap_access_t           *denyp )
3260 {
3261         AttributeDescription    *ad = ( AttributeDescription * )priv;
3262         Attribute               *at;
3263         slap_access_t           tgrant, tdeny, grant, deny;
3264 #ifdef LDAP_DEBUG
3265         char                    accessmaskbuf[ACCESSMASK_MAXLEN];
3266         char                    accessmaskbuf1[ACCESSMASK_MAXLEN];
3267 #endif /* LDAP_DEBUG */
3268
3269         /* start out with nothing granted, nothing denied */
3270         ACL_INIT(tgrant);
3271         ACL_INIT(tdeny);
3272
3273         /* get the aci attribute */
3274         at = attr_find( e->e_attrs, ad );
3275         if ( at != NULL ) {
3276                 int             i;
3277
3278                 /* the aci is an multi-valued attribute.  The
3279                  * rights are determined by OR'ing the individual
3280                  * rights given by the acis.
3281                  */
3282                 for ( i = 0; !BER_BVISNULL( &at->a_nvals[i] ); i++ ) {
3283                         if ( aci_mask( op, e, desc, val, &at->a_nvals[i],
3284                                         nmatch, matches, &grant, &deny,
3285                                         SLAP_ACI_SCOPE_ENTRY ) != 0 )
3286                         {
3287                                 tgrant |= grant;
3288                                 tdeny |= deny;
3289                         }
3290                 }
3291                 
3292                 Debug( LDAP_DEBUG_ACL, "<= aci_mask grant %s deny %s\n",
3293                           accessmask2str( tgrant, accessmaskbuf, 1 ), 
3294                           accessmask2str( tdeny, accessmaskbuf1, 1 ), 0 );
3295         }
3296
3297         /* If the entry level aci didn't contain anything valid for the 
3298          * current operation, climb up the tree and evaluate the
3299          * acis with scope set to subtree
3300          */
3301         if ( tgrant == ACL_PRIV_NONE && tdeny == ACL_PRIV_NONE ) {
3302                 struct berval   parent_ndn;
3303
3304 #if 1
3305                 /* to solve the chicken'n'egg problem of accessing
3306                  * the OpenLDAPaci attribute, the direct access
3307                  * to the entry's attribute is unchecked; however,
3308                  * further accesses to OpenLDAPaci values in the 
3309                  * ancestors occur through backend_attribute(), i.e.
3310                  * with the identity of the operation, requiring
3311                  * further access checking.  For uniformity, this
3312                  * makes further requests occur as the rootdn, if
3313                  * any, i.e. searching for the OpenLDAPaci attribute
3314                  * is considered an internal search.  If this is not
3315                  * acceptable, then the same check needs be performed
3316                  * when accessing the entry's attribute. */
3317                 Operation       op2 = *op;
3318
3319                 if ( !BER_BVISNULL( &op->o_bd->be_rootndn ) ) {
3320                         op2.o_dn = op->o_bd->be_rootdn;
3321                         op2.o_ndn = op->o_bd->be_rootndn;
3322                 }
3323 #endif
3324
3325                 dnParent( &e->e_nname, &parent_ndn );
3326                 while ( !BER_BVISEMPTY( &parent_ndn ) ){
3327                         int             i;
3328                         BerVarray       bvals = NULL;
3329                         int             ret, stop;
3330
3331                         Debug( LDAP_DEBUG_ACL, "checking ACI of \"%s\"\n", parent_ndn.bv_val, 0, 0 );
3332                         ret = backend_attribute( &op2, NULL, &parent_ndn, ad, &bvals, ACL_AUTH );
3333
3334                         switch ( ret ) {
3335                         case LDAP_SUCCESS :
3336                                 stop = 0;
3337                                 if ( !bvals ) {
3338                                         break;
3339                                 }
3340
3341                                 for ( i = 0; !BER_BVISNULL( &bvals[i] ); i++) {
3342                                         if ( aci_mask( op, e, desc, val,
3343                                                         &bvals[i],
3344                                                         nmatch, matches,
3345                                                         &grant, &deny,
3346                                                         SLAP_ACI_SCOPE_CHILDREN ) != 0 )
3347                                         {
3348                                                 tgrant |= grant;
3349                                                 tdeny |= deny;
3350                                                 /* evaluation stops as soon as either a "deny" or a 
3351                                                  * "grant" directive matches.
3352                                                  */
3353                                                 if ( tgrant != ACL_PRIV_NONE || tdeny != ACL_PRIV_NONE ) {
3354                                                         stop = 1;
3355                                                 }
3356                                         }
3357                                         Debug( LDAP_DEBUG_ACL, "<= aci_mask grant %s deny %s\n", 
3358                                                 accessmask2str( tgrant, accessmaskbuf, 1 ),
3359                                                 accessmask2str( tdeny, accessmaskbuf1, 1 ), 0 );
3360                                 }
3361                                 break;
3362
3363                         case LDAP_NO_SUCH_ATTRIBUTE:
3364                                 /* just go on if the aci-Attribute is not present in
3365                                  * the current entry 
3366                                  */
3367                                 Debug( LDAP_DEBUG_ACL, "no such attribute\n", 0, 0, 0 );
3368                                 stop = 0;
3369                                 break;
3370
3371                         case LDAP_NO_SUCH_OBJECT:
3372                                 /* We have reached the base object */
3373                                 Debug( LDAP_DEBUG_ACL, "no such object\n", 0, 0, 0 );
3374                                 stop = 1;
3375                                 break;
3376
3377                         default:
3378                                 stop = 1;
3379                                 break;
3380                         }
3381
3382                         if ( stop ) {
3383                                 break;
3384                         }
3385                         dnParent( &parent_ndn, &parent_ndn );
3386                 }
3387         }
3388
3389         *grantp = tgrant;
3390         *denyp = tdeny;
3391
3392         return 0;
3393 }
3394
3395 /* need to register this at some point */
3396 static slap_dynacl_t    dynacl_aci = {
3397         "aci",
3398         dynacl_aci_parse,
3399         dynacl_aci_unparse,
3400         dynacl_aci_mask,
3401         NULL,
3402         NULL,
3403         NULL
3404 };
3405
3406 #endif /* SLAP_DYNACL */
3407
3408 #endif  /* SLAPD_ACI_ENABLED */
3409
3410 #ifdef SLAP_DYNACL
3411
3412 /*
3413  * dynamic ACL infrastructure
3414  */
3415 static slap_dynacl_t    *da_list = NULL;
3416
3417 int
3418 slap_dynacl_register( slap_dynacl_t *da )
3419 {
3420         slap_dynacl_t   *tmp;
3421
3422         for ( tmp = da_list; tmp; tmp = tmp->da_next ) {
3423                 if ( strcasecmp( da->da_name, tmp->da_name ) == 0 ) {
3424                         break;
3425                 }
3426         }
3427
3428         if ( tmp != NULL ) {
3429                 return -1;
3430         }
3431         
3432         if ( da->da_mask == NULL ) {
3433                 return -1;
3434         }
3435         
3436         da->da_private = NULL;
3437         da->da_next = da_list;
3438         da_list = da;
3439
3440         return 0;
3441 }
3442
3443 static slap_dynacl_t *
3444 slap_dynacl_next( slap_dynacl_t *da )
3445 {
3446         if ( da ) {
3447                 return da->da_next;
3448         }
3449         return da_list;
3450 }
3451
3452 slap_dynacl_t *
3453 slap_dynacl_get( const char *name )
3454 {
3455         slap_dynacl_t   *da;
3456
3457         for ( da = slap_dynacl_next( NULL ); da; da = slap_dynacl_next( da ) ) {
3458                 if ( strcasecmp( da->da_name, name ) == 0 ) {
3459                         break;
3460                 }
3461         }
3462
3463         return da;
3464 }
3465 #endif /* SLAP_DYNACL */
3466
3467 int
3468 acl_init( void )
3469 {
3470 #ifdef SLAP_DYNACL
3471         int             i, rc;
3472         slap_dynacl_t   *known_dynacl[] = {
3473 #ifdef SLAPD_ACI_ENABLED
3474                 &dynacl_aci,
3475 #endif  /* SLAPD_ACI_ENABLED */
3476                 NULL
3477         };
3478
3479         for ( i = 0; known_dynacl[ i ]; i++ ) {
3480                 rc = slap_dynacl_register( known_dynacl[ i ] ); 
3481                 if ( rc ) {
3482                         return rc;
3483                 }
3484         }
3485 #endif /* SLAP_DYNACL */
3486
3487         return 0;
3488 }
3489
3490 static int
3491 string_expand(
3492         struct berval   *bv,
3493         struct berval   *pat,
3494         char            *match,
3495         int             nmatch,
3496         regmatch_t      *matches)
3497 {
3498         ber_len_t       size;
3499         char   *sp;
3500         char   *dp;
3501         int     flag;
3502
3503         size = 0;
3504         bv->bv_val[0] = '\0';
3505         bv->bv_len--; /* leave space for lone $ */
3506
3507         flag = 0;
3508         for ( dp = bv->bv_val, sp = pat->bv_val; size < bv->bv_len &&
3509                 sp < pat->bv_val + pat->bv_len ; sp++ )
3510         {
3511                 /* did we previously see a $ */
3512                 if ( flag ) {
3513                         if ( flag == 1 && *sp == '$' ) {
3514                                 *dp++ = '$';
3515                                 size++;
3516                                 flag = 0;
3517
3518                         } else if ( flag == 1 && *sp == '{' /*'}'*/) {
3519                                 flag = 2;
3520
3521                         } else if ( *sp >= '0' && *sp <= '9' ) {
3522                                 int     n;
3523                                 int     i;
3524                                 int     l;
3525
3526                                 n = *sp - '0';
3527
3528                                 if ( flag == 2 ) {
3529                                         for ( sp++; *sp != '\0' && *sp != /*'{'*/ '}'; sp++ ) {
3530                                                 if ( *sp >= '0' && *sp <= '9' ) {
3531                                                         n = 10*n + ( *sp - '0' );
3532                                                 }
3533                                         }
3534
3535                                         if ( *sp != /*'{'*/ '}' ) {
3536                                                 /* FIXME: error */
3537                                                 return 1;
3538                                         }
3539                                 }
3540
3541                                 if ( n >= nmatch ) {
3542                                         /* FIXME: error */
3543                                         return 1;
3544                                 }
3545                                 
3546                                 *dp = '\0';
3547                                 i = matches[n].rm_so;
3548                                 l = matches[n].rm_eo; 
3549                                 for ( ; size < bv->bv_len && i < l; size++, i++ ) {
3550                                         *dp++ = match[i];
3551                                 }
3552                                 *dp = '\0';
3553
3554                                 flag = 0;
3555                         }
3556                 } else {
3557                         if (*sp == '$') {
3558                                 flag = 1;
3559                         } else {
3560                                 *dp++ = *sp;
3561                                 size++;
3562                         }
3563                 }
3564         }
3565
3566         if ( flag ) {
3567                 /* must have ended with a single $ */
3568                 *dp++ = '$';
3569                 size++;
3570         }
3571
3572         *dp = '\0';
3573         bv->bv_len = size;
3574
3575         Debug( LDAP_DEBUG_TRACE, "=> string_expand: pattern:  %.*s\n", (int)pat->bv_len, pat->bv_val, 0 );
3576         Debug( LDAP_DEBUG_TRACE, "=> string_expand: expanded: %s\n", bv->bv_val, 0, 0 );
3577
3578         return 0;
3579 }
3580
3581 static int
3582 regex_matches(
3583         struct berval   *pat,           /* pattern to expand and match against */
3584         char            *str,           /* string to match against pattern */
3585         char            *buf,           /* buffer with $N expansion variables */
3586         int             nmatch, /* size of the matches array */
3587         regmatch_t      *matches        /* offsets in buffer for $N expansion variables */
3588 )
3589 {
3590         regex_t re;
3591         char newbuf[ACL_BUF_SIZE];
3592         struct berval bv;
3593         int     rc;
3594
3595         bv.bv_len = sizeof( newbuf ) - 1;
3596         bv.bv_val = newbuf;
3597
3598         if (str == NULL) {
3599                 str = "";
3600         };
3601
3602         string_expand( &bv, pat, buf, nmatch, matches );
3603         rc = regcomp( &re, newbuf, REG_EXTENDED|REG_ICASE );
3604         if ( rc ) {
3605                 char error[ACL_BUF_SIZE];
3606                 regerror( rc, &re, error, sizeof( error ) );
3607
3608                 Debug( LDAP_DEBUG_TRACE,
3609                     "compile( \"%s\", \"%s\") failed %s\n",
3610                         pat->bv_val, str, error );
3611                 return( 0 );
3612         }
3613
3614         rc = regexec( &re, str, 0, NULL, 0 );
3615         regfree( &re );
3616
3617         Debug( LDAP_DEBUG_TRACE,
3618             "=> regex_matches: string:   %s\n", str, 0, 0 );
3619         Debug( LDAP_DEBUG_TRACE,
3620             "=> regex_matches: rc: %d %s\n",
3621                 rc, !rc ? "matches" : "no matches", 0 );
3622         return( !rc );
3623 }
3624