1 /* aclparse.c - routines to parse and check acl's */
3 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
5 * Copyright 1998-2006 The OpenLDAP Foundation.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted only as authorized by the OpenLDAP
12 * A copy of this license is available in the file LICENSE in the
13 * top-level directory of the distribution or, alternatively, at
14 * <http://www.OpenLDAP.org/license.html>.
16 /* Portions Copyright (c) 1995 Regents of the University of Michigan.
17 * All rights reserved.
19 * Redistribution and use in source and binary forms are permitted
20 * provided that this notice is preserved and that due credit is given
21 * to the University of Michigan at Ann Arbor. The name of the University
22 * may not be used to endorse or promote products derived from this
23 * software without specific prior written permission. This software
24 * is provided ``as is'' without express or implied warranty.
33 #include <ac/socket.h>
34 #include <ac/string.h>
35 #include <ac/unistd.h>
41 static const char style_base[] = "base";
42 char *style_strings[] = {
59 static void split(char *line, int splitchar, char **left, char **right);
60 static void access_append(Access **l, Access *a);
61 static int acl_usage(void);
63 static void acl_regex_normalized_dn(const char *src, struct berval *pat);
66 static void print_acl(Backend *be, AccessControl *a);
69 static int check_scope( BackendDB *be, AccessControl *a );
82 slap_dynacl_t *da, *tmp;
85 for ( da = b->a_dynacl; da; da = da->da_next ) {
86 if ( strcasecmp( da->da_name, name ) == 0 ) {
87 Debug( LDAP_DEBUG_ANY,
88 "%s: line %d: dynacl \"%s\" already specified.\n",
89 fname, lineno, name );
94 da = slap_dynacl_get( name );
99 tmp = ch_malloc( sizeof( slap_dynacl_t ) );
102 if ( tmp->da_parse ) {
103 rc = ( *tmp->da_parse )( fname, lineno, opts, sty, right, &tmp->da_private );
110 tmp->da_next = b->a_dynacl;
115 #endif /* SLAP_DYNACL */
118 regtest(const char *fname, int lineno, char *pat) {
122 char buf[ SLAP_TEXT_BUFLEN ];
134 for (size = 0, flag = 0; (size < sizeof(buf)) && *sp; sp++) {
136 if (*sp == '$'|| (*sp >= '0' && *sp <= '9')) {
153 if ( size >= (sizeof(buf) - 1) ) {
154 Debug( LDAP_DEBUG_ANY,
155 "%s: line %d: regular expression \"%s\" too large\n",
156 fname, lineno, pat );
158 exit( EXIT_FAILURE );
161 if ((e = regcomp(&re, buf, REG_EXTENDED|REG_ICASE))) {
162 char error[ SLAP_TEXT_BUFLEN ];
164 regerror(e, &re, error, sizeof(error));
166 snprintf( buf, sizeof( buf ),
167 "regular expression \"%s\" bad because of %s",
169 Debug( LDAP_DEBUG_ANY,
171 fname, lineno, buf );
173 exit( EXIT_FAILURE );
181 * Check if the pattern of an ACL, if any, matches the scope
182 * of the backend it is defined within.
184 #define ACL_SCOPE_UNKNOWN (-2)
185 #define ACL_SCOPE_ERR (-1)
186 #define ACL_SCOPE_OK (0)
187 #define ACL_SCOPE_PARTIAL (1)
188 #define ACL_SCOPE_WARN (2)
191 check_scope( BackendDB *be, AccessControl *a )
196 dn = be->be_nsuffix[0];
198 if ( BER_BVISEMPTY( &dn ) ) {
202 if ( !BER_BVISEMPTY( &a->acl_dn_pat ) ||
203 a->acl_dn_style != ACL_STYLE_REGEX )
205 slap_style_t style = a->acl_dn_style;
207 if ( style == ACL_STYLE_REGEX ) {
208 char dnbuf[SLAP_LDAPDN_MAXLEN + 2];
209 char rebuf[SLAP_LDAPDN_MAXLEN + 1];
214 /* add trailing '$' to database suffix to form
215 * a simple trial regex pattern "<suffix>$" */
216 AC_MEMCPY( dnbuf, be->be_nsuffix[0].bv_val,
217 be->be_nsuffix[0].bv_len );
218 dnbuf[be->be_nsuffix[0].bv_len] = '$';
219 dnbuf[be->be_nsuffix[0].bv_len + 1] = '\0';
221 if ( regcomp( &re, dnbuf, REG_EXTENDED|REG_ICASE ) ) {
222 return ACL_SCOPE_WARN;
225 /* remove trailing ')$', if any, from original
227 rebuflen = a->acl_dn_pat.bv_len;
228 AC_MEMCPY( rebuf, a->acl_dn_pat.bv_val, rebuflen + 1 );
229 if ( rebuf[rebuflen - 1] == '$' ) {
230 rebuf[--rebuflen] = '\0';
232 while ( rebuflen > be->be_nsuffix[0].bv_len && rebuf[rebuflen - 1] == ')' ) {
233 rebuf[--rebuflen] = '\0';
235 if ( rebuflen == be->be_nsuffix[0].bv_len ) {
240 /* not a clear indication of scoping error, though */
241 rc = regexec( &re, rebuf, 0, NULL, 0 )
242 ? ACL_SCOPE_WARN : ACL_SCOPE_OK;
249 patlen = a->acl_dn_pat.bv_len;
250 /* If backend suffix is longer than pattern,
251 * it is a potential mismatch (in the sense
252 * that a superior naming context could
254 if ( dn.bv_len > patlen ) {
255 /* base is blatantly wrong */
256 if ( style == ACL_STYLE_BASE ) return ACL_SCOPE_ERR;
258 /* a style of one can be wrong if there is
259 * more than one level between the suffix
261 if ( style == ACL_STYLE_ONE ) {
262 ber_len_t rdnlen = 0;
266 if ( !DN_SEPARATOR( dn.bv_val[dn.bv_len - patlen - 1] )) {
267 return ACL_SCOPE_ERR;
272 rdnlen = dn_rdnlen( NULL, &dn );
273 if ( rdnlen != dn.bv_len - patlen - sep )
274 return ACL_SCOPE_ERR;
277 /* if the trailing part doesn't match,
278 * then it's an error */
279 if ( strcmp( a->acl_dn_pat.bv_val,
280 &dn.bv_val[dn.bv_len - patlen] ) != 0 )
282 return ACL_SCOPE_ERR;
285 return ACL_SCOPE_PARTIAL;
291 case ACL_STYLE_CHILDREN:
292 case ACL_STYLE_SUBTREE:
300 if ( dn.bv_len < patlen &&
301 !DN_SEPARATOR( a->acl_dn_pat.bv_val[patlen - dn.bv_len - 1] ))
303 return ACL_SCOPE_ERR;
306 if ( strcmp( &a->acl_dn_pat.bv_val[patlen - dn.bv_len], dn.bv_val )
309 return ACL_SCOPE_ERR;
315 return ACL_SCOPE_UNKNOWN;
328 char *left, *right, *style;
336 for ( i = 1; i < argc; i++ ) {
337 /* to clause - select which entries are protected */
338 if ( strcasecmp( argv[i], "to" ) == 0 ) {
340 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
341 "only one to clause allowed in access line\n",
345 a = (AccessControl *) ch_calloc( 1, sizeof(AccessControl) );
346 for ( ++i; i < argc; i++ ) {
347 if ( strcasecmp( argv[i], "by" ) == 0 ) {
352 if ( strcasecmp( argv[i], "*" ) == 0 ) {
353 if ( !BER_BVISEMPTY( &a->acl_dn_pat ) ||
354 a->acl_dn_style != ACL_STYLE_REGEX )
356 Debug( LDAP_DEBUG_ANY,
357 "%s: line %d: dn pattern"
358 " already specified in to clause.\n",
363 ber_str2bv( "*", STRLENOF( "*" ), 1, &a->acl_dn_pat );
367 split( argv[i], '=', &left, &right );
368 split( left, '.', &left, &style );
370 if ( right == NULL ) {
371 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
372 "missing \"=\" in \"%s\" in to clause\n",
373 fname, lineno, left );
377 if ( strcasecmp( left, "dn" ) == 0 ) {
378 if ( !BER_BVISEMPTY( &a->acl_dn_pat ) ||
379 a->acl_dn_style != ACL_STYLE_REGEX )
381 Debug( LDAP_DEBUG_ANY,
382 "%s: line %d: dn pattern"
383 " already specified in to clause.\n",
388 if ( style == NULL || *style == '\0' ||
389 strcasecmp( style, "baseObject" ) == 0 ||
390 strcasecmp( style, "base" ) == 0 ||
391 strcasecmp( style, "exact" ) == 0 )
393 a->acl_dn_style = ACL_STYLE_BASE;
394 ber_str2bv( right, 0, 1, &a->acl_dn_pat );
396 } else if ( strcasecmp( style, "oneLevel" ) == 0 ||
397 strcasecmp( style, "one" ) == 0 )
399 a->acl_dn_style = ACL_STYLE_ONE;
400 ber_str2bv( right, 0, 1, &a->acl_dn_pat );
402 } else if ( strcasecmp( style, "subtree" ) == 0 ||
403 strcasecmp( style, "sub" ) == 0 )
405 if( *right == '\0' ) {
406 ber_str2bv( "*", STRLENOF( "*" ), 1, &a->acl_dn_pat );
409 a->acl_dn_style = ACL_STYLE_SUBTREE;
410 ber_str2bv( right, 0, 1, &a->acl_dn_pat );
413 } else if ( strcasecmp( style, "children" ) == 0 ) {
414 a->acl_dn_style = ACL_STYLE_CHILDREN;
415 ber_str2bv( right, 0, 1, &a->acl_dn_pat );
417 } else if ( strcasecmp( style, "regex" ) == 0 ) {
418 a->acl_dn_style = ACL_STYLE_REGEX;
420 if ( *right == '\0' ) {
421 /* empty regex should match empty DN */
422 a->acl_dn_style = ACL_STYLE_BASE;
423 ber_str2bv( right, 0, 1, &a->acl_dn_pat );
425 } else if ( strcmp(right, "*") == 0
426 || strcmp(right, ".*") == 0
427 || strcmp(right, ".*$") == 0
428 || strcmp(right, "^.*") == 0
429 || strcmp(right, "^.*$") == 0
430 || strcmp(right, ".*$$") == 0
431 || strcmp(right, "^.*$$") == 0 )
433 ber_str2bv( "*", STRLENOF("*"), 1, &a->acl_dn_pat );
436 acl_regex_normalized_dn( right, &a->acl_dn_pat );
440 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
441 "unknown dn style \"%s\" in to clause\n",
442 fname, lineno, style );
449 if ( strcasecmp( left, "filter" ) == 0 ) {
450 if ( (a->acl_filter = str2filter( right )) == NULL ) {
451 Debug( LDAP_DEBUG_ANY,
452 "%s: line %d: bad filter \"%s\" in to clause\n",
453 fname, lineno, right );
457 } else if ( strcasecmp( left, "attr" ) == 0 /* TOLERATED */
458 || strcasecmp( left, "attrs" ) == 0 ) /* DOCUMENTED */
460 if ( strcasecmp( left, "attr" ) == 0 ) {
461 Debug( LDAP_DEBUG_ANY,
462 "%s: line %d: \"attr\" "
463 "is deprecated (and undocumented); "
464 "use \"attrs\" instead.\n",
468 a->acl_attrs = str2anlist( a->acl_attrs,
470 if ( a->acl_attrs == NULL ) {
471 Debug( LDAP_DEBUG_ANY,
472 "%s: line %d: unknown attr \"%s\" in to clause\n",
473 fname, lineno, right );
477 } else if ( strncasecmp( left, "val", 3 ) == 0 ) {
481 if ( !BER_BVISEMPTY( &a->acl_attrval ) ) {
482 Debug( LDAP_DEBUG_ANY,
483 "%s: line %d: attr val already specified in to clause.\n",
487 if ( a->acl_attrs == NULL || !BER_BVISEMPTY( &a->acl_attrs[1].an_name ) )
489 Debug( LDAP_DEBUG_ANY,
490 "%s: line %d: attr val requires a single attribute.\n",
495 ber_str2bv( right, 0, 0, &bv );
496 a->acl_attrval_style = ACL_STYLE_BASE;
498 mr = strchr( left, '/' );
503 a->acl_attrval_mr = mr_find( mr );
504 if ( a->acl_attrval_mr == NULL ) {
505 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
506 "invalid matching rule \"%s\".\n",
511 if( !mr_usable_with_at( a->acl_attrval_mr, a->acl_attrs[ 0 ].an_desc->ad_type ) )
513 char buf[ SLAP_TEXT_BUFLEN ];
515 snprintf( buf, sizeof( buf ),
516 "matching rule \"%s\" use "
517 "with attr \"%s\" not appropriate.",
518 mr, a->acl_attrs[ 0 ].an_name.bv_val );
521 Debug( LDAP_DEBUG_ANY, "%s: line %d: %s\n",
522 fname, lineno, buf );
527 if ( style != NULL ) {
528 if ( strcasecmp( style, "regex" ) == 0 ) {
529 int e = regcomp( &a->acl_attrval_re, bv.bv_val,
530 REG_EXTENDED | REG_ICASE | REG_NOSUB );
532 char err[SLAP_TEXT_BUFLEN],
533 buf[ SLAP_TEXT_BUFLEN ];
535 regerror( e, &a->acl_attrval_re, err, sizeof( err ) );
537 snprintf( buf, sizeof( buf ),
538 "regular expression \"%s\" bad because of %s",
541 Debug( LDAP_DEBUG_ANY, "%s: line %d: %s\n",
542 fname, lineno, buf );
545 a->acl_attrval_style = ACL_STYLE_REGEX;
548 /* FIXME: if the attribute has DN syntax, we might
549 * allow one, subtree and children styles as well */
550 if ( !strcasecmp( style, "base" ) ||
551 !strcasecmp( style, "exact" ) ) {
552 a->acl_attrval_style = ACL_STYLE_BASE;
554 } else if ( a->acl_attrs[0].an_desc->ad_type->
555 sat_syntax == slap_schema.si_syn_distinguishedName )
557 if ( !strcasecmp( style, "baseObject" ) ||
558 !strcasecmp( style, "base" ) )
560 a->acl_attrval_style = ACL_STYLE_BASE;
561 } else if ( !strcasecmp( style, "onelevel" ) ||
562 !strcasecmp( style, "one" ) )
564 a->acl_attrval_style = ACL_STYLE_ONE;
565 } else if ( !strcasecmp( style, "subtree" ) ||
566 !strcasecmp( style, "sub" ) )
568 a->acl_attrval_style = ACL_STYLE_SUBTREE;
569 } else if ( !strcasecmp( style, "children" ) ) {
570 a->acl_attrval_style = ACL_STYLE_CHILDREN;
572 char buf[ SLAP_TEXT_BUFLEN ];
574 /* FIXME: should be an error */
576 snprintf( buf, sizeof( buf ),
577 "unknown val.<style> \"%s\" "
578 "for attributeType \"%s\" with DN syntax"
579 #ifndef SLAPD_CONF_UNKNOWN_BAILOUT
581 #endif /* ! SLAPD_CONF_UNKNOWN_BAILOUT */
582 SLAPD_CONF_UNKNOWN_IGNORED ".",
584 a->acl_attrs[0].an_desc->ad_cname.bv_val );
586 Debug( LDAP_DEBUG_CONFIG | LDAP_DEBUG_ACL,
588 fname, lineno, buf );
589 #ifdef SLAPD_CONF_UNKNOWN_BAILOUT
591 #endif /* SLAPD_CONF_UNKNOWN_BAILOUT */
592 a->acl_attrval_style = ACL_STYLE_BASE;
595 rc = dnNormalize( 0, NULL, NULL, &bv, &a->acl_attrval, NULL );
596 if ( rc != LDAP_SUCCESS ) {
597 char buf[ SLAP_TEXT_BUFLEN ];
599 snprintf( buf, sizeof( buf ),
600 "unable to normalize DN \"%s\" "
601 "for attributeType \"%s\" (%d).",
603 a->acl_attrs[0].an_desc->ad_cname.bv_val,
605 Debug( LDAP_DEBUG_ANY,
607 fname, lineno, buf );
612 char buf[ SLAP_TEXT_BUFLEN ];
614 /* FIXME: should be an error */
616 snprintf( buf, sizeof( buf ),
617 "unknown val.<style> \"%s\" "
618 "for attributeType \"%s\""
619 #ifndef SLAPD_CONF_UNKNOWN_BAILOUT
621 #endif /* ! SLAPD_CONF_UNKNOWN_BAILOUT */
622 SLAPD_CONF_UNKNOWN_IGNORED ".",
623 style, a->acl_attrs[0].an_desc->ad_cname.bv_val );
624 Debug( LDAP_DEBUG_CONFIG | LDAP_DEBUG_ACL,
626 fname, lineno, buf );
627 #ifdef SLAPD_CONF_UNKNOWN_BAILOUT
629 #endif /* SLAPD_CONF_UNKNOWN_BAILOUT */
630 a->acl_attrval_style = ACL_STYLE_BASE;
635 /* Check for appropriate matching rule */
636 if ( a->acl_attrval_style == ACL_STYLE_REGEX ) {
637 ber_dupbv( &a->acl_attrval, &bv );
639 } else if ( BER_BVISNULL( &a->acl_attrval ) ) {
643 if ( a->acl_attrval_mr == NULL ) {
644 a->acl_attrval_mr = a->acl_attrs[ 0 ].an_desc->ad_type->sat_equality;
647 if ( a->acl_attrval_mr == NULL ) {
648 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
649 "attr \"%s\" does not have an EQUALITY matching rule.\n",
650 fname, lineno, a->acl_attrs[ 0 ].an_name.bv_val );
654 rc = asserted_value_validate_normalize(
655 a->acl_attrs[ 0 ].an_desc,
657 SLAP_MR_EQUALITY|SLAP_MR_VALUE_OF_ASSERTION_SYNTAX,
662 if ( rc != LDAP_SUCCESS ) {
663 char buf[ SLAP_TEXT_BUFLEN ];
665 snprintf( buf, sizeof( buf ), "%s: line %d: "
666 " attr \"%s\" normalization failed (%d: %s)",
668 a->acl_attrs[ 0 ].an_name.bv_val, rc, text );
669 Debug( LDAP_DEBUG_ANY, "%s: line %d: %s.\n",
670 fname, lineno, buf );
676 Debug( LDAP_DEBUG_ANY,
677 "%s: line %d: expecting <what> got \"%s\"\n",
678 fname, lineno, left );
683 if ( !BER_BVISNULL( &a->acl_dn_pat ) &&
684 ber_bvccmp( &a->acl_dn_pat, '*' ) )
686 free( a->acl_dn_pat.bv_val );
687 BER_BVZERO( &a->acl_dn_pat );
688 a->acl_dn_style = ACL_STYLE_REGEX;
691 if ( !BER_BVISEMPTY( &a->acl_dn_pat ) ||
692 a->acl_dn_style != ACL_STYLE_REGEX )
694 if ( a->acl_dn_style != ACL_STYLE_REGEX ) {
696 rc = dnNormalize( 0, NULL, NULL, &a->acl_dn_pat, &bv, NULL);
697 if ( rc != LDAP_SUCCESS ) {
698 Debug( LDAP_DEBUG_ANY,
699 "%s: line %d: bad DN \"%s\" in to DN clause\n",
700 fname, lineno, a->acl_dn_pat.bv_val );
703 free( a->acl_dn_pat.bv_val );
707 int e = regcomp( &a->acl_dn_re, a->acl_dn_pat.bv_val,
708 REG_EXTENDED | REG_ICASE );
710 char err[ SLAP_TEXT_BUFLEN ],
711 buf[ SLAP_TEXT_BUFLEN ];
713 regerror( e, &a->acl_dn_re, err, sizeof( err ) );
714 snprintf( buf, sizeof( buf ),
715 "regular expression \"%s\" bad because of %s",
717 Debug( LDAP_DEBUG_ANY, "%s: line %d: %s\n",
718 fname, lineno, buf );
724 /* by clause - select who has what access to entries */
725 } else if ( strcasecmp( argv[i], "by" ) == 0 ) {
727 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
728 "to clause required before by clause in access line\n",
734 * by clause consists of <who> and <access>
737 b = (Access *) ch_calloc( 1, sizeof(Access) );
739 ACL_INVALIDATE( b->a_access_mask );
742 Debug( LDAP_DEBUG_ANY,
743 "%s: line %d: premature EOL: expecting <who>\n",
749 for ( ; i < argc; i++ ) {
750 slap_style_t sty = ACL_STYLE_REGEX;
751 char *style_modifier = NULL;
752 char *style_level = NULL;
755 slap_dn_access *bdn = &b->a_dn;
758 split( argv[i], '=', &left, &right );
759 split( left, '.', &left, &style );
761 split( style, ',', &style, &style_modifier );
763 if ( strncasecmp( style, "level", STRLENOF( "level" ) ) == 0 ) {
764 split( style, '{', &style, &style_level );
765 if ( style_level != NULL ) {
766 char *p = strchr( style_level, '}' );
768 Debug( LDAP_DEBUG_ANY,
769 "%s: line %d: premature eol: "
770 "expecting closing '}' in \"level{n}\"\n",
773 } else if ( p == style_level ) {
774 Debug( LDAP_DEBUG_ANY,
775 "%s: line %d: empty level "
785 if ( style == NULL || *style == '\0' ||
786 strcasecmp( style, "exact" ) == 0 ||
787 strcasecmp( style, "baseObject" ) == 0 ||
788 strcasecmp( style, "base" ) == 0 )
790 sty = ACL_STYLE_BASE;
792 } else if ( strcasecmp( style, "onelevel" ) == 0 ||
793 strcasecmp( style, "one" ) == 0 )
797 } else if ( strcasecmp( style, "subtree" ) == 0 ||
798 strcasecmp( style, "sub" ) == 0 )
800 sty = ACL_STYLE_SUBTREE;
802 } else if ( strcasecmp( style, "children" ) == 0 ) {
803 sty = ACL_STYLE_CHILDREN;
805 } else if ( strcasecmp( style, "level" ) == 0 )
807 if ( lutil_atoi( &level, style_level ) != 0 ) {
808 Debug( LDAP_DEBUG_ANY,
809 "%s: line %d: unable to parse level "
815 sty = ACL_STYLE_LEVEL;
817 } else if ( strcasecmp( style, "regex" ) == 0 ) {
818 sty = ACL_STYLE_REGEX;
820 } else if ( strcasecmp( style, "expand" ) == 0 ) {
821 sty = ACL_STYLE_EXPAND;
823 } else if ( strcasecmp( style, "ip" ) == 0 ) {
826 } else if ( strcasecmp( style, "path" ) == 0 ) {
827 sty = ACL_STYLE_PATH;
828 #ifndef LDAP_PF_LOCAL
829 Debug( LDAP_DEBUG_CONFIG | LDAP_DEBUG_ACL,
831 "\"path\" style modifier is useless without local"
832 SLAPD_CONF_UNKNOWN_IGNORED ".\n",
834 #ifdef SLAPD_CONF_UNKNOWN_BAILOUT
836 #endif /* SLAPD_CONF_UNKNOWN_BAILOUT */
837 #endif /* LDAP_PF_LOCAL */
840 Debug( LDAP_DEBUG_ANY,
841 "%s: line %d: unknown style \"%s\" in by clause\n",
842 fname, lineno, style );
846 if ( style_modifier &&
847 strcasecmp( style_modifier, "expand" ) == 0 )
850 case ACL_STYLE_REGEX:
851 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
852 "\"regex\" style implies "
853 "\"expand\" modifier"
854 SLAPD_CONF_UNKNOWN_IGNORED ".\n",
856 #ifdef SLAPD_CONF_UNKNOWN_BAILOUT
858 #endif /* SLAPD_CONF_UNKNOWN_BAILOUT */
861 case ACL_STYLE_EXPAND:
865 /* we'll see later if it's pertinent */
871 /* expand in <who> needs regex in <what> */
872 if ( ( sty == ACL_STYLE_EXPAND || expand )
873 && a->acl_dn_style != ACL_STYLE_REGEX )
875 Debug( LDAP_DEBUG_CONFIG | LDAP_DEBUG_ACL, "%s: line %d: "
876 "\"expand\" style or modifier used "
877 "in conjunction with "
878 "a non-regex <what> clause"
879 SLAPD_CONF_UNKNOWN_IGNORED ".\n",
881 #ifdef SLAPD_CONF_UNKNOWN_BAILOUT
883 #endif /* SLAPD_CONF_UNKNOWN_BAILOUT */
886 if ( strncasecmp( left, "real", STRLENOF( "real" ) ) == 0 ) {
889 left += STRLENOF( "real" );
892 if ( strcasecmp( left, "*" ) == 0 ) {
897 ber_str2bv( "*", STRLENOF( "*" ), 1, &bv );
898 sty = ACL_STYLE_REGEX;
900 } else if ( strcasecmp( left, "anonymous" ) == 0 ) {
901 ber_str2bv("anonymous", STRLENOF( "anonymous" ), 1, &bv);
902 sty = ACL_STYLE_ANONYMOUS;
904 } else if ( strcasecmp( left, "users" ) == 0 ) {
905 ber_str2bv("users", STRLENOF( "users" ), 1, &bv);
906 sty = ACL_STYLE_USERS;
908 } else if ( strcasecmp( left, "self" ) == 0 ) {
909 ber_str2bv("self", STRLENOF( "self" ), 1, &bv);
910 sty = ACL_STYLE_SELF;
912 } else if ( strcasecmp( left, "dn" ) == 0 ) {
913 if ( sty == ACL_STYLE_REGEX ) {
914 bdn->a_style = ACL_STYLE_REGEX;
915 if ( right == NULL ) {
920 bdn->a_style = ACL_STYLE_USERS;
922 } else if (*right == '\0' ) {
924 ber_str2bv("anonymous",
925 STRLENOF( "anonymous" ),
927 bdn->a_style = ACL_STYLE_ANONYMOUS;
929 } else if ( strcmp( right, "*" ) == 0 ) {
931 /* any or users? users for now */
935 bdn->a_style = ACL_STYLE_USERS;
937 } else if ( strcmp( right, ".+" ) == 0
938 || strcmp( right, "^.+" ) == 0
939 || strcmp( right, ".+$" ) == 0
940 || strcmp( right, "^.+$" ) == 0
941 || strcmp( right, ".+$$" ) == 0
942 || strcmp( right, "^.+$$" ) == 0 )
947 bdn->a_style = ACL_STYLE_USERS;
949 } else if ( strcmp( right, ".*" ) == 0
950 || strcmp( right, "^.*" ) == 0
951 || strcmp( right, ".*$" ) == 0
952 || strcmp( right, "^.*$" ) == 0
953 || strcmp( right, ".*$$" ) == 0
954 || strcmp( right, "^.*$$" ) == 0 )
961 acl_regex_normalized_dn( right, &bv );
962 if ( !ber_bvccmp( &bv, '*' ) ) {
963 regtest( fname, lineno, bv.bv_val );
967 } else if ( right == NULL || *right == '\0' ) {
968 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
969 "missing \"=\" in (or value after) \"%s\" "
971 fname, lineno, left );
975 ber_str2bv( right, 0, 1, &bv );
982 if ( !BER_BVISNULL( &bv ) ) {
983 if ( !BER_BVISEMPTY( &bdn->a_pat ) ) {
984 Debug( LDAP_DEBUG_ANY,
985 "%s: line %d: dn pattern already specified.\n",
990 if ( sty != ACL_STYLE_REGEX &&
991 sty != ACL_STYLE_ANONYMOUS &&
992 sty != ACL_STYLE_USERS &&
993 sty != ACL_STYLE_SELF &&
996 rc = dnNormalize(0, NULL, NULL,
997 &bv, &bdn->a_pat, NULL);
998 if ( rc != LDAP_SUCCESS ) {
999 Debug( LDAP_DEBUG_ANY,
1000 "%s: line %d: bad DN \"%s\" in by DN clause\n",
1001 fname, lineno, bv.bv_val );
1005 if ( sty == ACL_STYLE_BASE
1007 && !BER_BVISNULL( &be->be_rootndn )
1008 && dn_match( &bdn->a_pat, &be->be_rootndn ) )
1010 Debug( LDAP_DEBUG_ANY,
1011 "%s: line %d: rootdn is always granted "
1012 "unlimited privileges.\n",
1024 for ( exp = strchr( bdn->a_pat.bv_val, '$' );
1025 exp && (ber_len_t)(exp - bdn->a_pat.bv_val)
1026 < bdn->a_pat.bv_len;
1027 exp = strchr( exp, '$' ) )
1029 if ( isdigit( exp[ 1 ] ) ) {
1036 bdn->a_expand = expand;
1039 Debug( LDAP_DEBUG_ANY,
1040 "%s: line %d: \"expand\" used "
1041 "with no expansions in \"pattern\""
1042 SLAPD_CONF_UNKNOWN_IGNORED ".\n",
1044 #ifdef SLAPD_CONF_UNKNOWN_BAILOUT
1046 #endif /* SLAPD_CONF_UNKNOWN_BAILOUT */
1049 if ( sty == ACL_STYLE_SELF ) {
1050 bdn->a_self_level = level;
1054 Debug( LDAP_DEBUG_ANY,
1055 "%s: line %d: bad negative level \"%d\" "
1056 "in by DN clause\n",
1057 fname, lineno, level );
1059 } else if ( level == 1 ) {
1060 Debug( LDAP_DEBUG_ANY,
1061 "%s: line %d: \"onelevel\" should be used "
1062 "instead of \"level{1}\" in by DN clause\n",
1064 } else if ( level == 0 && sty == ACL_STYLE_LEVEL ) {
1065 Debug( LDAP_DEBUG_ANY,
1066 "%s: line %d: \"base\" should be used "
1067 "instead of \"level{0}\" in by DN clause\n",
1071 bdn->a_level = level;
1076 if ( strcasecmp( left, "dnattr" ) == 0 ) {
1077 if ( right == NULL || right[0] == '\0' ) {
1078 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1079 "missing \"=\" in (or value after) \"%s\" "
1081 fname, lineno, left );
1085 if( bdn->a_at != NULL ) {
1086 Debug( LDAP_DEBUG_ANY,
1087 "%s: line %d: dnattr already specified.\n",
1092 rc = slap_str2ad( right, &bdn->a_at, &text );
1094 if( rc != LDAP_SUCCESS ) {
1095 char buf[ SLAP_TEXT_BUFLEN ];
1097 snprintf( buf, sizeof( buf ),
1098 "dnattr \"%s\": %s",
1100 Debug( LDAP_DEBUG_ANY,
1101 "%s: line %d: %s\n",
1102 fname, lineno, buf );
1107 if( !is_at_syntax( bdn->a_at->ad_type,
1108 SLAPD_DN_SYNTAX ) &&
1109 !is_at_syntax( bdn->a_at->ad_type,
1110 SLAPD_NAMEUID_SYNTAX ))
1112 char buf[ SLAP_TEXT_BUFLEN ];
1114 snprintf( buf, sizeof( buf ),
1116 "inappropriate syntax: %s\n",
1118 bdn->a_at->ad_type->sat_syntax_oid );
1119 Debug( LDAP_DEBUG_ANY,
1120 "%s: line %d: %s\n",
1121 fname, lineno, buf );
1125 if( bdn->a_at->ad_type->sat_equality == NULL ) {
1126 Debug( LDAP_DEBUG_ANY,
1127 "%s: line %d: dnattr \"%s\": "
1128 "inappropriate matching (no EQUALITY)\n",
1129 fname, lineno, right );
1136 if ( strncasecmp( left, "group", STRLENOF( "group" ) ) == 0 ) {
1141 case ACL_STYLE_REGEX:
1142 /* legacy, tolerated */
1143 Debug( LDAP_DEBUG_CONFIG | LDAP_DEBUG_ACL,
1145 "deprecated group style \"regex\"; "
1146 "use \"expand\" instead.\n",
1148 sty = ACL_STYLE_EXPAND;
1151 case ACL_STYLE_BASE:
1152 /* legal, traditional */
1153 case ACL_STYLE_EXPAND:
1154 /* legal, substring expansion; supersedes regex */
1159 Debug( LDAP_DEBUG_ANY,
1161 "inappropriate style \"%s\" in by clause.\n",
1162 fname, lineno, style );
1166 if ( right == NULL || right[0] == '\0' ) {
1167 Debug( LDAP_DEBUG_ANY,
1169 "missing \"=\" in (or value after) \"%s\" "
1171 fname, lineno, left );
1175 if ( !BER_BVISEMPTY( &b->a_group_pat ) ) {
1176 Debug( LDAP_DEBUG_ANY,
1177 "%s: line %d: group pattern already specified.\n",
1182 /* format of string is
1183 "group/objectClassValue/groupAttrName" */
1184 if ( ( value = strchr(left, '/') ) != NULL ) {
1186 if ( *value && ( name = strchr( value, '/' ) ) != NULL ) {
1191 b->a_group_style = sty;
1192 if ( sty == ACL_STYLE_EXPAND ) {
1193 acl_regex_normalized_dn( right, &bv );
1194 if ( !ber_bvccmp( &bv, '*' ) ) {
1195 regtest( fname, lineno, bv.bv_val );
1197 b->a_group_pat = bv;
1200 ber_str2bv( right, 0, 0, &bv );
1201 rc = dnNormalize( 0, NULL, NULL, &bv,
1202 &b->a_group_pat, NULL );
1203 if ( rc != LDAP_SUCCESS ) {
1204 Debug( LDAP_DEBUG_ANY,
1205 "%s: line %d: bad DN \"%s\".\n",
1206 fname, lineno, right );
1211 if ( value && *value ) {
1212 b->a_group_oc = oc_find( value );
1215 if ( b->a_group_oc == NULL ) {
1216 Debug( LDAP_DEBUG_ANY,
1217 "%s: line %d: group objectclass "
1218 "\"%s\" unknown.\n",
1219 fname, lineno, value );
1224 b->a_group_oc = oc_find( SLAPD_GROUP_CLASS );
1226 if( b->a_group_oc == NULL ) {
1227 Debug( LDAP_DEBUG_ANY,
1228 "%s: line %d: group default objectclass "
1229 "\"%s\" unknown.\n",
1230 fname, lineno, SLAPD_GROUP_CLASS );
1235 if ( is_object_subclass( slap_schema.si_oc_referral,
1238 Debug( LDAP_DEBUG_ANY,
1239 "%s: line %d: group objectclass \"%s\" "
1240 "is subclass of referral.\n",
1241 fname, lineno, value );
1245 if ( is_object_subclass( slap_schema.si_oc_alias,
1248 Debug( LDAP_DEBUG_ANY,
1249 "%s: line %d: group objectclass \"%s\" "
1250 "is subclass of alias.\n",
1251 fname, lineno, value );
1255 if ( name && *name ) {
1256 rc = slap_str2ad( name, &b->a_group_at, &text );
1258 if( rc != LDAP_SUCCESS ) {
1259 char buf[ SLAP_TEXT_BUFLEN ];
1261 snprintf( buf, sizeof( buf ),
1262 "group \"%s\": %s.",
1264 Debug( LDAP_DEBUG_ANY,
1265 "%s: line %d: %s\n",
1266 fname, lineno, buf );
1272 rc = slap_str2ad( SLAPD_GROUP_ATTR, &b->a_group_at, &text );
1274 if ( rc != LDAP_SUCCESS ) {
1275 char buf[ SLAP_TEXT_BUFLEN ];
1277 snprintf( buf, sizeof( buf ),
1278 "group \"%s\": %s.",
1279 SLAPD_GROUP_ATTR, text );
1280 Debug( LDAP_DEBUG_ANY,
1281 "%s: line %d: %s\n",
1282 fname, lineno, buf );
1287 if ( !is_at_syntax( b->a_group_at->ad_type,
1288 SLAPD_DN_SYNTAX ) &&
1289 !is_at_syntax( b->a_group_at->ad_type,
1290 SLAPD_NAMEUID_SYNTAX ) &&
1291 !is_at_subtype( b->a_group_at->ad_type, slap_schema.si_ad_labeledURI->ad_type ) )
1293 char buf[ SLAP_TEXT_BUFLEN ];
1295 snprintf( buf, sizeof( buf ),
1296 "group \"%s\": inappropriate syntax: %s.",
1298 b->a_group_at->ad_type->sat_syntax_oid );
1299 Debug( LDAP_DEBUG_ANY,
1300 "%s: line %d: %s\n",
1301 fname, lineno, buf );
1308 struct berval vals[2];
1310 ber_str2bv( b->a_group_oc->soc_oid, 0, 0, &vals[0] );
1311 BER_BVZERO( &vals[1] );
1313 rc = oc_check_allowed( b->a_group_at->ad_type,
1317 char buf[ SLAP_TEXT_BUFLEN ];
1319 snprintf( buf, sizeof( buf ),
1320 "group: \"%s\" not allowed by \"%s\".",
1321 b->a_group_at->ad_cname.bv_val,
1322 b->a_group_oc->soc_oid );
1323 Debug( LDAP_DEBUG_ANY, "%s: line %d: %s\n",
1324 fname, lineno, buf );
1331 if ( strcasecmp( left, "peername" ) == 0 ) {
1333 case ACL_STYLE_REGEX:
1334 case ACL_STYLE_BASE:
1335 /* legal, traditional */
1336 case ACL_STYLE_EXPAND:
1337 /* cheap replacement to regex for simple expansion */
1339 case ACL_STYLE_PATH:
1340 /* legal, peername specific */
1344 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1345 "inappropriate style \"%s\" in by clause.\n",
1346 fname, lineno, style );
1350 if ( right == NULL || right[0] == '\0' ) {
1351 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1352 "missing \"=\" in (or value after) \"%s\" "
1354 fname, lineno, left );
1358 if ( !BER_BVISEMPTY( &b->a_peername_pat ) ) {
1359 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1360 "peername pattern already specified.\n",
1365 b->a_peername_style = sty;
1366 if ( sty == ACL_STYLE_REGEX ) {
1367 acl_regex_normalized_dn( right, &bv );
1368 if ( !ber_bvccmp( &bv, '*' ) ) {
1369 regtest( fname, lineno, bv.bv_val );
1371 b->a_peername_pat = bv;
1374 ber_str2bv( right, 0, 1, &b->a_peername_pat );
1376 if ( sty == ACL_STYLE_IP ) {
1381 split( right, '{', &addr, &port );
1382 split( addr, '%', &addr, &mask );
1384 b->a_peername_addr = inet_addr( addr );
1385 if ( b->a_peername_addr == (unsigned long)(-1) ) {
1386 /* illegal address */
1387 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1388 "illegal peername address \"%s\".\n",
1389 fname, lineno, addr );
1393 b->a_peername_mask = (unsigned long)(-1);
1394 if ( mask != NULL ) {
1395 b->a_peername_mask = inet_addr( mask );
1396 if ( b->a_peername_mask ==
1397 (unsigned long)(-1) )
1400 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1401 "illegal peername address mask "
1403 fname, lineno, mask );
1408 b->a_peername_port = -1;
1412 b->a_peername_port = strtol( port, &end, 10 );
1413 if ( end == port || end[0] != '}' ) {
1415 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1416 "illegal peername port specification "
1418 fname, lineno, port );
1427 if ( strcasecmp( left, "sockname" ) == 0 ) {
1429 case ACL_STYLE_REGEX:
1430 case ACL_STYLE_BASE:
1431 /* legal, traditional */
1432 case ACL_STYLE_EXPAND:
1433 /* cheap replacement to regex for simple expansion */
1438 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1439 "inappropriate style \"%s\" in by clause\n",
1440 fname, lineno, style );
1444 if ( right == NULL || right[0] == '\0' ) {
1445 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1446 "missing \"=\" in (or value after) \"%s\" "
1448 fname, lineno, left );
1452 if ( !BER_BVISNULL( &b->a_sockname_pat ) ) {
1453 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1454 "sockname pattern already specified.\n",
1459 b->a_sockname_style = sty;
1460 if ( sty == ACL_STYLE_REGEX ) {
1461 acl_regex_normalized_dn( right, &bv );
1462 if ( !ber_bvccmp( &bv, '*' ) ) {
1463 regtest( fname, lineno, bv.bv_val );
1465 b->a_sockname_pat = bv;
1468 ber_str2bv( right, 0, 1, &b->a_sockname_pat );
1473 if ( strcasecmp( left, "domain" ) == 0 ) {
1475 case ACL_STYLE_REGEX:
1476 case ACL_STYLE_BASE:
1477 case ACL_STYLE_SUBTREE:
1478 /* legal, traditional */
1481 case ACL_STYLE_EXPAND:
1482 /* tolerated: means exact,expand */
1484 Debug( LDAP_DEBUG_ANY,
1486 "\"expand\" modifier "
1487 "with \"expand\" style.\n",
1490 sty = ACL_STYLE_BASE;
1496 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1497 "inappropriate style \"%s\" in by clause.\n",
1498 fname, lineno, style );
1502 if ( right == NULL || right[0] == '\0' ) {
1503 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1504 "missing \"=\" in (or value after) \"%s\" "
1506 fname, lineno, left );
1510 if ( !BER_BVISEMPTY( &b->a_domain_pat ) ) {
1511 Debug( LDAP_DEBUG_ANY,
1512 "%s: line %d: domain pattern already specified.\n",
1517 b->a_domain_style = sty;
1518 b->a_domain_expand = expand;
1519 if ( sty == ACL_STYLE_REGEX ) {
1520 acl_regex_normalized_dn( right, &bv );
1521 if ( !ber_bvccmp( &bv, '*' ) ) {
1522 regtest( fname, lineno, bv.bv_val );
1524 b->a_domain_pat = bv;
1527 ber_str2bv( right, 0, 1, &b->a_domain_pat );
1532 if ( strcasecmp( left, "sockurl" ) == 0 ) {
1534 case ACL_STYLE_REGEX:
1535 case ACL_STYLE_BASE:
1536 /* legal, traditional */
1537 case ACL_STYLE_EXPAND:
1538 /* cheap replacement to regex for simple expansion */
1543 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1544 "inappropriate style \"%s\" in by clause.\n",
1545 fname, lineno, style );
1549 if ( right == NULL || right[0] == '\0' ) {
1550 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1551 "missing \"=\" in (or value after) \"%s\" "
1553 fname, lineno, left );
1557 if ( !BER_BVISEMPTY( &b->a_sockurl_pat ) ) {
1558 Debug( LDAP_DEBUG_ANY,
1559 "%s: line %d: sockurl pattern already specified.\n",
1564 b->a_sockurl_style = sty;
1565 if ( sty == ACL_STYLE_REGEX ) {
1566 acl_regex_normalized_dn( right, &bv );
1567 if ( !ber_bvccmp( &bv, '*' ) ) {
1568 regtest( fname, lineno, bv.bv_val );
1570 b->a_sockurl_pat = bv;
1573 ber_str2bv( right, 0, 1, &b->a_sockurl_pat );
1578 if ( strcasecmp( left, "set" ) == 0 ) {
1581 case ACL_STYLE_REGEX:
1582 Debug( LDAP_DEBUG_CONFIG | LDAP_DEBUG_ACL,
1584 "deprecated set style "
1585 "\"regex\" in <by> clause; "
1586 "use \"expand\" instead.\n",
1588 sty = ACL_STYLE_EXPAND;
1591 case ACL_STYLE_BASE:
1592 case ACL_STYLE_EXPAND:
1596 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1597 "inappropriate style \"%s\" in by clause.\n",
1598 fname, lineno, style );
1602 if ( !BER_BVISEMPTY( &b->a_set_pat ) ) {
1603 Debug( LDAP_DEBUG_ANY,
1604 "%s: line %d: set attribute already specified.\n",
1609 if ( right == NULL || *right == '\0' ) {
1610 Debug( LDAP_DEBUG_ANY,
1611 "%s: line %d: no set is defined.\n",
1616 b->a_set_style = sty;
1617 ber_str2bv( right, 0, 1, &b->a_set_pat );
1627 if ( strcasecmp( left, "aci" ) == 0 ) {
1630 } else if ( strncasecmp( left, "dynacl/", STRLENOF( "dynacl/" ) ) == 0 ) {
1631 name = &left[ STRLENOF( "dynacl/" ) ];
1632 opts = strchr( name, '/' );
1640 if ( slap_dynacl_config( fname, lineno, b, name, opts, sty, right ) ) {
1641 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1642 "unable to configure dynacl \"%s\".\n",
1643 fname, lineno, name );
1650 #else /* ! SLAP_DYNACL */
1652 #ifdef SLAPD_ACI_ENABLED
1653 if ( strcasecmp( left, "aci" ) == 0 ) {
1654 if (sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE) {
1655 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1656 "inappropriate style \"%s\" in by clause.\n",
1657 fname, lineno, style );
1661 if( b->a_aci_at != NULL ) {
1662 Debug( LDAP_DEBUG_ANY,
1663 "%s: line %d: ACI attribute already specified.\n",
1668 if ( right != NULL && *right != '\0' ) {
1669 rc = slap_str2ad( right, &b->a_aci_at, &text );
1671 if( rc != LDAP_SUCCESS ) {
1672 char buf[ SLAP_TEXT_BUFLEN ];
1674 snprintf( buf, sizeof( buf ),
1677 Debug( LDAP_DEBUG_ANY,
1678 "%s: line %d: %s\n",
1679 fname, lineno, buf );
1684 b->a_aci_at = slap_ad_aci;
1687 if( !is_at_syntax( b->a_aci_at->ad_type,
1690 char buf[ SLAP_TEXT_BUFLEN ];
1692 snprintf( buf, sizeof( buf ),
1693 "ACI \"%s\": inappropriate syntax: %s.",
1695 b->a_aci_at->ad_type->sat_syntax_oid );
1696 Debug( LDAP_DEBUG_ANY, "%s: line %d: %s\n",
1697 fname, lineno, buf );
1703 #endif /* SLAPD_ACI_ENABLED */
1704 #endif /* ! SLAP_DYNACL */
1706 if ( strcasecmp( left, "ssf" ) == 0 ) {
1707 if ( sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE ) {
1708 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1709 "inappropriate style \"%s\" in by clause.\n",
1710 fname, lineno, style );
1714 if ( b->a_authz.sai_ssf ) {
1715 Debug( LDAP_DEBUG_ANY,
1716 "%s: line %d: ssf attribute already specified.\n",
1721 if ( right == NULL || *right == '\0' ) {
1722 Debug( LDAP_DEBUG_ANY,
1723 "%s: line %d: no ssf is defined.\n",
1728 if ( lutil_atou( &b->a_authz.sai_ssf, right ) != 0 ) {
1729 Debug( LDAP_DEBUG_ANY,
1730 "%s: line %d: unable to parse ssf value (%s).\n",
1731 fname, lineno, right );
1735 if ( !b->a_authz.sai_ssf ) {
1736 Debug( LDAP_DEBUG_ANY,
1737 "%s: line %d: invalid ssf value (%s).\n",
1738 fname, lineno, right );
1744 if ( strcasecmp( left, "transport_ssf" ) == 0 ) {
1745 if ( sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE ) {
1746 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1747 "inappropriate style \"%s\" in by clause.\n",
1748 fname, lineno, style );
1752 if ( b->a_authz.sai_transport_ssf ) {
1753 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1754 "transport_ssf attribute already specified.\n",
1759 if ( right == NULL || *right == '\0' ) {
1760 Debug( LDAP_DEBUG_ANY,
1761 "%s: line %d: no transport_ssf is defined.\n",
1766 if ( lutil_atou( &b->a_authz.sai_transport_ssf, right ) != 0 ) {
1767 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1768 "unable to parse transport_ssf value (%s).\n",
1769 fname, lineno, right );
1773 if ( !b->a_authz.sai_transport_ssf ) {
1774 Debug( LDAP_DEBUG_ANY,
1775 "%s: line %d: invalid transport_ssf value (%s).\n",
1776 fname, lineno, right );
1782 if ( strcasecmp( left, "tls_ssf" ) == 0 ) {
1783 if ( sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE ) {
1784 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1785 "inappropriate style \"%s\" in by clause.\n",
1786 fname, lineno, style );
1790 if ( b->a_authz.sai_tls_ssf ) {
1791 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1792 "tls_ssf attribute already specified.\n",
1797 if ( right == NULL || *right == '\0' ) {
1798 Debug( LDAP_DEBUG_ANY,
1799 "%s: line %d: no tls_ssf is defined\n",
1804 if ( lutil_atou( &b->a_authz.sai_tls_ssf, right ) != 0 ) {
1805 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1806 "unable to parse tls_ssf value (%s).\n",
1807 fname, lineno, right );
1811 if ( !b->a_authz.sai_tls_ssf ) {
1812 Debug( LDAP_DEBUG_ANY,
1813 "%s: line %d: invalid tls_ssf value (%s).\n",
1814 fname, lineno, right );
1820 if ( strcasecmp( left, "sasl_ssf" ) == 0 ) {
1821 if ( sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE ) {
1822 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1823 "inappropriate style \"%s\" in by clause.\n",
1824 fname, lineno, style );
1828 if ( b->a_authz.sai_sasl_ssf ) {
1829 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1830 "sasl_ssf attribute already specified.\n",
1835 if ( right == NULL || *right == '\0' ) {
1836 Debug( LDAP_DEBUG_ANY,
1837 "%s: line %d: no sasl_ssf is defined.\n",
1842 if ( lutil_atou( &b->a_authz.sai_sasl_ssf, right ) != 0 ) {
1843 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1844 "unable to parse sasl_ssf value (%s).\n",
1845 fname, lineno, right );
1849 if ( !b->a_authz.sai_sasl_ssf ) {
1850 Debug( LDAP_DEBUG_ANY,
1851 "%s: line %d: invalid sasl_ssf value (%s).\n",
1852 fname, lineno, right );
1858 if ( right != NULL ) {
1865 if ( i == argc || ( strcasecmp( left, "stop" ) == 0 ) ) {
1866 /* out of arguments or plain stop */
1868 ACL_PRIV_ASSIGN( b->a_access_mask, ACL_PRIV_ADDITIVE );
1869 b->a_type = ACL_STOP;
1871 access_append( &a->acl_access, b );
1875 if ( strcasecmp( left, "continue" ) == 0 ) {
1876 /* plain continue */
1878 ACL_PRIV_ASSIGN( b->a_access_mask, ACL_PRIV_ADDITIVE );
1879 b->a_type = ACL_CONTINUE;
1881 access_append( &a->acl_access, b );
1885 if ( strcasecmp( left, "break" ) == 0 ) {
1886 /* plain continue */
1888 ACL_PRIV_ASSIGN(b->a_access_mask, ACL_PRIV_ADDITIVE);
1889 b->a_type = ACL_BREAK;
1891 access_append( &a->acl_access, b );
1895 if ( strcasecmp( left, "by" ) == 0 ) {
1896 /* we've gone too far */
1898 ACL_PRIV_ASSIGN( b->a_access_mask, ACL_PRIV_ADDITIVE );
1899 b->a_type = ACL_STOP;
1901 access_append( &a->acl_access, b );
1906 if ( strncasecmp( left, "self", STRLENOF( "self" ) ) == 0 ) {
1908 ACL_PRIV_ASSIGN( b->a_access_mask, str2accessmask( &left[ STRLENOF( "self" ) ] ) );
1910 } else if ( strncasecmp( left, "realself", STRLENOF( "realself" ) ) == 0 ) {
1911 b->a_realdn_self = 1;
1912 ACL_PRIV_ASSIGN( b->a_access_mask, str2accessmask( &left[ STRLENOF( "realself" ) ] ) );
1915 ACL_PRIV_ASSIGN( b->a_access_mask, str2accessmask( left ) );
1918 if ( ACL_IS_INVALID( b->a_access_mask ) ) {
1919 Debug( LDAP_DEBUG_ANY,
1920 "%s: line %d: expecting <access> got \"%s\".\n",
1921 fname, lineno, left );
1925 b->a_type = ACL_STOP;
1927 if ( ++i == argc ) {
1928 /* out of arguments or plain stop */
1929 access_append( &a->acl_access, b );
1933 if ( strcasecmp( argv[i], "continue" ) == 0 ) {
1934 /* plain continue */
1935 b->a_type = ACL_CONTINUE;
1937 } else if ( strcasecmp( argv[i], "break" ) == 0 ) {
1938 /* plain continue */
1939 b->a_type = ACL_BREAK;
1941 } else if ( strcasecmp( argv[i], "stop" ) != 0 ) {
1946 access_append( &a->acl_access, b );
1949 Debug( LDAP_DEBUG_ANY,
1950 "%s: line %d: expecting \"to\" "
1951 "or \"by\" got \"%s\"\n",
1952 fname, lineno, argv[i] );
1957 /* if we have no real access clause, complain and do nothing */
1959 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1960 "warning: no access clause(s) "
1961 "specified in access line"
1962 SLAPD_CONF_UNKNOWN_IGNORED ".\n",
1964 #ifdef SLAPD_CONF_UNKNOWN_BAILOUT
1966 #endif /* SLAPD_CONF_UNKNOWN_BAILOUT */
1970 if ( ldap_debug & LDAP_DEBUG_ACL ) {
1975 if ( a->acl_access == NULL ) {
1976 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1977 "warning: no by clause(s) "
1978 "specified in access line"
1979 SLAPD_CONF_UNKNOWN_IGNORED ".\n",
1981 #ifdef SLAPD_CONF_UNKNOWN_BAILOUT
1983 #endif /* SLAPD_CONF_UNKNOWN_BAILOUT */
1987 if ( be->be_nsuffix == NULL ) {
1988 Debug( LDAP_DEBUG_ACL, "%s: line %d: warning: "
1989 "scope checking needs suffix before ACLs.\n",
1991 /* go ahead, since checking is not authoritative */
1992 } else if ( !BER_BVISNULL( &be->be_nsuffix[ 1 ] ) ) {
1993 Debug( LDAP_DEBUG_ACL, "%s: line %d: warning: "
1994 "scope checking only applies to single-valued "
1995 "suffix databases\n",
1997 /* go ahead, since checking is not authoritative */
1999 switch ( check_scope( be, a ) ) {
2000 case ACL_SCOPE_UNKNOWN:
2001 Debug( LDAP_DEBUG_ACL, "%s: line %d: warning: "
2002 "cannot assess the validity of the ACL scope within "
2003 "backend naming context\n",
2007 case ACL_SCOPE_WARN:
2008 Debug( LDAP_DEBUG_ACL, "%s: line %d: warning: "
2009 "ACL could be out of scope within backend naming context\n",
2013 case ACL_SCOPE_PARTIAL:
2014 Debug( LDAP_DEBUG_ACL, "%s: line %d: warning: "
2015 "ACL appears to be partially out of scope within "
2016 "backend naming context\n",
2021 Debug( LDAP_DEBUG_ACL, "%s: line %d: warning: "
2022 "ACL appears to be out of scope within "
2023 "backend naming context\n",
2031 acl_append( &be->be_acl, a, pos );
2034 acl_append( &frontendDB->be_acl, a, pos );
2042 accessmask2str( slap_mask_t mask, char *buf, int debug )
2047 assert( buf != NULL );
2049 if ( ACL_IS_INVALID( mask ) ) {
2055 if ( ACL_IS_LEVEL( mask ) ) {
2056 if ( ACL_LVL_IS_NONE(mask) ) {
2057 ptr = lutil_strcopy( ptr, "none" );
2059 } else if ( ACL_LVL_IS_DISCLOSE(mask) ) {
2060 ptr = lutil_strcopy( ptr, "disclose" );
2062 } else if ( ACL_LVL_IS_AUTH(mask) ) {
2063 ptr = lutil_strcopy( ptr, "auth" );
2065 } else if ( ACL_LVL_IS_COMPARE(mask) ) {
2066 ptr = lutil_strcopy( ptr, "compare" );
2068 } else if ( ACL_LVL_IS_SEARCH(mask) ) {
2069 ptr = lutil_strcopy( ptr, "search" );
2071 } else if ( ACL_LVL_IS_READ(mask) ) {
2072 ptr = lutil_strcopy( ptr, "read" );
2074 } else if ( ACL_LVL_IS_WRITE(mask) ) {
2075 ptr = lutil_strcopy( ptr, "write" );
2077 } else if ( ACL_LVL_IS_WADD(mask) ) {
2078 ptr = lutil_strcopy( ptr, "add" );
2080 } else if ( ACL_LVL_IS_WDEL(mask) ) {
2081 ptr = lutil_strcopy( ptr, "delete" );
2083 } else if ( ACL_LVL_IS_MANAGE(mask) ) {
2084 ptr = lutil_strcopy( ptr, "manage" );
2087 ptr = lutil_strcopy( ptr, "unknown" );
2097 if( ACL_IS_ADDITIVE( mask ) ) {
2100 } else if( ACL_IS_SUBTRACTIVE( mask ) ) {
2107 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_MANAGE) ) {
2112 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_WRITE) ) {
2116 } else if ( ACL_PRIV_ISSET(mask, ACL_PRIV_WADD) ) {
2120 } else if ( ACL_PRIV_ISSET(mask, ACL_PRIV_WDEL) ) {
2125 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_READ) ) {
2130 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_SEARCH) ) {
2135 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_COMPARE) ) {
2140 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_AUTH) ) {
2145 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_DISCLOSE) ) {
2150 if ( none && ACL_PRIV_ISSET(mask, ACL_PRIV_NONE) ) {
2159 if ( ACL_IS_LEVEL( mask ) ) {
2169 str2accessmask( const char *str )
2173 if( !ASCII_ALPHA(str[0]) ) {
2176 if ( str[0] == '=' ) {
2179 } else if( str[0] == '+' ) {
2180 ACL_PRIV_ASSIGN(mask, ACL_PRIV_ADDITIVE);
2182 } else if( str[0] == '-' ) {
2183 ACL_PRIV_ASSIGN(mask, ACL_PRIV_SUBSTRACTIVE);
2186 ACL_INVALIDATE(mask);
2190 for( i=1; str[i] != '\0'; i++ ) {
2191 if( TOLOWER((unsigned char) str[i]) == 'm' ) {
2192 ACL_PRIV_SET(mask, ACL_PRIV_MANAGE);
2194 } else if( TOLOWER((unsigned char) str[i]) == 'w' ) {
2195 ACL_PRIV_SET(mask, ACL_PRIV_WRITE);
2197 } else if( TOLOWER((unsigned char) str[i]) == 'a' ) {
2198 ACL_PRIV_SET(mask, ACL_PRIV_WADD);
2200 } else if( TOLOWER((unsigned char) str[i]) == 'z' ) {
2201 ACL_PRIV_SET(mask, ACL_PRIV_WDEL);
2203 } else if( TOLOWER((unsigned char) str[i]) == 'r' ) {
2204 ACL_PRIV_SET(mask, ACL_PRIV_READ);
2206 } else if( TOLOWER((unsigned char) str[i]) == 's' ) {
2207 ACL_PRIV_SET(mask, ACL_PRIV_SEARCH);
2209 } else if( TOLOWER((unsigned char) str[i]) == 'c' ) {
2210 ACL_PRIV_SET(mask, ACL_PRIV_COMPARE);
2212 } else if( TOLOWER((unsigned char) str[i]) == 'x' ) {
2213 ACL_PRIV_SET(mask, ACL_PRIV_AUTH);
2215 } else if( TOLOWER((unsigned char) str[i]) == 'd' ) {
2216 ACL_PRIV_SET(mask, ACL_PRIV_DISCLOSE);
2218 } else if( str[i] != '0' ) {
2219 ACL_INVALIDATE(mask);
2227 if ( strcasecmp( str, "none" ) == 0 ) {
2228 ACL_LVL_ASSIGN_NONE(mask);
2230 } else if ( strcasecmp( str, "disclose" ) == 0 ) {
2231 ACL_LVL_ASSIGN_DISCLOSE(mask);
2233 } else if ( strcasecmp( str, "auth" ) == 0 ) {
2234 ACL_LVL_ASSIGN_AUTH(mask);
2236 } else if ( strcasecmp( str, "compare" ) == 0 ) {
2237 ACL_LVL_ASSIGN_COMPARE(mask);
2239 } else if ( strcasecmp( str, "search" ) == 0 ) {
2240 ACL_LVL_ASSIGN_SEARCH(mask);
2242 } else if ( strcasecmp( str, "read" ) == 0 ) {
2243 ACL_LVL_ASSIGN_READ(mask);
2245 } else if ( strcasecmp( str, "add" ) == 0 ) {
2246 ACL_LVL_ASSIGN_WADD(mask);
2248 } else if ( strcasecmp( str, "delete" ) == 0 ) {
2249 ACL_LVL_ASSIGN_WDEL(mask);
2251 } else if ( strcasecmp( str, "write" ) == 0 ) {
2252 ACL_LVL_ASSIGN_WRITE(mask);
2254 } else if ( strcasecmp( str, "manage" ) == 0 ) {
2255 ACL_LVL_ASSIGN_MANAGE(mask);
2258 ACL_INVALIDATE( mask );
2268 "<access clause> ::= access to <what> "
2269 "[ by <who> <access> [ <control> ] ]+ \n";
2271 "<what> ::= * | [dn[.<dnstyle>]=<DN>] [filter=<filter>] [attrs=<attrspec>]\n"
2272 "<attrspec> ::= <attrname> [val[/<matchingRule>][.<attrstyle>]=<value>] | <attrlist>\n"
2273 "<attrlist> ::= <attr> [ , <attrlist> ]\n"
2274 "<attr> ::= <attrname> | @<objectClass> | !<objectClass> | entry | children\n";
2277 "<who> ::= [ * | anonymous | users | self | dn[.<dnstyle>]=<DN> ]\n"
2278 "\t[ realanonymous | realusers | realself | realdn[.<dnstyle>]=<DN> ]\n"
2279 "\t[dnattr=<attrname>]\n"
2280 "\t[realdnattr=<attrname>]\n"
2281 "\t[group[/<objectclass>[/<attrname>]][.<style>]=<group>]\n"
2282 "\t[peername[.<peernamestyle>]=<peer>] [sockname[.<style>]=<name>]\n"
2283 "\t[domain[.<domainstyle>]=<domain>] [sockurl[.<style>]=<url>]\n"
2285 "\t[dynacl/<name>[/<options>][.<dynstyle>][=<pattern>]]\n"
2286 #else /* ! SLAP_DYNACL */
2287 #ifdef SLAPD_ACI_ENABLED
2288 "\t[aci[=<attrname>]]\n"
2289 #endif /* SLAPD_ACI_ENABLED */
2290 #endif /* ! SLAP_DYNACL */
2291 "\t[ssf=<n>] [transport_ssf=<n>] [tls_ssf=<n>] [sasl_ssf=<n>]\n"
2292 "<style> ::= exact | regex | base(Object)\n"
2293 "<dnstyle> ::= base(Object) | one(level) | sub(tree) | children | "
2295 "<attrstyle> ::= exact | regex | base(Object) | one(level) | "
2296 "sub(tree) | children\n"
2297 "<peernamestyle> ::= exact | regex | ip | path\n"
2298 "<domainstyle> ::= exact | regex | base(Object) | sub(tree)\n"
2299 "<access> ::= [[real]self]{<level>|<priv>}\n"
2300 "<level> ::= none|disclose|auth|compare|search|read|{write|add|delete}|manage\n"
2301 "<priv> ::= {=|+|-}{0|d|x|c|s|r|{w|a|z}|m}+\n"
2302 "<control> ::= [ stop | continue | break ]\n"
2304 #ifdef SLAPD_ACI_ENABLED
2306 "\t<name>=ACI\t<pattern>=<attrname>\n"
2307 #endif /* SLAPD_ACI_ENABLED */
2308 #endif /* ! SLAP_DYNACL */
2311 Debug( LDAP_DEBUG_ANY, "%s%s%s\n", access, what, who );
2317 * Set pattern to a "normalized" DN from src.
2318 * At present it simply eats the (optional) space after
2319 * a RDN separator (,)
2320 * Eventually will evolve in a more complete normalization
2323 acl_regex_normalized_dn(
2325 struct berval *pattern )
2330 str = ch_strdup( src );
2331 len = strlen( src );
2333 for ( p = str; p && p[0]; p++ ) {
2335 if ( p[0] == '\\' && p[1] ) {
2337 * if escaping a hex pair we should
2338 * increment p twice; however, in that
2339 * case the second hex number does
2345 if ( p[0] == ',' && p[1] == ' ' ) {
2349 * too much space should be an error if we are pedantic
2351 for ( q = &p[2]; q[0] == ' '; q++ ) {
2354 AC_MEMCPY( p+1, q, len-(q-str)+1);
2357 pattern->bv_val = str;
2358 pattern->bv_len = p - str;
2371 if ( (*right = strchr( line, splitchar )) != NULL ) {
2372 *((*right)++) = '\0';
2377 access_append( Access **l, Access *a )
2379 for ( ; *l != NULL; l = &(*l)->a_next ) {
2387 acl_append( AccessControl **l, AccessControl *a, int pos )
2391 for (i=0 ; i != pos && *l != NULL; l = &(*l)->acl_next, i++ ) {
2400 access_free( Access *a )
2402 if ( !BER_BVISNULL( &a->a_dn_pat ) ) {
2403 free( a->a_dn_pat.bv_val );
2405 if ( !BER_BVISNULL( &a->a_realdn_pat ) ) {
2406 free( a->a_realdn_pat.bv_val );
2408 if ( !BER_BVISNULL( &a->a_peername_pat ) ) {
2409 free( a->a_peername_pat.bv_val );
2411 if ( !BER_BVISNULL( &a->a_sockname_pat ) ) {
2412 free( a->a_sockname_pat.bv_val );
2414 if ( !BER_BVISNULL( &a->a_domain_pat ) ) {
2415 free( a->a_domain_pat.bv_val );
2417 if ( !BER_BVISNULL( &a->a_sockurl_pat ) ) {
2418 free( a->a_sockurl_pat.bv_val );
2420 if ( !BER_BVISNULL( &a->a_set_pat ) ) {
2421 free( a->a_set_pat.bv_val );
2423 if ( !BER_BVISNULL( &a->a_group_pat ) ) {
2424 free( a->a_group_pat.bv_val );
2427 if ( a->a_dynacl != NULL ) {
2429 for ( da = a->a_dynacl; da; ) {
2430 slap_dynacl_t *tmp = da;
2434 if ( tmp->da_destroy ) {
2435 tmp->da_destroy( tmp->da_private );
2441 #endif /* SLAP_DYNACL */
2446 acl_free( AccessControl *a )
2451 if ( a->acl_filter ) {
2452 filter_free( a->acl_filter );
2454 if ( !BER_BVISNULL( &a->acl_dn_pat ) ) {
2455 if ( a->acl_dn_style == ACL_STYLE_REGEX ) {
2456 regfree( &a->acl_dn_re );
2458 free ( a->acl_dn_pat.bv_val );
2460 if ( a->acl_attrs ) {
2461 for ( an = a->acl_attrs; !BER_BVISNULL( &an->an_name ); an++ ) {
2462 free( an->an_name.bv_val );
2464 free( a->acl_attrs );
2466 for ( ; a->acl_access; a->acl_access = n ) {
2467 n = a->acl_access->a_next;
2468 access_free( a->acl_access );
2473 /* Because backend_startup uses acl_append to tack on the global_acl to
2474 * the end of each backend's acl, we cannot just take one argument and
2475 * merrily free our way to the end of the list. backend_destroy calls us
2476 * with the be_acl in arg1, and global_acl in arg2 to give us a stopping
2477 * point. config_destroy calls us with global_acl in arg1 and NULL in
2478 * arg2, so we then proceed to polish off the global_acl.
2481 acl_destroy( AccessControl *a, AccessControl *end )
2485 for ( ; a && a != end; a = n ) {
2492 access2str( slap_access_t access )
2494 if ( access == ACL_NONE ) {
2497 } else if ( access == ACL_DISCLOSE ) {
2500 } else if ( access == ACL_AUTH ) {
2503 } else if ( access == ACL_COMPARE ) {
2506 } else if ( access == ACL_SEARCH ) {
2509 } else if ( access == ACL_READ ) {
2512 } else if ( access == ACL_WRITE ) {
2515 } else if ( access == ACL_WADD ) {
2518 } else if ( access == ACL_WDEL ) {
2521 } else if ( access == ACL_MANAGE ) {
2530 str2access( const char *str )
2532 if ( strcasecmp( str, "none" ) == 0 ) {
2535 } else if ( strcasecmp( str, "disclose" ) == 0 ) {
2536 #ifndef SLAP_ACL_HONOR_DISCLOSE
2537 Debug( LDAP_DEBUG_ACL, "str2access: warning, "
2538 "\"disclose\" privilege disabled.\n",
2540 #endif /* SLAP_ACL_HONOR_DISCLOSE */
2541 return ACL_DISCLOSE;
2543 } else if ( strcasecmp( str, "auth" ) == 0 ) {
2546 } else if ( strcasecmp( str, "compare" ) == 0 ) {
2549 } else if ( strcasecmp( str, "search" ) == 0 ) {
2552 } else if ( strcasecmp( str, "read" ) == 0 ) {
2555 } else if ( strcasecmp( str, "write" ) == 0 ) {
2558 } else if ( strcasecmp( str, "add" ) == 0 ) {
2561 } else if ( strcasecmp( str, "delete" ) == 0 ) {
2564 } else if ( strcasecmp( str, "manage" ) == 0 ) {
2568 return( ACL_INVALID_ACCESS );
2571 #define ACLBUF_MAXLEN 8192
2573 static char aclbuf[ACLBUF_MAXLEN];
2576 dnaccess2text( slap_dn_access *bdn, char *ptr, int is_realdn )
2581 ptr = lutil_strcopy( ptr, "real" );
2584 if ( ber_bvccmp( &bdn->a_pat, '*' ) ||
2585 bdn->a_style == ACL_STYLE_ANONYMOUS ||
2586 bdn->a_style == ACL_STYLE_USERS ||
2587 bdn->a_style == ACL_STYLE_SELF )
2590 assert( ! ber_bvccmp( &bdn->a_pat, '*' ) );
2593 ptr = lutil_strcopy( ptr, bdn->a_pat.bv_val );
2594 if ( bdn->a_style == ACL_STYLE_SELF && bdn->a_self_level != 0 ) {
2595 int n = sprintf( ptr, ".level{%d}", bdn->a_self_level );
2602 ptr = lutil_strcopy( ptr, "dn." );
2603 if ( bdn->a_style == ACL_STYLE_BASE )
2604 ptr = lutil_strcopy( ptr, style_base );
2606 ptr = lutil_strcopy( ptr, style_strings[bdn->a_style] );
2607 if ( bdn->a_style == ACL_STYLE_LEVEL ) {
2608 int n = sprintf( ptr, "{%d}", bdn->a_level );
2613 if ( bdn->a_expand ) {
2614 ptr = lutil_strcopy( ptr, ",expand" );
2618 ptr = lutil_strcopy( ptr, bdn->a_pat.bv_val );
2625 access2text( Access *b, char *ptr )
2627 char maskbuf[ACCESSMASK_MAXLEN];
2629 ptr = lutil_strcopy( ptr, "\tby" );
2631 if ( !BER_BVISEMPTY( &b->a_dn_pat ) ) {
2632 ptr = dnaccess2text( &b->a_dn, ptr, 0 );
2635 ptr = lutil_strcopy( ptr, " dnattr=" );
2636 ptr = lutil_strcopy( ptr, b->a_dn_at->ad_cname.bv_val );
2639 if ( !BER_BVISEMPTY( &b->a_realdn_pat ) ) {
2640 ptr = dnaccess2text( &b->a_realdn, ptr, 1 );
2642 if ( b->a_realdn_at ) {
2643 ptr = lutil_strcopy( ptr, " realdnattr=" );
2644 ptr = lutil_strcopy( ptr, b->a_realdn_at->ad_cname.bv_val );
2647 if ( !BER_BVISEMPTY( &b->a_group_pat ) ) {
2648 ptr = lutil_strcopy( ptr, " group/" );
2649 ptr = lutil_strcopy( ptr, b->a_group_oc ?
2650 b->a_group_oc->soc_cname.bv_val : SLAPD_GROUP_CLASS );
2652 ptr = lutil_strcopy( ptr, b->a_group_at ?
2653 b->a_group_at->ad_cname.bv_val : SLAPD_GROUP_ATTR );
2655 ptr = lutil_strcopy( ptr, style_strings[b->a_group_style] );
2658 ptr = lutil_strcopy( ptr, b->a_group_pat.bv_val );
2662 if ( !BER_BVISEMPTY( &b->a_peername_pat ) ) {
2663 ptr = lutil_strcopy( ptr, " peername" );
2665 ptr = lutil_strcopy( ptr, style_strings[b->a_peername_style] );
2668 ptr = lutil_strcopy( ptr, b->a_peername_pat.bv_val );
2672 if ( !BER_BVISEMPTY( &b->a_sockname_pat ) ) {
2673 ptr = lutil_strcopy( ptr, " sockname" );
2675 ptr = lutil_strcopy( ptr, style_strings[b->a_sockname_style] );
2678 ptr = lutil_strcopy( ptr, b->a_sockname_pat.bv_val );
2682 if ( !BER_BVISEMPTY( &b->a_domain_pat ) ) {
2683 ptr = lutil_strcopy( ptr, " domain" );
2685 ptr = lutil_strcopy( ptr, style_strings[b->a_domain_style] );
2686 if ( b->a_domain_expand ) {
2687 ptr = lutil_strcopy( ptr, ",expand" );
2690 ptr = lutil_strcopy( ptr, b->a_domain_pat.bv_val );
2693 if ( !BER_BVISEMPTY( &b->a_sockurl_pat ) ) {
2694 ptr = lutil_strcopy( ptr, " sockurl" );
2696 ptr = lutil_strcopy( ptr, style_strings[b->a_sockurl_style] );
2699 ptr = lutil_strcopy( ptr, b->a_sockurl_pat.bv_val );
2703 if ( !BER_BVISEMPTY( &b->a_set_pat ) ) {
2704 ptr = lutil_strcopy( ptr, " set" );
2706 ptr = lutil_strcopy( ptr, style_strings[b->a_set_style] );
2709 ptr = lutil_strcopy( ptr, b->a_set_pat.bv_val );
2714 if ( b->a_dynacl ) {
2717 for ( da = b->a_dynacl; da; da = da->da_next ) {
2718 if ( da->da_unparse ) {
2719 struct berval bv = BER_BVNULL;
2720 (void)( *da->da_unparse )( da->da_private, &bv );
2721 assert( !BER_BVISNULL( &bv ) );
2722 ptr = lutil_strcopy( ptr, bv.bv_val );
2723 ch_free( bv.bv_val );
2727 #else /* ! SLAP_DYNACL */
2728 #ifdef SLAPD_ACI_ENABLED
2729 if ( b->a_aci_at != NULL ) {
2730 ptr = lutil_strcopy( ptr, " aci=" );
2731 ptr = lutil_strcopy( ptr, b->a_aci_at->ad_cname.bv_val );
2734 #endif /* SLAP_DYNACL */
2736 /* Security Strength Factors */
2737 if ( b->a_authz.sai_ssf ) {
2738 ptr += sprintf( ptr, " ssf=%u",
2739 b->a_authz.sai_ssf );
2741 if ( b->a_authz.sai_transport_ssf ) {
2742 ptr += sprintf( ptr, " transport_ssf=%u",
2743 b->a_authz.sai_transport_ssf );
2745 if ( b->a_authz.sai_tls_ssf ) {
2746 ptr += sprintf( ptr, " tls_ssf=%u",
2747 b->a_authz.sai_tls_ssf );
2749 if ( b->a_authz.sai_sasl_ssf ) {
2750 ptr += sprintf( ptr, " sasl_ssf=%u",
2751 b->a_authz.sai_sasl_ssf );
2755 if ( b->a_dn_self ) {
2756 ptr = lutil_strcopy( ptr, "self" );
2757 } else if ( b->a_realdn_self ) {
2758 ptr = lutil_strcopy( ptr, "realself" );
2760 ptr = lutil_strcopy( ptr, accessmask2str( b->a_access_mask, maskbuf, 0 ));
2761 if ( !maskbuf[0] ) ptr--;
2763 if( b->a_type == ACL_BREAK ) {
2764 ptr = lutil_strcopy( ptr, " break" );
2766 } else if( b->a_type == ACL_CONTINUE ) {
2767 ptr = lutil_strcopy( ptr, " continue" );
2769 } else if( b->a_type != ACL_STOP ) {
2770 ptr = lutil_strcopy( ptr, " unknown-control" );
2772 if ( !maskbuf[0] ) ptr = lutil_strcopy( ptr, " stop" );
2780 acl_unparse( AccessControl *a, struct berval *bv )
2786 bv->bv_val = aclbuf;
2791 ptr = lutil_strcopy( ptr, "to" );
2792 if ( !BER_BVISNULL( &a->acl_dn_pat ) ) {
2794 ptr = lutil_strcopy( ptr, " dn." );
2795 if ( a->acl_dn_style == ACL_STYLE_BASE )
2796 ptr = lutil_strcopy( ptr, style_base );
2798 ptr = lutil_strcopy( ptr, style_strings[a->acl_dn_style] );
2801 ptr = lutil_strcopy( ptr, a->acl_dn_pat.bv_val );
2802 ptr = lutil_strcopy( ptr, "\"\n" );
2805 if ( a->acl_filter != NULL ) {
2806 struct berval bv = BER_BVNULL;
2809 filter2bv( a->acl_filter, &bv );
2810 ptr = lutil_strcopy( ptr, " filter=\"" );
2811 ptr = lutil_strcopy( ptr, bv.bv_val );
2814 ch_free( bv.bv_val );
2817 if ( a->acl_attrs != NULL ) {
2822 ptr = lutil_strcopy( ptr, " attrs=" );
2823 for ( an = a->acl_attrs; an && !BER_BVISNULL( &an->an_name ); an++ ) {
2824 if ( ! first ) *ptr++ = ',';
2826 *ptr++ = an->an_oc_exclude ? '!' : '@';
2827 ptr = lutil_strcopy( ptr, an->an_oc->soc_cname.bv_val );
2830 ptr = lutil_strcopy( ptr, an->an_name.bv_val );
2837 if ( !BER_BVISEMPTY( &a->acl_attrval ) ) {
2839 ptr = lutil_strcopy( ptr, " val." );
2840 if ( a->acl_attrval_style == ACL_STYLE_BASE &&
2841 a->acl_attrs[0].an_desc->ad_type->sat_syntax ==
2842 slap_schema.si_syn_distinguishedName )
2843 ptr = lutil_strcopy( ptr, style_base );
2845 ptr = lutil_strcopy( ptr, style_strings[a->acl_attrval_style] );
2848 ptr = lutil_strcopy( ptr, a->acl_attrval.bv_val );
2854 ptr = lutil_strcopy( ptr, " *\n" );
2857 for ( b = a->acl_access; b != NULL; b = b->a_next ) {
2858 ptr = access2text( b, ptr );
2861 bv->bv_len = ptr - bv->bv_val;
2866 print_acl( Backend *be, AccessControl *a )
2870 acl_unparse( a, &bv );
2871 fprintf( stderr, "%s ACL: access %s\n",
2872 be == NULL ? "Global" : "Backend", bv.bv_val );
2874 #endif /* LDAP_DEBUG */