1 /* aclparse.c - routines to parse and check acl's */
3 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
5 * Copyright 1998-2005 The OpenLDAP Foundation.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted only as authorized by the OpenLDAP
12 * A copy of this license is available in the file LICENSE in the
13 * top-level directory of the distribution or, alternatively, at
14 * <http://www.OpenLDAP.org/license.html>.
16 /* Portions Copyright (c) 1995 Regents of the University of Michigan.
17 * All rights reserved.
19 * Redistribution and use in source and binary forms are permitted
20 * provided that this notice is preserved and that due credit is given
21 * to the University of Michigan at Ann Arbor. The name of the University
22 * may not be used to endorse or promote products derived from this
23 * software without specific prior written permission. This software
24 * is provided ``as is'' without express or implied warranty.
33 #include <ac/socket.h>
34 #include <ac/string.h>
35 #include <ac/unistd.h>
41 static char *style_strings[] = {
54 static void split(char *line, int splitchar, char **left, char **right);
55 static void access_append(Access **l, Access *a);
56 static void acl_usage(void) LDAP_GCCATTR((noreturn));
58 static void acl_regex_normalized_dn(const char *src, struct berval *pat);
61 static void print_acl(Backend *be, AccessControl *a);
62 static void print_access(Access *b);
65 static int check_scope( BackendDB *be, AccessControl *a );
69 slap_dynacl_config( const char *fname, int lineno, Access *b, const char *name, slap_style_t sty, const char *right )
71 slap_dynacl_t *da, *tmp;
74 for ( da = b->a_dynacl; da; da = da->da_next ) {
75 if ( strcasecmp( da->da_name, name ) == 0 ) {
77 "%s: line %d: dynacl \"%s\" already specified.\n",
78 fname, lineno, name );
83 da = slap_dynacl_get( name );
88 tmp = ch_malloc( sizeof( slap_dynacl_t ) );
91 if ( tmp->da_parse ) {
92 rc = ( *tmp->da_parse )( fname, lineno, sty, right, &tmp->da_private );
99 tmp->da_next = b->a_dynacl;
104 #endif /* SLAP_DYNACL */
107 regtest(const char *fname, int lineno, char *pat) {
123 for (size = 0, flag = 0; (size < sizeof(buf)) && *sp; sp++) {
125 if (*sp == '$'|| (*sp >= '0' && *sp <= '9')) {
142 if ( size >= (sizeof(buf) - 1) ) {
144 "%s: line %d: regular expression \"%s\" too large\n",
145 fname, lineno, pat );
149 if ((e = regcomp(&re, buf, REG_EXTENDED|REG_ICASE))) {
151 regerror(e, &re, error, sizeof(error));
153 "%s: line %d: regular expression \"%s\" bad because of %s\n",
154 fname, lineno, pat, error );
163 * Check if the pattern of an ACL, if any, matches the scope
164 * of the backend it is defined within.
166 #define ACL_SCOPE_UNKNOWN (-2)
167 #define ACL_SCOPE_ERR (-1)
168 #define ACL_SCOPE_OK (0)
169 #define ACL_SCOPE_PARTIAL (1)
170 #define ACL_SCOPE_WARN (2)
173 check_scope( BackendDB *be, AccessControl *a )
178 dn = be->be_nsuffix[0];
180 if ( BER_BVISEMPTY( &dn ) ) {
184 if ( !BER_BVISEMPTY( &a->acl_dn_pat ) ||
185 a->acl_dn_style != ACL_STYLE_REGEX )
187 slap_style_t style = a->acl_dn_style;
189 if ( style == ACL_STYLE_REGEX ) {
190 char dnbuf[SLAP_LDAPDN_MAXLEN + 2];
191 char rebuf[SLAP_LDAPDN_MAXLEN + 1];
196 /* add trailing '$' to database suffix to form
197 * a simple trial regex pattern "<suffix>$" */
198 AC_MEMCPY( dnbuf, be->be_nsuffix[0].bv_val,
199 be->be_nsuffix[0].bv_len );
200 dnbuf[be->be_nsuffix[0].bv_len] = '$';
201 dnbuf[be->be_nsuffix[0].bv_len + 1] = '\0';
203 if ( regcomp( &re, dnbuf, REG_EXTENDED|REG_ICASE ) ) {
204 return ACL_SCOPE_WARN;
207 /* remove trailing ')$', if any, from original
209 rebuflen = a->acl_dn_pat.bv_len;
210 AC_MEMCPY( rebuf, a->acl_dn_pat.bv_val, rebuflen + 1 );
211 if ( rebuf[rebuflen - 1] == '$' ) {
212 rebuf[--rebuflen] = '\0';
214 while ( rebuflen > be->be_nsuffix[0].bv_len && rebuf[rebuflen - 1] == ')' ) {
215 rebuf[--rebuflen] = '\0';
217 if ( rebuflen == be->be_nsuffix[0].bv_len ) {
222 /* not a clear indication of scoping error, though */
223 rc = regexec( &re, rebuf, 0, NULL, 0 )
224 ? ACL_SCOPE_WARN : ACL_SCOPE_OK;
231 patlen = a->acl_dn_pat.bv_len;
232 /* If backend suffix is longer than pattern,
233 * it is a potential mismatch (in the sense
234 * that a superior naming context could
236 if ( dn.bv_len > patlen ) {
237 /* base is blatantly wrong */
238 if ( style == ACL_STYLE_BASE ) return ACL_SCOPE_ERR;
240 /* a style of one can be wrong if there is
241 * more than one level between the suffix
243 if ( style == ACL_STYLE_ONE ) {
244 int rdnlen = -1, sep = 0;
247 if ( !DN_SEPARATOR( dn.bv_val[dn.bv_len - patlen - 1] )) {
248 return ACL_SCOPE_ERR;
253 rdnlen = dn_rdnlen( NULL, &dn );
254 if ( rdnlen != dn.bv_len - patlen - sep )
255 return ACL_SCOPE_ERR;
258 /* if the trailing part doesn't match,
259 * then it's an error */
260 if ( strcmp( a->acl_dn_pat.bv_val,
261 &dn.bv_val[dn.bv_len - patlen] ) != 0 )
263 return ACL_SCOPE_ERR;
266 return ACL_SCOPE_PARTIAL;
272 case ACL_STYLE_CHILDREN:
273 case ACL_STYLE_SUBTREE:
281 if ( dn.bv_len < patlen &&
282 !DN_SEPARATOR( a->acl_dn_pat.bv_val[patlen - dn.bv_len - 1] ))
284 return ACL_SCOPE_ERR;
287 if ( strcmp( &a->acl_dn_pat.bv_val[patlen - dn.bv_len], dn.bv_val )
290 return ACL_SCOPE_ERR;
296 return ACL_SCOPE_UNKNOWN;
308 char *left, *right, *style, *next;
316 for ( i = 1; i < argc; i++ ) {
317 /* to clause - select which entries are protected */
318 if ( strcasecmp( argv[i], "to" ) == 0 ) {
320 fprintf( stderr, "%s: line %d: "
321 "only one to clause allowed in access line\n",
325 a = (AccessControl *) ch_calloc( 1, sizeof(AccessControl) );
326 for ( ++i; i < argc; i++ ) {
327 if ( strcasecmp( argv[i], "by" ) == 0 ) {
332 if ( strcasecmp( argv[i], "*" ) == 0 ) {
333 if ( !BER_BVISEMPTY( &a->acl_dn_pat ) ||
334 a->acl_dn_style != ACL_STYLE_REGEX )
337 "%s: line %d: dn pattern"
338 " already specified in to clause.\n",
343 ber_str2bv( "*", STRLENOF( "*" ), 1, &a->acl_dn_pat );
347 split( argv[i], '=', &left, &right );
348 split( left, '.', &left, &style );
350 if ( right == NULL ) {
351 fprintf( stderr, "%s: line %d: "
352 "missing \"=\" in \"%s\" in to clause\n",
353 fname, lineno, left );
357 if ( strcasecmp( left, "dn" ) == 0 ) {
358 if ( !BER_BVISEMPTY( &a->acl_dn_pat ) ||
359 a->acl_dn_style != ACL_STYLE_REGEX )
362 "%s: line %d: dn pattern"
363 " already specified in to clause.\n",
368 if ( style == NULL || *style == '\0' ||
369 strcasecmp( style, "baseObject" ) == 0 ||
370 strcasecmp( style, "base" ) == 0 ||
371 strcasecmp( style, "exact" ) == 0 )
373 a->acl_dn_style = ACL_STYLE_BASE;
374 ber_str2bv( right, 0, 1, &a->acl_dn_pat );
376 } else if ( strcasecmp( style, "oneLevel" ) == 0 ||
377 strcasecmp( style, "one" ) == 0 )
379 a->acl_dn_style = ACL_STYLE_ONE;
380 ber_str2bv( right, 0, 1, &a->acl_dn_pat );
382 } else if ( strcasecmp( style, "subtree" ) == 0 ||
383 strcasecmp( style, "sub" ) == 0 )
385 if( *right == '\0' ) {
386 ber_str2bv( "*", STRLENOF( "*" ), 1, &a->acl_dn_pat );
389 a->acl_dn_style = ACL_STYLE_SUBTREE;
390 ber_str2bv( right, 0, 1, &a->acl_dn_pat );
393 } else if ( strcasecmp( style, "children" ) == 0 ) {
394 a->acl_dn_style = ACL_STYLE_CHILDREN;
395 ber_str2bv( right, 0, 1, &a->acl_dn_pat );
397 } else if ( strcasecmp( style, "regex" ) == 0 ) {
398 a->acl_dn_style = ACL_STYLE_REGEX;
400 if ( *right == '\0' ) {
401 /* empty regex should match empty DN */
402 a->acl_dn_style = ACL_STYLE_BASE;
403 ber_str2bv( right, 0, 1, &a->acl_dn_pat );
405 } else if ( strcmp(right, "*") == 0
406 || strcmp(right, ".*") == 0
407 || strcmp(right, ".*$") == 0
408 || strcmp(right, "^.*") == 0
409 || strcmp(right, "^.*$") == 0
410 || strcmp(right, ".*$$") == 0
411 || strcmp(right, "^.*$$") == 0 )
413 ber_str2bv( "*", STRLENOF("*"), 1, &a->acl_dn_pat );
416 acl_regex_normalized_dn( right, &a->acl_dn_pat );
420 fprintf( stderr, "%s: line %d: "
421 "unknown dn style \"%s\" in to clause\n",
422 fname, lineno, style );
429 if ( strcasecmp( left, "filter" ) == 0 ) {
430 if ( (a->acl_filter = str2filter( right )) == NULL ) {
432 "%s: line %d: bad filter \"%s\" in to clause\n",
433 fname, lineno, right );
437 } else if ( strcasecmp( left, "attr" ) == 0
438 || strcasecmp( left, "attrs" ) == 0 ) {
439 a->acl_attrs = str2anlist( a->acl_attrs,
441 if ( a->acl_attrs == NULL ) {
443 "%s: line %d: unknown attr \"%s\" in to clause\n",
444 fname, lineno, right );
448 } else if ( strncasecmp( left, "val", 3 ) == 0 ) {
449 if ( !BER_BVISEMPTY( &a->acl_attrval ) ) {
451 "%s: line %d: attr val already specified in to clause.\n",
455 if ( a->acl_attrs == NULL || !BER_BVISEMPTY( &a->acl_attrs[1].an_name ) )
458 "%s: line %d: attr val requires a single attribute.\n",
462 ber_str2bv( right, 0, 1, &a->acl_attrval );
463 if ( style && strcasecmp( style, "regex" ) == 0 ) {
464 int e = regcomp( &a->acl_attrval_re, a->acl_attrval.bv_val,
465 REG_EXTENDED | REG_ICASE | REG_NOSUB );
468 regerror( e, &a->acl_attrval_re, buf, sizeof(buf) );
469 fprintf( stderr, "%s: line %d: "
470 "regular expression \"%s\" bad because of %s\n",
471 fname, lineno, right, buf );
474 a->acl_attrval_style = ACL_STYLE_REGEX;
476 /* FIXME: if the attribute has DN syntax, we might
477 * allow one, subtree and children styles as well */
478 if ( !strcasecmp( style, "exact" ) ) {
479 a->acl_attrval_style = ACL_STYLE_BASE;
481 } else if ( a->acl_attrs[0].an_desc->ad_type->
482 sat_syntax == slap_schema.si_syn_distinguishedName )
484 if ( !strcasecmp( style, "baseObject" ) ||
485 !strcasecmp( style, "base" ) )
487 a->acl_attrval_style = ACL_STYLE_BASE;
488 } else if ( !strcasecmp( style, "onelevel" ) ||
489 !strcasecmp( style, "one" ) )
491 a->acl_attrval_style = ACL_STYLE_ONE;
492 } else if ( !strcasecmp( style, "subtree" ) ||
493 !strcasecmp( style, "sub" ) )
495 a->acl_attrval_style = ACL_STYLE_SUBTREE;
496 } else if ( !strcasecmp( style, "children" ) ) {
497 a->acl_attrval_style = ACL_STYLE_CHILDREN;
500 "%s: line %d: unknown val.<style> \"%s\" "
501 "for attributeType \"%s\" with DN syntax; "
503 fname, lineno, style,
504 a->acl_attrs[0].an_desc->ad_cname.bv_val );
505 a->acl_attrval_style = ACL_STYLE_BASE;
510 "%s: line %d: unknown val.<style> \"%s\" "
511 "for attributeType \"%s\"; using \"exact\"\n",
512 fname, lineno, style,
513 a->acl_attrs[0].an_desc->ad_cname.bv_val );
514 a->acl_attrval_style = ACL_STYLE_BASE;
520 "%s: line %d: expecting <what> got \"%s\"\n",
521 fname, lineno, left );
526 if ( !BER_BVISNULL( &a->acl_dn_pat ) &&
527 ber_bvccmp( &a->acl_dn_pat, '*' ) )
529 free( a->acl_dn_pat.bv_val );
530 BER_BVZERO( &a->acl_dn_pat );
533 if ( !BER_BVISEMPTY( &a->acl_dn_pat ) ||
534 a->acl_dn_style != ACL_STYLE_REGEX )
536 if ( a->acl_dn_style != ACL_STYLE_REGEX ) {
538 rc = dnNormalize( 0, NULL, NULL, &a->acl_dn_pat, &bv, NULL);
539 if ( rc != LDAP_SUCCESS ) {
541 "%s: line %d: bad DN \"%s\" in to DN clause\n",
542 fname, lineno, a->acl_dn_pat.bv_val );
545 free( a->acl_dn_pat.bv_val );
549 int e = regcomp( &a->acl_dn_re, a->acl_dn_pat.bv_val,
550 REG_EXTENDED | REG_ICASE );
553 regerror( e, &a->acl_dn_re, buf, sizeof(buf) );
554 fprintf( stderr, "%s: line %d: "
555 "regular expression \"%s\" bad because of %s\n",
556 fname, lineno, right, buf );
562 /* by clause - select who has what access to entries */
563 } else if ( strcasecmp( argv[i], "by" ) == 0 ) {
565 fprintf( stderr, "%s: line %d: "
566 "to clause required before by clause in access line\n",
572 * by clause consists of <who> and <access>
575 b = (Access *) ch_calloc( 1, sizeof(Access) );
577 ACL_INVALIDATE( b->a_access_mask );
581 "%s: line %d: premature eol: expecting <who>\n",
587 for ( ; i < argc; i++ ) {
588 slap_style_t sty = ACL_STYLE_REGEX;
589 char *style_modifier = NULL;
592 split( argv[i], '=', &left, &right );
593 split( left, '.', &left, &style );
595 split( style, ',', &style, &style_modifier);
598 if ( style == NULL || *style == '\0' ||
599 strcasecmp( style, "exact" ) == 0 ||
600 strcasecmp( style, "baseObject" ) == 0 ||
601 strcasecmp( style, "base" ) == 0 )
603 sty = ACL_STYLE_BASE;
605 } else if ( strcasecmp( style, "onelevel" ) == 0 ||
606 strcasecmp( style, "one" ) == 0 )
610 } else if ( strcasecmp( style, "subtree" ) == 0 ||
611 strcasecmp( style, "sub" ) == 0 )
613 sty = ACL_STYLE_SUBTREE;
615 } else if ( strcasecmp( style, "children" ) == 0 ) {
616 sty = ACL_STYLE_CHILDREN;
618 } else if ( strcasecmp( style, "regex" ) == 0 ) {
619 sty = ACL_STYLE_REGEX;
621 } else if ( strcasecmp( style, "expand" ) == 0 ) {
622 sty = ACL_STYLE_EXPAND;
624 } else if ( strcasecmp( style, "ip" ) == 0 ) {
627 } else if ( strcasecmp( style, "path" ) == 0 ) {
628 sty = ACL_STYLE_PATH;
629 #ifndef LDAP_PF_LOCAL
630 fprintf( stderr, "%s: line %d: "
631 "path style modifier is useless without local\n",
633 #endif /* LDAP_PF_LOCAL */
637 "%s: line %d: unknown style \"%s\" in by clause\n",
638 fname, lineno, style );
642 if ( style_modifier &&
643 strcasecmp( style_modifier, "expand" ) == 0 )
646 case ACL_STYLE_REGEX:
647 fprintf( stderr, "%s: line %d: "
648 "\"regex\" style implies "
649 "\"expand\" modifier (ignored)\n",
653 case ACL_STYLE_EXPAND:
655 /* FIXME: now it's legal... */
656 fprintf( stderr, "%s: line %d: "
657 "\"expand\" style used "
658 "in conjunction with "
659 "\"expand\" modifier (ignored)\n",
665 /* we'll see later if it's pertinent */
671 /* expand in <who> needs regex in <what> */
672 if ( ( sty == ACL_STYLE_EXPAND || expand )
673 && a->acl_dn_style != ACL_STYLE_REGEX )
675 fprintf( stderr, "%s: line %d: "
676 "\"expand\" style or modifier used "
677 "in conjunction with "
678 "a non-regex <what> clause\n",
682 if ( strcasecmp( argv[i], "*" ) == 0 ) {
683 ber_str2bv( "*", STRLENOF( "*" ), 1, &bv );
684 sty = ACL_STYLE_REGEX;
686 } else if ( strcasecmp( argv[i], "anonymous" ) == 0 ) {
687 ber_str2bv("anonymous", STRLENOF( "anonymous" ), 1, &bv);
688 sty = ACL_STYLE_ANONYMOUS;
690 } else if ( strcasecmp( argv[i], "users" ) == 0 ) {
691 ber_str2bv("users", STRLENOF( "users" ), 1, &bv);
692 sty = ACL_STYLE_USERS;
694 } else if ( strcasecmp( argv[i], "self" ) == 0 ) {
695 ber_str2bv("self", STRLENOF( "self" ), 1, &bv);
696 sty = ACL_STYLE_SELF;
698 } else if ( strcasecmp( left, "dn" ) == 0 ) {
699 if ( sty == ACL_STYLE_REGEX ) {
700 b->a_dn_style = ACL_STYLE_REGEX;
701 if ( right == NULL ) {
706 b->a_dn_style = ACL_STYLE_USERS;
708 } else if (*right == '\0' ) {
710 ber_str2bv("anonymous",
711 STRLENOF( "anonymous" ),
713 b->a_dn_style = ACL_STYLE_ANONYMOUS;
715 } else if ( strcmp( right, "*" ) == 0 ) {
717 /* any or users? users for now */
721 b->a_dn_style = ACL_STYLE_USERS;
723 } else if ( strcmp( right, ".+" ) == 0
724 || strcmp( right, "^.+" ) == 0
725 || strcmp( right, ".+$" ) == 0
726 || strcmp( right, "^.+$" ) == 0
727 || strcmp( right, ".+$$" ) == 0
728 || strcmp( right, "^.+$$" ) == 0 )
733 b->a_dn_style = ACL_STYLE_USERS;
735 } else if ( strcmp( right, ".*" ) == 0
736 || strcmp( right, "^.*" ) == 0
737 || strcmp( right, ".*$" ) == 0
738 || strcmp( right, "^.*$" ) == 0
739 || strcmp( right, ".*$$" ) == 0
740 || strcmp( right, "^.*$$" ) == 0 )
747 acl_regex_normalized_dn( right, &bv );
748 if ( !ber_bvccmp( &bv, '*' ) ) {
749 regtest( fname, lineno, bv.bv_val );
753 } else if ( right == NULL || *right == '\0' ) {
754 fprintf( stderr, "%s: line %d: "
755 "missing \"=\" in (or value after) \"%s\" "
757 fname, lineno, left );
761 ber_str2bv( right, 0, 1, &bv );
768 if ( !BER_BVISNULL( &bv ) ) {
769 if ( !BER_BVISEMPTY( &b->a_dn_pat ) ) {
771 "%s: line %d: dn pattern already specified.\n",
776 if ( sty != ACL_STYLE_REGEX &&
777 sty != ACL_STYLE_ANONYMOUS &&
778 sty != ACL_STYLE_USERS &&
779 sty != ACL_STYLE_SELF &&
782 rc = dnNormalize(0, NULL, NULL,
783 &bv, &b->a_dn_pat, NULL);
784 if ( rc != LDAP_SUCCESS ) {
786 "%s: line %d: bad DN \"%s\" in by DN clause\n",
787 fname, lineno, bv.bv_val );
796 b->a_dn_expand = expand;
800 if ( strcasecmp( left, "dnattr" ) == 0 ) {
801 if ( right == NULL || right[0] == '\0' ) {
802 fprintf( stderr, "%s: line %d: "
803 "missing \"=\" in (or value after) \"%s\" "
805 fname, lineno, left );
809 if( b->a_dn_at != NULL ) {
811 "%s: line %d: dnattr already specified.\n",
816 rc = slap_str2ad( right, &b->a_dn_at, &text );
818 if( rc != LDAP_SUCCESS ) {
820 "%s: line %d: dnattr \"%s\": %s\n",
821 fname, lineno, right, text );
826 if( !is_at_syntax( b->a_dn_at->ad_type,
828 !is_at_syntax( b->a_dn_at->ad_type,
829 SLAPD_NAMEUID_SYNTAX ))
832 "%s: line %d: dnattr \"%s\": "
833 "inappropriate syntax: %s\n",
834 fname, lineno, right,
835 b->a_dn_at->ad_type->sat_syntax_oid );
839 if( b->a_dn_at->ad_type->sat_equality == NULL ) {
841 "%s: line %d: dnattr \"%s\": "
842 "inappropriate matching (no EQUALITY)\n",
843 fname, lineno, right );
850 if ( strncasecmp( left, "group", STRLENOF( "group" ) ) == 0 ) {
855 case ACL_STYLE_REGEX:
856 /* legacy, tolerated */
857 fprintf( stderr, "%s: line %d: "
858 "deprecated group style \"regex\"; "
859 "use \"expand\" instead\n",
860 fname, lineno, style );
861 sty = ACL_STYLE_EXPAND;
865 /* legal, traditional */
866 case ACL_STYLE_EXPAND:
867 /* legal, substring expansion; supersedes regex */
872 fprintf( stderr, "%s: line %d: "
873 "inappropriate style \"%s\" in by clause\n",
874 fname, lineno, style );
878 if ( right == NULL || right[0] == '\0' ) {
879 fprintf( stderr, "%s: line %d: "
880 "missing \"=\" in (or value after) \"%s\" "
882 fname, lineno, left );
886 if ( !BER_BVISEMPTY( &b->a_group_pat ) ) {
888 "%s: line %d: group pattern already specified.\n",
893 /* format of string is
894 "group/objectClassValue/groupAttrName" */
895 if ( ( value = strchr(left, '/') ) != NULL ) {
897 if ( *value && ( name = strchr( value, '/' ) ) != NULL ) {
902 b->a_group_style = sty;
903 if ( sty == ACL_STYLE_EXPAND ) {
904 acl_regex_normalized_dn( right, &bv );
905 if ( !ber_bvccmp( &bv, '*' ) ) {
906 regtest( fname, lineno, bv.bv_val );
911 ber_str2bv( right, 0, 0, &bv );
912 rc = dnNormalize( 0, NULL, NULL, &bv,
913 &b->a_group_pat, NULL );
914 if ( rc != LDAP_SUCCESS ) {
916 "%s: line %d: bad DN \"%s\"\n",
917 fname, lineno, right );
922 if ( value && *value ) {
923 b->a_group_oc = oc_find( value );
926 if ( b->a_group_oc == NULL ) {
928 "%s: line %d: group objectclass "
930 fname, lineno, value );
935 b->a_group_oc = oc_find(SLAPD_GROUP_CLASS);
937 if( b->a_group_oc == NULL ) {
939 "%s: line %d: group default objectclass "
941 fname, lineno, SLAPD_GROUP_CLASS );
946 if ( is_object_subclass( slap_schema.si_oc_referral,
950 "%s: line %d: group objectclass \"%s\" "
951 "is subclass of referral\n",
952 fname, lineno, value );
956 if ( is_object_subclass( slap_schema.si_oc_alias,
960 "%s: line %d: group objectclass \"%s\" "
961 "is subclass of alias\n",
962 fname, lineno, value );
966 if ( name && *name ) {
967 rc = slap_str2ad( name, &b->a_group_at, &text );
969 if( rc != LDAP_SUCCESS ) {
971 "%s: line %d: group \"%s\": %s\n",
972 fname, lineno, right, text );
978 rc = slap_str2ad( SLAPD_GROUP_ATTR, &b->a_group_at, &text );
980 if ( rc != LDAP_SUCCESS ) {
982 "%s: line %d: group \"%s\": %s\n",
983 fname, lineno, SLAPD_GROUP_ATTR, text );
988 if ( !is_at_syntax( b->a_group_at->ad_type,
990 !is_at_syntax( b->a_group_at->ad_type,
991 SLAPD_NAMEUID_SYNTAX ) &&
992 !is_at_subtype( b->a_group_at->ad_type, slap_schema.si_ad_labeledURI->ad_type ) )
995 "%s: line %d: group \"%s\": inappropriate syntax: %s\n",
996 fname, lineno, right,
997 b->a_group_at->ad_type->sat_syntax_oid );
1004 struct berval vals[2];
1006 ber_str2bv( b->a_group_oc->soc_oid, 0, 0, &vals[0] );
1007 BER_BVZERO( &vals[1] );
1009 rc = oc_check_allowed( b->a_group_at->ad_type,
1013 fprintf( stderr, "%s: line %d: "
1014 "group: \"%s\" not allowed by \"%s\"\n",
1016 b->a_group_at->ad_cname.bv_val,
1017 b->a_group_oc->soc_oid );
1024 if ( strcasecmp( left, "peername" ) == 0 ) {
1026 case ACL_STYLE_REGEX:
1027 case ACL_STYLE_BASE:
1028 /* legal, traditional */
1029 case ACL_STYLE_EXPAND:
1030 /* cheap replacement to regex for simple expansion */
1032 case ACL_STYLE_PATH:
1033 /* legal, peername specific */
1037 fprintf( stderr, "%s: line %d: "
1038 "inappropriate style \"%s\" in by clause\n",
1039 fname, lineno, style );
1043 if ( right == NULL || right[0] == '\0' ) {
1044 fprintf( stderr, "%s: line %d: "
1045 "missing \"=\" in (or value after) \"%s\" "
1047 fname, lineno, left );
1051 if ( !BER_BVISEMPTY( &b->a_peername_pat ) ) {
1052 fprintf( stderr, "%s: line %d: "
1053 "peername pattern already specified.\n",
1058 b->a_peername_style = sty;
1059 if ( sty == ACL_STYLE_REGEX ) {
1060 acl_regex_normalized_dn( right, &bv );
1061 if ( !ber_bvccmp( &bv, '*' ) ) {
1062 regtest( fname, lineno, bv.bv_val );
1064 b->a_peername_pat = bv;
1067 ber_str2bv( right, 0, 1, &b->a_peername_pat );
1069 if ( sty == ACL_STYLE_IP ) {
1074 split( right, '{', &addr, &port );
1075 split( addr, '%', &addr, &mask );
1077 b->a_peername_addr = inet_addr( addr );
1078 if ( b->a_peername_addr == (unsigned long)(-1) ) {
1079 /* illegal address */
1080 fprintf( stderr, "%s: line %d: "
1081 "illegal peername address \"%s\".\n",
1082 fname, lineno, addr );
1086 b->a_peername_mask = (unsigned long)(-1);
1087 if ( mask != NULL ) {
1088 b->a_peername_mask = inet_addr( mask );
1089 if ( b->a_peername_mask ==
1090 (unsigned long)(-1) )
1093 fprintf( stderr, "%s: line %d: "
1094 "illegal peername address mask "
1096 fname, lineno, mask );
1101 b->a_peername_port = -1;
1105 b->a_peername_port = strtol( port, &end, 10 );
1106 if ( end[0] != '}' ) {
1108 fprintf( stderr, "%s: line %d: "
1109 "illegal peername port specification "
1111 fname, lineno, port );
1120 if ( strcasecmp( left, "sockname" ) == 0 ) {
1122 case ACL_STYLE_REGEX:
1123 case ACL_STYLE_BASE:
1124 /* legal, traditional */
1125 case ACL_STYLE_EXPAND:
1126 /* cheap replacement to regex for simple expansion */
1131 fprintf( stderr, "%s: line %d: "
1132 "inappropriate style \"%s\" in by clause\n",
1133 fname, lineno, style );
1137 if ( right == NULL || right[0] == '\0' ) {
1138 fprintf( stderr, "%s: line %d: "
1139 "missing \"=\" in (or value after) \"%s\" "
1141 fname, lineno, left );
1145 if ( !BER_BVISNULL( &b->a_sockname_pat ) ) {
1146 fprintf( stderr, "%s: line %d: "
1147 "sockname pattern already specified.\n",
1152 b->a_sockname_style = sty;
1153 if ( sty == ACL_STYLE_REGEX ) {
1154 acl_regex_normalized_dn( right, &bv );
1155 if ( !ber_bvccmp( &bv, '*' ) ) {
1156 regtest( fname, lineno, bv.bv_val );
1158 b->a_sockname_pat = bv;
1161 ber_str2bv( right, 0, 1, &b->a_sockname_pat );
1166 if ( strcasecmp( left, "domain" ) == 0 ) {
1168 case ACL_STYLE_REGEX:
1169 case ACL_STYLE_BASE:
1170 case ACL_STYLE_SUBTREE:
1171 /* legal, traditional */
1174 case ACL_STYLE_EXPAND:
1175 /* tolerated: means exact,expand */
1179 "\"expand\" modifier "
1180 "with \"expand\" style\n",
1183 sty = ACL_STYLE_BASE;
1189 fprintf( stderr, "%s: line %d: "
1190 "inappropriate style \"%s\" in by clause\n",
1191 fname, lineno, style );
1195 if ( right == NULL || right[0] == '\0' ) {
1196 fprintf( stderr, "%s: line %d: "
1197 "missing \"=\" in (or value after) \"%s\" "
1199 fname, lineno, left );
1203 if ( !BER_BVISEMPTY( &b->a_domain_pat ) ) {
1205 "%s: line %d: domain pattern already specified.\n",
1210 b->a_domain_style = sty;
1211 b->a_domain_expand = expand;
1212 if ( sty == ACL_STYLE_REGEX ) {
1213 acl_regex_normalized_dn( right, &bv );
1214 if ( !ber_bvccmp( &bv, '*' ) ) {
1215 regtest( fname, lineno, bv.bv_val );
1217 b->a_domain_pat = bv;
1220 ber_str2bv( right, 0, 1, &b->a_domain_pat );
1225 if ( strcasecmp( left, "sockurl" ) == 0 ) {
1227 case ACL_STYLE_REGEX:
1228 case ACL_STYLE_BASE:
1229 /* legal, traditional */
1230 case ACL_STYLE_EXPAND:
1231 /* cheap replacement to regex for simple expansion */
1236 fprintf( stderr, "%s: line %d: "
1237 "inappropriate style \"%s\" in by clause\n",
1238 fname, lineno, style );
1242 if ( right == NULL || right[0] == '\0' ) {
1243 fprintf( stderr, "%s: line %d: "
1244 "missing \"=\" in (or value after) \"%s\" "
1246 fname, lineno, left );
1250 if ( !BER_BVISEMPTY( &b->a_sockurl_pat ) ) {
1252 "%s: line %d: sockurl pattern already specified.\n",
1257 b->a_sockurl_style = sty;
1258 if ( sty == ACL_STYLE_REGEX ) {
1259 acl_regex_normalized_dn( right, &bv );
1260 if ( !ber_bvccmp( &bv, '*' ) ) {
1261 regtest( fname, lineno, bv.bv_val );
1263 b->a_sockurl_pat = bv;
1266 ber_str2bv( right, 0, 1, &b->a_sockurl_pat );
1271 if ( strcasecmp( left, "set" ) == 0 ) {
1274 case ACL_STYLE_REGEX:
1275 fprintf( stderr, "%s: line %d: "
1276 "deprecated set style "
1277 "\"regex\" in <by> clause; "
1278 "use \"expand\" instead\n",
1280 sty = ACL_STYLE_EXPAND;
1283 case ACL_STYLE_BASE:
1284 case ACL_STYLE_EXPAND:
1288 fprintf( stderr, "%s: line %d: "
1289 "inappropriate style \"%s\" in by clause\n",
1290 fname, lineno, style );
1294 if ( !BER_BVISEMPTY( &b->a_set_pat ) ) {
1296 "%s: line %d: set attribute already specified.\n",
1301 if ( right == NULL || *right == '\0' ) {
1303 "%s: line %d: no set is defined\n",
1308 b->a_set_style = sty;
1309 ber_str2bv( right, 0, 1, &b->a_set_pat );
1318 if ( strcasecmp( left, "aci" ) == 0 ) {
1321 } else if ( strncasecmp( left, "dynacl/", STRLENOF( "dynacl/" ) ) == 0 ) {
1322 name = &left[ STRLENOF( "dynacl/" ) ];
1326 if ( slap_dynacl_config( fname, lineno, b, name, sty, right ) ) {
1327 fprintf( stderr, "%s: line %d: "
1328 "unable to configure dynacl \"%s\"\n",
1329 fname, lineno, name );
1336 #else /* ! SLAP_DYNACL */
1338 #ifdef SLAPD_ACI_ENABLED
1339 if ( strcasecmp( left, "aci" ) == 0 ) {
1340 if (sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE) {
1341 fprintf( stderr, "%s: line %d: "
1342 "inappropriate style \"%s\" in by clause\n",
1343 fname, lineno, style );
1347 if( b->a_aci_at != NULL ) {
1349 "%s: line %d: aci attribute already specified.\n",
1354 if ( right != NULL && *right != '\0' ) {
1355 rc = slap_str2ad( right, &b->a_aci_at, &text );
1357 if( rc != LDAP_SUCCESS ) {
1359 "%s: line %d: aci \"%s\": %s\n",
1360 fname, lineno, right, text );
1365 b->a_aci_at = slap_schema.si_ad_aci;
1368 if( !is_at_syntax( b->a_aci_at->ad_type,
1371 fprintf( stderr, "%s: line %d: "
1372 "aci \"%s\": inappropriate syntax: %s\n",
1373 fname, lineno, right,
1374 b->a_aci_at->ad_type->sat_syntax_oid );
1380 #endif /* SLAPD_ACI_ENABLED */
1381 #endif /* ! SLAP_DYNACL */
1383 if ( strcasecmp( left, "ssf" ) == 0 ) {
1384 if ( sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE ) {
1385 fprintf( stderr, "%s: line %d: "
1386 "inappropriate style \"%s\" in by clause\n",
1387 fname, lineno, style );
1391 if ( b->a_authz.sai_ssf ) {
1393 "%s: line %d: ssf attribute already specified.\n",
1398 if ( right == NULL || *right == '\0' ) {
1400 "%s: line %d: no ssf is defined\n",
1405 b->a_authz.sai_ssf = strtol( right, &next, 10 );
1406 if ( next == NULL || next[0] != '\0' ) {
1408 "%s: line %d: unable to parse ssf value (%s)\n",
1409 fname, lineno, right );
1413 if ( !b->a_authz.sai_ssf ) {
1415 "%s: line %d: invalid ssf value (%s)\n",
1416 fname, lineno, right );
1422 if ( strcasecmp( left, "transport_ssf" ) == 0 ) {
1423 if ( sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE ) {
1424 fprintf( stderr, "%s: line %d: "
1425 "inappropriate style \"%s\" in by clause\n",
1426 fname, lineno, style );
1430 if ( b->a_authz.sai_transport_ssf ) {
1431 fprintf( stderr, "%s: line %d: "
1432 "transport_ssf attribute already specified.\n",
1437 if ( right == NULL || *right == '\0' ) {
1439 "%s: line %d: no transport_ssf is defined\n",
1444 b->a_authz.sai_transport_ssf = strtol( right, &next, 10 );
1445 if ( next == NULL || next[0] != '\0' ) {
1446 fprintf( stderr, "%s: line %d: "
1447 "unable to parse transport_ssf value (%s)\n",
1448 fname, lineno, right );
1452 if ( !b->a_authz.sai_transport_ssf ) {
1454 "%s: line %d: invalid transport_ssf value (%s)\n",
1455 fname, lineno, right );
1461 if ( strcasecmp( left, "tls_ssf" ) == 0 ) {
1462 if ( sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE ) {
1463 fprintf( stderr, "%s: line %d: "
1464 "inappropriate style \"%s\" in by clause\n",
1465 fname, lineno, style );
1469 if ( b->a_authz.sai_tls_ssf ) {
1470 fprintf( stderr, "%s: line %d: "
1471 "tls_ssf attribute already specified.\n",
1476 if ( right == NULL || *right == '\0' ) {
1478 "%s: line %d: no tls_ssf is defined\n",
1483 b->a_authz.sai_tls_ssf = strtol( right, &next, 10 );
1484 if ( next == NULL || next[0] != '\0' ) {
1485 fprintf( stderr, "%s: line %d: "
1486 "unable to parse tls_ssf value (%s)\n",
1487 fname, lineno, right );
1491 if ( !b->a_authz.sai_tls_ssf ) {
1493 "%s: line %d: invalid tls_ssf value (%s)\n",
1494 fname, lineno, right );
1500 if ( strcasecmp( left, "sasl_ssf" ) == 0 ) {
1501 if ( sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE ) {
1502 fprintf( stderr, "%s: line %d: "
1503 "inappropriate style \"%s\" in by clause\n",
1504 fname, lineno, style );
1508 if ( b->a_authz.sai_sasl_ssf ) {
1509 fprintf( stderr, "%s: line %d: "
1510 "sasl_ssf attribute already specified.\n",
1515 if ( right == NULL || *right == '\0' ) {
1517 "%s: line %d: no sasl_ssf is defined\n",
1522 b->a_authz.sai_sasl_ssf = strtol( right, &next, 10 );
1523 if ( next == NULL || next[0] != '\0' ) {
1524 fprintf( stderr, "%s: line %d: "
1525 "unable to parse sasl_ssf value (%s)\n",
1526 fname, lineno, right );
1530 if ( !b->a_authz.sai_sasl_ssf ) {
1532 "%s: line %d: invalid sasl_ssf value (%s)\n",
1533 fname, lineno, right );
1539 if ( right != NULL ) {
1546 if ( i == argc || ( strcasecmp( left, "stop" ) == 0 ) ) {
1547 /* out of arguments or plain stop */
1549 ACL_PRIV_ASSIGN( b->a_access_mask, ACL_PRIV_ADDITIVE );
1550 b->a_type = ACL_STOP;
1552 access_append( &a->acl_access, b );
1556 if ( strcasecmp( left, "continue" ) == 0 ) {
1557 /* plain continue */
1559 ACL_PRIV_ASSIGN( b->a_access_mask, ACL_PRIV_ADDITIVE );
1560 b->a_type = ACL_CONTINUE;
1562 access_append( &a->acl_access, b );
1566 if ( strcasecmp( left, "break" ) == 0 ) {
1567 /* plain continue */
1569 ACL_PRIV_ASSIGN(b->a_access_mask, ACL_PRIV_ADDITIVE);
1570 b->a_type = ACL_BREAK;
1572 access_append( &a->acl_access, b );
1576 if ( strcasecmp( left, "by" ) == 0 ) {
1577 /* we've gone too far */
1579 ACL_PRIV_ASSIGN( b->a_access_mask, ACL_PRIV_ADDITIVE );
1580 b->a_type = ACL_STOP;
1582 access_append( &a->acl_access, b );
1587 if ( strncasecmp( left, "self", 4 ) == 0 ) {
1589 ACL_PRIV_ASSIGN( b->a_access_mask, str2accessmask( &left[4] ) );
1592 ACL_PRIV_ASSIGN( b->a_access_mask, str2accessmask( left ) );
1595 if ( ACL_IS_INVALID( b->a_access_mask ) ) {
1597 "%s: line %d: expecting <access> got \"%s\"\n",
1598 fname, lineno, left );
1602 b->a_type = ACL_STOP;
1604 if ( ++i == argc ) {
1605 /* out of arguments or plain stop */
1606 access_append( &a->acl_access, b );
1610 if ( strcasecmp( argv[i], "continue" ) == 0 ) {
1611 /* plain continue */
1612 b->a_type = ACL_CONTINUE;
1614 } else if ( strcasecmp( argv[i], "break" ) == 0 ) {
1615 /* plain continue */
1616 b->a_type = ACL_BREAK;
1618 } else if ( strcasecmp( argv[i], "stop" ) != 0 ) {
1623 access_append( &a->acl_access, b );
1627 "%s: line %d: expecting \"to\" "
1628 "or \"by\" got \"%s\"\n",
1629 fname, lineno, argv[i] );
1634 /* if we have no real access clause, complain and do nothing */
1636 fprintf( stderr, "%s: line %d: "
1637 "warning: no access clause(s) specified in access line\n",
1642 if ( ldap_debug & LDAP_DEBUG_ACL ) {
1647 if ( a->acl_access == NULL ) {
1648 fprintf( stderr, "%s: line %d: "
1649 "warning: no by clause(s) specified in access line\n",
1654 if ( !BER_BVISNULL( &be->be_nsuffix[ 1 ] ) ) {
1655 fprintf( stderr, "%s: line %d: warning: "
1656 "scope checking only applies to single-valued "
1657 "suffix databases\n",
1659 /* go ahead, since checking is not authoritative */
1662 switch ( check_scope( be, a ) ) {
1663 case ACL_SCOPE_UNKNOWN:
1664 fprintf( stderr, "%s: line %d: warning: "
1665 "cannot assess the validity of the ACL scope within "
1666 "backend naming context\n",
1670 case ACL_SCOPE_WARN:
1671 fprintf( stderr, "%s: line %d: warning: "
1672 "ACL could be out of scope within backend naming context\n",
1676 case ACL_SCOPE_PARTIAL:
1677 fprintf( stderr, "%s: line %d: warning: "
1678 "ACL appears to be partially out of scope within "
1679 "backend naming context\n",
1684 fprintf( stderr, "%s: line %d: warning: "
1685 "ACL appears to be out of scope within "
1686 "backend naming context\n",
1693 acl_append( &be->be_acl, a );
1696 acl_append( &frontendDB->be_acl, a );
1702 accessmask2str( slap_mask_t mask, char *buf, int debug )
1707 assert( buf != NULL );
1709 if ( ACL_IS_INVALID( mask ) ) {
1715 if ( ACL_IS_LEVEL( mask ) ) {
1716 if ( ACL_LVL_IS_NONE(mask) ) {
1717 ptr = lutil_strcopy( ptr, "none" );
1719 } else if ( ACL_LVL_IS_DISCLOSE(mask) ) {
1720 ptr = lutil_strcopy( ptr, "disclose" );
1722 } else if ( ACL_LVL_IS_AUTH(mask) ) {
1723 ptr = lutil_strcopy( ptr, "auth" );
1725 } else if ( ACL_LVL_IS_COMPARE(mask) ) {
1726 ptr = lutil_strcopy( ptr, "compare" );
1728 } else if ( ACL_LVL_IS_SEARCH(mask) ) {
1729 ptr = lutil_strcopy( ptr, "search" );
1731 } else if ( ACL_LVL_IS_READ(mask) ) {
1732 ptr = lutil_strcopy( ptr, "read" );
1734 } else if ( ACL_LVL_IS_WRITE(mask) ) {
1735 ptr = lutil_strcopy( ptr, "write" );
1737 } else if ( ACL_LVL_IS_MANAGE(mask) ) {
1738 ptr = lutil_strcopy( ptr, "manage" );
1741 ptr = lutil_strcopy( ptr, "unknown" );
1751 if( ACL_IS_ADDITIVE( mask ) ) {
1754 } else if( ACL_IS_SUBTRACTIVE( mask ) ) {
1761 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_MANAGE) ) {
1766 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_WRITE) ) {
1771 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_READ) ) {
1776 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_SEARCH) ) {
1781 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_COMPARE) ) {
1786 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_AUTH) ) {
1791 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_DISCLOSE) ) {
1796 if ( none && ACL_PRIV_ISSET(mask, ACL_PRIV_NONE) ) {
1805 if ( ACL_IS_LEVEL( mask ) ) {
1815 str2accessmask( const char *str )
1819 if( !ASCII_ALPHA(str[0]) ) {
1822 if ( str[0] == '=' ) {
1825 } else if( str[0] == '+' ) {
1826 ACL_PRIV_ASSIGN(mask, ACL_PRIV_ADDITIVE);
1828 } else if( str[0] == '-' ) {
1829 ACL_PRIV_ASSIGN(mask, ACL_PRIV_SUBSTRACTIVE);
1832 ACL_INVALIDATE(mask);
1836 for( i=1; str[i] != '\0'; i++ ) {
1837 if( TOLOWER((unsigned char) str[i]) == 'm' ) {
1838 ACL_PRIV_SET(mask, ACL_PRIV_MANAGE);
1840 } else if( TOLOWER((unsigned char) str[i]) == 'w' ) {
1841 ACL_PRIV_SET(mask, ACL_PRIV_WRITE);
1843 } else if( TOLOWER((unsigned char) str[i]) == 'r' ) {
1844 ACL_PRIV_SET(mask, ACL_PRIV_READ);
1846 } else if( TOLOWER((unsigned char) str[i]) == 's' ) {
1847 ACL_PRIV_SET(mask, ACL_PRIV_SEARCH);
1849 } else if( TOLOWER((unsigned char) str[i]) == 'c' ) {
1850 ACL_PRIV_SET(mask, ACL_PRIV_COMPARE);
1852 } else if( TOLOWER((unsigned char) str[i]) == 'x' ) {
1853 ACL_PRIV_SET(mask, ACL_PRIV_AUTH);
1855 } else if( TOLOWER((unsigned char) str[i]) == 'd' ) {
1856 ACL_PRIV_SET(mask, ACL_PRIV_DISCLOSE);
1858 } else if( str[i] != '0' ) {
1859 ACL_INVALIDATE(mask);
1867 if ( strcasecmp( str, "none" ) == 0 ) {
1868 ACL_LVL_ASSIGN_NONE(mask);
1870 } else if ( strcasecmp( str, "disclose" ) == 0 ) {
1871 ACL_LVL_ASSIGN_DISCLOSE(mask);
1873 } else if ( strcasecmp( str, "auth" ) == 0 ) {
1874 ACL_LVL_ASSIGN_AUTH(mask);
1876 } else if ( strcasecmp( str, "compare" ) == 0 ) {
1877 ACL_LVL_ASSIGN_COMPARE(mask);
1879 } else if ( strcasecmp( str, "search" ) == 0 ) {
1880 ACL_LVL_ASSIGN_SEARCH(mask);
1882 } else if ( strcasecmp( str, "read" ) == 0 ) {
1883 ACL_LVL_ASSIGN_READ(mask);
1885 } else if ( strcasecmp( str, "write" ) == 0 ) {
1886 ACL_LVL_ASSIGN_WRITE(mask);
1888 } else if ( strcasecmp( str, "manage" ) == 0 ) {
1889 ACL_LVL_ASSIGN_MANAGE(mask);
1892 ACL_INVALIDATE( mask );
1901 fprintf( stderr, "%s%s%s\n",
1902 "<access clause> ::= access to <what> "
1903 "[ by <who> <access> [ <control> ] ]+ \n"
1904 "<what> ::= * | [dn[.<dnstyle>]=<DN>] [filter=<filter>] [attrs=<attrlist>]\n"
1905 "<attrlist> ::= <attr> [val[.<attrstyle>]=<value>] | <attr> , <attrlist>\n"
1906 "<attr> ::= <attrname> | entry | children\n",
1907 "<who> ::= [ * | anonymous | users | self | dn[.<dnstyle>]=<DN> ]\n"
1908 "\t[dnattr=<attrname>]\n"
1909 "\t[group[/<objectclass>[/<attrname>]][.<style>]=<group>]\n"
1910 "\t[peername[.<peernamestyle>]=<peer>] [sockname[.<style>]=<name>]\n"
1911 "\t[domain[.<domainstyle>]=<domain>] [sockurl[.<style>]=<url>]\n"
1912 #ifdef SLAPD_ACI_ENABLED
1913 "\t[aci=<attrname>]\n"
1915 "\t[ssf=<n>] [transport_ssf=<n>] [tls_ssf=<n>] [sasl_ssf=<n>]\n",
1916 "<style> ::= exact | regex | base(Object)\n"
1917 "<dnstyle> ::= base(Object) | one(level) | sub(tree) | children | "
1919 "<attrstyle> ::= exact | regex | base(Object) | one(level) | "
1920 "sub(tree) | children\n"
1921 "<peernamestyle> ::= exact | regex | ip | path\n"
1922 "<domainstyle> ::= exact | regex | base(Object) | sub(tree)\n"
1923 "<access> ::= [self]{<level>|<priv>}\n"
1924 "<level> ::= none|disclose|auth|compare|search|read|write|manage\n"
1925 "<priv> ::= {=|+|-}{0|d|x|c|s|r|w|m}+\n"
1926 "<control> ::= [ stop | continue | break ]\n"
1928 exit( EXIT_FAILURE );
1932 * Set pattern to a "normalized" DN from src.
1933 * At present it simply eats the (optional) space after
1934 * a RDN separator (,)
1935 * Eventually will evolve in a more complete normalization
1938 acl_regex_normalized_dn(
1940 struct berval *pattern )
1945 str = ch_strdup( src );
1946 len = strlen( src );
1948 for ( p = str; p && p[0]; p++ ) {
1950 if ( p[0] == '\\' && p[1] ) {
1952 * if escaping a hex pair we should
1953 * increment p twice; however, in that
1954 * case the second hex number does
1960 if ( p[0] == ',' && p[1] == ' ' ) {
1964 * too much space should be an error if we are pedantic
1966 for ( q = &p[2]; q[0] == ' '; q++ ) {
1969 AC_MEMCPY( p+1, q, len-(q-str)+1);
1972 pattern->bv_val = str;
1973 pattern->bv_len = p - str;
1986 if ( (*right = strchr( line, splitchar )) != NULL ) {
1987 *((*right)++) = '\0';
1992 access_append( Access **l, Access *a )
1994 for ( ; *l != NULL; l = &(*l)->a_next ) {
2002 acl_append( AccessControl **l, AccessControl *a )
2004 for ( ; *l != NULL; l = &(*l)->acl_next ) {
2012 access_free( Access *a )
2014 if ( !BER_BVISNULL( &a->a_dn_pat ) ) {
2015 free( a->a_dn_pat.bv_val );
2017 if ( !BER_BVISNULL( &a->a_peername_pat ) ) {
2018 free( a->a_peername_pat.bv_val );
2020 if ( !BER_BVISNULL( &a->a_sockname_pat ) ) {
2021 free( a->a_sockname_pat.bv_val );
2023 if ( !BER_BVISNULL( &a->a_domain_pat ) ) {
2024 free( a->a_domain_pat.bv_val );
2026 if ( !BER_BVISNULL( &a->a_sockurl_pat ) ) {
2027 free( a->a_sockurl_pat.bv_val );
2029 if ( !BER_BVISNULL( &a->a_set_pat ) ) {
2030 free( a->a_set_pat.bv_val );
2032 if ( !BER_BVISNULL( &a->a_group_pat ) ) {
2033 free( a->a_group_pat.bv_val );
2039 acl_free( AccessControl *a )
2044 if ( a->acl_filter ) {
2045 filter_free( a->acl_filter );
2047 if ( !BER_BVISNULL( &a->acl_dn_pat ) ) {
2048 free ( a->acl_dn_pat.bv_val );
2050 if ( a->acl_attrs ) {
2051 for ( an = a->acl_attrs; !BER_BVISNULL( &an->an_name ); an++ ) {
2052 free( an->an_name.bv_val );
2054 free( a->acl_attrs );
2056 for ( ; a->acl_access; a->acl_access = n ) {
2057 n = a->acl_access->a_next;
2058 access_free( a->acl_access );
2063 /* Because backend_startup uses acl_append to tack on the global_acl to
2064 * the end of each backend's acl, we cannot just take one argument and
2065 * merrily free our way to the end of the list. backend_destroy calls us
2066 * with the be_acl in arg1, and global_acl in arg2 to give us a stopping
2067 * point. config_destroy calls us with global_acl in arg1 and NULL in
2068 * arg2, so we then proceed to polish off the global_acl.
2071 acl_destroy( AccessControl *a, AccessControl *end )
2075 for (; a && a!= end; a=n) {
2082 access2str( slap_access_t access )
2084 if ( access == ACL_NONE ) {
2087 } else if ( access == ACL_DISCLOSE ) {
2090 } else if ( access == ACL_AUTH ) {
2093 } else if ( access == ACL_COMPARE ) {
2096 } else if ( access == ACL_SEARCH ) {
2099 } else if ( access == ACL_READ ) {
2102 } else if ( access == ACL_WRITE ) {
2105 } else if ( access == ACL_MANAGE ) {
2114 str2access( const char *str )
2116 if ( strcasecmp( str, "none" ) == 0 ) {
2119 } else if ( strcasecmp( str, "disclose" ) == 0 ) {
2120 return ACL_DISCLOSE;
2122 } else if ( strcasecmp( str, "auth" ) == 0 ) {
2125 } else if ( strcasecmp( str, "compare" ) == 0 ) {
2128 } else if ( strcasecmp( str, "search" ) == 0 ) {
2131 } else if ( strcasecmp( str, "read" ) == 0 ) {
2134 } else if ( strcasecmp( str, "write" ) == 0 ) {
2137 } else if ( strcasecmp( str, "manage" ) == 0 ) {
2141 return( ACL_INVALID_ACCESS );
2144 #define ACLBUF_MAXLEN 8192
2146 static char aclbuf[ACLBUF_MAXLEN];
2149 access2text( Access *b, char *ptr )
2151 char maskbuf[ACCESSMASK_MAXLEN];
2153 ptr = lutil_strcopy( ptr, "\tby" );
2155 if ( !BER_BVISEMPTY( &b->a_dn_pat ) ) {
2157 if ( ber_bvccmp( &b->a_dn_pat, '*' ) ||
2158 b->a_dn_style == ACL_STYLE_ANONYMOUS ||
2159 b->a_dn_style == ACL_STYLE_USERS ||
2160 b->a_dn_style == ACL_STYLE_SELF )
2162 ptr = lutil_strcopy( ptr, b->a_dn_pat.bv_val );
2165 ptr = lutil_strcopy( ptr, "dn." );
2166 ptr = lutil_strcopy( ptr, style_strings[b->a_dn_style] );
2169 ptr = lutil_strcopy( ptr, b->a_dn_pat.bv_val );
2174 if ( b->a_dn_at != NULL ) {
2175 ptr = lutil_strcopy( ptr, " dnattr=" );
2176 ptr = lutil_strcopy( ptr, b->a_dn_at->ad_cname.bv_val );
2179 if ( !BER_BVISEMPTY( &b->a_group_pat ) ) {
2180 ptr = lutil_strcopy( ptr, " group/" );
2181 ptr = lutil_strcopy( ptr, b->a_group_oc ?
2182 b->a_group_oc->soc_cname.bv_val : "groupOfNames" );
2184 ptr = lutil_strcopy( ptr, b->a_group_at ?
2185 b->a_group_at->ad_cname.bv_val : "member" );
2187 ptr = lutil_strcopy( ptr, style_strings[b->a_group_style] );
2190 ptr = lutil_strcopy( ptr, b->a_group_pat.bv_val );
2194 if ( !BER_BVISEMPTY( &b->a_peername_pat ) ) {
2195 ptr = lutil_strcopy( ptr, " peername=\"" );
2196 ptr = lutil_strcopy( ptr, b->a_peername_pat.bv_val );
2200 if ( !BER_BVISEMPTY( &b->a_sockname_pat ) ) {
2201 ptr = lutil_strcopy( ptr, " sockname=\"" );
2202 ptr = lutil_strcopy( ptr, b->a_sockname_pat.bv_val );
2206 if ( !BER_BVISEMPTY( &b->a_domain_pat ) ) {
2207 ptr = lutil_strcopy( ptr, " domain=" );
2208 ptr = lutil_strcopy( ptr, b->a_domain_pat.bv_val );
2211 if ( !BER_BVISEMPTY( &b->a_sockurl_pat ) ) {
2212 ptr = lutil_strcopy( ptr, " sockurl=\"" );
2213 ptr = lutil_strcopy( ptr, b->a_sockurl_pat.bv_val );
2217 if ( !BER_BVISEMPTY( &b->a_set_pat ) ) {
2218 ptr = lutil_strcopy( ptr, " set=\"" );
2219 ptr = lutil_strcopy( ptr, b->a_set_pat.bv_val );
2224 if ( b->a_dynacl ) {
2227 for ( da = b->a_dynacl; da; da = da->da_next ) {
2228 if ( da->da_unparse ) {
2230 (void)( *da->da_unparse )( da->da_private, &bv );
2231 ptr = lutil_strcopy( ptr, bv.bv_val );
2232 ch_free( bv.bv_val );
2236 #else /* ! SLAP_DYNACL */
2237 #ifdef SLAPD_ACI_ENABLED
2238 if ( b->a_aci_at != NULL ) {
2239 ptr = lutil_strcopy( ptr, " aci=" );
2240 ptr = lutil_strcopy( ptr, b->a_aci_at->ad_cname.bv_val );
2243 #endif /* SLAP_DYNACL */
2245 /* Security Strength Factors */
2246 if ( b->a_authz.sai_ssf ) {
2247 ptr += sprintf( ptr, " ssf=%u",
2248 b->a_authz.sai_ssf );
2250 if ( b->a_authz.sai_transport_ssf ) {
2251 ptr += sprintf( ptr, " transport_ssf=%u",
2252 b->a_authz.sai_transport_ssf );
2254 if ( b->a_authz.sai_tls_ssf ) {
2255 ptr += sprintf( ptr, " tls_ssf=%u",
2256 b->a_authz.sai_tls_ssf );
2258 if ( b->a_authz.sai_sasl_ssf ) {
2259 ptr += sprintf( ptr, " sasl_ssf=%u",
2260 b->a_authz.sai_sasl_ssf );
2264 if ( b->a_dn_self ) ptr = lutil_strcopy( ptr, "self" );
2265 ptr = lutil_strcopy( ptr, accessmask2str( b->a_access_mask, maskbuf, 0 ));
2266 if ( !maskbuf[0] ) ptr--;
2268 if( b->a_type == ACL_BREAK ) {
2269 ptr = lutil_strcopy( ptr, " break" );
2271 } else if( b->a_type == ACL_CONTINUE ) {
2272 ptr = lutil_strcopy( ptr, " continue" );
2274 } else if( b->a_type != ACL_STOP ) {
2275 ptr = lutil_strcopy( ptr, " unknown-control" );
2277 if ( !maskbuf[0] ) ptr = lutil_strcopy( ptr, " stop" );
2285 acl_unparse( AccessControl *a, struct berval *bv )
2292 bv->bv_val = aclbuf;
2297 ptr = lutil_strcopy( ptr, "to" );
2298 if ( !BER_BVISNULL( &a->acl_dn_pat ) ) {
2300 ptr = lutil_strcopy( ptr, " dn." );
2301 ptr = lutil_strcopy( ptr, style_strings[a->acl_dn_style] );
2304 ptr = lutil_strcopy( ptr, a->acl_dn_pat.bv_val );
2305 ptr = lutil_strcopy( ptr, "\"\n" );
2308 if ( a->acl_filter != NULL ) {
2309 struct berval bv = BER_BVNULL;
2312 filter2bv( a->acl_filter, &bv );
2313 ptr = lutil_strcopy( ptr, " filter=\"" );
2314 ptr = lutil_strcopy( ptr, bv.bv_val );
2317 ch_free( bv.bv_val );
2320 if ( a->acl_attrs != NULL ) {
2325 ptr = lutil_strcopy( ptr, " attrs=" );
2326 for ( an = a->acl_attrs; an && !BER_BVISNULL( &an->an_name ); an++ ) {
2327 if ( ! first ) *ptr++ = ',';
2329 *ptr++ = an->an_oc_exclude ? '!' : '@';
2330 ptr = lutil_strcopy( ptr, an->an_oc->soc_cname.bv_val );
2333 ptr = lutil_strcopy( ptr, an->an_name.bv_val );
2340 if ( !BER_BVISEMPTY( &a->acl_attrval ) ) {
2342 ptr = lutil_strcopy( ptr, " val." );
2343 ptr = lutil_strcopy( ptr, style_strings[a->acl_attrval_style] );
2346 ptr = lutil_strcopy( ptr, a->acl_attrval.bv_val );
2352 ptr = lutil_strcopy( ptr, " *\n" );
2355 for ( b = a->acl_access; b != NULL; b = b->a_next ) {
2356 ptr = access2text( b, ptr );
2359 bv->bv_len = ptr - bv->bv_val;
2365 print_acl( Backend *be, AccessControl *a )
2371 acl_unparse( a, &bv );
2372 fprintf( stderr, "%s ACL: access %s\n",
2373 be == NULL ? "Global" : "Backend", bv.bv_val );
2375 #endif /* LDAP_DEBUG */