git.sur5r.net Git - openldap/blob - servers/slapd/aclparse.c

   1 /* acl.c - routines to parse and check acl's */
   2 /* $OpenLDAP$ */
   3 /*
   4  * Copyright 1998-1999 The OpenLDAP Foundation, All Rights Reserved.
   5  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
   6  */
   7
   8 #include "portable.h"
   9
  10 #include <stdio.h>
  11
  12 #include <ac/ctype.h>
  13 #include <ac/regex.h>
  14 #include <ac/socket.h>
  15 #include <ac/string.h>
  16 #include <ac/unistd.h>
  17
  18 #include "slap.h"
  19
  20 static void             split(char *line, int splitchar, char **left, char **right);
  21 static void             access_append(Access **l, Access *a);
  22 static void             acl_usage(void) LDAP_GCCATTR((noreturn));
  23
  24 #ifdef LDAP_DEBUG
  25 static void             print_acl(Backend *be, AccessControl *a);
  26 static void             print_access(Access *b);
  27 #endif
  28
  29 static int
  30 regtest(const char *fname, int lineno, char *pat) {
  31         int e;
  32         regex_t re;
  33
  34         char buf[512];
  35         unsigned size;
  36
  37         char *sp;
  38         char *dp;
  39         int  flag;
  40
  41         sp = pat;
  42         dp = buf;
  43         size = 0;
  44         buf[0] = '\0';
  45
  46         for (size = 0, flag = 0; (size < sizeof(buf)) && *sp; sp++) {
  47                 if (flag) {
  48                         if (*sp == '$'|| (*sp >= '0' && *sp <= '9')) {
  49                                 *dp++ = *sp;
  50                                 size++;
  51                         }
  52                         flag = 0;
  53
  54                 } else {
  55                         if (*sp == '$') {
  56                                 flag = 1;
  57                         } else {
  58                                 *dp++ = *sp;
  59                                 size++;
  60                         }
  61                 }
  62         }
  63
  64         *dp = '\0';
  65         if ( size >= (sizeof(buf)-1) ) {
  66                 fprintf( stderr,
  67                         "%s: line %d: regular expression \"%s\" too large\n",
  68                         fname, lineno, pat );
  69                 acl_usage();
  70         }
  71
  72         if ((e = regcomp(&re, buf, REG_EXTENDED|REG_ICASE))) {
  73                 char error[512];
  74                 regerror(e, &re, error, sizeof(error));
  75                 fprintf( stderr,
  76                         "%s: line %d: regular expression \"%s\" bad because of %s\n",
  77                         fname, lineno, pat, error );
  78                 acl_usage();
  79                 return(0);
  80         }
  81         regfree(&re);
  82         return(1);
  83 }
  84
  85 void
  86 parse_acl(
  87     Backend     *be,
  88     const char  *fname,
  89     int         lineno,
  90     int         argc,
  91     char        **argv
  92 )
  93 {
  94         int             i;
  95         char            *left, *right;
  96         AccessControl   *a;
  97         Access  *b;
  98
  99         a = NULL;
 100         for ( i = 1; i < argc; i++ ) {
 101                 /* to clause - select which entries are protected */
 102                 if ( strcasecmp( argv[i], "to" ) == 0 ) {
 103                         if ( a != NULL ) {
 104                                 fprintf( stderr,
 105                 "%s: line %d: only one to clause allowed in access line\n",
 106                                     fname, lineno );
 107                                 acl_usage();
 108                         }
 109                         a = (AccessControl *) ch_calloc( 1, sizeof(AccessControl) );
 110                         a->acl_filter = NULL;
 111                         a->acl_dn_pat = NULL;
 112                         a->acl_attrs  = NULL;
 113                         a->acl_access = NULL;
 114                         a->acl_next   = NULL;
 115                         for ( ++i; i < argc; i++ ) {
 116                                 if ( strcasecmp( argv[i], "by" ) == 0 ) {
 117                                         i--;
 118                                         break;
 119                                 }
 120
 121                                 if ( strcasecmp( argv[i], "*" ) == 0 ) {
 122                                         a->acl_dn_pat = ch_strdup( ".*" );
 123                                         continue;
 124                                 }
 125
 126                                 split( argv[i], '=', &left, &right );
 127                                 if ( right == NULL || *right == '\0' ) {
 128                                         fprintf( stderr,
 129         "%s: line %d: missing \"=\" in (or value after) \"%s\" in to clause\n",
 130                                             fname, lineno, left );
 131                                         acl_usage();
 132                                 }
 133
 134                                 if ( strcasecmp( left, "filter" ) == 0 ) {
 135                                         if ( (a->acl_filter = str2filter(
 136                                             right )) == NULL ) {
 137                                                 fprintf( stderr,
 138                                 "%s: line %d: bad filter \"%s\" in to clause\n",
 139                                                     fname, lineno, right );
 140                                                 acl_usage();
 141                                         }
 142
 143                                 } else if ( strcasecmp( left, "dn" ) == 0 ) {
 144                                                 a->acl_dn_pat = ch_strdup( right );
 145
 146                                 } else if ( strncasecmp( left, "attr", 4 ) == 0 ) {
 147                                         char    **alist;
 148
 149                                         alist = str2charray( right, "," );
 150                                         charray_merge( &a->acl_attrs, alist );
 151                                         charray_free( alist );
 152
 153                                 } else {
 154                                         fprintf( stderr,
 155                                                 "%s: line %d: expecting <what> got \"%s\"\n",
 156                                             fname, lineno, left );
 157                                         acl_usage();
 158                                 }
 159                         }
 160
 161                         if ( a->acl_dn_pat != NULL ) {
 162                                 int e = regcomp( &a->acl_dn_re, a->acl_dn_pat,
 163                                                  REG_EXTENDED | REG_ICASE );
 164                                 if ( e ) {
 165                                         char buf[512];
 166                                         regerror( e, &a->acl_dn_re, buf, sizeof(buf) );
 167                                         fprintf( stderr,
 168                                 "%s: line %d: regular expression \"%s\" bad because of %s\n",
 169                                                  fname, lineno, right, buf );
 170                                         acl_usage();
 171                                 }
 172                         }
 173
 174                 /* by clause - select who has what access to entries */
 175                 } else if ( strcasecmp( argv[i], "by" ) == 0 ) {
 176                         if ( a == NULL ) {
 177                                 fprintf( stderr,
 178                                         "%s: line %d: to clause required before by clause in access line\n",
 179                                     fname, lineno );
 180                                 acl_usage();
 181                         }
 182
 183                         /*
 184                          * by clause consists of <who> and <access>
 185                          */
 186
 187                         b = (Access *) ch_calloc( 1, sizeof(Access) );
 188
 189                         ACL_INVALIDATE( b->a_mask );
 190
 191                         if ( ++i == argc ) {
 192                                 fprintf( stderr,
 193                             "%s: line %d: premature eol: expecting <who>\n",
 194                                     fname, lineno );
 195                                 acl_usage();
 196                         }
 197
 198                         /* get <who> */
 199                         for ( ; i < argc; i++ ) {
 200                                 char *pat;
 201                                 split( argv[i], '=', &left, &right );
 202
 203                                 if ( strcasecmp( argv[i], "*" ) == 0 ) {
 204                                         pat = ch_strdup( ".*" );
 205                                 } else if ( strcasecmp( argv[i], "anonymous" ) == 0 ) {
 206                                         pat = ch_strdup( "anonymous" );
 207                                 } else if ( strcasecmp( argv[i], "self" ) == 0 ) {
 208                                         pat = ch_strdup( "self" );
 209                                 } else if ( strcasecmp( left, "dn" ) == 0 ) {
 210                                         regtest(fname, lineno, right);
 211                                         pat = ch_strdup( right );
 212                                 } else {
 213                                         pat = NULL;
 214                                 }
 215
 216                                 if( pat != NULL ) {
 217                                         if( b->a_dn_pat != NULL ) {
 218                                                 fprintf( stderr,
 219                                                     "%s: line %d: dn pattern already specified.\n",
 220                                                     fname, lineno );
 221                                                 acl_usage();
 222                                         }
 223
 224                                         b->a_dn_pat = pat;
 225                                         continue;
 226                                 }
 227
 228                                 if ( strcasecmp( left, "dnattr" ) == 0 ) {
 229                                         if( b->a_dn_pat != NULL ) {
 230                                                 fprintf( stderr,
 231                                                         "%s: line %d: dnaddr already specified.\n",
 232                                                         fname, lineno );
 233                                                 acl_usage();
 234                                         }
 235
 236                                         b->a_dn_at = ch_strdup( right );
 237                                         continue;
 238                                 }
 239
 240                                 if ( strncasecmp( left, "group", sizeof("group")-1 ) == 0 ) {
 241                                         char *name = NULL;
 242                                         char *value = NULL;
 243
 244                                         if( b->a_group_pat != NULL ) {
 245                                                 fprintf( stderr,
 246                                                         "%s: line %d: group pattern already specified.\n",
 247                                                         fname, lineno );
 248                                                 acl_usage();
 249                                         }
 250
 251                                         /* format of string is "group/objectClassValue/groupAttrName" */
 252                                         if ((value = strchr(left, '/')) != NULL) {
 253                                                 *value++ = '\0';
 254                                                 if (value && *value
 255                                                         && (name = strchr(value, '/')) != NULL)
 256                                                 {
 257                                                         *name++ = '\0';
 258                                                 }
 259                                         }
 260
 261                                         regtest(fname, lineno, right);
 262                                         b->a_group_pat = ch_strdup( right );
 263
 264                                         if (value && *value) {
 265                                                 b->a_group_oc = ch_strdup(value);
 266                                                 *--value = '/';
 267                                         } else {
 268                                                 b->a_group_oc = ch_strdup("groupOfNames");
 269
 270                                                 if (name && *name) {
 271                                                         b->a_group_at = ch_strdup(name);
 272                                                         *--name = '/';
 273
 274                                                 } else {
 275                                                         b->a_group_at = ch_strdup("member");
 276                                                 }
 277                                         }
 278                                         continue;
 279                                 }
 280
 281                                 if ( strcasecmp( left, "peername" ) == 0 ) {
 282                                         if( b->a_peername_pat != NULL ) {
 283                                                 fprintf( stderr,
 284                                                         "%s: line %d: peername pattern already specified.\n",
 285                                                         fname, lineno );
 286                                                 acl_usage();
 287                                         }
 288
 289                                         regtest(fname, lineno, right);
 290                                         b->a_peername_pat = ch_strdup( right );
 291                                         continue;
 292                                 }
 293
 294                                 if ( strcasecmp( left, "sockname" ) == 0 ) {
 295                                         if( b->a_sockname_pat != NULL ) {
 296                                                 fprintf( stderr,
 297                                                         "%s: line %d: sockname pattern already specified.\n",
 298                                                         fname, lineno );
 299                                                 acl_usage();
 300                                         }
 301
 302                                         regtest(fname, lineno, right);
 303                                         b->a_sockname_pat = ch_strdup( right );
 304                                         continue;
 305                                 }
 306
 307                                 if ( strcasecmp( left, "domain" ) == 0 ) {
 308                                         if( b->a_domain_pat != NULL ) {
 309                                                 fprintf( stderr,
 310                                                         "%s: line %d: domain pattern already specified.\n",
 311                                                         fname, lineno );
 312                                                 acl_usage();
 313                                         }
 314
 315                                         regtest(fname, lineno, right);
 316                                         b->a_domain_pat = ch_strdup( right );
 317                                         continue;
 318                                 }
 319
 320                                 if ( strcasecmp( left, "sockurl" ) == 0 ) {
 321                                         if( b->a_sockurl_pat != NULL ) {
 322                                                 fprintf( stderr,
 323                                                         "%s: line %d: sockurl pattern already specified.\n",
 324                                                         fname, lineno );
 325                                                 acl_usage();
 326                                         }
 327
 328                                         regtest(fname, lineno, right);
 329                                         b->a_sockurl_pat = ch_strdup( right );
 330                                         continue;
 331                                 }
 332
 333 #ifdef SLAPD_ACI_ENABLED
 334                                 if ( strcasecmp( left, "aci" ) == 0 ) {
 335                                         if( b->a_aci_at != NULL ) {
 336                                                 fprintf( stderr,
 337                                                         "%s: line %d: aci attribute already specified.\n",
 338                                                         fname, lineno );
 339                                                 acl_usage();
 340                                         }
 341
 342                                         if ( right != NULL && *right != '\0' )
 343                                                 b->a_aci_at = ch_strdup( right );
 344                                         else
 345                                                 b->a_aci_at = ch_strdup( SLAPD_ACI_DEFAULT_ATTR );
 346                                         continue;
 347                                 }
 348 #endif
 349
 350                                 if( right != NULL ) {
 351                                         /* unsplit */
 352                                         right[-1] = '=';
 353                                 }
 354                                 break;
 355                         }
 356
 357                         if( i == argc || ( strcasecmp( left, "stop" ) == 0 )) {
 358                                 /* out of arguments or plain stop */
 359
 360                                 ACL_PRIV_ASSIGN(b->a_mask, ACL_NONE);
 361                                 b->a_type = ACL_STOP;
 362
 363                                 access_append( &a->acl_access, b );
 364                                 continue;
 365                         }
 366
 367                         if( strcasecmp( left, "continue" ) == 0 ) {
 368                                 /* plain continue */
 369
 370                                 ACL_PRIV_ASSIGN(b->a_mask, ACL_NONE);
 371                                 b->a_type = ACL_CONTINUE;
 372
 373                                 access_append( &a->acl_access, b );
 374                                 continue;
 375                         }
 376
 377                         if( strcasecmp( left, "break" ) == 0 ) {
 378                                 /* plain continue */
 379
 380                                 ACL_PRIV_ASSIGN(b->a_mask, ACL_NONE);
 381                                 b->a_type = ACL_BREAK;
 382
 383                                 access_append( &a->acl_access, b );
 384                                 continue;
 385                         }
 386
 387                         if ( strcasecmp( left, "by" ) == 0 ) {
 388                                 /* we've gone too far */
 389                                 --i;
 390                                 ACL_PRIV_ASSIGN(b->a_mask, ACL_NONE);
 391                                 b->a_type = ACL_STOP;
 392
 393                                 access_append( &a->acl_access, b );
 394                                 continue;
 395                         }
 396
 397                         /* get <access> */
 398                         if( strncasecmp( left, "self", 4 ) == 0 ) {
 399                                 b->a_dn_self = 1;
 400                                 ACL_PRIV_ASSIGN( b->a_mask, str2accessmask( &left[4] ) );
 401
 402                         } else {
 403                                 ACL_PRIV_ASSIGN( b->a_mask, str2accessmask( left ) );
 404                         }
 405
 406                         if( ACL_IS_INVALID( b->a_mask ) ) {
 407                                 fprintf( stderr,
 408                                         "%s: line %d: expecting <access> got \"%s\"\n",
 409                                         fname, lineno, left );
 410                                 acl_usage();
 411                         }
 412
 413                         b->a_type = ACL_STOP;
 414
 415                         if( ++i == argc ) {
 416                                 /* out of arguments or plain stop */
 417                                 access_append( &a->acl_access, b );
 418                                 continue;
 419                         }
 420
 421                         if( strcasecmp( argv[i], "continue" ) == 0 ) {
 422                                 /* plain continue */
 423                                 b->a_type = ACL_CONTINUE;
 424
 425                         } else if( strcasecmp( argv[i], "break" ) == 0 ) {
 426                                 /* plain continue */
 427                                 b->a_type = ACL_BREAK;
 428
 429                         } else if ( strcasecmp( argv[i], "stop" ) != 0 ) {
 430                                 /* gone to far */
 431                                 i--;
 432                         }
 433
 434                         access_append( &a->acl_access, b );
 435
 436                 } else {
 437                         fprintf( stderr,
 438                     "%s: line %d: expecting \"to\" or \"by\" got \"%s\"\n",
 439                             fname, lineno, argv[i] );
 440                         acl_usage();
 441                 }
 442         }
 443
 444         /* if we have no real access clause, complain and do nothing */
 445         if ( a == NULL ) {
 446                         fprintf( stderr,
 447                                 "%s: line %d: warning: no access clause(s) specified in access line\n",
 448                             fname, lineno );
 449
 450         } else {
 451
 452 #ifdef LDAP_DEBUG
 453                 if (ldap_debug & LDAP_DEBUG_ACL)
 454                     print_acl(be, a);
 455 #endif
 456
 457                 if ( a->acl_access == NULL ) {
 458                         fprintf( stderr,
 459                         "%s: line %d: warning: no by clause(s) specified in access line\n",
 460                             fname, lineno );
 461                 }
 462
 463                 if ( be != NULL ) {
 464                         acl_append( &be->be_acl, a );
 465                 } else {
 466                         acl_append( &global_acl, a );
 467                 }
 468         }
 469 }
 470
 471 char *
 472 accessmask2str( slap_access_mask_t mask )
 473 {
 474         static char     buf[sizeof("unknown (+wrsca0)")];
 475         int none=1;
 476
 477         if ( ACL_IS_INVALID( mask ) ) {
 478                 return "invalid";
 479         }
 480
 481         buf[0] = '\0';
 482
 483         if ( ACL_IS_LEVEL( mask ) ) {
 484                 if ( ACL_LVL_IS_NONE(mask) ) {
 485                         strcat( buf, "none" );
 486
 487                 } else if ( ACL_LVL_IS_AUTH(mask) ) {
 488                         strcat( buf, "auth" );
 489
 490                 } else if ( ACL_LVL_IS_COMPARE(mask) ) {
 491                         strcat( buf, "compare" );
 492
 493                 } else if ( ACL_LVL_IS_SEARCH(mask) ) {
 494                         strcat( buf, "search" );
 495
 496                 } else if ( ACL_LVL_IS_READ(mask) ) {
 497                         strcat( buf, "read" );
 498
 499                 } else if ( ACL_LVL_IS_WRITE(mask) ) {
 500                         strcat( buf, "write" );
 501                 } else {
 502                         strcat( buf, "unknown" );
 503                 }
 504
 505                 strcat(buf, " (");
 506         }
 507
 508         if( ACL_IS_ADDITIVE( mask ) ) {
 509                 strcat( buf, "+" );
 510
 511         } else if( ACL_IS_SUBTRACTIVE( mask ) ) {
 512                 strcat( buf, "-" );
 513
 514         } else {
 515                 strcat( buf, "=" );
 516         }
 517
 518         if ( ACL_PRIV_ISSET(mask, ACL_PRIV_WRITE) ) {
 519                 none = 0;
 520                 strcat( buf, "w" );
 521         }
 522
 523         if ( ACL_PRIV_ISSET(mask, ACL_PRIV_READ) ) {
 524                 none = 0;
 525                 strcat( buf, "r" );
 526         }
 527
 528         if ( ACL_PRIV_ISSET(mask, ACL_PRIV_SEARCH) ) {
 529                 none = 0;
 530                 strcat( buf, "s" );
 531         }
 532
 533         if ( ACL_PRIV_ISSET(mask, ACL_PRIV_COMPARE) ) {
 534                 none = 0;
 535                 strcat( buf, "c" );
 536         }
 537
 538         if ( ACL_PRIV_ISSET(mask, ACL_PRIV_AUTH) ) {
 539                 none = 0;
 540                 strcat( buf, "x" );
 541         }
 542
 543         if ( none && ACL_PRIV_ISSET(mask, ACL_PRIV_NONE) ) {
 544                 strcat( buf, "0" );
 545         }
 546
 547         if ( ACL_IS_LEVEL( mask ) ) {
 548                 strcat(buf, ")");
 549         }
 550         return buf;
 551 }
 552
 553 slap_access_mask_t
 554 str2accessmask( const char *str )
 555 {
 556         slap_access_mask_t      mask;
 557
 558         if( !isalpha(str[0]) ) {
 559                 int i;
 560
 561                 if ( str[0] == '=' ) {
 562                         ACL_INIT(mask);
 563
 564                 } else if( str[0] == '+' ) {
 565                         ACL_PRIV_ASSIGN(mask, ACL_PRIV_ADDITIVE);
 566
 567                 } else if( str[0] == '-' ) {
 568                         ACL_PRIV_ASSIGN(mask, ACL_PRIV_SUBSTRACTIVE);
 569
 570                 } else {
 571                         ACL_INVALIDATE(mask);
 572                         return mask;
 573                 }
 574
 575                 for( i=1; str[i] != '\0'; i++ ) {
 576                         if( TOLOWER(str[i]) == 'w' ) {
 577                                 ACL_PRIV_SET(mask, ACL_PRIV_WRITE);
 578
 579                         } else if( TOLOWER(str[i]) == 'r' ) {
 580                                 ACL_PRIV_SET(mask, ACL_PRIV_READ);
 581
 582                         } else if( TOLOWER(str[i]) == 's' ) {
 583                                 ACL_PRIV_SET(mask, ACL_PRIV_SEARCH);
 584
 585                         } else if( TOLOWER(str[i]) == 'c' ) {
 586                                 ACL_PRIV_SET(mask, ACL_PRIV_COMPARE);
 587
 588                         } else if( TOLOWER(str[i]) == 'x' ) {
 589                                 ACL_PRIV_SET(mask, ACL_PRIV_AUTH);
 590
 591                         } else {
 592                                 ACL_INVALIDATE(mask);
 593                                 return mask;
 594                         }
 595                 }
 596
 597                 return mask;
 598         }
 599
 600         if ( strcasecmp( str, "none" ) == 0 ) {
 601                 ACL_LVL_ASSIGN_NONE(mask);
 602
 603         } else if ( strcasecmp( str, "auth" ) == 0 ) {
 604                 ACL_LVL_ASSIGN_AUTH(mask);
 605
 606         } else if ( strcasecmp( str, "compare" ) == 0 ) {
 607                 ACL_LVL_ASSIGN_COMPARE(mask);
 608
 609         } else if ( strcasecmp( str, "search" ) == 0 ) {
 610                 ACL_LVL_ASSIGN_SEARCH(mask);
 611
 612         } else if ( strcasecmp( str, "read" ) == 0 ) {
 613                 ACL_LVL_ASSIGN_READ(mask);
 614
 615         } else if ( strcasecmp( str, "write" ) == 0 ) {
 616                 ACL_LVL_ASSIGN_WRITE(mask);
 617
 618         } else {
 619                 ACL_INVALIDATE( mask );
 620         }
 621
 622         return mask;
 623 }
 624
 625 static void
 626 acl_usage( void )
 627 {
 628         fprintf( stderr, "\n"
 629                 "<access clause> ::= access to <what> "
 630                                 "[ by <who> <access> <control> ]+ \n"
 631                 "<what> ::= * | [dn=<regex>] [filter=<ldapfilter>] [attrs=<attrlist>]\n"
 632                 "<attrlist> ::= <attr> | <attr> , <attrlist>\n"
 633                 "<attr> ::= <attrname> | entry | children\n"
 634                 "<who> ::= [ * | anonymous | self | dn=<regex> ]\n"
 635                         "\t[dnattr=<attrname>]\n"
 636                         "\t[group[/<objectclass>[/<attrname>]]=<regex>]\n"
 637                         "\t[peername=<regex>] [sockname=<regex>]\n"
 638                         "\t[domain=<regex>] [sockurl=<regex>]\n"
 639 #ifdef SLAPD_ACI_ENABLED
 640                         "\t[aci=<attrname>]\n"
 641 #endif
 642                 "<access> ::= [self]{<level>|<priv>}\n"
 643                 "<level> ::= none | auth | compare | search | read | write\n"
 644                 "<priv> ::= {=|+|-}{w|r|s|c|x}+\n"
 645                 "<control> ::= [ stop | continue | break ]\n"
 646                 );
 647         exit( EXIT_FAILURE );
 648 }
 649
 650 static void
 651 split(
 652     char        *line,
 653     int         splitchar,
 654     char        **left,
 655     char        **right
 656 )
 657 {
 658         *left = line;
 659         if ( (*right = strchr( line, splitchar )) != NULL ) {
 660                 *((*right)++) = '\0';
 661         }
 662 }
 663
 664 static void
 665 access_append( Access **l, Access *a )
 666 {
 667         for ( ; *l != NULL; l = &(*l)->a_next )
 668                 ;       /* NULL */
 669
 670         *l = a;
 671 }
 672
 673 void
 674 acl_append( AccessControl **l, AccessControl *a )
 675 {
 676         for ( ; *l != NULL; l = &(*l)->acl_next )
 677                 ;       /* NULL */
 678
 679         *l = a;
 680 }
 681
 682 #ifdef LDAP_DEBUG
 683
 684 static void
 685 print_access( Access *b )
 686 {
 687         fprintf( stderr, "\tby" );
 688
 689         if ( b->a_dn_pat != NULL ) {
 690                 if( strcmp(b->a_dn_pat, "anonymous") == 0 ) {
 691                         fprintf( stderr, " anonymous" );
 692
 693                 } else if( strcmp(b->a_dn_pat, "self") == 0 ) {
 694                         fprintf( stderr, " self" );
 695
 696                 } else {
 697                         fprintf( stderr, " dn=%s", b->a_dn_pat );
 698                 }
 699         }
 700
 701         if ( b->a_dn_at != NULL ) {
 702                 fprintf( stderr, " dnattr=%s", b->a_dn_at );
 703         }
 704
 705         if ( b->a_group_pat != NULL ) {
 706                 fprintf( stderr, " group: %s", b->a_group_pat );
 707
 708                 if ( b->a_group_oc ) {
 709                         fprintf( stderr, " objectClass: %s", b->a_group_oc );
 710
 711                         if ( b->a_group_at ) {
 712                                 fprintf( stderr, " attributeType: %s", b->a_group_at );
 713                         }
 714                 }
 715     }
 716
 717         if ( b->a_peername_pat != NULL ) {
 718                 fprintf( stderr, " peername=%s", b->a_peername_pat );
 719         }
 720
 721         if ( b->a_sockname_pat != NULL ) {
 722                 fprintf( stderr, " sockname=%s", b->a_sockname_pat );
 723         }
 724
 725         if ( b->a_domain_pat != NULL ) {
 726                 fprintf( stderr, " domain=%s", b->a_domain_pat );
 727         }
 728
 729         if ( b->a_sockurl_pat != NULL ) {
 730                 fprintf( stderr, " sockurl=%s", b->a_sockurl_pat );
 731         }
 732
 733 #ifdef SLAPD_ACI_ENABLED
 734         if ( b->a_aci_at != NULL ) {
 735                 fprintf( stderr, " aci=%s", b->a_aci_at );
 736         }
 737 #endif
 738
 739         fprintf( stderr, " %s%s",
 740                 b->a_dn_self ? "self" : "",
 741                 accessmask2str( b->a_mask ) );
 742
 743         fprintf( stderr, "\n" );
 744 }
 745
 746 char *
 747 access2str( slap_access_t access )
 748 {
 749         if ( access == ACL_NONE ) {
 750                 return "none";
 751
 752         } else if ( access == ACL_AUTH ) {
 753                 return "auth";
 754
 755         } else if ( access == ACL_COMPARE ) {
 756                 return "compare";
 757
 758         } else if ( access == ACL_SEARCH ) {
 759                 return "search";
 760
 761         } else if ( access == ACL_READ ) {
 762                 return "read";
 763
 764         } else if ( access == ACL_WRITE ) {
 765                 return "write";
 766         }
 767
 768         return "unknown";
 769 }
 770
 771 slap_access_t
 772 str2access( const char *str )
 773 {
 774         if ( strcasecmp( str, "none" ) == 0 ) {
 775                 return ACL_NONE;
 776
 777         } else if ( strcasecmp( str, "auth" ) == 0 ) {
 778                 return ACL_AUTH;
 779
 780         } else if ( strcasecmp( str, "compare" ) == 0 ) {
 781                 return ACL_COMPARE;
 782
 783         } else if ( strcasecmp( str, "search" ) == 0 ) {
 784                 return ACL_SEARCH;
 785
 786         } else if ( strcasecmp( str, "read" ) == 0 ) {
 787                 return ACL_READ;
 788
 789         } else if ( strcasecmp( str, "write" ) == 0 ) {
 790                 return ACL_WRITE;
 791         }
 792
 793         return( ACL_INVALID_ACCESS );
 794 }
 795
 796
 797 static void
 798 print_acl( Backend *be, AccessControl *a )
 799 {
 800         int             to = 0;
 801         Access  *b;
 802
 803         fprintf( stderr, "%s ACL: access to",
 804                 be == NULL ? "Global" : "Backend" );
 805
 806         if ( a->acl_dn_pat != NULL ) {
 807                 to++;
 808                 fprintf( stderr, " dn=%s\n",
 809                         a->acl_dn_pat );
 810         }
 811
 812         if ( a->acl_filter != NULL ) {
 813                 to++;
 814                 fprintf( stderr, " filter=" );
 815                 filter_print( a->acl_filter );
 816                 fprintf( stderr, "\n" );
 817         }
 818
 819         if ( a->acl_attrs != NULL ) {
 820                 int     i, first = 1;
 821                 to++;
 822
 823                 fprintf( stderr, " attrs=" );
 824                 for ( i = 0; a->acl_attrs[i] != NULL; i++ ) {
 825                         if ( ! first ) {
 826                                 fprintf( stderr, "," );
 827                         }
 828                         fprintf( stderr, a->acl_attrs[i] );
 829                         first = 0;
 830                 }
 831                 fprintf(  stderr, "\n" );
 832         }
 833
 834         if( !to ) {
 835                 fprintf( stderr, " *\n" );
 836         }
 837
 838         for ( b = a->acl_access; b != NULL; b = b->a_next ) {
 839                 print_access( b );
 840         }
 841
 842         fprintf( stderr, "\n" );
 843 }
 844
 845 #endif /* LDAP_DEBUG */