1 /* aclparse.c - routines to parse and check acl's */
3 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
5 * Copyright 1998-2005 The OpenLDAP Foundation.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted only as authorized by the OpenLDAP
12 * A copy of this license is available in the file LICENSE in the
13 * top-level directory of the distribution or, alternatively, at
14 * <http://www.OpenLDAP.org/license.html>.
16 /* Portions Copyright (c) 1995 Regents of the University of Michigan.
17 * All rights reserved.
19 * Redistribution and use in source and binary forms are permitted
20 * provided that this notice is preserved and that due credit is given
21 * to the University of Michigan at Ann Arbor. The name of the University
22 * may not be used to endorse or promote products derived from this
23 * software without specific prior written permission. This software
24 * is provided ``as is'' without express or implied warranty.
33 #include <ac/socket.h>
34 #include <ac/string.h>
35 #include <ac/unistd.h>
41 static char *style_strings[] = {
58 static void split(char *line, int splitchar, char **left, char **right);
59 static void access_append(Access **l, Access *a);
60 static void acl_usage(void) LDAP_GCCATTR((noreturn));
62 static void acl_regex_normalized_dn(const char *src, struct berval *pat);
65 static void print_acl(Backend *be, AccessControl *a);
68 static int check_scope( BackendDB *be, AccessControl *a );
72 slap_dynacl_config( const char *fname, int lineno, Access *b, const char *name, slap_style_t sty, const char *right )
74 slap_dynacl_t *da, *tmp;
77 for ( da = b->a_dynacl; da; da = da->da_next ) {
78 if ( strcasecmp( da->da_name, name ) == 0 ) {
80 "%s: line %d: dynacl \"%s\" already specified.\n",
81 fname, lineno, name );
86 da = slap_dynacl_get( name );
91 tmp = ch_malloc( sizeof( slap_dynacl_t ) );
94 if ( tmp->da_parse ) {
95 rc = ( *tmp->da_parse )( fname, lineno, sty, right, &tmp->da_private );
102 tmp->da_next = b->a_dynacl;
107 #endif /* SLAP_DYNACL */
110 regtest(const char *fname, int lineno, char *pat) {
126 for (size = 0, flag = 0; (size < sizeof(buf)) && *sp; sp++) {
128 if (*sp == '$'|| (*sp >= '0' && *sp <= '9')) {
145 if ( size >= (sizeof(buf) - 1) ) {
147 "%s: line %d: regular expression \"%s\" too large\n",
148 fname, lineno, pat );
152 if ((e = regcomp(&re, buf, REG_EXTENDED|REG_ICASE))) {
154 regerror(e, &re, error, sizeof(error));
156 "%s: line %d: regular expression \"%s\" bad because of %s\n",
157 fname, lineno, pat, error );
166 * Check if the pattern of an ACL, if any, matches the scope
167 * of the backend it is defined within.
169 #define ACL_SCOPE_UNKNOWN (-2)
170 #define ACL_SCOPE_ERR (-1)
171 #define ACL_SCOPE_OK (0)
172 #define ACL_SCOPE_PARTIAL (1)
173 #define ACL_SCOPE_WARN (2)
176 check_scope( BackendDB *be, AccessControl *a )
181 dn = be->be_nsuffix[0];
183 if ( BER_BVISEMPTY( &dn ) ) {
187 if ( !BER_BVISEMPTY( &a->acl_dn_pat ) ||
188 a->acl_dn_style != ACL_STYLE_REGEX )
190 slap_style_t style = a->acl_dn_style;
192 if ( style == ACL_STYLE_REGEX ) {
193 char dnbuf[SLAP_LDAPDN_MAXLEN + 2];
194 char rebuf[SLAP_LDAPDN_MAXLEN + 1];
199 /* add trailing '$' to database suffix to form
200 * a simple trial regex pattern "<suffix>$" */
201 AC_MEMCPY( dnbuf, be->be_nsuffix[0].bv_val,
202 be->be_nsuffix[0].bv_len );
203 dnbuf[be->be_nsuffix[0].bv_len] = '$';
204 dnbuf[be->be_nsuffix[0].bv_len + 1] = '\0';
206 if ( regcomp( &re, dnbuf, REG_EXTENDED|REG_ICASE ) ) {
207 return ACL_SCOPE_WARN;
210 /* remove trailing ')$', if any, from original
212 rebuflen = a->acl_dn_pat.bv_len;
213 AC_MEMCPY( rebuf, a->acl_dn_pat.bv_val, rebuflen + 1 );
214 if ( rebuf[rebuflen - 1] == '$' ) {
215 rebuf[--rebuflen] = '\0';
217 while ( rebuflen > be->be_nsuffix[0].bv_len && rebuf[rebuflen - 1] == ')' ) {
218 rebuf[--rebuflen] = '\0';
220 if ( rebuflen == be->be_nsuffix[0].bv_len ) {
225 /* not a clear indication of scoping error, though */
226 rc = regexec( &re, rebuf, 0, NULL, 0 )
227 ? ACL_SCOPE_WARN : ACL_SCOPE_OK;
234 patlen = a->acl_dn_pat.bv_len;
235 /* If backend suffix is longer than pattern,
236 * it is a potential mismatch (in the sense
237 * that a superior naming context could
239 if ( dn.bv_len > patlen ) {
240 /* base is blatantly wrong */
241 if ( style == ACL_STYLE_BASE ) return ACL_SCOPE_ERR;
243 /* a style of one can be wrong if there is
244 * more than one level between the suffix
246 if ( style == ACL_STYLE_ONE ) {
247 int rdnlen = -1, sep = 0;
250 if ( !DN_SEPARATOR( dn.bv_val[dn.bv_len - patlen - 1] )) {
251 return ACL_SCOPE_ERR;
256 rdnlen = dn_rdnlen( NULL, &dn );
257 if ( rdnlen != dn.bv_len - patlen - sep )
258 return ACL_SCOPE_ERR;
261 /* if the trailing part doesn't match,
262 * then it's an error */
263 if ( strcmp( a->acl_dn_pat.bv_val,
264 &dn.bv_val[dn.bv_len - patlen] ) != 0 )
266 return ACL_SCOPE_ERR;
269 return ACL_SCOPE_PARTIAL;
275 case ACL_STYLE_CHILDREN:
276 case ACL_STYLE_SUBTREE:
284 if ( dn.bv_len < patlen &&
285 !DN_SEPARATOR( a->acl_dn_pat.bv_val[patlen - dn.bv_len - 1] ))
287 return ACL_SCOPE_ERR;
290 if ( strcmp( &a->acl_dn_pat.bv_val[patlen - dn.bv_len], dn.bv_val )
293 return ACL_SCOPE_ERR;
299 return ACL_SCOPE_UNKNOWN;
312 char *left, *right, *style, *next;
320 for ( i = 1; i < argc; i++ ) {
321 /* to clause - select which entries are protected */
322 if ( strcasecmp( argv[i], "to" ) == 0 ) {
324 fprintf( stderr, "%s: line %d: "
325 "only one to clause allowed in access line\n",
329 a = (AccessControl *) ch_calloc( 1, sizeof(AccessControl) );
330 for ( ++i; i < argc; i++ ) {
331 if ( strcasecmp( argv[i], "by" ) == 0 ) {
336 if ( strcasecmp( argv[i], "*" ) == 0 ) {
337 if ( !BER_BVISEMPTY( &a->acl_dn_pat ) ||
338 a->acl_dn_style != ACL_STYLE_REGEX )
341 "%s: line %d: dn pattern"
342 " already specified in to clause.\n",
347 ber_str2bv( "*", STRLENOF( "*" ), 1, &a->acl_dn_pat );
351 split( argv[i], '=', &left, &right );
352 split( left, '.', &left, &style );
354 if ( right == NULL ) {
355 fprintf( stderr, "%s: line %d: "
356 "missing \"=\" in \"%s\" in to clause\n",
357 fname, lineno, left );
361 if ( strcasecmp( left, "dn" ) == 0 ) {
362 if ( !BER_BVISEMPTY( &a->acl_dn_pat ) ||
363 a->acl_dn_style != ACL_STYLE_REGEX )
366 "%s: line %d: dn pattern"
367 " already specified in to clause.\n",
372 if ( style == NULL || *style == '\0' ||
373 strcasecmp( style, "baseObject" ) == 0 ||
374 strcasecmp( style, "base" ) == 0 ||
375 strcasecmp( style, "exact" ) == 0 )
377 a->acl_dn_style = ACL_STYLE_BASE;
378 ber_str2bv( right, 0, 1, &a->acl_dn_pat );
380 } else if ( strcasecmp( style, "oneLevel" ) == 0 ||
381 strcasecmp( style, "one" ) == 0 )
383 a->acl_dn_style = ACL_STYLE_ONE;
384 ber_str2bv( right, 0, 1, &a->acl_dn_pat );
386 } else if ( strcasecmp( style, "subtree" ) == 0 ||
387 strcasecmp( style, "sub" ) == 0 )
389 if( *right == '\0' ) {
390 ber_str2bv( "*", STRLENOF( "*" ), 1, &a->acl_dn_pat );
393 a->acl_dn_style = ACL_STYLE_SUBTREE;
394 ber_str2bv( right, 0, 1, &a->acl_dn_pat );
397 } else if ( strcasecmp( style, "children" ) == 0 ) {
398 a->acl_dn_style = ACL_STYLE_CHILDREN;
399 ber_str2bv( right, 0, 1, &a->acl_dn_pat );
401 } else if ( strcasecmp( style, "regex" ) == 0 ) {
402 a->acl_dn_style = ACL_STYLE_REGEX;
404 if ( *right == '\0' ) {
405 /* empty regex should match empty DN */
406 a->acl_dn_style = ACL_STYLE_BASE;
407 ber_str2bv( right, 0, 1, &a->acl_dn_pat );
409 } else if ( strcmp(right, "*") == 0
410 || strcmp(right, ".*") == 0
411 || strcmp(right, ".*$") == 0
412 || strcmp(right, "^.*") == 0
413 || strcmp(right, "^.*$") == 0
414 || strcmp(right, ".*$$") == 0
415 || strcmp(right, "^.*$$") == 0 )
417 ber_str2bv( "*", STRLENOF("*"), 1, &a->acl_dn_pat );
420 acl_regex_normalized_dn( right, &a->acl_dn_pat );
424 fprintf( stderr, "%s: line %d: "
425 "unknown dn style \"%s\" in to clause\n",
426 fname, lineno, style );
433 if ( strcasecmp( left, "filter" ) == 0 ) {
434 if ( (a->acl_filter = str2filter( right )) == NULL ) {
436 "%s: line %d: bad filter \"%s\" in to clause\n",
437 fname, lineno, right );
441 } else if ( strcasecmp( left, "attr" ) == 0 /* TOLERATED */
442 || strcasecmp( left, "attrs" ) == 0 ) /* DOCUMENTED */
444 a->acl_attrs = str2anlist( a->acl_attrs,
446 if ( a->acl_attrs == NULL ) {
448 "%s: line %d: unknown attr \"%s\" in to clause\n",
449 fname, lineno, right );
453 } else if ( strncasecmp( left, "val", 3 ) == 0 ) {
454 if ( !BER_BVISEMPTY( &a->acl_attrval ) ) {
456 "%s: line %d: attr val already specified in to clause.\n",
460 if ( a->acl_attrs == NULL || !BER_BVISEMPTY( &a->acl_attrs[1].an_name ) )
463 "%s: line %d: attr val requires a single attribute.\n",
467 ber_str2bv( right, 0, 1, &a->acl_attrval );
468 a->acl_attrval_style = ACL_STYLE_BASE;
469 if ( style != NULL ) {
470 if ( strcasecmp( style, "regex" ) == 0 ) {
471 int e = regcomp( &a->acl_attrval_re, a->acl_attrval.bv_val,
472 REG_EXTENDED | REG_ICASE | REG_NOSUB );
475 regerror( e, &a->acl_attrval_re, buf, sizeof(buf) );
476 fprintf( stderr, "%s: line %d: "
477 "regular expression \"%s\" bad because of %s\n",
478 fname, lineno, right, buf );
481 a->acl_attrval_style = ACL_STYLE_REGEX;
484 /* FIXME: if the attribute has DN syntax, we might
485 * allow one, subtree and children styles as well */
486 if ( !strcasecmp( style, "base" ) ||
487 !strcasecmp( style, "exact" ) ) {
488 a->acl_attrval_style = ACL_STYLE_BASE;
490 } else if ( a->acl_attrs[0].an_desc->ad_type->
491 sat_syntax == slap_schema.si_syn_distinguishedName )
493 if ( !strcasecmp( style, "baseObject" ) ||
494 !strcasecmp( style, "base" ) )
496 a->acl_attrval_style = ACL_STYLE_BASE;
497 } else if ( !strcasecmp( style, "onelevel" ) ||
498 !strcasecmp( style, "one" ) )
500 a->acl_attrval_style = ACL_STYLE_ONE;
501 } else if ( !strcasecmp( style, "subtree" ) ||
502 !strcasecmp( style, "sub" ) )
504 a->acl_attrval_style = ACL_STYLE_SUBTREE;
505 } else if ( !strcasecmp( style, "children" ) ) {
506 a->acl_attrval_style = ACL_STYLE_CHILDREN;
509 "%s: line %d: unknown val.<style> \"%s\" "
510 "for attributeType \"%s\" with DN syntax; "
512 fname, lineno, style,
513 a->acl_attrs[0].an_desc->ad_cname.bv_val );
514 a->acl_attrval_style = ACL_STYLE_BASE;
519 "%s: line %d: unknown val.<style> \"%s\" "
520 "for attributeType \"%s\"; using \"exact\"\n",
521 fname, lineno, style,
522 a->acl_attrs[0].an_desc->ad_cname.bv_val );
523 a->acl_attrval_style = ACL_STYLE_BASE;
530 "%s: line %d: expecting <what> got \"%s\"\n",
531 fname, lineno, left );
536 if ( !BER_BVISNULL( &a->acl_dn_pat ) &&
537 ber_bvccmp( &a->acl_dn_pat, '*' ) )
539 free( a->acl_dn_pat.bv_val );
540 BER_BVZERO( &a->acl_dn_pat );
543 if ( !BER_BVISEMPTY( &a->acl_dn_pat ) ||
544 a->acl_dn_style != ACL_STYLE_REGEX )
546 if ( a->acl_dn_style != ACL_STYLE_REGEX ) {
548 rc = dnNormalize( 0, NULL, NULL, &a->acl_dn_pat, &bv, NULL);
549 if ( rc != LDAP_SUCCESS ) {
551 "%s: line %d: bad DN \"%s\" in to DN clause\n",
552 fname, lineno, a->acl_dn_pat.bv_val );
555 free( a->acl_dn_pat.bv_val );
559 int e = regcomp( &a->acl_dn_re, a->acl_dn_pat.bv_val,
560 REG_EXTENDED | REG_ICASE );
563 regerror( e, &a->acl_dn_re, buf, sizeof(buf) );
564 fprintf( stderr, "%s: line %d: "
565 "regular expression \"%s\" bad because of %s\n",
566 fname, lineno, right, buf );
572 /* by clause - select who has what access to entries */
573 } else if ( strcasecmp( argv[i], "by" ) == 0 ) {
575 fprintf( stderr, "%s: line %d: "
576 "to clause required before by clause in access line\n",
582 * by clause consists of <who> and <access>
585 b = (Access *) ch_calloc( 1, sizeof(Access) );
587 ACL_INVALIDATE( b->a_access_mask );
591 "%s: line %d: premature eol: expecting <who>\n",
597 for ( ; i < argc; i++ ) {
598 slap_style_t sty = ACL_STYLE_REGEX;
599 char *style_modifier = NULL;
600 char *style_level = NULL;
603 slap_dn_access *bdn = &b->a_dn;
606 split( argv[i], '=', &left, &right );
607 split( left, '.', &left, &style );
609 split( style, ',', &style, &style_modifier );
611 if ( strncasecmp( style, "level", STRLENOF( "level" ) ) == 0 ) {
612 split( style, '{', &style, &style_level );
613 if ( style_level != NULL ) {
614 char *p = strchr( style_level, '}' );
617 "%s: line %d: premature eol: "
618 "expecting closing '}' in \"level{n}\"\n",
621 } else if ( p == style_level ) {
623 "%s: line %d: empty level "
633 if ( style == NULL || *style == '\0' ||
634 strcasecmp( style, "exact" ) == 0 ||
635 strcasecmp( style, "baseObject" ) == 0 ||
636 strcasecmp( style, "base" ) == 0 )
638 sty = ACL_STYLE_BASE;
640 } else if ( strcasecmp( style, "onelevel" ) == 0 ||
641 strcasecmp( style, "one" ) == 0 )
645 } else if ( strcasecmp( style, "subtree" ) == 0 ||
646 strcasecmp( style, "sub" ) == 0 )
648 sty = ACL_STYLE_SUBTREE;
650 } else if ( strcasecmp( style, "children" ) == 0 ) {
651 sty = ACL_STYLE_CHILDREN;
653 } else if ( strcasecmp( style, "level" ) == 0 )
657 level = strtol( style_level, &next, 10 );
658 if ( next[0] != '\0' ) {
660 "%s: line %d: unable to parse level "
666 sty = ACL_STYLE_LEVEL;
668 } else if ( strcasecmp( style, "regex" ) == 0 ) {
669 sty = ACL_STYLE_REGEX;
671 } else if ( strcasecmp( style, "expand" ) == 0 ) {
672 sty = ACL_STYLE_EXPAND;
674 } else if ( strcasecmp( style, "ip" ) == 0 ) {
677 } else if ( strcasecmp( style, "path" ) == 0 ) {
678 sty = ACL_STYLE_PATH;
679 #ifndef LDAP_PF_LOCAL
680 fprintf( stderr, "%s: line %d: "
681 "path style modifier is useless without local\n",
683 #endif /* LDAP_PF_LOCAL */
687 "%s: line %d: unknown style \"%s\" in by clause\n",
688 fname, lineno, style );
692 if ( style_modifier &&
693 strcasecmp( style_modifier, "expand" ) == 0 )
696 case ACL_STYLE_REGEX:
697 fprintf( stderr, "%s: line %d: "
698 "\"regex\" style implies "
699 "\"expand\" modifier"
700 SLAPD_CONF_UNKNOWN_IGNORED ".\n",
702 #ifdef SLAPD_CONF_UNKNOWN_BAILOUT
704 #endif /* SLAPD_CONF_UNKNOWN_BAILOUT */
707 case ACL_STYLE_EXPAND:
709 /* FIXME: now it's legal... */
710 fprintf( stderr, "%s: line %d: "
711 "\"expand\" style used "
712 "in conjunction with "
713 "\"expand\" modifier"
714 SLAPD_CONF_UNKNOWN_IGNORED ".\n",
716 #ifdef SLAPD_CONF_UNKNOWN_BAILOUT
718 #endif /* SLAPD_CONF_UNKNOWN_BAILOUT */
723 /* we'll see later if it's pertinent */
729 /* expand in <who> needs regex in <what> */
730 if ( ( sty == ACL_STYLE_EXPAND || expand )
731 && a->acl_dn_style != ACL_STYLE_REGEX )
733 fprintf( stderr, "%s: line %d: "
734 "\"expand\" style or modifier used "
735 "in conjunction with "
736 "a non-regex <what> clause\n",
740 if ( strncasecmp( left, "real", STRLENOF( "real" ) ) == 0 ) {
743 left += STRLENOF( "real" );
746 if ( strcasecmp( left, "*" ) == 0 ) {
751 ber_str2bv( "*", STRLENOF( "*" ), 1, &bv );
752 sty = ACL_STYLE_REGEX;
754 } else if ( strcasecmp( left, "anonymous" ) == 0 ) {
755 ber_str2bv("anonymous", STRLENOF( "anonymous" ), 1, &bv);
756 sty = ACL_STYLE_ANONYMOUS;
758 } else if ( strcasecmp( left, "users" ) == 0 ) {
759 ber_str2bv("users", STRLENOF( "users" ), 1, &bv);
760 sty = ACL_STYLE_USERS;
762 } else if ( strcasecmp( left, "self" ) == 0 ) {
763 ber_str2bv("self", STRLENOF( "self" ), 1, &bv);
764 sty = ACL_STYLE_SELF;
766 } else if ( strcasecmp( left, "dn" ) == 0 ) {
767 if ( sty == ACL_STYLE_REGEX ) {
768 bdn->a_style = ACL_STYLE_REGEX;
769 if ( right == NULL ) {
774 bdn->a_style = ACL_STYLE_USERS;
776 } else if (*right == '\0' ) {
778 ber_str2bv("anonymous",
779 STRLENOF( "anonymous" ),
781 bdn->a_style = ACL_STYLE_ANONYMOUS;
783 } else if ( strcmp( right, "*" ) == 0 ) {
785 /* any or users? users for now */
789 bdn->a_style = ACL_STYLE_USERS;
791 } else if ( strcmp( right, ".+" ) == 0
792 || strcmp( right, "^.+" ) == 0
793 || strcmp( right, ".+$" ) == 0
794 || strcmp( right, "^.+$" ) == 0
795 || strcmp( right, ".+$$" ) == 0
796 || strcmp( right, "^.+$$" ) == 0 )
801 bdn->a_style = ACL_STYLE_USERS;
803 } else if ( strcmp( right, ".*" ) == 0
804 || strcmp( right, "^.*" ) == 0
805 || strcmp( right, ".*$" ) == 0
806 || strcmp( right, "^.*$" ) == 0
807 || strcmp( right, ".*$$" ) == 0
808 || strcmp( right, "^.*$$" ) == 0 )
815 acl_regex_normalized_dn( right, &bv );
816 if ( !ber_bvccmp( &bv, '*' ) ) {
817 regtest( fname, lineno, bv.bv_val );
821 } else if ( right == NULL || *right == '\0' ) {
822 fprintf( stderr, "%s: line %d: "
823 "missing \"=\" in (or value after) \"%s\" "
825 fname, lineno, left );
829 ber_str2bv( right, 0, 1, &bv );
836 if ( !BER_BVISNULL( &bv ) ) {
837 if ( !BER_BVISEMPTY( &bdn->a_pat ) ) {
839 "%s: line %d: dn pattern already specified.\n",
844 if ( sty != ACL_STYLE_REGEX &&
845 sty != ACL_STYLE_ANONYMOUS &&
846 sty != ACL_STYLE_USERS &&
847 sty != ACL_STYLE_SELF &&
850 rc = dnNormalize(0, NULL, NULL,
851 &bv, &bdn->a_pat, NULL);
852 if ( rc != LDAP_SUCCESS ) {
854 "%s: line %d: bad DN \"%s\" in by DN clause\n",
855 fname, lineno, bv.bv_val );
868 for ( exp = strchr( bdn->a_pat.bv_val, '$' );
869 exp && exp - bdn->a_pat.bv_val < bdn->a_pat.bv_len;
870 exp = strchr( exp, '$' ) )
872 if ( isdigit( exp[ 1 ] ) ) {
879 bdn->a_expand = expand;
883 "%s: line %d: \"expand\" used "
884 "with no expansions in \"pattern\""
885 SLAPD_CONF_UNKNOWN_IGNORED ".\n",
887 #ifdef SLAPD_CONF_UNKNOWN_BAILOUT
889 #endif /* SLAPD_CONF_UNKNOWN_BAILOUT */
892 if ( sty == ACL_STYLE_SELF ) {
893 bdn->a_self_level = level;
898 "%s: line %d: bad negative level \"%d\" "
900 fname, lineno, level );
902 } else if ( level == 1 ) {
904 "%s: line %d: \"onelevel\" should be used "
905 "instead of \"level{1}\" in by DN clause\n",
907 } else if ( level == 0 && sty == ACL_STYLE_LEVEL ) {
909 "%s: line %d: \"base\" should be used "
910 "instead of \"level{0}\" in by DN clause\n",
914 bdn->a_level = level;
919 if ( strcasecmp( left, "dnattr" ) == 0 ) {
920 if ( right == NULL || right[0] == '\0' ) {
921 fprintf( stderr, "%s: line %d: "
922 "missing \"=\" in (or value after) \"%s\" "
924 fname, lineno, left );
928 if( bdn->a_at != NULL ) {
930 "%s: line %d: dnattr already specified.\n",
935 rc = slap_str2ad( right, &bdn->a_at, &text );
937 if( rc != LDAP_SUCCESS ) {
939 "%s: line %d: dnattr \"%s\": %s\n",
940 fname, lineno, right, text );
945 if( !is_at_syntax( bdn->a_at->ad_type,
947 !is_at_syntax( bdn->a_at->ad_type,
948 SLAPD_NAMEUID_SYNTAX ))
951 "%s: line %d: dnattr \"%s\": "
952 "inappropriate syntax: %s\n",
953 fname, lineno, right,
954 bdn->a_at->ad_type->sat_syntax_oid );
958 if( bdn->a_at->ad_type->sat_equality == NULL ) {
960 "%s: line %d: dnattr \"%s\": "
961 "inappropriate matching (no EQUALITY)\n",
962 fname, lineno, right );
969 if ( strncasecmp( left, "group", STRLENOF( "group" ) ) == 0 ) {
974 case ACL_STYLE_REGEX:
975 /* legacy, tolerated */
976 fprintf( stderr, "%s: line %d: "
977 "deprecated group style \"regex\"; "
978 "use \"expand\" instead\n",
979 fname, lineno, style );
980 sty = ACL_STYLE_EXPAND;
984 /* legal, traditional */
985 case ACL_STYLE_EXPAND:
986 /* legal, substring expansion; supersedes regex */
991 fprintf( stderr, "%s: line %d: "
992 "inappropriate style \"%s\" in by clause\n",
993 fname, lineno, style );
997 if ( right == NULL || right[0] == '\0' ) {
998 fprintf( stderr, "%s: line %d: "
999 "missing \"=\" in (or value after) \"%s\" "
1001 fname, lineno, left );
1005 if ( !BER_BVISEMPTY( &b->a_group_pat ) ) {
1007 "%s: line %d: group pattern already specified.\n",
1012 /* format of string is
1013 "group/objectClassValue/groupAttrName" */
1014 if ( ( value = strchr(left, '/') ) != NULL ) {
1016 if ( *value && ( name = strchr( value, '/' ) ) != NULL ) {
1021 b->a_group_style = sty;
1022 if ( sty == ACL_STYLE_EXPAND ) {
1023 acl_regex_normalized_dn( right, &bv );
1024 if ( !ber_bvccmp( &bv, '*' ) ) {
1025 regtest( fname, lineno, bv.bv_val );
1027 b->a_group_pat = bv;
1030 ber_str2bv( right, 0, 0, &bv );
1031 rc = dnNormalize( 0, NULL, NULL, &bv,
1032 &b->a_group_pat, NULL );
1033 if ( rc != LDAP_SUCCESS ) {
1035 "%s: line %d: bad DN \"%s\"\n",
1036 fname, lineno, right );
1041 if ( value && *value ) {
1042 b->a_group_oc = oc_find( value );
1045 if ( b->a_group_oc == NULL ) {
1047 "%s: line %d: group objectclass "
1049 fname, lineno, value );
1054 b->a_group_oc = oc_find(SLAPD_GROUP_CLASS);
1056 if( b->a_group_oc == NULL ) {
1058 "%s: line %d: group default objectclass "
1060 fname, lineno, SLAPD_GROUP_CLASS );
1065 if ( is_object_subclass( slap_schema.si_oc_referral,
1069 "%s: line %d: group objectclass \"%s\" "
1070 "is subclass of referral\n",
1071 fname, lineno, value );
1075 if ( is_object_subclass( slap_schema.si_oc_alias,
1079 "%s: line %d: group objectclass \"%s\" "
1080 "is subclass of alias\n",
1081 fname, lineno, value );
1085 if ( name && *name ) {
1086 rc = slap_str2ad( name, &b->a_group_at, &text );
1088 if( rc != LDAP_SUCCESS ) {
1090 "%s: line %d: group \"%s\": %s\n",
1091 fname, lineno, right, text );
1097 rc = slap_str2ad( SLAPD_GROUP_ATTR, &b->a_group_at, &text );
1099 if ( rc != LDAP_SUCCESS ) {
1101 "%s: line %d: group \"%s\": %s\n",
1102 fname, lineno, SLAPD_GROUP_ATTR, text );
1107 if ( !is_at_syntax( b->a_group_at->ad_type,
1108 SLAPD_DN_SYNTAX ) &&
1109 !is_at_syntax( b->a_group_at->ad_type,
1110 SLAPD_NAMEUID_SYNTAX ) &&
1111 !is_at_subtype( b->a_group_at->ad_type, slap_schema.si_ad_labeledURI->ad_type ) )
1114 "%s: line %d: group \"%s\": inappropriate syntax: %s\n",
1115 fname, lineno, right,
1116 b->a_group_at->ad_type->sat_syntax_oid );
1123 struct berval vals[2];
1125 ber_str2bv( b->a_group_oc->soc_oid, 0, 0, &vals[0] );
1126 BER_BVZERO( &vals[1] );
1128 rc = oc_check_allowed( b->a_group_at->ad_type,
1132 fprintf( stderr, "%s: line %d: "
1133 "group: \"%s\" not allowed by \"%s\"\n",
1135 b->a_group_at->ad_cname.bv_val,
1136 b->a_group_oc->soc_oid );
1143 if ( strcasecmp( left, "peername" ) == 0 ) {
1145 case ACL_STYLE_REGEX:
1146 case ACL_STYLE_BASE:
1147 /* legal, traditional */
1148 case ACL_STYLE_EXPAND:
1149 /* cheap replacement to regex for simple expansion */
1151 case ACL_STYLE_PATH:
1152 /* legal, peername specific */
1156 fprintf( stderr, "%s: line %d: "
1157 "inappropriate style \"%s\" in by clause\n",
1158 fname, lineno, style );
1162 if ( right == NULL || right[0] == '\0' ) {
1163 fprintf( stderr, "%s: line %d: "
1164 "missing \"=\" in (or value after) \"%s\" "
1166 fname, lineno, left );
1170 if ( !BER_BVISEMPTY( &b->a_peername_pat ) ) {
1171 fprintf( stderr, "%s: line %d: "
1172 "peername pattern already specified.\n",
1177 b->a_peername_style = sty;
1178 if ( sty == ACL_STYLE_REGEX ) {
1179 acl_regex_normalized_dn( right, &bv );
1180 if ( !ber_bvccmp( &bv, '*' ) ) {
1181 regtest( fname, lineno, bv.bv_val );
1183 b->a_peername_pat = bv;
1186 ber_str2bv( right, 0, 1, &b->a_peername_pat );
1188 if ( sty == ACL_STYLE_IP ) {
1193 split( right, '{', &addr, &port );
1194 split( addr, '%', &addr, &mask );
1196 b->a_peername_addr = inet_addr( addr );
1197 if ( b->a_peername_addr == (unsigned long)(-1) ) {
1198 /* illegal address */
1199 fprintf( stderr, "%s: line %d: "
1200 "illegal peername address \"%s\".\n",
1201 fname, lineno, addr );
1205 b->a_peername_mask = (unsigned long)(-1);
1206 if ( mask != NULL ) {
1207 b->a_peername_mask = inet_addr( mask );
1208 if ( b->a_peername_mask ==
1209 (unsigned long)(-1) )
1212 fprintf( stderr, "%s: line %d: "
1213 "illegal peername address mask "
1215 fname, lineno, mask );
1220 b->a_peername_port = -1;
1224 b->a_peername_port = strtol( port, &end, 10 );
1225 if ( end[0] != '}' ) {
1227 fprintf( stderr, "%s: line %d: "
1228 "illegal peername port specification "
1230 fname, lineno, port );
1239 if ( strcasecmp( left, "sockname" ) == 0 ) {
1241 case ACL_STYLE_REGEX:
1242 case ACL_STYLE_BASE:
1243 /* legal, traditional */
1244 case ACL_STYLE_EXPAND:
1245 /* cheap replacement to regex for simple expansion */
1250 fprintf( stderr, "%s: line %d: "
1251 "inappropriate style \"%s\" in by clause\n",
1252 fname, lineno, style );
1256 if ( right == NULL || right[0] == '\0' ) {
1257 fprintf( stderr, "%s: line %d: "
1258 "missing \"=\" in (or value after) \"%s\" "
1260 fname, lineno, left );
1264 if ( !BER_BVISNULL( &b->a_sockname_pat ) ) {
1265 fprintf( stderr, "%s: line %d: "
1266 "sockname pattern already specified.\n",
1271 b->a_sockname_style = sty;
1272 if ( sty == ACL_STYLE_REGEX ) {
1273 acl_regex_normalized_dn( right, &bv );
1274 if ( !ber_bvccmp( &bv, '*' ) ) {
1275 regtest( fname, lineno, bv.bv_val );
1277 b->a_sockname_pat = bv;
1280 ber_str2bv( right, 0, 1, &b->a_sockname_pat );
1285 if ( strcasecmp( left, "domain" ) == 0 ) {
1287 case ACL_STYLE_REGEX:
1288 case ACL_STYLE_BASE:
1289 case ACL_STYLE_SUBTREE:
1290 /* legal, traditional */
1293 case ACL_STYLE_EXPAND:
1294 /* tolerated: means exact,expand */
1298 "\"expand\" modifier "
1299 "with \"expand\" style\n",
1302 sty = ACL_STYLE_BASE;
1308 fprintf( stderr, "%s: line %d: "
1309 "inappropriate style \"%s\" in by clause\n",
1310 fname, lineno, style );
1314 if ( right == NULL || right[0] == '\0' ) {
1315 fprintf( stderr, "%s: line %d: "
1316 "missing \"=\" in (or value after) \"%s\" "
1318 fname, lineno, left );
1322 if ( !BER_BVISEMPTY( &b->a_domain_pat ) ) {
1324 "%s: line %d: domain pattern already specified.\n",
1329 b->a_domain_style = sty;
1330 b->a_domain_expand = expand;
1331 if ( sty == ACL_STYLE_REGEX ) {
1332 acl_regex_normalized_dn( right, &bv );
1333 if ( !ber_bvccmp( &bv, '*' ) ) {
1334 regtest( fname, lineno, bv.bv_val );
1336 b->a_domain_pat = bv;
1339 ber_str2bv( right, 0, 1, &b->a_domain_pat );
1344 if ( strcasecmp( left, "sockurl" ) == 0 ) {
1346 case ACL_STYLE_REGEX:
1347 case ACL_STYLE_BASE:
1348 /* legal, traditional */
1349 case ACL_STYLE_EXPAND:
1350 /* cheap replacement to regex for simple expansion */
1355 fprintf( stderr, "%s: line %d: "
1356 "inappropriate style \"%s\" in by clause\n",
1357 fname, lineno, style );
1361 if ( right == NULL || right[0] == '\0' ) {
1362 fprintf( stderr, "%s: line %d: "
1363 "missing \"=\" in (or value after) \"%s\" "
1365 fname, lineno, left );
1369 if ( !BER_BVISEMPTY( &b->a_sockurl_pat ) ) {
1371 "%s: line %d: sockurl pattern already specified.\n",
1376 b->a_sockurl_style = sty;
1377 if ( sty == ACL_STYLE_REGEX ) {
1378 acl_regex_normalized_dn( right, &bv );
1379 if ( !ber_bvccmp( &bv, '*' ) ) {
1380 regtest( fname, lineno, bv.bv_val );
1382 b->a_sockurl_pat = bv;
1385 ber_str2bv( right, 0, 1, &b->a_sockurl_pat );
1390 if ( strcasecmp( left, "set" ) == 0 ) {
1393 case ACL_STYLE_REGEX:
1394 fprintf( stderr, "%s: line %d: "
1395 "deprecated set style "
1396 "\"regex\" in <by> clause; "
1397 "use \"expand\" instead\n",
1399 sty = ACL_STYLE_EXPAND;
1402 case ACL_STYLE_BASE:
1403 case ACL_STYLE_EXPAND:
1407 fprintf( stderr, "%s: line %d: "
1408 "inappropriate style \"%s\" in by clause\n",
1409 fname, lineno, style );
1413 if ( !BER_BVISEMPTY( &b->a_set_pat ) ) {
1415 "%s: line %d: set attribute already specified.\n",
1420 if ( right == NULL || *right == '\0' ) {
1422 "%s: line %d: no set is defined\n",
1427 b->a_set_style = sty;
1428 ber_str2bv( right, 0, 1, &b->a_set_pat );
1437 if ( strcasecmp( left, "aci" ) == 0 ) {
1440 } else if ( strncasecmp( left, "dynacl/", STRLENOF( "dynacl/" ) ) == 0 ) {
1441 name = &left[ STRLENOF( "dynacl/" ) ];
1445 if ( slap_dynacl_config( fname, lineno, b, name, sty, right ) ) {
1446 fprintf( stderr, "%s: line %d: "
1447 "unable to configure dynacl \"%s\"\n",
1448 fname, lineno, name );
1455 #else /* ! SLAP_DYNACL */
1457 #ifdef SLAPD_ACI_ENABLED
1458 if ( strcasecmp( left, "aci" ) == 0 ) {
1459 if (sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE) {
1460 fprintf( stderr, "%s: line %d: "
1461 "inappropriate style \"%s\" in by clause\n",
1462 fname, lineno, style );
1466 if( b->a_aci_at != NULL ) {
1468 "%s: line %d: aci attribute already specified.\n",
1473 if ( right != NULL && *right != '\0' ) {
1474 rc = slap_str2ad( right, &b->a_aci_at, &text );
1476 if( rc != LDAP_SUCCESS ) {
1478 "%s: line %d: aci \"%s\": %s\n",
1479 fname, lineno, right, text );
1484 b->a_aci_at = slap_schema.si_ad_aci;
1487 if( !is_at_syntax( b->a_aci_at->ad_type,
1490 fprintf( stderr, "%s: line %d: "
1491 "aci \"%s\": inappropriate syntax: %s\n",
1492 fname, lineno, right,
1493 b->a_aci_at->ad_type->sat_syntax_oid );
1499 #endif /* SLAPD_ACI_ENABLED */
1500 #endif /* ! SLAP_DYNACL */
1502 if ( strcasecmp( left, "ssf" ) == 0 ) {
1503 if ( sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE ) {
1504 fprintf( stderr, "%s: line %d: "
1505 "inappropriate style \"%s\" in by clause\n",
1506 fname, lineno, style );
1510 if ( b->a_authz.sai_ssf ) {
1512 "%s: line %d: ssf attribute already specified.\n",
1517 if ( right == NULL || *right == '\0' ) {
1519 "%s: line %d: no ssf is defined\n",
1524 b->a_authz.sai_ssf = strtol( right, &next, 10 );
1525 if ( next == NULL || next[0] != '\0' ) {
1527 "%s: line %d: unable to parse ssf value (%s)\n",
1528 fname, lineno, right );
1532 if ( !b->a_authz.sai_ssf ) {
1534 "%s: line %d: invalid ssf value (%s)\n",
1535 fname, lineno, right );
1541 if ( strcasecmp( left, "transport_ssf" ) == 0 ) {
1542 if ( sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE ) {
1543 fprintf( stderr, "%s: line %d: "
1544 "inappropriate style \"%s\" in by clause\n",
1545 fname, lineno, style );
1549 if ( b->a_authz.sai_transport_ssf ) {
1550 fprintf( stderr, "%s: line %d: "
1551 "transport_ssf attribute already specified.\n",
1556 if ( right == NULL || *right == '\0' ) {
1558 "%s: line %d: no transport_ssf is defined\n",
1563 b->a_authz.sai_transport_ssf = strtol( right, &next, 10 );
1564 if ( next == NULL || next[0] != '\0' ) {
1565 fprintf( stderr, "%s: line %d: "
1566 "unable to parse transport_ssf value (%s)\n",
1567 fname, lineno, right );
1571 if ( !b->a_authz.sai_transport_ssf ) {
1573 "%s: line %d: invalid transport_ssf value (%s)\n",
1574 fname, lineno, right );
1580 if ( strcasecmp( left, "tls_ssf" ) == 0 ) {
1581 if ( sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE ) {
1582 fprintf( stderr, "%s: line %d: "
1583 "inappropriate style \"%s\" in by clause\n",
1584 fname, lineno, style );
1588 if ( b->a_authz.sai_tls_ssf ) {
1589 fprintf( stderr, "%s: line %d: "
1590 "tls_ssf attribute already specified.\n",
1595 if ( right == NULL || *right == '\0' ) {
1597 "%s: line %d: no tls_ssf is defined\n",
1602 b->a_authz.sai_tls_ssf = strtol( right, &next, 10 );
1603 if ( next == NULL || next[0] != '\0' ) {
1604 fprintf( stderr, "%s: line %d: "
1605 "unable to parse tls_ssf value (%s)\n",
1606 fname, lineno, right );
1610 if ( !b->a_authz.sai_tls_ssf ) {
1612 "%s: line %d: invalid tls_ssf value (%s)\n",
1613 fname, lineno, right );
1619 if ( strcasecmp( left, "sasl_ssf" ) == 0 ) {
1620 if ( sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE ) {
1621 fprintf( stderr, "%s: line %d: "
1622 "inappropriate style \"%s\" in by clause\n",
1623 fname, lineno, style );
1627 if ( b->a_authz.sai_sasl_ssf ) {
1628 fprintf( stderr, "%s: line %d: "
1629 "sasl_ssf attribute already specified.\n",
1634 if ( right == NULL || *right == '\0' ) {
1636 "%s: line %d: no sasl_ssf is defined\n",
1641 b->a_authz.sai_sasl_ssf = strtol( right, &next, 10 );
1642 if ( next == NULL || next[0] != '\0' ) {
1643 fprintf( stderr, "%s: line %d: "
1644 "unable to parse sasl_ssf value (%s)\n",
1645 fname, lineno, right );
1649 if ( !b->a_authz.sai_sasl_ssf ) {
1651 "%s: line %d: invalid sasl_ssf value (%s)\n",
1652 fname, lineno, right );
1658 if ( right != NULL ) {
1665 if ( i == argc || ( strcasecmp( left, "stop" ) == 0 ) ) {
1666 /* out of arguments or plain stop */
1668 ACL_PRIV_ASSIGN( b->a_access_mask, ACL_PRIV_ADDITIVE );
1669 b->a_type = ACL_STOP;
1671 access_append( &a->acl_access, b );
1675 if ( strcasecmp( left, "continue" ) == 0 ) {
1676 /* plain continue */
1678 ACL_PRIV_ASSIGN( b->a_access_mask, ACL_PRIV_ADDITIVE );
1679 b->a_type = ACL_CONTINUE;
1681 access_append( &a->acl_access, b );
1685 if ( strcasecmp( left, "break" ) == 0 ) {
1686 /* plain continue */
1688 ACL_PRIV_ASSIGN(b->a_access_mask, ACL_PRIV_ADDITIVE);
1689 b->a_type = ACL_BREAK;
1691 access_append( &a->acl_access, b );
1695 if ( strcasecmp( left, "by" ) == 0 ) {
1696 /* we've gone too far */
1698 ACL_PRIV_ASSIGN( b->a_access_mask, ACL_PRIV_ADDITIVE );
1699 b->a_type = ACL_STOP;
1701 access_append( &a->acl_access, b );
1706 if ( strncasecmp( left, "self", STRLENOF( "self" ) ) == 0 ) {
1708 ACL_PRIV_ASSIGN( b->a_access_mask, str2accessmask( &left[ STRLENOF( "self" ) ] ) );
1710 } else if ( strncasecmp( left, "realself", STRLENOF( "realself" ) ) == 0 ) {
1711 b->a_realdn_self = 1;
1712 ACL_PRIV_ASSIGN( b->a_access_mask, str2accessmask( &left[ STRLENOF( "realself" ) ] ) );
1715 ACL_PRIV_ASSIGN( b->a_access_mask, str2accessmask( left ) );
1718 if ( ACL_IS_INVALID( b->a_access_mask ) ) {
1720 "%s: line %d: expecting <access> got \"%s\"\n",
1721 fname, lineno, left );
1725 b->a_type = ACL_STOP;
1727 if ( ++i == argc ) {
1728 /* out of arguments or plain stop */
1729 access_append( &a->acl_access, b );
1733 if ( strcasecmp( argv[i], "continue" ) == 0 ) {
1734 /* plain continue */
1735 b->a_type = ACL_CONTINUE;
1737 } else if ( strcasecmp( argv[i], "break" ) == 0 ) {
1738 /* plain continue */
1739 b->a_type = ACL_BREAK;
1741 } else if ( strcasecmp( argv[i], "stop" ) != 0 ) {
1746 access_append( &a->acl_access, b );
1750 "%s: line %d: expecting \"to\" "
1751 "or \"by\" got \"%s\"\n",
1752 fname, lineno, argv[i] );
1757 /* if we have no real access clause, complain and do nothing */
1759 fprintf( stderr, "%s: line %d: "
1760 "warning: no access clause(s) specified in access line\n",
1765 if ( ldap_debug & LDAP_DEBUG_ACL ) {
1770 if ( a->acl_access == NULL ) {
1771 fprintf( stderr, "%s: line %d: "
1772 "warning: no by clause(s) specified in access line\n",
1777 if ( !BER_BVISNULL( &be->be_nsuffix[ 1 ] ) ) {
1778 fprintf( stderr, "%s: line %d: warning: "
1779 "scope checking only applies to single-valued "
1780 "suffix databases\n",
1782 /* go ahead, since checking is not authoritative */
1785 switch ( check_scope( be, a ) ) {
1786 case ACL_SCOPE_UNKNOWN:
1787 fprintf( stderr, "%s: line %d: warning: "
1788 "cannot assess the validity of the ACL scope within "
1789 "backend naming context\n",
1793 case ACL_SCOPE_WARN:
1794 fprintf( stderr, "%s: line %d: warning: "
1795 "ACL could be out of scope within backend naming context\n",
1799 case ACL_SCOPE_PARTIAL:
1800 fprintf( stderr, "%s: line %d: warning: "
1801 "ACL appears to be partially out of scope within "
1802 "backend naming context\n",
1807 fprintf( stderr, "%s: line %d: warning: "
1808 "ACL appears to be out of scope within "
1809 "backend naming context\n",
1816 acl_append( &be->be_acl, a, pos );
1819 acl_append( &frontendDB->be_acl, a, pos );
1825 accessmask2str( slap_mask_t mask, char *buf, int debug )
1830 assert( buf != NULL );
1832 if ( ACL_IS_INVALID( mask ) ) {
1838 if ( ACL_IS_LEVEL( mask ) ) {
1839 if ( ACL_LVL_IS_NONE(mask) ) {
1840 ptr = lutil_strcopy( ptr, "none" );
1842 } else if ( ACL_LVL_IS_DISCLOSE(mask) ) {
1843 ptr = lutil_strcopy( ptr, "disclose" );
1845 } else if ( ACL_LVL_IS_AUTH(mask) ) {
1846 ptr = lutil_strcopy( ptr, "auth" );
1848 } else if ( ACL_LVL_IS_COMPARE(mask) ) {
1849 ptr = lutil_strcopy( ptr, "compare" );
1851 } else if ( ACL_LVL_IS_SEARCH(mask) ) {
1852 ptr = lutil_strcopy( ptr, "search" );
1854 } else if ( ACL_LVL_IS_READ(mask) ) {
1855 ptr = lutil_strcopy( ptr, "read" );
1857 } else if ( ACL_LVL_IS_WRITE(mask) ) {
1858 ptr = lutil_strcopy( ptr, "write" );
1860 } else if ( ACL_LVL_IS_WADD(mask) ) {
1861 ptr = lutil_strcopy( ptr, "add" );
1863 } else if ( ACL_LVL_IS_WDEL(mask) ) {
1864 ptr = lutil_strcopy( ptr, "delete" );
1866 } else if ( ACL_LVL_IS_MANAGE(mask) ) {
1867 ptr = lutil_strcopy( ptr, "manage" );
1870 ptr = lutil_strcopy( ptr, "unknown" );
1880 if( ACL_IS_ADDITIVE( mask ) ) {
1883 } else if( ACL_IS_SUBTRACTIVE( mask ) ) {
1890 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_MANAGE) ) {
1895 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_WRITE) ) {
1899 } else if ( ACL_PRIV_ISSET(mask, ACL_PRIV_WADD) ) {
1903 } else if ( ACL_PRIV_ISSET(mask, ACL_PRIV_WDEL) ) {
1908 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_READ) ) {
1913 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_SEARCH) ) {
1918 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_COMPARE) ) {
1923 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_AUTH) ) {
1928 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_DISCLOSE) ) {
1933 if ( none && ACL_PRIV_ISSET(mask, ACL_PRIV_NONE) ) {
1942 if ( ACL_IS_LEVEL( mask ) ) {
1952 str2accessmask( const char *str )
1956 if( !ASCII_ALPHA(str[0]) ) {
1959 if ( str[0] == '=' ) {
1962 } else if( str[0] == '+' ) {
1963 ACL_PRIV_ASSIGN(mask, ACL_PRIV_ADDITIVE);
1965 } else if( str[0] == '-' ) {
1966 ACL_PRIV_ASSIGN(mask, ACL_PRIV_SUBSTRACTIVE);
1969 ACL_INVALIDATE(mask);
1973 for( i=1; str[i] != '\0'; i++ ) {
1974 if( TOLOWER((unsigned char) str[i]) == 'm' ) {
1975 ACL_PRIV_SET(mask, ACL_PRIV_MANAGE);
1977 } else if( TOLOWER((unsigned char) str[i]) == 'w' ) {
1978 ACL_PRIV_SET(mask, ACL_PRIV_WRITE);
1980 } else if( TOLOWER((unsigned char) str[i]) == 'a' ) {
1981 ACL_PRIV_SET(mask, ACL_PRIV_WADD);
1983 } else if( TOLOWER((unsigned char) str[i]) == 'z' ) {
1984 ACL_PRIV_SET(mask, ACL_PRIV_WDEL);
1986 } else if( TOLOWER((unsigned char) str[i]) == 'r' ) {
1987 ACL_PRIV_SET(mask, ACL_PRIV_READ);
1989 } else if( TOLOWER((unsigned char) str[i]) == 's' ) {
1990 ACL_PRIV_SET(mask, ACL_PRIV_SEARCH);
1992 } else if( TOLOWER((unsigned char) str[i]) == 'c' ) {
1993 ACL_PRIV_SET(mask, ACL_PRIV_COMPARE);
1995 } else if( TOLOWER((unsigned char) str[i]) == 'x' ) {
1996 ACL_PRIV_SET(mask, ACL_PRIV_AUTH);
1998 } else if( TOLOWER((unsigned char) str[i]) == 'd' ) {
1999 ACL_PRIV_SET(mask, ACL_PRIV_DISCLOSE);
2001 } else if( str[i] != '0' ) {
2002 ACL_INVALIDATE(mask);
2010 if ( strcasecmp( str, "none" ) == 0 ) {
2011 ACL_LVL_ASSIGN_NONE(mask);
2013 } else if ( strcasecmp( str, "disclose" ) == 0 ) {
2014 ACL_LVL_ASSIGN_DISCLOSE(mask);
2016 } else if ( strcasecmp( str, "auth" ) == 0 ) {
2017 ACL_LVL_ASSIGN_AUTH(mask);
2019 } else if ( strcasecmp( str, "compare" ) == 0 ) {
2020 ACL_LVL_ASSIGN_COMPARE(mask);
2022 } else if ( strcasecmp( str, "search" ) == 0 ) {
2023 ACL_LVL_ASSIGN_SEARCH(mask);
2025 } else if ( strcasecmp( str, "read" ) == 0 ) {
2026 ACL_LVL_ASSIGN_READ(mask);
2028 } else if ( strcasecmp( str, "add" ) == 0 ) {
2029 ACL_LVL_ASSIGN_WADD(mask);
2031 } else if ( strcasecmp( str, "delete" ) == 0 ) {
2032 ACL_LVL_ASSIGN_WDEL(mask);
2034 } else if ( strcasecmp( str, "write" ) == 0 ) {
2035 ACL_LVL_ASSIGN_WRITE(mask);
2037 } else if ( strcasecmp( str, "manage" ) == 0 ) {
2038 ACL_LVL_ASSIGN_MANAGE(mask);
2041 ACL_INVALIDATE( mask );
2050 fprintf( stderr, "%s%s%s\n",
2051 "<access clause> ::= access to <what> "
2052 "[ by <who> <access> [ <control> ] ]+ \n"
2053 "<what> ::= * | [dn[.<dnstyle>]=<DN>] [filter=<filter>] [attrs=<attrlist>]\n"
2054 "<attrlist> ::= <attr> [val[.<attrstyle>]=<value>] | <attr> , <attrlist>\n"
2055 "<attr> ::= <attrname> | entry | children\n",
2056 "<who> ::= [ * | anonymous | users | self | dn[.<dnstyle>]=<DN> ]\n"
2057 "\t[ realanonymous | realusers | realself | realdn[.<dnstyle>]=<DN> ]\n"
2058 "\t[dnattr=<attrname>]\n"
2059 "\t[realdnattr=<attrname>]\n"
2060 "\t[group[/<objectclass>[/<attrname>]][.<style>]=<group>]\n"
2061 "\t[peername[.<peernamestyle>]=<peer>] [sockname[.<style>]=<name>]\n"
2062 "\t[domain[.<domainstyle>]=<domain>] [sockurl[.<style>]=<url>]\n"
2063 #ifdef SLAPD_ACI_ENABLED
2064 "\t[aci=[<attrname>]]\n"
2067 "\t[dynacl/<name>[.<dynstyle>][=<pattern>]]\n"
2068 #endif /* SLAP_DYNACL */
2069 "\t[ssf=<n>] [transport_ssf=<n>] [tls_ssf=<n>] [sasl_ssf=<n>]\n",
2070 "<style> ::= exact | regex | base(Object)\n"
2071 "<dnstyle> ::= base(Object) | one(level) | sub(tree) | children | "
2073 "<attrstyle> ::= exact | regex | base(Object) | one(level) | "
2074 "sub(tree) | children\n"
2075 "<peernamestyle> ::= exact | regex | ip | path\n"
2076 "<domainstyle> ::= exact | regex | base(Object) | sub(tree)\n"
2077 "<access> ::= [[real]self]{<level>|<priv>}\n"
2078 "<level> ::= none|disclose|auth|compare|search|read|{write|add|delete}|manage\n"
2079 "<priv> ::= {=|+|-}{0|d|x|c|s|r|{w|a|z}|m}+\n"
2080 "<control> ::= [ stop | continue | break ]\n"
2082 exit( EXIT_FAILURE );
2086 * Set pattern to a "normalized" DN from src.
2087 * At present it simply eats the (optional) space after
2088 * a RDN separator (,)
2089 * Eventually will evolve in a more complete normalization
2092 acl_regex_normalized_dn(
2094 struct berval *pattern )
2099 str = ch_strdup( src );
2100 len = strlen( src );
2102 for ( p = str; p && p[0]; p++ ) {
2104 if ( p[0] == '\\' && p[1] ) {
2106 * if escaping a hex pair we should
2107 * increment p twice; however, in that
2108 * case the second hex number does
2114 if ( p[0] == ',' && p[1] == ' ' ) {
2118 * too much space should be an error if we are pedantic
2120 for ( q = &p[2]; q[0] == ' '; q++ ) {
2123 AC_MEMCPY( p+1, q, len-(q-str)+1);
2126 pattern->bv_val = str;
2127 pattern->bv_len = p - str;
2140 if ( (*right = strchr( line, splitchar )) != NULL ) {
2141 *((*right)++) = '\0';
2146 access_append( Access **l, Access *a )
2148 for ( ; *l != NULL; l = &(*l)->a_next ) {
2156 acl_append( AccessControl **l, AccessControl *a, int pos )
2160 for (i=0 ; i != pos && *l != NULL; l = &(*l)->acl_next, i++ ) {
2169 access_free( Access *a )
2171 if ( !BER_BVISNULL( &a->a_dn_pat ) ) {
2172 free( a->a_dn_pat.bv_val );
2174 if ( !BER_BVISNULL( &a->a_realdn_pat ) ) {
2175 free( a->a_realdn_pat.bv_val );
2177 if ( !BER_BVISNULL( &a->a_peername_pat ) ) {
2178 free( a->a_peername_pat.bv_val );
2180 if ( !BER_BVISNULL( &a->a_sockname_pat ) ) {
2181 free( a->a_sockname_pat.bv_val );
2183 if ( !BER_BVISNULL( &a->a_domain_pat ) ) {
2184 free( a->a_domain_pat.bv_val );
2186 if ( !BER_BVISNULL( &a->a_sockurl_pat ) ) {
2187 free( a->a_sockurl_pat.bv_val );
2189 if ( !BER_BVISNULL( &a->a_set_pat ) ) {
2190 free( a->a_set_pat.bv_val );
2192 if ( !BER_BVISNULL( &a->a_group_pat ) ) {
2193 free( a->a_group_pat.bv_val );
2199 acl_free( AccessControl *a )
2204 if ( a->acl_filter ) {
2205 filter_free( a->acl_filter );
2207 if ( !BER_BVISNULL( &a->acl_dn_pat ) ) {
2208 free ( a->acl_dn_pat.bv_val );
2210 if ( a->acl_attrs ) {
2211 for ( an = a->acl_attrs; !BER_BVISNULL( &an->an_name ); an++ ) {
2212 free( an->an_name.bv_val );
2214 free( a->acl_attrs );
2216 for ( ; a->acl_access; a->acl_access = n ) {
2217 n = a->acl_access->a_next;
2218 access_free( a->acl_access );
2223 /* Because backend_startup uses acl_append to tack on the global_acl to
2224 * the end of each backend's acl, we cannot just take one argument and
2225 * merrily free our way to the end of the list. backend_destroy calls us
2226 * with the be_acl in arg1, and global_acl in arg2 to give us a stopping
2227 * point. config_destroy calls us with global_acl in arg1 and NULL in
2228 * arg2, so we then proceed to polish off the global_acl.
2231 acl_destroy( AccessControl *a, AccessControl *end )
2235 for (; a && a!= end; a=n) {
2242 access2str( slap_access_t access )
2244 if ( access == ACL_NONE ) {
2247 } else if ( access == ACL_DISCLOSE ) {
2250 } else if ( access == ACL_AUTH ) {
2253 } else if ( access == ACL_COMPARE ) {
2256 } else if ( access == ACL_SEARCH ) {
2259 } else if ( access == ACL_READ ) {
2262 } else if ( access == ACL_WRITE ) {
2265 } else if ( access == ACL_WADD ) {
2268 } else if ( access == ACL_WDEL ) {
2271 } else if ( access == ACL_MANAGE ) {
2280 str2access( const char *str )
2282 if ( strcasecmp( str, "none" ) == 0 ) {
2285 } else if ( strcasecmp( str, "disclose" ) == 0 ) {
2286 #ifndef SLAP_ACL_HONOR_DISCLOSE
2287 fprintf( stderr, "str2access: warning, "
2288 "\"disclose\" privilege disabled.\n" );
2289 #endif /* SLAP_ACL_HONOR_DISCLOSE */
2290 return ACL_DISCLOSE;
2292 } else if ( strcasecmp( str, "auth" ) == 0 ) {
2295 } else if ( strcasecmp( str, "compare" ) == 0 ) {
2298 } else if ( strcasecmp( str, "search" ) == 0 ) {
2301 } else if ( strcasecmp( str, "read" ) == 0 ) {
2304 } else if ( strcasecmp( str, "write" ) == 0 ) {
2307 } else if ( strcasecmp( str, "add" ) == 0 ) {
2310 } else if ( strcasecmp( str, "delete" ) == 0 ) {
2313 } else if ( strcasecmp( str, "manage" ) == 0 ) {
2317 return( ACL_INVALID_ACCESS );
2320 #define ACLBUF_MAXLEN 8192
2322 static char aclbuf[ACLBUF_MAXLEN];
2325 dnaccess2text( slap_dn_access *bdn, char *ptr, int is_realdn )
2330 ptr = lutil_strcopy( ptr, "real" );
2333 if ( ber_bvccmp( &bdn->a_pat, '*' ) ||
2334 bdn->a_style == ACL_STYLE_ANONYMOUS ||
2335 bdn->a_style == ACL_STYLE_USERS ||
2336 bdn->a_style == ACL_STYLE_SELF )
2339 assert( ! ber_bvccmp( &bdn->a_pat, '*' ) );
2342 ptr = lutil_strcopy( ptr, bdn->a_pat.bv_val );
2343 if ( bdn->a_style == ACL_STYLE_SELF && bdn->a_self_level != 0 ) {
2344 int n = sprintf( ptr, ".level{%d}", bdn->a_self_level );
2351 ptr = lutil_strcopy( ptr, "dn." );
2352 ptr = lutil_strcopy( ptr, style_strings[bdn->a_style] );
2353 if ( bdn->a_style == ACL_STYLE_LEVEL ) {
2354 int n = sprintf( ptr, "{%d}", bdn->a_level );
2359 if ( bdn->a_expand ) {
2360 ptr = lutil_strcopy( ptr, ",expand" );
2364 ptr = lutil_strcopy( ptr, bdn->a_pat.bv_val );
2371 access2text( Access *b, char *ptr )
2373 char maskbuf[ACCESSMASK_MAXLEN];
2375 ptr = lutil_strcopy( ptr, "\tby" );
2377 if ( !BER_BVISEMPTY( &b->a_dn_pat ) ) {
2378 ptr = dnaccess2text( &b->a_dn, ptr, 0 );
2381 ptr = lutil_strcopy( ptr, " dnattr=" );
2382 ptr = lutil_strcopy( ptr, b->a_dn_at->ad_cname.bv_val );
2385 if ( !BER_BVISEMPTY( &b->a_realdn_pat ) ) {
2386 ptr = dnaccess2text( &b->a_realdn, ptr, 1 );
2388 if ( b->a_realdn_at ) {
2389 ptr = lutil_strcopy( ptr, " realdnattr=" );
2390 ptr = lutil_strcopy( ptr, b->a_realdn_at->ad_cname.bv_val );
2393 if ( !BER_BVISEMPTY( &b->a_group_pat ) ) {
2394 ptr = lutil_strcopy( ptr, " group/" );
2395 ptr = lutil_strcopy( ptr, b->a_group_oc ?
2396 b->a_group_oc->soc_cname.bv_val : "groupOfNames" );
2398 ptr = lutil_strcopy( ptr, b->a_group_at ?
2399 b->a_group_at->ad_cname.bv_val : "member" );
2401 ptr = lutil_strcopy( ptr, style_strings[b->a_group_style] );
2404 ptr = lutil_strcopy( ptr, b->a_group_pat.bv_val );
2408 if ( !BER_BVISEMPTY( &b->a_peername_pat ) ) {
2409 ptr = lutil_strcopy( ptr, " peername" );
2411 ptr = lutil_strcopy( ptr, style_strings[b->a_peername_style] );
2414 ptr = lutil_strcopy( ptr, b->a_peername_pat.bv_val );
2418 if ( !BER_BVISEMPTY( &b->a_sockname_pat ) ) {
2419 ptr = lutil_strcopy( ptr, " sockname" );
2421 ptr = lutil_strcopy( ptr, style_strings[b->a_sockname_style] );
2424 ptr = lutil_strcopy( ptr, b->a_sockname_pat.bv_val );
2428 if ( !BER_BVISEMPTY( &b->a_domain_pat ) ) {
2429 ptr = lutil_strcopy( ptr, " domain" );
2431 ptr = lutil_strcopy( ptr, style_strings[b->a_domain_style] );
2432 if ( b->a_domain_expand ) {
2433 ptr = lutil_strcopy( ptr, ",expand" );
2436 ptr = lutil_strcopy( ptr, b->a_domain_pat.bv_val );
2439 if ( !BER_BVISEMPTY( &b->a_sockurl_pat ) ) {
2440 ptr = lutil_strcopy( ptr, " sockurl" );
2442 ptr = lutil_strcopy( ptr, style_strings[b->a_sockurl_style] );
2445 ptr = lutil_strcopy( ptr, b->a_sockurl_pat.bv_val );
2449 if ( !BER_BVISEMPTY( &b->a_set_pat ) ) {
2450 ptr = lutil_strcopy( ptr, " set" );
2452 ptr = lutil_strcopy( ptr, style_strings[b->a_set_style] );
2455 ptr = lutil_strcopy( ptr, b->a_set_pat.bv_val );
2460 if ( b->a_dynacl ) {
2463 for ( da = b->a_dynacl; da; da = da->da_next ) {
2464 if ( da->da_unparse ) {
2466 (void)( *da->da_unparse )( da->da_private, &bv );
2467 ptr = lutil_strcopy( ptr, bv.bv_val );
2468 ch_free( bv.bv_val );
2472 #else /* ! SLAP_DYNACL */
2473 #ifdef SLAPD_ACI_ENABLED
2474 if ( b->a_aci_at != NULL ) {
2475 ptr = lutil_strcopy( ptr, " aci=" );
2476 ptr = lutil_strcopy( ptr, b->a_aci_at->ad_cname.bv_val );
2479 #endif /* SLAP_DYNACL */
2481 /* Security Strength Factors */
2482 if ( b->a_authz.sai_ssf ) {
2483 ptr += sprintf( ptr, " ssf=%u",
2484 b->a_authz.sai_ssf );
2486 if ( b->a_authz.sai_transport_ssf ) {
2487 ptr += sprintf( ptr, " transport_ssf=%u",
2488 b->a_authz.sai_transport_ssf );
2490 if ( b->a_authz.sai_tls_ssf ) {
2491 ptr += sprintf( ptr, " tls_ssf=%u",
2492 b->a_authz.sai_tls_ssf );
2494 if ( b->a_authz.sai_sasl_ssf ) {
2495 ptr += sprintf( ptr, " sasl_ssf=%u",
2496 b->a_authz.sai_sasl_ssf );
2500 if ( b->a_dn_self ) {
2501 ptr = lutil_strcopy( ptr, "self" );
2502 } else if ( b->a_realdn_self ) {
2503 ptr = lutil_strcopy( ptr, "realself" );
2505 ptr = lutil_strcopy( ptr, accessmask2str( b->a_access_mask, maskbuf, 0 ));
2506 if ( !maskbuf[0] ) ptr--;
2508 if( b->a_type == ACL_BREAK ) {
2509 ptr = lutil_strcopy( ptr, " break" );
2511 } else if( b->a_type == ACL_CONTINUE ) {
2512 ptr = lutil_strcopy( ptr, " continue" );
2514 } else if( b->a_type != ACL_STOP ) {
2515 ptr = lutil_strcopy( ptr, " unknown-control" );
2517 if ( !maskbuf[0] ) ptr = lutil_strcopy( ptr, " stop" );
2525 acl_unparse( AccessControl *a, struct berval *bv )
2531 bv->bv_val = aclbuf;
2536 ptr = lutil_strcopy( ptr, "to" );
2537 if ( !BER_BVISNULL( &a->acl_dn_pat ) ) {
2539 ptr = lutil_strcopy( ptr, " dn." );
2540 ptr = lutil_strcopy( ptr, style_strings[a->acl_dn_style] );
2543 ptr = lutil_strcopy( ptr, a->acl_dn_pat.bv_val );
2544 ptr = lutil_strcopy( ptr, "\"\n" );
2547 if ( a->acl_filter != NULL ) {
2548 struct berval bv = BER_BVNULL;
2551 filter2bv( a->acl_filter, &bv );
2552 ptr = lutil_strcopy( ptr, " filter=\"" );
2553 ptr = lutil_strcopy( ptr, bv.bv_val );
2556 ch_free( bv.bv_val );
2559 if ( a->acl_attrs != NULL ) {
2564 ptr = lutil_strcopy( ptr, " attrs=" );
2565 for ( an = a->acl_attrs; an && !BER_BVISNULL( &an->an_name ); an++ ) {
2566 if ( ! first ) *ptr++ = ',';
2568 *ptr++ = an->an_oc_exclude ? '!' : '@';
2569 ptr = lutil_strcopy( ptr, an->an_oc->soc_cname.bv_val );
2572 ptr = lutil_strcopy( ptr, an->an_name.bv_val );
2579 if ( !BER_BVISEMPTY( &a->acl_attrval ) ) {
2581 ptr = lutil_strcopy( ptr, " val." );
2582 ptr = lutil_strcopy( ptr, style_strings[a->acl_attrval_style] );
2585 ptr = lutil_strcopy( ptr, a->acl_attrval.bv_val );
2591 ptr = lutil_strcopy( ptr, " *\n" );
2594 for ( b = a->acl_access; b != NULL; b = b->a_next ) {
2595 ptr = access2text( b, ptr );
2598 bv->bv_len = ptr - bv->bv_val;
2604 print_acl( Backend *be, AccessControl *a )
2608 acl_unparse( a, &bv );
2609 fprintf( stderr, "%s ACL: access %s\n",
2610 be == NULL ? "Global" : "Backend", bv.bv_val );
2612 #endif /* LDAP_DEBUG */