1 /* aclparse.c - routines to parse and check acl's */
3 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
5 * Copyright 1998-2005 The OpenLDAP Foundation.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted only as authorized by the OpenLDAP
12 * A copy of this license is available in the file LICENSE in the
13 * top-level directory of the distribution or, alternatively, at
14 * <http://www.OpenLDAP.org/license.html>.
16 /* Portions Copyright (c) 1995 Regents of the University of Michigan.
17 * All rights reserved.
19 * Redistribution and use in source and binary forms are permitted
20 * provided that this notice is preserved and that due credit is given
21 * to the University of Michigan at Ann Arbor. The name of the University
22 * may not be used to endorse or promote products derived from this
23 * software without specific prior written permission. This software
24 * is provided ``as is'' without express or implied warranty.
33 #include <ac/socket.h>
34 #include <ac/string.h>
35 #include <ac/unistd.h>
41 static char *style_strings[] = {
54 static void split(char *line, int splitchar, char **left, char **right);
55 static void access_append(Access **l, Access *a);
56 static void acl_usage(void) LDAP_GCCATTR((noreturn));
58 static void acl_regex_normalized_dn(const char *src, struct berval *pat);
61 static void print_acl(Backend *be, AccessControl *a);
62 static void print_access(Access *b);
65 static int check_scope( BackendDB *be, AccessControl *a );
69 slap_dynacl_config( const char *fname, int lineno, Access *b, const char *name, slap_style_t sty, const char *right )
71 slap_dynacl_t *da, *tmp;
74 for ( da = b->a_dynacl; da; da = da->da_next ) {
75 if ( strcasecmp( da->da_name, name ) == 0 ) {
77 "%s: line %d: dynacl \"%s\" already specified.\n",
78 fname, lineno, name );
83 da = slap_dynacl_get( name );
88 tmp = ch_malloc( sizeof( slap_dynacl_t ) );
91 if ( tmp->da_parse ) {
92 rc = ( *tmp->da_parse )( fname, lineno, sty, right, &tmp->da_private );
99 tmp->da_next = b->a_dynacl;
104 #endif /* SLAP_DYNACL */
107 regtest(const char *fname, int lineno, char *pat) {
123 for (size = 0, flag = 0; (size < sizeof(buf)) && *sp; sp++) {
125 if (*sp == '$'|| (*sp >= '0' && *sp <= '9')) {
142 if ( size >= (sizeof(buf) - 1) ) {
144 "%s: line %d: regular expression \"%s\" too large\n",
145 fname, lineno, pat );
149 if ((e = regcomp(&re, buf, REG_EXTENDED|REG_ICASE))) {
151 regerror(e, &re, error, sizeof(error));
153 "%s: line %d: regular expression \"%s\" bad because of %s\n",
154 fname, lineno, pat, error );
163 * Check if the pattern of an ACL, if any, matches the scope
164 * of the backend it is defined within.
166 #define ACL_SCOPE_UNKNOWN (-2)
167 #define ACL_SCOPE_ERR (-1)
168 #define ACL_SCOPE_OK (0)
169 #define ACL_SCOPE_PARTIAL (1)
170 #define ACL_SCOPE_WARN (2)
173 check_scope( BackendDB *be, AccessControl *a )
178 dn = be->be_nsuffix[0];
180 if ( !BER_BVISEMPTY( &a->acl_dn_pat ) ||
181 a->acl_dn_style != ACL_STYLE_REGEX )
183 slap_style_t style = a->acl_dn_style;
185 if ( style == ACL_STYLE_REGEX ) {
186 char dnbuf[SLAP_LDAPDN_MAXLEN + 2];
187 char rebuf[SLAP_LDAPDN_MAXLEN + 1];
192 /* add trailing '$' to database suffix to form
193 * a simple trial regex pattern "<suffix>$" */
194 AC_MEMCPY( dnbuf, be->be_nsuffix[0].bv_val,
195 be->be_nsuffix[0].bv_len );
196 dnbuf[be->be_nsuffix[0].bv_len] = '$';
197 dnbuf[be->be_nsuffix[0].bv_len + 1] = '\0';
199 if ( regcomp( &re, dnbuf, REG_EXTENDED|REG_ICASE ) ) {
200 return ACL_SCOPE_WARN;
203 /* remove trailing ')$', if any, from original
205 rebuflen = a->acl_dn_pat.bv_len;
206 AC_MEMCPY( rebuf, a->acl_dn_pat.bv_val, rebuflen + 1 );
207 if ( rebuf[rebuflen - 1] == '$' ) {
208 rebuf[--rebuflen] = '\0';
210 while ( rebuflen > be->be_nsuffix[0].bv_len && rebuf[rebuflen - 1] == ')' ) {
211 rebuf[--rebuflen] = '\0';
213 if ( rebuflen == be->be_nsuffix[0].bv_len ) {
218 /* not a clear indication of scoping error, though */
219 rc = regexec( &re, rebuf, 0, NULL, 0 )
220 ? ACL_SCOPE_WARN : ACL_SCOPE_OK;
227 patlen = a->acl_dn_pat.bv_len;
228 /* If backend suffix is longer than pattern,
229 * it is a potential mismatch (in the sense
230 * that a superior naming context could
232 if ( dn.bv_len > patlen ) {
233 /* base is blatantly wrong */
234 if ( style == ACL_STYLE_BASE ) return ACL_SCOPE_ERR;
236 /* a style of one can be wrong if there is
237 * more than one level between the suffix
239 if ( style == ACL_STYLE_ONE ) {
240 int rdnlen = -1, sep = 0;
243 if ( !DN_SEPARATOR( dn.bv_val[dn.bv_len - patlen - 1] )) {
244 return ACL_SCOPE_ERR;
249 rdnlen = dn_rdnlen( NULL, &dn );
250 if ( rdnlen != dn.bv_len - patlen - sep )
251 return ACL_SCOPE_ERR;
254 /* if the trailing part doesn't match,
255 * then it's an error */
256 if ( strcmp( a->acl_dn_pat.bv_val,
257 &dn.bv_val[dn.bv_len - patlen] ) != 0 )
259 return ACL_SCOPE_ERR;
262 return ACL_SCOPE_PARTIAL;
268 case ACL_STYLE_CHILDREN:
269 case ACL_STYLE_SUBTREE:
277 if ( dn.bv_len < patlen &&
278 !DN_SEPARATOR( a->acl_dn_pat.bv_val[patlen - dn.bv_len - 1] ))
280 return ACL_SCOPE_ERR;
283 if ( strcmp( &a->acl_dn_pat.bv_val[patlen - dn.bv_len], dn.bv_val )
286 return ACL_SCOPE_ERR;
292 return ACL_SCOPE_UNKNOWN;
304 char *left, *right, *style, *next;
312 for ( i = 1; i < argc; i++ ) {
313 /* to clause - select which entries are protected */
314 if ( strcasecmp( argv[i], "to" ) == 0 ) {
316 fprintf( stderr, "%s: line %d: "
317 "only one to clause allowed in access line\n",
321 a = (AccessControl *) ch_calloc( 1, sizeof(AccessControl) );
322 for ( ++i; i < argc; i++ ) {
323 if ( strcasecmp( argv[i], "by" ) == 0 ) {
328 if ( strcasecmp( argv[i], "*" ) == 0 ) {
329 if ( !BER_BVISEMPTY( &a->acl_dn_pat ) ||
330 a->acl_dn_style != ACL_STYLE_REGEX )
333 "%s: line %d: dn pattern"
334 " already specified in to clause.\n",
339 ber_str2bv( "*", STRLENOF( "*" ), 1, &a->acl_dn_pat );
343 split( argv[i], '=', &left, &right );
344 split( left, '.', &left, &style );
346 if ( right == NULL ) {
347 fprintf( stderr, "%s: line %d: "
348 "missing \"=\" in \"%s\" in to clause\n",
349 fname, lineno, left );
353 if ( strcasecmp( left, "dn" ) == 0 ) {
354 if ( !BER_BVISEMPTY( &a->acl_dn_pat ) ||
355 a->acl_dn_style != ACL_STYLE_REGEX )
358 "%s: line %d: dn pattern"
359 " already specified in to clause.\n",
364 if ( style == NULL || *style == '\0' ||
365 strcasecmp( style, "baseObject" ) == 0 ||
366 strcasecmp( style, "base" ) == 0 ||
367 strcasecmp( style, "exact" ) == 0 )
369 a->acl_dn_style = ACL_STYLE_BASE;
370 ber_str2bv( right, 0, 1, &a->acl_dn_pat );
372 } else if ( strcasecmp( style, "oneLevel" ) == 0 ||
373 strcasecmp( style, "one" ) == 0 )
375 a->acl_dn_style = ACL_STYLE_ONE;
376 ber_str2bv( right, 0, 1, &a->acl_dn_pat );
378 } else if ( strcasecmp( style, "subtree" ) == 0 ||
379 strcasecmp( style, "sub" ) == 0 )
381 if( *right == '\0' ) {
382 ber_str2bv( "*", STRLENOF( "*" ), 1, &a->acl_dn_pat );
385 a->acl_dn_style = ACL_STYLE_SUBTREE;
386 ber_str2bv( right, 0, 1, &a->acl_dn_pat );
389 } else if ( strcasecmp( style, "children" ) == 0 ) {
390 a->acl_dn_style = ACL_STYLE_CHILDREN;
391 ber_str2bv( right, 0, 1, &a->acl_dn_pat );
393 } else if ( strcasecmp( style, "regex" ) == 0 ) {
394 a->acl_dn_style = ACL_STYLE_REGEX;
396 if ( *right == '\0' ) {
397 /* empty regex should match empty DN */
398 a->acl_dn_style = ACL_STYLE_BASE;
399 ber_str2bv( right, 0, 1, &a->acl_dn_pat );
401 } else if ( strcmp(right, "*") == 0
402 || strcmp(right, ".*") == 0
403 || strcmp(right, ".*$") == 0
404 || strcmp(right, "^.*") == 0
405 || strcmp(right, "^.*$") == 0
406 || strcmp(right, ".*$$") == 0
407 || strcmp(right, "^.*$$") == 0 )
409 ber_str2bv( "*", STRLENOF("*"), 1, &a->acl_dn_pat );
412 acl_regex_normalized_dn( right, &a->acl_dn_pat );
416 fprintf( stderr, "%s: line %d: "
417 "unknown dn style \"%s\" in to clause\n",
418 fname, lineno, style );
425 if ( strcasecmp( left, "filter" ) == 0 ) {
426 if ( (a->acl_filter = str2filter( right )) == NULL ) {
428 "%s: line %d: bad filter \"%s\" in to clause\n",
429 fname, lineno, right );
433 } else if ( strcasecmp( left, "attr" ) == 0
434 || strcasecmp( left, "attrs" ) == 0 ) {
435 a->acl_attrs = str2anlist( a->acl_attrs,
437 if ( a->acl_attrs == NULL ) {
439 "%s: line %d: unknown attr \"%s\" in to clause\n",
440 fname, lineno, right );
444 } else if ( strncasecmp( left, "val", 3 ) == 0 ) {
445 if ( !BER_BVISEMPTY( &a->acl_attrval ) ) {
447 "%s: line %d: attr val already specified in to clause.\n",
451 if ( a->acl_attrs == NULL || !BER_BVISEMPTY( &a->acl_attrs[1].an_name ) )
454 "%s: line %d: attr val requires a single attribute.\n",
458 ber_str2bv( right, 0, 1, &a->acl_attrval );
459 if ( style && strcasecmp( style, "regex" ) == 0 ) {
460 int e = regcomp( &a->acl_attrval_re, a->acl_attrval.bv_val,
461 REG_EXTENDED | REG_ICASE | REG_NOSUB );
464 regerror( e, &a->acl_attrval_re, buf, sizeof(buf) );
465 fprintf( stderr, "%s: line %d: "
466 "regular expression \"%s\" bad because of %s\n",
467 fname, lineno, right, buf );
470 a->acl_attrval_style = ACL_STYLE_REGEX;
472 /* FIXME: if the attribute has DN syntax, we might
473 * allow one, subtree and children styles as well */
474 if ( !strcasecmp( style, "exact" ) ) {
475 a->acl_attrval_style = ACL_STYLE_BASE;
477 } else if ( a->acl_attrs[0].an_desc->ad_type->
478 sat_syntax == slap_schema.si_syn_distinguishedName )
480 if ( !strcasecmp( style, "baseObject" ) ||
481 !strcasecmp( style, "base" ) )
483 a->acl_attrval_style = ACL_STYLE_BASE;
484 } else if ( !strcasecmp( style, "onelevel" ) ||
485 !strcasecmp( style, "one" ) )
487 a->acl_attrval_style = ACL_STYLE_ONE;
488 } else if ( !strcasecmp( style, "subtree" ) ||
489 !strcasecmp( style, "sub" ) )
491 a->acl_attrval_style = ACL_STYLE_SUBTREE;
492 } else if ( !strcasecmp( style, "children" ) ) {
493 a->acl_attrval_style = ACL_STYLE_CHILDREN;
496 "%s: line %d: unknown val.<style> \"%s\" "
497 "for attributeType \"%s\" with DN syntax; "
499 fname, lineno, style,
500 a->acl_attrs[0].an_desc->ad_cname.bv_val );
501 a->acl_attrval_style = ACL_STYLE_BASE;
506 "%s: line %d: unknown val.<style> \"%s\" "
507 "for attributeType \"%s\"; using \"exact\"\n",
508 fname, lineno, style,
509 a->acl_attrs[0].an_desc->ad_cname.bv_val );
510 a->acl_attrval_style = ACL_STYLE_BASE;
516 "%s: line %d: expecting <what> got \"%s\"\n",
517 fname, lineno, left );
522 if ( !BER_BVISNULL( &a->acl_dn_pat ) &&
523 ber_bvccmp( &a->acl_dn_pat, '*' ) )
525 free( a->acl_dn_pat.bv_val );
526 BER_BVZERO( &a->acl_dn_pat );
529 if ( !BER_BVISEMPTY( &a->acl_dn_pat ) ||
530 a->acl_dn_style != ACL_STYLE_REGEX )
532 if ( a->acl_dn_style != ACL_STYLE_REGEX ) {
534 rc = dnNormalize( 0, NULL, NULL, &a->acl_dn_pat, &bv, NULL);
535 if ( rc != LDAP_SUCCESS ) {
537 "%s: line %d: bad DN \"%s\" in to DN clause\n",
538 fname, lineno, a->acl_dn_pat.bv_val );
541 free( a->acl_dn_pat.bv_val );
545 int e = regcomp( &a->acl_dn_re, a->acl_dn_pat.bv_val,
546 REG_EXTENDED | REG_ICASE );
549 regerror( e, &a->acl_dn_re, buf, sizeof(buf) );
550 fprintf( stderr, "%s: line %d: "
551 "regular expression \"%s\" bad because of %s\n",
552 fname, lineno, right, buf );
558 /* by clause - select who has what access to entries */
559 } else if ( strcasecmp( argv[i], "by" ) == 0 ) {
561 fprintf( stderr, "%s: line %d: "
562 "to clause required before by clause in access line\n",
568 * by clause consists of <who> and <access>
571 b = (Access *) ch_calloc( 1, sizeof(Access) );
573 ACL_INVALIDATE( b->a_access_mask );
577 "%s: line %d: premature eol: expecting <who>\n",
583 for ( ; i < argc; i++ ) {
584 slap_style_t sty = ACL_STYLE_REGEX;
585 char *style_modifier = NULL;
588 split( argv[i], '=', &left, &right );
589 split( left, '.', &left, &style );
591 split( style, ',', &style, &style_modifier);
594 if ( style == NULL || *style == '\0' ||
595 strcasecmp( style, "exact" ) == 0 ||
596 strcasecmp( style, "baseObject" ) == 0 ||
597 strcasecmp( style, "base" ) == 0 )
599 sty = ACL_STYLE_BASE;
601 } else if ( strcasecmp( style, "onelevel" ) == 0 ||
602 strcasecmp( style, "one" ) == 0 )
606 } else if ( strcasecmp( style, "subtree" ) == 0 ||
607 strcasecmp( style, "sub" ) == 0 )
609 sty = ACL_STYLE_SUBTREE;
611 } else if ( strcasecmp( style, "children" ) == 0 ) {
612 sty = ACL_STYLE_CHILDREN;
614 } else if ( strcasecmp( style, "regex" ) == 0 ) {
615 sty = ACL_STYLE_REGEX;
617 } else if ( strcasecmp( style, "expand" ) == 0 ) {
618 sty = ACL_STYLE_EXPAND;
620 } else if ( strcasecmp( style, "ip" ) == 0 ) {
623 } else if ( strcasecmp( style, "path" ) == 0 ) {
624 sty = ACL_STYLE_PATH;
625 #ifndef LDAP_PF_LOCAL
626 fprintf( stderr, "%s: line %d: "
627 "path style modifier is useless without local\n",
629 #endif /* LDAP_PF_LOCAL */
633 "%s: line %d: unknown style \"%s\" in by clause\n",
634 fname, lineno, style );
638 if ( style_modifier &&
639 strcasecmp( style_modifier, "expand" ) == 0 )
642 case ACL_STYLE_REGEX:
643 fprintf( stderr, "%s: line %d: "
644 "\"regex\" style implies "
645 "\"expand\" modifier (ignored)\n",
649 case ACL_STYLE_EXPAND:
651 /* FIXME: now it's legal... */
652 fprintf( stderr, "%s: line %d: "
653 "\"expand\" style used "
654 "in conjunction with "
655 "\"expand\" modifier (ignored)\n",
661 /* we'll see later if it's pertinent */
667 /* expand in <who> needs regex in <what> */
668 if ( ( sty == ACL_STYLE_EXPAND || expand )
669 && a->acl_dn_style != ACL_STYLE_REGEX )
671 fprintf( stderr, "%s: line %d: "
672 "\"expand\" style or modifier used "
673 "in conjunction with "
674 "a non-regex <what> clause\n",
678 if ( strcasecmp( argv[i], "*" ) == 0 ) {
679 ber_str2bv( "*", STRLENOF( "*" ), 1, &bv );
680 sty = ACL_STYLE_REGEX;
682 } else if ( strcasecmp( argv[i], "anonymous" ) == 0 ) {
683 ber_str2bv("anonymous", STRLENOF( "anonymous" ), 1, &bv);
684 sty = ACL_STYLE_ANONYMOUS;
686 } else if ( strcasecmp( argv[i], "users" ) == 0 ) {
687 ber_str2bv("users", STRLENOF( "users" ), 1, &bv);
688 sty = ACL_STYLE_USERS;
690 } else if ( strcasecmp( argv[i], "self" ) == 0 ) {
691 ber_str2bv("self", STRLENOF( "self" ), 1, &bv);
692 sty = ACL_STYLE_SELF;
694 } else if ( strcasecmp( left, "dn" ) == 0 ) {
695 if ( sty == ACL_STYLE_REGEX ) {
696 b->a_dn_style = ACL_STYLE_REGEX;
697 if ( right == NULL ) {
702 b->a_dn_style = ACL_STYLE_USERS;
704 } else if (*right == '\0' ) {
706 ber_str2bv("anonymous",
707 STRLENOF( "anonymous" ),
709 b->a_dn_style = ACL_STYLE_ANONYMOUS;
711 } else if ( strcmp( right, "*" ) == 0 ) {
713 /* any or users? users for now */
717 b->a_dn_style = ACL_STYLE_USERS;
719 } else if ( strcmp( right, ".+" ) == 0
720 || strcmp( right, "^.+" ) == 0
721 || strcmp( right, ".+$" ) == 0
722 || strcmp( right, "^.+$" ) == 0
723 || strcmp( right, ".+$$" ) == 0
724 || strcmp( right, "^.+$$" ) == 0 )
729 b->a_dn_style = ACL_STYLE_USERS;
731 } else if ( strcmp( right, ".*" ) == 0
732 || strcmp( right, "^.*" ) == 0
733 || strcmp( right, ".*$" ) == 0
734 || strcmp( right, "^.*$" ) == 0
735 || strcmp( right, ".*$$" ) == 0
736 || strcmp( right, "^.*$$" ) == 0 )
743 acl_regex_normalized_dn( right, &bv );
744 if ( !ber_bvccmp( &bv, '*' ) ) {
745 regtest( fname, lineno, bv.bv_val );
749 } else if ( right == NULL || *right == '\0' ) {
750 fprintf( stderr, "%s: line %d: "
751 "missing \"=\" in (or value after) \"%s\" "
753 fname, lineno, left );
757 ber_str2bv( right, 0, 1, &bv );
764 if ( !BER_BVISNULL( &bv ) ) {
765 if ( !BER_BVISEMPTY( &b->a_dn_pat ) ) {
767 "%s: line %d: dn pattern already specified.\n",
772 if ( sty != ACL_STYLE_REGEX &&
773 sty != ACL_STYLE_ANONYMOUS &&
774 sty != ACL_STYLE_USERS &&
775 sty != ACL_STYLE_SELF &&
778 rc = dnNormalize(0, NULL, NULL,
779 &bv, &b->a_dn_pat, NULL);
780 if ( rc != LDAP_SUCCESS ) {
782 "%s: line %d: bad DN \"%s\" in by DN clause\n",
783 fname, lineno, bv.bv_val );
792 b->a_dn_expand = expand;
796 if ( strcasecmp( left, "dnattr" ) == 0 ) {
797 if ( right == NULL || right[0] == '\0' ) {
798 fprintf( stderr, "%s: line %d: "
799 "missing \"=\" in (or value after) \"%s\" "
801 fname, lineno, left );
805 if( b->a_dn_at != NULL ) {
807 "%s: line %d: dnattr already specified.\n",
812 rc = slap_str2ad( right, &b->a_dn_at, &text );
814 if( rc != LDAP_SUCCESS ) {
816 "%s: line %d: dnattr \"%s\": %s\n",
817 fname, lineno, right, text );
822 if( !is_at_syntax( b->a_dn_at->ad_type,
824 !is_at_syntax( b->a_dn_at->ad_type,
825 SLAPD_NAMEUID_SYNTAX ))
828 "%s: line %d: dnattr \"%s\": "
829 "inappropriate syntax: %s\n",
830 fname, lineno, right,
831 b->a_dn_at->ad_type->sat_syntax_oid );
835 if( b->a_dn_at->ad_type->sat_equality == NULL ) {
837 "%s: line %d: dnattr \"%s\": "
838 "inappropriate matching (no EQUALITY)\n",
839 fname, lineno, right );
846 if ( strncasecmp( left, "group", STRLENOF( "group" ) ) == 0 ) {
851 case ACL_STYLE_REGEX:
852 /* legacy, tolerated */
853 fprintf( stderr, "%s: line %d: "
854 "deprecated group style \"regex\"; "
855 "use \"expand\" instead\n",
856 fname, lineno, style );
857 sty = ACL_STYLE_EXPAND;
861 /* legal, traditional */
862 case ACL_STYLE_EXPAND:
863 /* legal, substring expansion; supersedes regex */
868 fprintf( stderr, "%s: line %d: "
869 "inappropriate style \"%s\" in by clause\n",
870 fname, lineno, style );
874 if ( right == NULL || right[0] == '\0' ) {
875 fprintf( stderr, "%s: line %d: "
876 "missing \"=\" in (or value after) \"%s\" "
878 fname, lineno, left );
882 if ( !BER_BVISEMPTY( &b->a_group_pat ) ) {
884 "%s: line %d: group pattern already specified.\n",
889 /* format of string is
890 "group/objectClassValue/groupAttrName" */
891 if ( ( value = strchr(left, '/') ) != NULL ) {
893 if ( *value && ( name = strchr( value, '/' ) ) != NULL ) {
898 b->a_group_style = sty;
899 if ( sty == ACL_STYLE_EXPAND ) {
900 acl_regex_normalized_dn( right, &bv );
901 if ( !ber_bvccmp( &bv, '*' ) ) {
902 regtest( fname, lineno, bv.bv_val );
907 ber_str2bv( right, 0, 0, &bv );
908 rc = dnNormalize( 0, NULL, NULL, &bv,
909 &b->a_group_pat, NULL );
910 if ( rc != LDAP_SUCCESS ) {
912 "%s: line %d: bad DN \"%s\"\n",
913 fname, lineno, right );
918 if ( value && *value ) {
919 b->a_group_oc = oc_find( value );
922 if ( b->a_group_oc == NULL ) {
924 "%s: line %d: group objectclass "
926 fname, lineno, value );
931 b->a_group_oc = oc_find(SLAPD_GROUP_CLASS);
933 if( b->a_group_oc == NULL ) {
935 "%s: line %d: group default objectclass "
937 fname, lineno, SLAPD_GROUP_CLASS );
942 if ( is_object_subclass( slap_schema.si_oc_referral,
946 "%s: line %d: group objectclass \"%s\" "
947 "is subclass of referral\n",
948 fname, lineno, value );
952 if ( is_object_subclass( slap_schema.si_oc_alias,
956 "%s: line %d: group objectclass \"%s\" "
957 "is subclass of alias\n",
958 fname, lineno, value );
962 if ( name && *name ) {
963 rc = slap_str2ad( name, &b->a_group_at, &text );
965 if( rc != LDAP_SUCCESS ) {
967 "%s: line %d: group \"%s\": %s\n",
968 fname, lineno, right, text );
974 rc = slap_str2ad( SLAPD_GROUP_ATTR, &b->a_group_at, &text );
976 if ( rc != LDAP_SUCCESS ) {
978 "%s: line %d: group \"%s\": %s\n",
979 fname, lineno, SLAPD_GROUP_ATTR, text );
984 if ( !is_at_syntax( b->a_group_at->ad_type,
986 !is_at_syntax( b->a_group_at->ad_type,
987 SLAPD_NAMEUID_SYNTAX ) &&
988 !is_at_subtype( b->a_group_at->ad_type, slap_schema.si_ad_labeledURI->ad_type ) )
991 "%s: line %d: group \"%s\": inappropriate syntax: %s\n",
992 fname, lineno, right,
993 b->a_group_at->ad_type->sat_syntax_oid );
1000 struct berval vals[2];
1002 ber_str2bv( b->a_group_oc->soc_oid, 0, 0, &vals[0] );
1003 BER_BVZERO( &vals[1] );
1005 rc = oc_check_allowed( b->a_group_at->ad_type,
1009 fprintf( stderr, "%s: line %d: "
1010 "group: \"%s\" not allowed by \"%s\"\n",
1012 b->a_group_at->ad_cname.bv_val,
1013 b->a_group_oc->soc_oid );
1020 if ( strcasecmp( left, "peername" ) == 0 ) {
1022 case ACL_STYLE_REGEX:
1023 case ACL_STYLE_BASE:
1024 /* legal, traditional */
1025 case ACL_STYLE_EXPAND:
1026 /* cheap replacement to regex for simple expansion */
1028 case ACL_STYLE_PATH:
1029 /* legal, peername specific */
1033 fprintf( stderr, "%s: line %d: "
1034 "inappropriate style \"%s\" in by clause\n",
1035 fname, lineno, style );
1039 if ( right == NULL || right[0] == '\0' ) {
1040 fprintf( stderr, "%s: line %d: "
1041 "missing \"=\" in (or value after) \"%s\" "
1043 fname, lineno, left );
1047 if ( !BER_BVISEMPTY( &b->a_peername_pat ) ) {
1048 fprintf( stderr, "%s: line %d: "
1049 "peername pattern already specified.\n",
1054 b->a_peername_style = sty;
1055 if ( sty == ACL_STYLE_REGEX ) {
1056 acl_regex_normalized_dn( right, &bv );
1057 if ( !ber_bvccmp( &bv, '*' ) ) {
1058 regtest( fname, lineno, bv.bv_val );
1060 b->a_peername_pat = bv;
1063 ber_str2bv( right, 0, 1, &b->a_peername_pat );
1065 if ( sty == ACL_STYLE_IP ) {
1070 split( right, '{', &addr, &port );
1071 split( addr, '%', &addr, &mask );
1073 b->a_peername_addr = inet_addr( addr );
1074 if ( b->a_peername_addr == (unsigned long)(-1) ) {
1075 /* illegal address */
1076 fprintf( stderr, "%s: line %d: "
1077 "illegal peername address \"%s\".\n",
1078 fname, lineno, addr );
1082 b->a_peername_mask = (unsigned long)(-1);
1083 if ( mask != NULL ) {
1084 b->a_peername_mask = inet_addr( mask );
1085 if ( b->a_peername_mask ==
1086 (unsigned long)(-1) )
1089 fprintf( stderr, "%s: line %d: "
1090 "illegal peername address mask "
1092 fname, lineno, mask );
1097 b->a_peername_port = -1;
1101 b->a_peername_port = strtol( port, &end, 10 );
1102 if ( end[0] != '}' ) {
1104 fprintf( stderr, "%s: line %d: "
1105 "illegal peername port specification "
1107 fname, lineno, port );
1116 if ( strcasecmp( left, "sockname" ) == 0 ) {
1118 case ACL_STYLE_REGEX:
1119 case ACL_STYLE_BASE:
1120 /* legal, traditional */
1121 case ACL_STYLE_EXPAND:
1122 /* cheap replacement to regex for simple expansion */
1127 fprintf( stderr, "%s: line %d: "
1128 "inappropriate style \"%s\" in by clause\n",
1129 fname, lineno, style );
1133 if ( right == NULL || right[0] == '\0' ) {
1134 fprintf( stderr, "%s: line %d: "
1135 "missing \"=\" in (or value after) \"%s\" "
1137 fname, lineno, left );
1141 if ( !BER_BVISNULL( &b->a_sockname_pat ) ) {
1142 fprintf( stderr, "%s: line %d: "
1143 "sockname pattern already specified.\n",
1148 b->a_sockname_style = sty;
1149 if ( sty == ACL_STYLE_REGEX ) {
1150 acl_regex_normalized_dn( right, &bv );
1151 if ( !ber_bvccmp( &bv, '*' ) ) {
1152 regtest( fname, lineno, bv.bv_val );
1154 b->a_sockname_pat = bv;
1157 ber_str2bv( right, 0, 1, &b->a_sockname_pat );
1162 if ( strcasecmp( left, "domain" ) == 0 ) {
1164 case ACL_STYLE_REGEX:
1165 case ACL_STYLE_BASE:
1166 case ACL_STYLE_SUBTREE:
1167 /* legal, traditional */
1170 case ACL_STYLE_EXPAND:
1171 /* tolerated: means exact,expand */
1175 "\"expand\" modifier "
1176 "with \"expand\" style\n",
1179 sty = ACL_STYLE_BASE;
1185 fprintf( stderr, "%s: line %d: "
1186 "inappropriate style \"%s\" in by clause\n",
1187 fname, lineno, style );
1191 if ( right == NULL || right[0] == '\0' ) {
1192 fprintf( stderr, "%s: line %d: "
1193 "missing \"=\" in (or value after) \"%s\" "
1195 fname, lineno, left );
1199 if ( !BER_BVISEMPTY( &b->a_domain_pat ) ) {
1201 "%s: line %d: domain pattern already specified.\n",
1206 b->a_domain_style = sty;
1207 b->a_domain_expand = expand;
1208 if ( sty == ACL_STYLE_REGEX ) {
1209 acl_regex_normalized_dn( right, &bv );
1210 if ( !ber_bvccmp( &bv, '*' ) ) {
1211 regtest( fname, lineno, bv.bv_val );
1213 b->a_domain_pat = bv;
1216 ber_str2bv( right, 0, 1, &b->a_domain_pat );
1221 if ( strcasecmp( left, "sockurl" ) == 0 ) {
1223 case ACL_STYLE_REGEX:
1224 case ACL_STYLE_BASE:
1225 /* legal, traditional */
1226 case ACL_STYLE_EXPAND:
1227 /* cheap replacement to regex for simple expansion */
1232 fprintf( stderr, "%s: line %d: "
1233 "inappropriate style \"%s\" in by clause\n",
1234 fname, lineno, style );
1238 if ( right == NULL || right[0] == '\0' ) {
1239 fprintf( stderr, "%s: line %d: "
1240 "missing \"=\" in (or value after) \"%s\" "
1242 fname, lineno, left );
1246 if ( !BER_BVISEMPTY( &b->a_sockurl_pat ) ) {
1248 "%s: line %d: sockurl pattern already specified.\n",
1253 b->a_sockurl_style = sty;
1254 if ( sty == ACL_STYLE_REGEX ) {
1255 acl_regex_normalized_dn( right, &bv );
1256 if ( !ber_bvccmp( &bv, '*' ) ) {
1257 regtest( fname, lineno, bv.bv_val );
1259 b->a_sockurl_pat = bv;
1262 ber_str2bv( right, 0, 1, &b->a_sockurl_pat );
1267 if ( strcasecmp( left, "set" ) == 0 ) {
1270 case ACL_STYLE_REGEX:
1271 fprintf( stderr, "%s: line %d: "
1272 "deprecated set style "
1273 "\"regex\" in <by> clause; "
1274 "use \"expand\" instead\n",
1276 sty = ACL_STYLE_EXPAND;
1279 case ACL_STYLE_BASE:
1280 case ACL_STYLE_EXPAND:
1284 fprintf( stderr, "%s: line %d: "
1285 "inappropriate style \"%s\" in by clause\n",
1286 fname, lineno, style );
1290 if ( !BER_BVISEMPTY( &b->a_set_pat ) ) {
1292 "%s: line %d: set attribute already specified.\n",
1297 if ( right == NULL || *right == '\0' ) {
1299 "%s: line %d: no set is defined\n",
1304 b->a_set_style = sty;
1305 ber_str2bv( right, 0, 1, &b->a_set_pat );
1314 if ( strcasecmp( left, "aci" ) == 0 ) {
1317 } else if ( strncasecmp( left, "dynacl/", STRLENOF( "dynacl/" ) ) == 0 ) {
1318 name = &left[ STRLENOF( "dynacl/" ) ];
1322 if ( slap_dynacl_config( fname, lineno, b, name, sty, right ) ) {
1323 fprintf( stderr, "%s: line %d: "
1324 "unable to configure dynacl \"%s\"\n",
1325 fname, lineno, name );
1332 #else /* ! SLAP_DYNACL */
1334 #ifdef SLAPD_ACI_ENABLED
1335 if ( strcasecmp( left, "aci" ) == 0 ) {
1336 if (sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE) {
1337 fprintf( stderr, "%s: line %d: "
1338 "inappropriate style \"%s\" in by clause\n",
1339 fname, lineno, style );
1343 if( b->a_aci_at != NULL ) {
1345 "%s: line %d: aci attribute already specified.\n",
1350 if ( right != NULL && *right != '\0' ) {
1351 rc = slap_str2ad( right, &b->a_aci_at, &text );
1353 if( rc != LDAP_SUCCESS ) {
1355 "%s: line %d: aci \"%s\": %s\n",
1356 fname, lineno, right, text );
1361 b->a_aci_at = slap_schema.si_ad_aci;
1364 if( !is_at_syntax( b->a_aci_at->ad_type,
1367 fprintf( stderr, "%s: line %d: "
1368 "aci \"%s\": inappropriate syntax: %s\n",
1369 fname, lineno, right,
1370 b->a_aci_at->ad_type->sat_syntax_oid );
1376 #endif /* SLAPD_ACI_ENABLED */
1377 #endif /* ! SLAP_DYNACL */
1379 if ( strcasecmp( left, "ssf" ) == 0 ) {
1380 if ( sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE ) {
1381 fprintf( stderr, "%s: line %d: "
1382 "inappropriate style \"%s\" in by clause\n",
1383 fname, lineno, style );
1387 if ( b->a_authz.sai_ssf ) {
1389 "%s: line %d: ssf attribute already specified.\n",
1394 if ( right == NULL || *right == '\0' ) {
1396 "%s: line %d: no ssf is defined\n",
1401 b->a_authz.sai_ssf = strtol( right, &next, 10 );
1402 if ( next == NULL || next[0] != '\0' ) {
1404 "%s: line %d: unable to parse ssf value (%s)\n",
1405 fname, lineno, right );
1409 if ( !b->a_authz.sai_ssf ) {
1411 "%s: line %d: invalid ssf value (%s)\n",
1412 fname, lineno, right );
1418 if ( strcasecmp( left, "transport_ssf" ) == 0 ) {
1419 if ( sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE ) {
1420 fprintf( stderr, "%s: line %d: "
1421 "inappropriate style \"%s\" in by clause\n",
1422 fname, lineno, style );
1426 if ( b->a_authz.sai_transport_ssf ) {
1427 fprintf( stderr, "%s: line %d: "
1428 "transport_ssf attribute already specified.\n",
1433 if ( right == NULL || *right == '\0' ) {
1435 "%s: line %d: no transport_ssf is defined\n",
1440 b->a_authz.sai_transport_ssf = strtol( right, &next, 10 );
1441 if ( next == NULL || next[0] != '\0' ) {
1442 fprintf( stderr, "%s: line %d: "
1443 "unable to parse transport_ssf value (%s)\n",
1444 fname, lineno, right );
1448 if ( !b->a_authz.sai_transport_ssf ) {
1450 "%s: line %d: invalid transport_ssf value (%s)\n",
1451 fname, lineno, right );
1457 if ( strcasecmp( left, "tls_ssf" ) == 0 ) {
1458 if ( sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE ) {
1459 fprintf( stderr, "%s: line %d: "
1460 "inappropriate style \"%s\" in by clause\n",
1461 fname, lineno, style );
1465 if ( b->a_authz.sai_tls_ssf ) {
1466 fprintf( stderr, "%s: line %d: "
1467 "tls_ssf attribute already specified.\n",
1472 if ( right == NULL || *right == '\0' ) {
1474 "%s: line %d: no tls_ssf is defined\n",
1479 b->a_authz.sai_tls_ssf = strtol( right, &next, 10 );
1480 if ( next == NULL || next[0] != '\0' ) {
1481 fprintf( stderr, "%s: line %d: "
1482 "unable to parse tls_ssf value (%s)\n",
1483 fname, lineno, right );
1487 if ( !b->a_authz.sai_tls_ssf ) {
1489 "%s: line %d: invalid tls_ssf value (%s)\n",
1490 fname, lineno, right );
1496 if ( strcasecmp( left, "sasl_ssf" ) == 0 ) {
1497 if ( sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE ) {
1498 fprintf( stderr, "%s: line %d: "
1499 "inappropriate style \"%s\" in by clause\n",
1500 fname, lineno, style );
1504 if ( b->a_authz.sai_sasl_ssf ) {
1505 fprintf( stderr, "%s: line %d: "
1506 "sasl_ssf attribute already specified.\n",
1511 if ( right == NULL || *right == '\0' ) {
1513 "%s: line %d: no sasl_ssf is defined\n",
1518 b->a_authz.sai_sasl_ssf = strtol( right, &next, 10 );
1519 if ( next == NULL || next[0] != '\0' ) {
1520 fprintf( stderr, "%s: line %d: "
1521 "unable to parse sasl_ssf value (%s)\n",
1522 fname, lineno, right );
1526 if ( !b->a_authz.sai_sasl_ssf ) {
1528 "%s: line %d: invalid sasl_ssf value (%s)\n",
1529 fname, lineno, right );
1535 if ( right != NULL ) {
1542 if ( i == argc || ( strcasecmp( left, "stop" ) == 0 ) ) {
1543 /* out of arguments or plain stop */
1545 ACL_PRIV_ASSIGN( b->a_access_mask, ACL_PRIV_ADDITIVE );
1546 b->a_type = ACL_STOP;
1548 access_append( &a->acl_access, b );
1552 if ( strcasecmp( left, "continue" ) == 0 ) {
1553 /* plain continue */
1555 ACL_PRIV_ASSIGN( b->a_access_mask, ACL_PRIV_ADDITIVE );
1556 b->a_type = ACL_CONTINUE;
1558 access_append( &a->acl_access, b );
1562 if ( strcasecmp( left, "break" ) == 0 ) {
1563 /* plain continue */
1565 ACL_PRIV_ASSIGN(b->a_access_mask, ACL_PRIV_ADDITIVE);
1566 b->a_type = ACL_BREAK;
1568 access_append( &a->acl_access, b );
1572 if ( strcasecmp( left, "by" ) == 0 ) {
1573 /* we've gone too far */
1575 ACL_PRIV_ASSIGN( b->a_access_mask, ACL_PRIV_ADDITIVE );
1576 b->a_type = ACL_STOP;
1578 access_append( &a->acl_access, b );
1583 if ( strncasecmp( left, "self", 4 ) == 0 ) {
1585 ACL_PRIV_ASSIGN( b->a_access_mask, str2accessmask( &left[4] ) );
1588 ACL_PRIV_ASSIGN( b->a_access_mask, str2accessmask( left ) );
1591 if ( ACL_IS_INVALID( b->a_access_mask ) ) {
1593 "%s: line %d: expecting <access> got \"%s\"\n",
1594 fname, lineno, left );
1598 b->a_type = ACL_STOP;
1600 if ( ++i == argc ) {
1601 /* out of arguments or plain stop */
1602 access_append( &a->acl_access, b );
1606 if ( strcasecmp( argv[i], "continue" ) == 0 ) {
1607 /* plain continue */
1608 b->a_type = ACL_CONTINUE;
1610 } else if ( strcasecmp( argv[i], "break" ) == 0 ) {
1611 /* plain continue */
1612 b->a_type = ACL_BREAK;
1614 } else if ( strcasecmp( argv[i], "stop" ) != 0 ) {
1619 access_append( &a->acl_access, b );
1623 "%s: line %d: expecting \"to\" "
1624 "or \"by\" got \"%s\"\n",
1625 fname, lineno, argv[i] );
1630 /* if we have no real access clause, complain and do nothing */
1632 fprintf( stderr, "%s: line %d: "
1633 "warning: no access clause(s) specified in access line\n",
1638 if ( ldap_debug & LDAP_DEBUG_ACL ) {
1643 if ( a->acl_access == NULL ) {
1644 fprintf( stderr, "%s: line %d: "
1645 "warning: no by clause(s) specified in access line\n",
1650 if ( !BER_BVISNULL( &be->be_nsuffix[ 1 ] ) ) {
1651 fprintf( stderr, "%s: line %d: warning: "
1652 "scope checking only applies to single-valued "
1653 "suffix databases\n",
1655 /* go ahead, since checking is not authoritative */
1658 switch ( check_scope( be, a ) ) {
1659 case ACL_SCOPE_UNKNOWN:
1660 fprintf( stderr, "%s: line %d: warning: "
1661 "cannot assess the validity of the ACL scope within "
1662 "backend naming context\n",
1666 case ACL_SCOPE_WARN:
1667 fprintf( stderr, "%s: line %d: warning: "
1668 "ACL could be out of scope within backend naming context\n",
1672 case ACL_SCOPE_PARTIAL:
1673 fprintf( stderr, "%s: line %d: warning: "
1674 "ACL appears to be partially out of scope within "
1675 "backend naming context\n",
1680 fprintf( stderr, "%s: line %d: warning: "
1681 "ACL appears to be out of scope within "
1682 "backend naming context\n",
1689 acl_append( &be->be_acl, a );
1692 acl_append( &frontendDB->be_acl, a );
1698 accessmask2str( slap_mask_t mask, char *buf )
1703 assert( buf != NULL );
1705 if ( ACL_IS_INVALID( mask ) ) {
1711 if ( ACL_IS_LEVEL( mask ) ) {
1712 if ( ACL_LVL_IS_NONE(mask) ) {
1713 ptr = lutil_strcopy( ptr, "none" );
1715 } else if ( ACL_LVL_IS_DISCLOSE(mask) ) {
1716 ptr = lutil_strcopy( ptr, "disclose" );
1718 } else if ( ACL_LVL_IS_AUTH(mask) ) {
1719 ptr = lutil_strcopy( ptr, "auth" );
1721 } else if ( ACL_LVL_IS_COMPARE(mask) ) {
1722 ptr = lutil_strcopy( ptr, "compare" );
1724 } else if ( ACL_LVL_IS_SEARCH(mask) ) {
1725 ptr = lutil_strcopy( ptr, "search" );
1727 } else if ( ACL_LVL_IS_READ(mask) ) {
1728 ptr = lutil_strcopy( ptr, "read" );
1730 } else if ( ACL_LVL_IS_WRITE(mask) ) {
1731 ptr = lutil_strcopy( ptr, "write" );
1733 } else if ( ACL_LVL_IS_MANAGE(mask) ) {
1734 ptr = lutil_strcopy( ptr, "manage" );
1737 ptr = lutil_strcopy( ptr, "unknown" );
1743 if( ACL_IS_ADDITIVE( mask ) ) {
1746 } else if( ACL_IS_SUBTRACTIVE( mask ) ) {
1753 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_MANAGE) ) {
1758 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_WRITE) ) {
1763 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_READ) ) {
1768 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_SEARCH) ) {
1773 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_COMPARE) ) {
1778 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_AUTH) ) {
1783 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_DISCLOSE) ) {
1788 if ( none && ACL_PRIV_ISSET(mask, ACL_PRIV_NONE) ) {
1797 if ( ACL_IS_LEVEL( mask ) ) {
1807 str2accessmask( const char *str )
1811 if( !ASCII_ALPHA(str[0]) ) {
1814 if ( str[0] == '=' ) {
1817 } else if( str[0] == '+' ) {
1818 ACL_PRIV_ASSIGN(mask, ACL_PRIV_ADDITIVE);
1820 } else if( str[0] == '-' ) {
1821 ACL_PRIV_ASSIGN(mask, ACL_PRIV_SUBSTRACTIVE);
1824 ACL_INVALIDATE(mask);
1828 for( i=1; str[i] != '\0'; i++ ) {
1829 if( TOLOWER((unsigned char) str[i]) == 'm' ) {
1830 ACL_PRIV_SET(mask, ACL_PRIV_MANAGE);
1832 } else if( TOLOWER((unsigned char) str[i]) == 'w' ) {
1833 ACL_PRIV_SET(mask, ACL_PRIV_WRITE);
1835 } else if( TOLOWER((unsigned char) str[i]) == 'r' ) {
1836 ACL_PRIV_SET(mask, ACL_PRIV_READ);
1838 } else if( TOLOWER((unsigned char) str[i]) == 's' ) {
1839 ACL_PRIV_SET(mask, ACL_PRIV_SEARCH);
1841 } else if( TOLOWER((unsigned char) str[i]) == 'c' ) {
1842 ACL_PRIV_SET(mask, ACL_PRIV_COMPARE);
1844 } else if( TOLOWER((unsigned char) str[i]) == 'x' ) {
1845 ACL_PRIV_SET(mask, ACL_PRIV_AUTH);
1847 } else if( TOLOWER((unsigned char) str[i]) == 'd' ) {
1848 ACL_PRIV_SET(mask, ACL_PRIV_DISCLOSE);
1850 } else if( str[i] != '0' ) {
1851 ACL_INVALIDATE(mask);
1859 if ( strcasecmp( str, "none" ) == 0 ) {
1860 ACL_LVL_ASSIGN_NONE(mask);
1862 } else if ( strcasecmp( str, "disclose" ) == 0 ) {
1863 ACL_LVL_ASSIGN_DISCLOSE(mask);
1865 } else if ( strcasecmp( str, "auth" ) == 0 ) {
1866 ACL_LVL_ASSIGN_AUTH(mask);
1868 } else if ( strcasecmp( str, "compare" ) == 0 ) {
1869 ACL_LVL_ASSIGN_COMPARE(mask);
1871 } else if ( strcasecmp( str, "search" ) == 0 ) {
1872 ACL_LVL_ASSIGN_SEARCH(mask);
1874 } else if ( strcasecmp( str, "read" ) == 0 ) {
1875 ACL_LVL_ASSIGN_READ(mask);
1877 } else if ( strcasecmp( str, "write" ) == 0 ) {
1878 ACL_LVL_ASSIGN_WRITE(mask);
1880 } else if ( strcasecmp( str, "manage" ) == 0 ) {
1881 ACL_LVL_ASSIGN_MANAGE(mask);
1884 ACL_INVALIDATE( mask );
1893 fprintf( stderr, "%s%s%s\n",
1894 "<access clause> ::= access to <what> "
1895 "[ by <who> <access> [ <control> ] ]+ \n"
1896 "<what> ::= * | [dn[.<dnstyle>]=<DN>] [filter=<filter>] [attrs=<attrlist>]\n"
1897 "<attrlist> ::= <attr> [val[.<style>]=<value>] | <attr> , <attrlist>\n"
1898 "<attr> ::= <attrname> | entry | children\n",
1899 "<who> ::= [ * | anonymous | users | self | dn[.<dnstyle>]=<DN> ]\n"
1900 "\t[dnattr=<attrname>]\n"
1901 "\t[group[/<objectclass>[/<attrname>]][.<style>]=<group>]\n"
1902 "\t[peername[.<peernamestyle>]=<peer>] [sockname[.<style>]=<name>]\n"
1903 "\t[domain[.<domainstyle>]=<domain>] [sockurl[.<style>]=<url>]\n"
1904 #ifdef SLAPD_ACI_ENABLED
1905 "\t[aci=<attrname>]\n"
1907 "\t[ssf=<n>] [transport_ssf=<n>] [tls_ssf=<n>] [sasl_ssf=<n>]\n",
1908 "<dnstyle> ::= base(Object) | one(level) | sub(tree) | children | "
1910 "<style> ::= exact | regex | base(Object)\n"
1911 "<peernamestyle> ::= exact | regex | ip | path\n"
1912 "<domainstyle> ::= exact | regex | base(Object) | sub(tree)\n"
1913 "<access> ::= [self]{<level>|<priv>}\n"
1914 "<level> ::= none|disclose|auth|compare|search|read|write|manage\n"
1915 "<priv> ::= {=|+|-}{0|d|x|c|s|r|w|m}+\n"
1916 "<control> ::= [ stop | continue | break ]\n"
1918 exit( EXIT_FAILURE );
1922 * Set pattern to a "normalized" DN from src.
1923 * At present it simply eats the (optional) space after
1924 * a RDN separator (,)
1925 * Eventually will evolve in a more complete normalization
1928 acl_regex_normalized_dn(
1930 struct berval *pattern )
1935 str = ch_strdup( src );
1936 len = strlen( src );
1938 for ( p = str; p && p[0]; p++ ) {
1940 if ( p[0] == '\\' && p[1] ) {
1942 * if escaping a hex pair we should
1943 * increment p twice; however, in that
1944 * case the second hex number does
1950 if ( p[0] == ',' && p[1] == ' ' ) {
1954 * too much space should be an error if we are pedantic
1956 for ( q = &p[2]; q[0] == ' '; q++ ) {
1959 AC_MEMCPY( p+1, q, len-(q-str)+1);
1962 pattern->bv_val = str;
1963 pattern->bv_len = p - str;
1976 if ( (*right = strchr( line, splitchar )) != NULL ) {
1977 *((*right)++) = '\0';
1982 access_append( Access **l, Access *a )
1984 for ( ; *l != NULL; l = &(*l)->a_next ) {
1992 acl_append( AccessControl **l, AccessControl *a )
1994 for ( ; *l != NULL; l = &(*l)->acl_next ) {
2002 access_free( Access *a )
2004 if ( !BER_BVISNULL( &a->a_dn_pat ) ) {
2005 free( a->a_dn_pat.bv_val );
2007 if ( !BER_BVISNULL( &a->a_peername_pat ) ) {
2008 free( a->a_peername_pat.bv_val );
2010 if ( !BER_BVISNULL( &a->a_sockname_pat ) ) {
2011 free( a->a_sockname_pat.bv_val );
2013 if ( !BER_BVISNULL( &a->a_domain_pat ) ) {
2014 free( a->a_domain_pat.bv_val );
2016 if ( !BER_BVISNULL( &a->a_sockurl_pat ) ) {
2017 free( a->a_sockurl_pat.bv_val );
2019 if ( !BER_BVISNULL( &a->a_set_pat ) ) {
2020 free( a->a_set_pat.bv_val );
2022 if ( !BER_BVISNULL( &a->a_group_pat ) ) {
2023 free( a->a_group_pat.bv_val );
2029 acl_free( AccessControl *a )
2034 if ( a->acl_filter ) {
2035 filter_free( a->acl_filter );
2037 if ( !BER_BVISNULL( &a->acl_dn_pat ) ) {
2038 free ( a->acl_dn_pat.bv_val );
2040 if ( a->acl_attrs ) {
2041 for ( an = a->acl_attrs; !BER_BVISNULL( &an->an_name ); an++ ) {
2042 free( an->an_name.bv_val );
2044 free( a->acl_attrs );
2046 for ( ; a->acl_access; a->acl_access = n ) {
2047 n = a->acl_access->a_next;
2048 access_free( a->acl_access );
2053 /* Because backend_startup uses acl_append to tack on the global_acl to
2054 * the end of each backend's acl, we cannot just take one argument and
2055 * merrily free our way to the end of the list. backend_destroy calls us
2056 * with the be_acl in arg1, and global_acl in arg2 to give us a stopping
2057 * point. config_destroy calls us with global_acl in arg1 and NULL in
2058 * arg2, so we then proceed to polish off the global_acl.
2061 acl_destroy( AccessControl *a, AccessControl *end )
2065 for (; a && a!= end; a=n) {
2072 access2str( slap_access_t access )
2074 if ( access == ACL_NONE ) {
2077 } else if ( access == ACL_DISCLOSE ) {
2080 } else if ( access == ACL_AUTH ) {
2083 } else if ( access == ACL_COMPARE ) {
2086 } else if ( access == ACL_SEARCH ) {
2089 } else if ( access == ACL_READ ) {
2092 } else if ( access == ACL_WRITE ) {
2095 } else if ( access == ACL_MANAGE ) {
2104 str2access( const char *str )
2106 if ( strcasecmp( str, "none" ) == 0 ) {
2109 } else if ( strcasecmp( str, "disclose" ) == 0 ) {
2110 return ACL_DISCLOSE;
2112 } else if ( strcasecmp( str, "auth" ) == 0 ) {
2115 } else if ( strcasecmp( str, "compare" ) == 0 ) {
2118 } else if ( strcasecmp( str, "search" ) == 0 ) {
2121 } else if ( strcasecmp( str, "read" ) == 0 ) {
2124 } else if ( strcasecmp( str, "write" ) == 0 ) {
2127 } else if ( strcasecmp( str, "manage" ) == 0 ) {
2131 return( ACL_INVALID_ACCESS );
2137 print_access( Access *b )
2139 char maskbuf[ACCESSMASK_MAXLEN];
2141 fprintf( stderr, "\tby" );
2143 if ( !BER_BVISEMPTY( &b->a_dn_pat ) ) {
2144 if ( ber_bvccmp( &b->a_dn_pat, '*' ) ||
2145 b->a_dn_style == ACL_STYLE_ANONYMOUS /* strcmp( b->a_dn_pat.bv_val, "anonymous" ) == 0 */ ||
2146 b->a_dn_style == ACL_STYLE_USERS /* strcmp( b->a_dn_pat.bv_val, "users" ) == 0 */ ||
2147 b->a_dn_style == ACL_STYLE_SELF /* strcmp( b->a_dn_pat.bv_val, "self" ) == 0 */ )
2149 fprintf( stderr, " %s", b->a_dn_pat.bv_val );
2152 fprintf( stderr, " dn.%s=\"%s\"",
2153 style_strings[b->a_dn_style], b->a_dn_pat.bv_val );
2157 if ( b->a_dn_at != NULL ) {
2158 fprintf( stderr, " dnattr=%s", b->a_dn_at->ad_cname.bv_val );
2161 if ( !BER_BVISEMPTY( &b->a_group_pat ) ) {
2162 fprintf( stderr, " group/%s/%s.%s=\"%s\"",
2163 b->a_group_oc ? b->a_group_oc->soc_cname.bv_val : "groupOfNames",
2164 b->a_group_at ? b->a_group_at->ad_cname.bv_val : "member",
2165 style_strings[b->a_group_style],
2166 b->a_group_pat.bv_val );
2169 if ( !BER_BVISEMPTY( &b->a_peername_pat ) ) {
2170 fprintf( stderr, " peername=\"%s\"", b->a_peername_pat.bv_val );
2173 if ( !BER_BVISEMPTY( &b->a_sockname_pat ) ) {
2174 fprintf( stderr, " sockname=\"%s\"", b->a_sockname_pat.bv_val );
2177 if ( !BER_BVISEMPTY( &b->a_domain_pat ) ) {
2178 fprintf( stderr, " domain=%s", b->a_domain_pat.bv_val );
2181 if ( !BER_BVISEMPTY( &b->a_sockurl_pat ) ) {
2182 fprintf( stderr, " sockurl=\"%s\"", b->a_sockurl_pat.bv_val );
2185 if ( !BER_BVISEMPTY( &b->a_set_pat ) ) {
2186 fprintf( stderr, " set=\"%s\"", b->a_set_pat.bv_val );
2190 if ( b->a_dynacl ) {
2193 for ( da = b->a_dynacl; da; da = da->da_next ) {
2194 if ( da->da_print ) {
2195 (void)( *da->da_print )( da->da_private );
2199 #else /* ! SLAP_DYNACL */
2200 #ifdef SLAPD_ACI_ENABLED
2201 if ( b->a_aci_at != NULL ) {
2202 fprintf( stderr, " aci=%s", b->a_aci_at->ad_cname.bv_val );
2205 #endif /* SLAP_DYNACL */
2207 /* Security Strength Factors */
2208 if ( b->a_authz.sai_ssf ) {
2209 fprintf( stderr, " ssf=%u",
2210 b->a_authz.sai_ssf );
2212 if ( b->a_authz.sai_transport_ssf ) {
2213 fprintf( stderr, " transport_ssf=%u",
2214 b->a_authz.sai_transport_ssf );
2216 if ( b->a_authz.sai_tls_ssf ) {
2217 fprintf( stderr, " tls_ssf=%u",
2218 b->a_authz.sai_tls_ssf );
2220 if ( b->a_authz.sai_sasl_ssf ) {
2221 fprintf( stderr, " sasl_ssf=%u",
2222 b->a_authz.sai_sasl_ssf );
2225 fprintf( stderr, " %s%s",
2226 b->a_dn_self ? "self" : "",
2227 accessmask2str( b->a_access_mask, maskbuf ) );
2229 if( b->a_type == ACL_BREAK ) {
2230 fprintf( stderr, " break" );
2232 } else if( b->a_type == ACL_CONTINUE ) {
2233 fprintf( stderr, " continue" );
2235 } else if( b->a_type != ACL_STOP ) {
2236 fprintf( stderr, " unknown-control" );
2239 fprintf( stderr, "\n" );
2244 print_acl( Backend *be, AccessControl *a )
2249 fprintf( stderr, "%s ACL: access to",
2250 be == NULL ? "Global" : "Backend" );
2252 if ( !BER_BVISEMPTY( &a->acl_dn_pat ) ) {
2254 fprintf( stderr, " dn.%s=\"%s\"\n",
2255 style_strings[a->acl_dn_style], a->acl_dn_pat.bv_val );
2258 if ( a->acl_filter != NULL ) {
2259 struct berval bv = BER_BVNULL;
2262 filter2bv( a->acl_filter, &bv );
2263 fprintf( stderr, " filter=%s\n", bv.bv_val );
2264 ch_free( bv.bv_val );
2267 if ( a->acl_attrs != NULL ) {
2272 fprintf( stderr, " attrs=" );
2273 for ( an = a->acl_attrs; an && !BER_BVISNULL( &an->an_name ); an++ ) {
2274 if ( ! first ) fprintf( stderr, "," );
2276 fputc( an->an_oc_exclude ? '!' : '@', stderr);
2277 fputs( an->an_oc->soc_cname.bv_val, stderr );
2280 fputs( an->an_name.bv_val, stderr );
2284 fprintf( stderr, "\n" );
2287 if ( !BER_BVISEMPTY( &a->acl_attrval ) ) {
2289 fprintf( stderr, " val.%s=\"%s\"\n",
2290 style_strings[a->acl_attrval_style], a->acl_attrval.bv_val );
2294 if( !to ) fprintf( stderr, " *\n" );
2296 for ( b = a->acl_access; b != NULL; b = b->a_next ) {
2300 fprintf( stderr, "\n" );
2302 #endif /* LDAP_DEBUG */