1 /* aclparse.c - routines to parse and check acl's */
3 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
5 * Copyright 1998-2004 The OpenLDAP Foundation.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted only as authorized by the OpenLDAP
12 * A copy of this license is available in the file LICENSE in the
13 * top-level directory of the distribution or, alternatively, at
14 * <http://www.OpenLDAP.org/license.html>.
16 /* Portions Copyright (c) 1995 Regents of the University of Michigan.
17 * All rights reserved.
19 * Redistribution and use in source and binary forms are permitted
20 * provided that this notice is preserved and that due credit is given
21 * to the University of Michigan at Ann Arbor. The name of the University
22 * may not be used to endorse or promote products derived from this
23 * software without specific prior written permission. This software
24 * is provided ``as is'' without express or implied warranty.
33 #include <ac/socket.h>
34 #include <ac/string.h>
35 #include <ac/unistd.h>
41 static char *style_strings[] = {
54 static void split(char *line, int splitchar, char **left, char **right);
55 static void access_append(Access **l, Access *a);
56 static void acl_usage(void) LDAP_GCCATTR((noreturn));
58 static void acl_regex_normalized_dn(const char *src, struct berval *pat);
61 static void print_acl(Backend *be, AccessControl *a);
62 static void print_access(Access *b);
67 check_scope( BackendDB *be, AccessControl *a );
68 #endif /* LDAP_DEVEL */
71 regtest(const char *fname, int lineno, char *pat) {
87 for (size = 0, flag = 0; (size < sizeof(buf)) && *sp; sp++) {
89 if (*sp == '$'|| (*sp >= '0' && *sp <= '9')) {
106 if ( size >= (sizeof(buf) - 1) ) {
108 "%s: line %d: regular expression \"%s\" too large\n",
109 fname, lineno, pat );
113 if ((e = regcomp(&re, buf, REG_EXTENDED|REG_ICASE))) {
115 regerror(e, &re, error, sizeof(error));
117 "%s: line %d: regular expression \"%s\" bad because of %s\n",
118 fname, lineno, pat, error );
128 * Check if the pattern of an ACL, if any, matches the scope
129 * of the backend it is defined within.
131 #define ACL_SCOPE_UNKNOWN (-2)
132 #define ACL_SCOPE_ERR (-1)
133 #define ACL_SCOPE_OK (0)
134 #define ACL_SCOPE_PARTIAL (1)
135 #define ACL_SCOPE_WARN (2)
138 check_scope( BackendDB *be, AccessControl *a )
143 dn = be->be_nsuffix[0];
145 if ( a->acl_dn_pat.bv_len || a->acl_dn_style != ACL_STYLE_REGEX ) {
146 slap_style_t style = a->acl_dn_style;
148 if ( style == ACL_STYLE_REGEX ) {
149 char dnbuf[SLAP_LDAPDN_MAXLEN + 2];
150 char rebuf[SLAP_LDAPDN_MAXLEN + 1];
154 /* add trailing '$' */
155 AC_MEMCPY( dnbuf, be->be_nsuffix[0].bv_val,
156 be->be_nsuffix[0].bv_len );
157 dnbuf[be->be_nsuffix[0].bv_len] = '$';
158 dnbuf[be->be_nsuffix[0].bv_len + 1] = '\0';
160 if ( regcomp( &re, dnbuf, REG_EXTENDED|REG_ICASE ) ) {
161 return ACL_SCOPE_WARN;
164 /* remove trailing '$' */
165 AC_MEMCPY( rebuf, a->acl_dn_pat.bv_val,
166 a->acl_dn_pat.bv_len + 1 );
167 if ( a->acl_dn_pat.bv_val[a->acl_dn_pat.bv_len - 1] == '$' ) {
168 rebuf[a->acl_dn_pat.bv_len - 1] = '\0';
171 /* not a clear indication of scoping error, though */
172 rc = regexec( &re, rebuf, 0, NULL, 0 )
173 ? ACL_SCOPE_WARN : ACL_SCOPE_OK;
179 patlen = a->acl_dn_pat.bv_len;
180 /* If backend suffix is longer than pattern,
181 * it is a potential mismatch (in the sense
182 * that a superior naming context could
184 if ( dn.bv_len > patlen ) {
185 /* base is blatantly wrong */
186 if ( style == ACL_STYLE_BASE ) return ACL_SCOPE_ERR;
188 /* one can be wrong if there is more
189 * than one level between the suffix
191 if ( style == ACL_STYLE_ONE ) {
192 int rdnlen = -1, sep = 0;
195 if ( !DN_SEPARATOR( dn.bv_val[dn.bv_len - patlen - 1] )) {
196 return ACL_SCOPE_ERR;
201 rdnlen = dn_rdnlen( NULL, &dn );
202 if ( rdnlen != dn.bv_len - patlen - sep )
203 return ACL_SCOPE_ERR;
206 /* if the trailing part doesn't match,
207 * then it's an error */
208 if ( strcmp( a->acl_dn_pat.bv_val,
209 &dn.bv_val[dn.bv_len - patlen] ) != 0 )
211 return ACL_SCOPE_ERR;
214 return ACL_SCOPE_PARTIAL;
220 case ACL_STYLE_CHILDREN:
221 case ACL_STYLE_SUBTREE:
229 if ( dn.bv_len < patlen &&
230 !DN_SEPARATOR( a->acl_dn_pat.bv_val[patlen -dn.bv_len - 1] )) {
231 return ACL_SCOPE_ERR;
234 if ( strcmp( &a->acl_dn_pat.bv_val[patlen - dn.bv_len], dn.bv_val )
237 return ACL_SCOPE_ERR;
243 return ACL_SCOPE_UNKNOWN;
245 #endif /* LDAP_DEVEL */
257 char *left, *right, *style, *next;
265 for ( i = 1; i < argc; i++ ) {
266 /* to clause - select which entries are protected */
267 if ( strcasecmp( argv[i], "to" ) == 0 ) {
269 fprintf( stderr, "%s: line %d: "
270 "only one to clause allowed in access line\n",
274 a = (AccessControl *) ch_calloc( 1, sizeof(AccessControl) );
275 for ( ++i; i < argc; i++ ) {
276 if ( strcasecmp( argv[i], "by" ) == 0 ) {
281 if ( strcasecmp( argv[i], "*" ) == 0 ) {
282 if( a->acl_dn_pat.bv_len ||
283 ( a->acl_dn_style != ACL_STYLE_REGEX ) )
286 "%s: line %d: dn pattern"
287 " already specified in to clause.\n",
292 a->acl_dn_pat.bv_val = ch_strdup( "*" );
293 a->acl_dn_pat.bv_len = 1;
297 split( argv[i], '=', &left, &right );
298 split( left, '.', &left, &style );
300 if ( right == NULL ) {
301 fprintf( stderr, "%s: line %d: "
302 "missing \"=\" in \"%s\" in to clause\n",
303 fname, lineno, left );
307 if ( strcasecmp( left, "dn" ) == 0 ) {
308 if( a->acl_dn_pat.bv_len != 0 ||
309 ( a->acl_dn_style != ACL_STYLE_REGEX ) )
312 "%s: line %d: dn pattern"
313 " already specified in to clause.\n",
318 if ( style == NULL || *style == '\0' ||
319 strcasecmp( style, "baseObject" ) == 0 ||
320 strcasecmp( style, "base" ) == 0 ||
321 strcasecmp( style, "exact" ) == 0 )
323 a->acl_dn_style = ACL_STYLE_BASE;
324 ber_str2bv( right, 0, 1, &a->acl_dn_pat );
326 } else if ( strcasecmp( style, "oneLevel" ) == 0 ||
327 strcasecmp( style, "one" ) == 0 )
329 a->acl_dn_style = ACL_STYLE_ONE;
330 ber_str2bv( right, 0, 1, &a->acl_dn_pat );
332 } else if ( strcasecmp( style, "subtree" ) == 0 ||
333 strcasecmp( style, "sub" ) == 0 )
335 if( *right == '\0' ) {
336 a->acl_dn_pat.bv_val = ch_strdup( "*" );
337 a->acl_dn_pat.bv_len = 1;
340 a->acl_dn_style = ACL_STYLE_SUBTREE;
341 ber_str2bv( right, 0, 1, &a->acl_dn_pat );
344 } else if ( strcasecmp( style, "children" ) == 0 ) {
345 a->acl_dn_style = ACL_STYLE_CHILDREN;
346 ber_str2bv( right, 0, 1, &a->acl_dn_pat );
348 } else if ( strcasecmp( style, "regex" ) == 0 ) {
349 a->acl_dn_style = ACL_STYLE_REGEX;
351 if ( *right == '\0' ) {
352 /* empty regex should match empty DN */
353 a->acl_dn_style = ACL_STYLE_BASE;
354 ber_str2bv( right, 0, 1, &a->acl_dn_pat );
356 } else if ( strcmp(right, "*") == 0
357 || strcmp(right, ".*") == 0
358 || strcmp(right, ".*$") == 0
359 || strcmp(right, "^.*") == 0
360 || strcmp(right, "^.*$") == 0
361 || strcmp(right, ".*$$") == 0
362 || strcmp(right, "^.*$$") == 0 )
364 a->acl_dn_pat.bv_val = ch_strdup( "*" );
365 a->acl_dn_pat.bv_len = STRLENOF("*");
368 acl_regex_normalized_dn( right, &a->acl_dn_pat );
372 fprintf( stderr, "%s: line %d: "
373 "unknown dn style \"%s\" in to clause\n",
374 fname, lineno, style );
381 if ( strcasecmp( left, "filter" ) == 0 ) {
382 if ( (a->acl_filter = str2filter( right )) == NULL ) {
384 "%s: line %d: bad filter \"%s\" in to clause\n",
385 fname, lineno, right );
389 } else if ( strcasecmp( left, "attr" ) == 0
390 || strcasecmp( left, "attrs" ) == 0 ) {
391 a->acl_attrs = str2anlist( a->acl_attrs,
393 if ( a->acl_attrs == NULL ) {
395 "%s: line %d: unknown attr \"%s\" in to clause\n",
396 fname, lineno, right );
400 } else if ( strncasecmp( left, "val", 3 ) == 0 ) {
401 if ( a->acl_attrval.bv_len ) {
403 "%s: line %d: attr val already specified in to clause.\n",
407 if ( a->acl_attrs == NULL || a->acl_attrs[1].an_name.bv_val ) {
409 "%s: line %d: attr val requires a single attribute.\n",
413 ber_str2bv( right, 0, 1, &a->acl_attrval );
414 if ( style && strcasecmp( style, "regex" ) == 0 ) {
415 int e = regcomp( &a->acl_attrval_re, a->acl_attrval.bv_val,
416 REG_EXTENDED | REG_ICASE | REG_NOSUB );
419 regerror( e, &a->acl_attrval_re, buf, sizeof(buf) );
420 fprintf( stderr, "%s: line %d: "
421 "regular expression \"%s\" bad because of %s\n",
422 fname, lineno, right, buf );
425 a->acl_attrval_style = ACL_STYLE_REGEX;
427 /* FIXME: if the attribute has DN syntax, we might
428 * allow one, subtree and children styles as well */
429 if ( !strcasecmp( style, "exact" ) ) {
430 a->acl_attrval_style = ACL_STYLE_BASE;
432 } else if ( a->acl_attrs[0].an_desc->ad_type->
433 sat_syntax == slap_schema.si_syn_distinguishedName )
435 if ( !strcasecmp( style, "baseObject" ) ||
436 !strcasecmp( style, "base" ) )
438 a->acl_attrval_style = ACL_STYLE_BASE;
439 } else if ( !strcasecmp( style, "onelevel" ) ||
440 !strcasecmp( style, "one" ) )
442 a->acl_attrval_style = ACL_STYLE_ONE;
443 } else if ( !strcasecmp( style, "subtree" ) ||
444 !strcasecmp( style, "sub" ) )
446 a->acl_attrval_style = ACL_STYLE_SUBTREE;
447 } else if ( !strcasecmp( style, "children" ) ) {
448 a->acl_attrval_style = ACL_STYLE_CHILDREN;
451 "%s: line %d: unknown val.<style> \"%s\" "
452 "for attributeType \"%s\" with DN syntax; "
454 fname, lineno, style,
455 a->acl_attrs[0].an_desc->ad_cname.bv_val );
456 a->acl_attrval_style = ACL_STYLE_BASE;
461 "%s: line %d: unknown val.<style> \"%s\" "
462 "for attributeType \"%s\"; using \"exact\"\n",
463 fname, lineno, style,
464 a->acl_attrs[0].an_desc->ad_cname.bv_val );
465 a->acl_attrval_style = ACL_STYLE_BASE;
471 "%s: line %d: expecting <what> got \"%s\"\n",
472 fname, lineno, left );
477 if ( !BER_BVISNULL( &a->acl_dn_pat ) &&
478 ber_bvccmp( &a->acl_dn_pat, '*' ) )
480 free( a->acl_dn_pat.bv_val );
481 BER_BVZERO( &a->acl_dn_pat );
484 if( a->acl_dn_pat.bv_len != 0 ||
485 ( a->acl_dn_style != ACL_STYLE_REGEX ) )
487 if ( a->acl_dn_style != ACL_STYLE_REGEX ) {
489 rc = dnNormalize( 0, NULL, NULL, &a->acl_dn_pat, &bv, NULL);
490 if ( rc != LDAP_SUCCESS ) {
492 "%s: line %d: bad DN \"%s\" in to DN clause\n",
493 fname, lineno, a->acl_dn_pat.bv_val );
496 free( a->acl_dn_pat.bv_val );
499 int e = regcomp( &a->acl_dn_re, a->acl_dn_pat.bv_val,
500 REG_EXTENDED | REG_ICASE );
503 regerror( e, &a->acl_dn_re, buf, sizeof(buf) );
504 fprintf( stderr, "%s: line %d: "
505 "regular expression \"%s\" bad because of %s\n",
506 fname, lineno, right, buf );
512 /* by clause - select who has what access to entries */
513 } else if ( strcasecmp( argv[i], "by" ) == 0 ) {
515 fprintf( stderr, "%s: line %d: "
516 "to clause required before by clause in access line\n",
522 * by clause consists of <who> and <access>
525 b = (Access *) ch_calloc( 1, sizeof(Access) );
527 ACL_INVALIDATE( b->a_access_mask );
531 "%s: line %d: premature eol: expecting <who>\n",
537 for ( ; i < argc; i++ ) {
538 slap_style_t sty = ACL_STYLE_REGEX;
539 char *style_modifier = NULL;
542 split( argv[i], '=', &left, &right );
543 split( left, '.', &left, &style );
545 split( style, ',', &style, &style_modifier);
548 if ( style == NULL || *style == '\0' ||
549 strcasecmp( style, "exact" ) == 0 ||
550 strcasecmp( style, "baseObject" ) == 0 ||
551 strcasecmp( style, "base" ) == 0 )
553 sty = ACL_STYLE_BASE;
555 } else if ( strcasecmp( style, "onelevel" ) == 0 ||
556 strcasecmp( style, "one" ) == 0 )
560 } else if ( strcasecmp( style, "subtree" ) == 0 ||
561 strcasecmp( style, "sub" ) == 0 )
563 sty = ACL_STYLE_SUBTREE;
565 } else if ( strcasecmp( style, "children" ) == 0 ) {
566 sty = ACL_STYLE_CHILDREN;
568 } else if ( strcasecmp( style, "regex" ) == 0 ) {
569 sty = ACL_STYLE_REGEX;
571 } else if ( strcasecmp( style, "expand" ) == 0 ) {
572 sty = ACL_STYLE_EXPAND;
574 } else if ( strcasecmp( style, "ip" ) == 0 ) {
577 } else if ( strcasecmp( style, "path" ) == 0 ) {
578 sty = ACL_STYLE_PATH;
579 #ifndef LDAP_PF_LOCAL
580 fprintf( stderr, "%s: line %d: "
581 "path style modifier is useless without local\n",
583 #endif /* LDAP_PF_LOCAL */
587 "%s: line %d: unknown style \"%s\" in by clause\n",
588 fname, lineno, style );
592 if ( style_modifier &&
593 strcasecmp( style_modifier, "expand" ) == 0 )
596 case ACL_STYLE_REGEX:
597 fprintf( stderr, "%s: line %d: "
598 "\"regex\" style implies "
599 "\"expand\" modifier (ignored)\n",
603 case ACL_STYLE_EXPAND:
605 /* FIXME: now it's legal... */
606 fprintf( stderr, "%s: line %d: "
607 "\"expand\" style used "
608 "in conjunction with "
609 "\"expand\" modifier (ignored)\n",
615 /* we'll see later if it's pertinent */
621 /* expand in <who> needs regex in <what> */
622 if ( ( sty == ACL_STYLE_EXPAND || expand )
623 && a->acl_dn_style != ACL_STYLE_REGEX )
625 fprintf( stderr, "%s: line %d: "
626 "\"expand\" style or modifier used "
627 "in conjunction with "
628 "a non-regex <what> clause\n",
632 if ( strcasecmp( argv[i], "*" ) == 0 ) {
633 bv.bv_val = ch_strdup( "*" );
635 sty = ACL_STYLE_REGEX;
637 } else if ( strcasecmp( argv[i], "anonymous" ) == 0 ) {
638 ber_str2bv("anonymous", STRLENOF( "anonymous" ), 1, &bv);
639 sty = ACL_STYLE_REGEX;
641 } else if ( strcasecmp( argv[i], "self" ) == 0 ) {
642 ber_str2bv("self", STRLENOF( "self" ), 1, &bv);
643 sty = ACL_STYLE_REGEX;
645 } else if ( strcasecmp( argv[i], "users" ) == 0 ) {
646 ber_str2bv("users", STRLENOF( "users" ), 1, &bv);
647 sty = ACL_STYLE_REGEX;
649 } else if ( strcasecmp( left, "dn" ) == 0 ) {
650 if ( sty == ACL_STYLE_REGEX ) {
651 b->a_dn_style = ACL_STYLE_REGEX;
652 if( right == NULL ) {
657 } else if (*right == '\0' ) {
659 ber_str2bv("anonymous",
660 STRLENOF( "anonymous" ),
662 } else if ( strcmp( right, "*" ) == 0 ) {
664 /* any or users? users for now */
668 } else if ( strcmp( right, ".+" ) == 0
669 || strcmp( right, "^.+" ) == 0
670 || strcmp( right, ".+$" ) == 0
671 || strcmp( right, "^.+$" ) == 0
672 || strcmp( right, ".+$$" ) == 0
673 || strcmp( right, "^.+$$" ) == 0 )
678 } else if ( strcmp( right, ".*" ) == 0
679 || strcmp( right, "^.*" ) == 0
680 || strcmp( right, ".*$" ) == 0
681 || strcmp( right, "^.*$" ) == 0
682 || strcmp( right, ".*$$" ) == 0
683 || strcmp( right, "^.*$$" ) == 0 )
690 acl_regex_normalized_dn( right, &bv );
691 if ( !ber_bvccmp( &bv, '*' ) ) {
692 regtest(fname, lineno, bv.bv_val);
695 } else if ( right == NULL || *right == '\0' ) {
696 fprintf( stderr, "%s: line %d: "
697 "missing \"=\" in (or value after) \"%s\" "
699 fname, lineno, left );
703 ber_str2bv( right, 0, 1, &bv );
710 if( bv.bv_val != NULL ) {
711 if( b->a_dn_pat.bv_len != 0 ) {
713 "%s: line %d: dn pattern already specified.\n",
718 if ( sty != ACL_STYLE_REGEX && expand == 0 ) {
719 rc = dnNormalize(0, NULL, NULL,
720 &bv, &b->a_dn_pat, NULL);
721 if ( rc != LDAP_SUCCESS ) {
723 "%s: line %d: bad DN \"%s\" in by DN clause\n",
724 fname, lineno, bv.bv_val );
732 b->a_dn_expand = expand;
736 if ( strcasecmp( left, "dnattr" ) == 0 ) {
737 if ( right == NULL || right[0] == '\0' ) {
738 fprintf( stderr, "%s: line %d: "
739 "missing \"=\" in (or value after) \"%s\" "
741 fname, lineno, left );
745 if( b->a_dn_at != NULL ) {
747 "%s: line %d: dnattr already specified.\n",
752 rc = slap_str2ad( right, &b->a_dn_at, &text );
754 if( rc != LDAP_SUCCESS ) {
756 "%s: line %d: dnattr \"%s\": %s\n",
757 fname, lineno, right, text );
762 if( !is_at_syntax( b->a_dn_at->ad_type,
764 !is_at_syntax( b->a_dn_at->ad_type,
765 SLAPD_NAMEUID_SYNTAX ))
768 "%s: line %d: dnattr \"%s\": "
769 "inappropriate syntax: %s\n",
770 fname, lineno, right,
771 b->a_dn_at->ad_type->sat_syntax_oid );
775 if( b->a_dn_at->ad_type->sat_equality == NULL ) {
777 "%s: line %d: dnattr \"%s\": "
778 "inappropriate matching (no EQUALITY)\n",
779 fname, lineno, right );
786 if ( strncasecmp( left, "group", STRLENOF( "group" ) ) == 0 ) {
791 case ACL_STYLE_REGEX:
792 /* legacy, tolerated */
793 fprintf( stderr, "%s: line %d: "
794 "deprecated group style \"regex\"; "
795 "use \"expand\" instead\n",
796 fname, lineno, style );
797 sty = ACL_STYLE_EXPAND;
801 /* legal, traditional */
802 case ACL_STYLE_EXPAND:
803 /* legal, substring expansion; supersedes regex */
808 fprintf( stderr, "%s: line %d: "
809 "inappropriate style \"%s\" in by clause\n",
810 fname, lineno, style );
814 if ( right == NULL || right[0] == '\0' ) {
815 fprintf( stderr, "%s: line %d: "
816 "missing \"=\" in (or value after) \"%s\" "
818 fname, lineno, left );
822 if( b->a_group_pat.bv_len ) {
824 "%s: line %d: group pattern already specified.\n",
829 /* format of string is
830 "group/objectClassValue/groupAttrName" */
831 if ((value = strchr(left, '/')) != NULL) {
833 if (*value && (name = strchr(value, '/')) != NULL) {
838 b->a_group_style = sty;
839 if (sty == ACL_STYLE_EXPAND) {
840 acl_regex_normalized_dn( right, &bv );
841 if ( !ber_bvccmp( &bv, '*' ) ) {
842 regtest(fname, lineno, bv.bv_val);
846 ber_str2bv( right, 0, 0, &bv );
847 rc = dnNormalize( 0, NULL, NULL, &bv,
848 &b->a_group_pat, NULL );
849 if ( rc != LDAP_SUCCESS ) {
851 "%s: line %d: bad DN \"%s\"\n",
852 fname, lineno, right );
857 if (value && *value) {
858 b->a_group_oc = oc_find( value );
861 if( b->a_group_oc == NULL ) {
863 "%s: line %d: group objectclass "
865 fname, lineno, value );
869 b->a_group_oc = oc_find(SLAPD_GROUP_CLASS);
871 if( b->a_group_oc == NULL ) {
873 "%s: line %d: group default objectclass "
875 fname, lineno, SLAPD_GROUP_CLASS );
880 if( is_object_subclass( slap_schema.si_oc_referral,
884 "%s: line %d: group objectclass \"%s\" "
885 "is subclass of referral\n",
886 fname, lineno, value );
890 if( is_object_subclass( slap_schema.si_oc_alias,
894 "%s: line %d: group objectclass \"%s\" "
895 "is subclass of alias\n",
896 fname, lineno, value );
901 rc = slap_str2ad( name, &b->a_group_at, &text );
903 if( rc != LDAP_SUCCESS ) {
905 "%s: line %d: group \"%s\": %s\n",
906 fname, lineno, right, text );
911 rc = slap_str2ad( SLAPD_GROUP_ATTR, &b->a_group_at, &text );
913 if( rc != LDAP_SUCCESS ) {
915 "%s: line %d: group \"%s\": %s\n",
916 fname, lineno, SLAPD_GROUP_ATTR, text );
921 if( !is_at_syntax( b->a_group_at->ad_type,
923 !is_at_syntax( b->a_group_at->ad_type,
924 SLAPD_NAMEUID_SYNTAX ) &&
925 !is_at_subtype( b->a_group_at->ad_type, slap_schema.si_ad_labeledURI->ad_type ))
928 "%s: line %d: group \"%s\": inappropriate syntax: %s\n",
929 fname, lineno, right,
930 b->a_group_at->ad_type->sat_syntax_oid );
937 struct berval vals[2];
939 vals[0].bv_val = b->a_group_oc->soc_oid;
940 vals[0].bv_len = strlen(vals[0].bv_val);
941 vals[1].bv_val = NULL;
944 rc = oc_check_allowed( b->a_group_at->ad_type,
948 fprintf( stderr, "%s: line %d: "
949 "group: \"%s\" not allowed by \"%s\"\n",
951 b->a_group_at->ad_cname.bv_val,
952 b->a_group_oc->soc_oid );
959 if ( strcasecmp( left, "peername" ) == 0 ) {
961 case ACL_STYLE_REGEX:
963 /* legal, traditional */
964 case ACL_STYLE_EXPAND:
965 /* cheap replacement to regex for simple expansion */
968 /* legal, peername specific */
972 fprintf( stderr, "%s: line %d: "
973 "inappropriate style \"%s\" in by clause\n",
974 fname, lineno, style );
978 if ( right == NULL || right[0] == '\0' ) {
979 fprintf( stderr, "%s: line %d: "
980 "missing \"=\" in (or value after) \"%s\" "
982 fname, lineno, left );
986 if( b->a_peername_pat.bv_len ) {
987 fprintf( stderr, "%s: line %d: "
988 "peername pattern already specified.\n",
993 b->a_peername_style = sty;
994 if (sty == ACL_STYLE_REGEX) {
995 acl_regex_normalized_dn( right, &bv );
996 if ( !ber_bvccmp( &bv, '*' ) ) {
997 regtest(fname, lineno, bv.bv_val);
999 b->a_peername_pat = bv;
1002 ber_str2bv( right, 0, 1, &b->a_peername_pat );
1004 if ( sty == ACL_STYLE_IP ) {
1009 split( right, '{', &addr, &port );
1010 split( addr, '%', &addr, &mask );
1012 b->a_peername_addr = inet_addr( addr );
1013 if ( b->a_peername_addr == (unsigned long)(-1)) {
1014 /* illegal address */
1015 fprintf( stderr, "%s: line %d: "
1016 "illegal peername address \"%s\".\n",
1017 fname, lineno, addr );
1021 b->a_peername_mask = (unsigned long)(-1);
1022 if ( mask != NULL ) {
1023 b->a_peername_mask = inet_addr( mask );
1024 if ( b->a_peername_mask ==
1025 (unsigned long)(-1))
1028 fprintf( stderr, "%s: line %d: "
1029 "illegal peername address mask "
1031 fname, lineno, mask );
1036 b->a_peername_port = -1;
1040 b->a_peername_port = strtol( port, &end, 10 );
1041 if ( end[0] != '}' ) {
1043 fprintf( stderr, "%s: line %d: "
1044 "illegal peername port specification "
1046 fname, lineno, port );
1055 if ( strcasecmp( left, "sockname" ) == 0 ) {
1057 case ACL_STYLE_REGEX:
1058 case ACL_STYLE_BASE:
1059 /* legal, traditional */
1060 case ACL_STYLE_EXPAND:
1061 /* cheap replacement to regex for simple expansion */
1066 fprintf( stderr, "%s: line %d: "
1067 "inappropriate style \"%s\" in by clause\n",
1068 fname, lineno, style );
1072 if ( right == NULL || right[0] == '\0' ) {
1073 fprintf( stderr, "%s: line %d: "
1074 "missing \"=\" in (or value after) \"%s\" "
1076 fname, lineno, left );
1080 if( b->a_sockname_pat.bv_len ) {
1081 fprintf( stderr, "%s: line %d: "
1082 "sockname pattern already specified.\n",
1087 b->a_sockname_style = sty;
1088 if (sty == ACL_STYLE_REGEX) {
1089 acl_regex_normalized_dn( right, &bv );
1090 if ( !ber_bvccmp( &bv, '*' ) ) {
1091 regtest(fname, lineno, bv.bv_val);
1093 b->a_sockname_pat = bv;
1095 ber_str2bv( right, 0, 1, &b->a_sockname_pat );
1100 if ( strcasecmp( left, "domain" ) == 0 ) {
1102 case ACL_STYLE_REGEX:
1103 case ACL_STYLE_BASE:
1104 case ACL_STYLE_SUBTREE:
1105 /* legal, traditional */
1108 case ACL_STYLE_EXPAND:
1109 /* tolerated: means exact,expand */
1113 "\"expand\" modifier "
1114 "with \"expand\" style\n",
1117 sty = ACL_STYLE_BASE;
1123 fprintf( stderr, "%s: line %d: "
1124 "inappropriate style \"%s\" in by clause\n",
1125 fname, lineno, style );
1129 if ( right == NULL || right[0] == '\0' ) {
1130 fprintf( stderr, "%s: line %d: "
1131 "missing \"=\" in (or value after) \"%s\" "
1133 fname, lineno, left );
1137 if( b->a_domain_pat.bv_len ) {
1139 "%s: line %d: domain pattern already specified.\n",
1144 b->a_domain_style = sty;
1145 b->a_domain_expand = expand;
1146 if (sty == ACL_STYLE_REGEX) {
1147 acl_regex_normalized_dn( right, &bv );
1148 if ( !ber_bvccmp( &bv, '*' ) ) {
1149 regtest(fname, lineno, bv.bv_val);
1151 b->a_domain_pat = bv;
1153 ber_str2bv( right, 0, 1, &b->a_domain_pat );
1158 if ( strcasecmp( left, "sockurl" ) == 0 ) {
1160 case ACL_STYLE_REGEX:
1161 case ACL_STYLE_BASE:
1162 /* legal, traditional */
1163 case ACL_STYLE_EXPAND:
1164 /* cheap replacement to regex for simple expansion */
1169 fprintf( stderr, "%s: line %d: "
1170 "inappropriate style \"%s\" in by clause\n",
1171 fname, lineno, style );
1175 if ( right == NULL || right[0] == '\0' ) {
1176 fprintf( stderr, "%s: line %d: "
1177 "missing \"=\" in (or value after) \"%s\" "
1179 fname, lineno, left );
1183 if( b->a_sockurl_pat.bv_len ) {
1185 "%s: line %d: sockurl pattern already specified.\n",
1190 b->a_sockurl_style = sty;
1191 if (sty == ACL_STYLE_REGEX) {
1192 acl_regex_normalized_dn( right, &bv );
1193 if ( !ber_bvccmp( &bv, '*' ) ) {
1194 regtest(fname, lineno, bv.bv_val);
1196 b->a_sockurl_pat = bv;
1198 ber_str2bv( right, 0, 1, &b->a_sockurl_pat );
1203 if ( strcasecmp( left, "set" ) == 0 ) {
1206 case ACL_STYLE_REGEX:
1207 fprintf( stderr, "%s: line %d: "
1208 "deprecated set style "
1209 "\"regex\" in <by> clause; "
1210 "use \"expand\" instead\n",
1212 sty = ACL_STYLE_EXPAND;
1215 case ACL_STYLE_BASE:
1216 case ACL_STYLE_EXPAND:
1220 fprintf( stderr, "%s: line %d: "
1221 "inappropriate style \"%s\" in by clause\n",
1222 fname, lineno, style );
1226 if( b->a_set_pat.bv_len != 0 ) {
1228 "%s: line %d: set attribute already specified.\n",
1233 if ( right == NULL || *right == '\0' ) {
1235 "%s: line %d: no set is defined\n",
1240 b->a_set_style = sty;
1241 ber_str2bv( right, 0, 1, &b->a_set_pat );
1246 #ifdef SLAPD_ACI_ENABLED
1247 if ( strcasecmp( left, "aci" ) == 0 ) {
1248 if (sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE) {
1249 fprintf( stderr, "%s: line %d: "
1250 "inappropriate style \"%s\" in by clause\n",
1251 fname, lineno, style );
1255 if( b->a_aci_at != NULL ) {
1257 "%s: line %d: aci attribute already specified.\n",
1262 if ( right != NULL && *right != '\0' ) {
1263 rc = slap_str2ad( right, &b->a_aci_at, &text );
1265 if( rc != LDAP_SUCCESS ) {
1267 "%s: line %d: aci \"%s\": %s\n",
1268 fname, lineno, right, text );
1273 b->a_aci_at = slap_schema.si_ad_aci;
1276 if( !is_at_syntax( b->a_aci_at->ad_type,
1279 fprintf( stderr, "%s: line %d: "
1280 "aci \"%s\": inappropriate syntax: %s\n",
1281 fname, lineno, right,
1282 b->a_aci_at->ad_type->sat_syntax_oid );
1288 #endif /* SLAPD_ACI_ENABLED */
1290 if ( strcasecmp( left, "ssf" ) == 0 ) {
1291 if (sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE) {
1292 fprintf( stderr, "%s: line %d: "
1293 "inappropriate style \"%s\" in by clause\n",
1294 fname, lineno, style );
1298 if( b->a_authz.sai_ssf ) {
1300 "%s: line %d: ssf attribute already specified.\n",
1305 if ( right == NULL || *right == '\0' ) {
1307 "%s: line %d: no ssf is defined\n",
1312 b->a_authz.sai_ssf = strtol( right, &next, 10 );
1313 if ( next == NULL || next[0] != '\0' ) {
1315 "%s: line %d: unable to parse ssf value (%s)\n",
1316 fname, lineno, right );
1320 if( !b->a_authz.sai_ssf ) {
1322 "%s: line %d: invalid ssf value (%s)\n",
1323 fname, lineno, right );
1329 if ( strcasecmp( left, "transport_ssf" ) == 0 ) {
1330 if (sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE) {
1331 fprintf( stderr, "%s: line %d: "
1332 "inappropriate style \"%s\" in by clause\n",
1333 fname, lineno, style );
1337 if( b->a_authz.sai_transport_ssf ) {
1338 fprintf( stderr, "%s: line %d: "
1339 "transport_ssf attribute already specified.\n",
1344 if ( right == NULL || *right == '\0' ) {
1346 "%s: line %d: no transport_ssf is defined\n",
1351 b->a_authz.sai_transport_ssf = strtol( right, &next, 10 );
1352 if ( next == NULL || next[0] != '\0' ) {
1353 fprintf( stderr, "%s: line %d: "
1354 "unable to parse transport_ssf value (%s)\n",
1355 fname, lineno, right );
1359 if( !b->a_authz.sai_transport_ssf ) {
1361 "%s: line %d: invalid transport_ssf value (%s)\n",
1362 fname, lineno, right );
1368 if ( strcasecmp( left, "tls_ssf" ) == 0 ) {
1369 if (sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE) {
1370 fprintf( stderr, "%s: line %d: "
1371 "inappropriate style \"%s\" in by clause\n",
1372 fname, lineno, style );
1376 if( b->a_authz.sai_tls_ssf ) {
1377 fprintf( stderr, "%s: line %d: "
1378 "tls_ssf attribute already specified.\n",
1383 if ( right == NULL || *right == '\0' ) {
1385 "%s: line %d: no tls_ssf is defined\n",
1390 b->a_authz.sai_tls_ssf = strtol( right, &next, 10 );
1391 if ( next == NULL || next[0] != '\0' ) {
1392 fprintf( stderr, "%s: line %d: "
1393 "unable to parse tls_ssf value (%s)\n",
1394 fname, lineno, right );
1398 if( !b->a_authz.sai_tls_ssf ) {
1400 "%s: line %d: invalid tls_ssf value (%s)\n",
1401 fname, lineno, right );
1407 if ( strcasecmp( left, "sasl_ssf" ) == 0 ) {
1408 if (sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE) {
1409 fprintf( stderr, "%s: line %d: "
1410 "inappropriate style \"%s\" in by clause\n",
1411 fname, lineno, style );
1415 if( b->a_authz.sai_sasl_ssf ) {
1416 fprintf( stderr, "%s: line %d: "
1417 "sasl_ssf attribute already specified.\n",
1422 if ( right == NULL || *right == '\0' ) {
1424 "%s: line %d: no sasl_ssf is defined\n",
1429 b->a_authz.sai_sasl_ssf = strtol( right, &next, 10 );
1430 if ( next == NULL || next[0] != '\0' ) {
1431 fprintf( stderr, "%s: line %d: "
1432 "unable to parse sasl_ssf value (%s)\n",
1433 fname, lineno, right );
1437 if( !b->a_authz.sai_sasl_ssf ) {
1439 "%s: line %d: invalid sasl_ssf value (%s)\n",
1440 fname, lineno, right );
1446 if( right != NULL ) {
1453 if( i == argc || ( strcasecmp( left, "stop" ) == 0 )) {
1454 /* out of arguments or plain stop */
1456 ACL_PRIV_ASSIGN(b->a_access_mask, ACL_PRIV_ADDITIVE);
1457 b->a_type = ACL_STOP;
1459 access_append( &a->acl_access, b );
1463 if( strcasecmp( left, "continue" ) == 0 ) {
1464 /* plain continue */
1466 ACL_PRIV_ASSIGN(b->a_access_mask, ACL_PRIV_ADDITIVE);
1467 b->a_type = ACL_CONTINUE;
1469 access_append( &a->acl_access, b );
1473 if( strcasecmp( left, "break" ) == 0 ) {
1474 /* plain continue */
1476 ACL_PRIV_ASSIGN(b->a_access_mask, ACL_PRIV_ADDITIVE);
1477 b->a_type = ACL_BREAK;
1479 access_append( &a->acl_access, b );
1483 if ( strcasecmp( left, "by" ) == 0 ) {
1484 /* we've gone too far */
1486 ACL_PRIV_ASSIGN(b->a_access_mask, ACL_PRIV_ADDITIVE);
1487 b->a_type = ACL_STOP;
1489 access_append( &a->acl_access, b );
1494 if( strncasecmp( left, "self", 4 ) == 0 ) {
1496 ACL_PRIV_ASSIGN( b->a_access_mask, str2accessmask( &left[4] ) );
1499 ACL_PRIV_ASSIGN( b->a_access_mask, str2accessmask( left ) );
1502 if( ACL_IS_INVALID( b->a_access_mask ) ) {
1504 "%s: line %d: expecting <access> got \"%s\"\n",
1505 fname, lineno, left );
1509 b->a_type = ACL_STOP;
1512 /* out of arguments or plain stop */
1513 access_append( &a->acl_access, b );
1517 if( strcasecmp( argv[i], "continue" ) == 0 ) {
1518 /* plain continue */
1519 b->a_type = ACL_CONTINUE;
1521 } else if( strcasecmp( argv[i], "break" ) == 0 ) {
1522 /* plain continue */
1523 b->a_type = ACL_BREAK;
1525 } else if ( strcasecmp( argv[i], "stop" ) != 0 ) {
1530 access_append( &a->acl_access, b );
1534 "%s: line %d: expecting \"to\" or \"by\" got \"%s\"\n",
1535 fname, lineno, argv[i] );
1540 /* if we have no real access clause, complain and do nothing */
1542 fprintf( stderr, "%s: line %d: "
1543 "warning: no access clause(s) specified in access line\n",
1548 if (ldap_debug & LDAP_DEBUG_ACL) print_acl(be, a);
1551 if ( a->acl_access == NULL ) {
1552 fprintf( stderr, "%s: line %d: "
1553 "warning: no by clause(s) specified in access line\n",
1559 switch ( check_scope( be, a ) ) {
1560 case ACL_SCOPE_UNKNOWN:
1561 fprintf( stderr, "%s: line %d: warning: "
1562 "cannot assess the validity of the ACL scope within "
1563 "backend naming context\n",
1567 case ACL_SCOPE_WARN:
1568 fprintf( stderr, "%s: line %d: warning: "
1569 "ACL could be out of scope within backend naming context\n",
1573 case ACL_SCOPE_PARTIAL:
1574 fprintf( stderr, "%s: line %d: warning: "
1575 "ACL appears to be partially out of scope within "
1576 "backend naming context\n",
1581 fprintf( stderr, "%s: line %d: warning: "
1582 "ACL appears to be out of scope within "
1583 "backend naming context\n",
1590 #endif /* LDAP_DEVEL */
1591 acl_append( &be->be_acl, a );
1593 acl_append( &frontendDB->be_acl, a );
1599 accessmask2str( slap_mask_t mask, char *buf )
1604 assert( buf != NULL );
1606 if ( ACL_IS_INVALID( mask ) ) {
1612 if ( ACL_IS_LEVEL( mask ) ) {
1613 if ( ACL_LVL_IS_NONE(mask) ) {
1614 ptr = lutil_strcopy( ptr, "none" );
1616 } else if ( ACL_LVL_IS_AUTH(mask) ) {
1617 ptr = lutil_strcopy( ptr, "auth" );
1619 } else if ( ACL_LVL_IS_COMPARE(mask) ) {
1620 ptr = lutil_strcopy( ptr, "compare" );
1622 } else if ( ACL_LVL_IS_SEARCH(mask) ) {
1623 ptr = lutil_strcopy( ptr, "search" );
1625 } else if ( ACL_LVL_IS_READ(mask) ) {
1626 ptr = lutil_strcopy( ptr, "read" );
1628 } else if ( ACL_LVL_IS_WRITE(mask) ) {
1629 ptr = lutil_strcopy( ptr, "write" );
1631 ptr = lutil_strcopy( ptr, "unknown" );
1637 if( ACL_IS_ADDITIVE( mask ) ) {
1640 } else if( ACL_IS_SUBTRACTIVE( mask ) ) {
1647 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_WRITE) ) {
1652 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_READ) ) {
1657 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_SEARCH) ) {
1662 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_COMPARE) ) {
1667 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_AUTH) ) {
1672 if ( none && ACL_PRIV_ISSET(mask, ACL_PRIV_NONE) ) {
1681 if ( ACL_IS_LEVEL( mask ) ) {
1691 str2accessmask( const char *str )
1695 if( !ASCII_ALPHA(str[0]) ) {
1698 if ( str[0] == '=' ) {
1701 } else if( str[0] == '+' ) {
1702 ACL_PRIV_ASSIGN(mask, ACL_PRIV_ADDITIVE);
1704 } else if( str[0] == '-' ) {
1705 ACL_PRIV_ASSIGN(mask, ACL_PRIV_SUBSTRACTIVE);
1708 ACL_INVALIDATE(mask);
1712 for( i=1; str[i] != '\0'; i++ ) {
1713 if( TOLOWER((unsigned char) str[i]) == 'w' ) {
1714 ACL_PRIV_SET(mask, ACL_PRIV_WRITE);
1716 } else if( TOLOWER((unsigned char) str[i]) == 'r' ) {
1717 ACL_PRIV_SET(mask, ACL_PRIV_READ);
1719 } else if( TOLOWER((unsigned char) str[i]) == 's' ) {
1720 ACL_PRIV_SET(mask, ACL_PRIV_SEARCH);
1722 } else if( TOLOWER((unsigned char) str[i]) == 'c' ) {
1723 ACL_PRIV_SET(mask, ACL_PRIV_COMPARE);
1725 } else if( TOLOWER((unsigned char) str[i]) == 'x' ) {
1726 ACL_PRIV_SET(mask, ACL_PRIV_AUTH);
1728 } else if( str[i] != '0' ) {
1729 ACL_INVALIDATE(mask);
1737 if ( strcasecmp( str, "none" ) == 0 ) {
1738 ACL_LVL_ASSIGN_NONE(mask);
1740 } else if ( strcasecmp( str, "auth" ) == 0 ) {
1741 ACL_LVL_ASSIGN_AUTH(mask);
1743 } else if ( strcasecmp( str, "compare" ) == 0 ) {
1744 ACL_LVL_ASSIGN_COMPARE(mask);
1746 } else if ( strcasecmp( str, "search" ) == 0 ) {
1747 ACL_LVL_ASSIGN_SEARCH(mask);
1749 } else if ( strcasecmp( str, "read" ) == 0 ) {
1750 ACL_LVL_ASSIGN_READ(mask);
1752 } else if ( strcasecmp( str, "write" ) == 0 ) {
1753 ACL_LVL_ASSIGN_WRITE(mask);
1756 ACL_INVALIDATE( mask );
1765 fprintf( stderr, "%s%s%s\n",
1766 "<access clause> ::= access to <what> "
1767 "[ by <who> <access> [ <control> ] ]+ \n"
1768 "<what> ::= * | [dn[.<dnstyle>]=<DN>] [filter=<filter>] [attrs=<attrlist>]\n"
1769 "<attrlist> ::= <attr> [val[.<style>]=<value>] | <attr> , <attrlist>\n"
1770 "<attr> ::= <attrname> | entry | children\n",
1771 "<who> ::= [ * | anonymous | users | self | dn[.<dnstyle>]=<DN> ]\n"
1772 "\t[dnattr=<attrname>]\n"
1773 "\t[group[/<objectclass>[/<attrname>]][.<style>]=<group>]\n"
1774 "\t[peername[.<peernamestyle>]=<peer>] [sockname[.<style>]=<name>]\n"
1775 "\t[domain[.<domainstyle>]=<domain>] [sockurl[.<style>]=<url>]\n"
1776 #ifdef SLAPD_ACI_ENABLED
1777 "\t[aci=<attrname>]\n"
1779 "\t[ssf=<n>] [transport_ssf=<n>] [tls_ssf=<n>] [sasl_ssf=<n>]\n",
1780 "<dnstyle> ::= base(Object) | one(level) | sub(tree) | children | "
1782 "<style> ::= exact | regex | base(Object)\n"
1783 "<peernamestyle> ::= exact | regex | ip | path\n"
1784 "<domainstyle> ::= exact | regex | base(Object) | sub(tree)\n"
1785 "<access> ::= [self]{<level>|<priv>}\n"
1786 "<level> ::= none | auth | compare | search | read | write\n"
1787 "<priv> ::= {=|+|-}{w|r|s|c|x|0}+\n"
1788 "<control> ::= [ stop | continue | break ]\n"
1790 exit( EXIT_FAILURE );
1794 * Set pattern to a "normalized" DN from src.
1795 * At present it simply eats the (optional) space after
1796 * a RDN separator (,)
1797 * Eventually will evolve in a more complete normalization
1800 acl_regex_normalized_dn(
1802 struct berval *pattern )
1807 str = ch_strdup( src );
1808 len = strlen( src );
1810 for ( p = str; p && p[0]; p++ ) {
1812 if ( p[0] == '\\' && p[1] ) {
1814 * if escaping a hex pair we should
1815 * increment p twice; however, in that
1816 * case the second hex number does
1822 if ( p[0] == ',' && p[1] == ' ' ) {
1826 * too much space should be an error if we are pedantic
1828 for ( q = &p[2]; q[0] == ' '; q++ ) {
1831 AC_MEMCPY( p+1, q, len-(q-str)+1);
1834 pattern->bv_val = str;
1835 pattern->bv_len = p-str;
1848 if ( (*right = strchr( line, splitchar )) != NULL ) {
1849 *((*right)++) = '\0';
1854 access_append( Access **l, Access *a )
1856 for ( ; *l != NULL; l = &(*l)->a_next ) {
1864 acl_append( AccessControl **l, AccessControl *a )
1866 for ( ; *l != NULL; l = &(*l)->acl_next ) {
1874 access_free( Access *a )
1876 if ( a->a_dn_pat.bv_val ) free ( a->a_dn_pat.bv_val );
1877 if ( a->a_peername_pat.bv_val ) free ( a->a_peername_pat.bv_val );
1878 if ( a->a_sockname_pat.bv_val ) free ( a->a_sockname_pat.bv_val );
1879 if ( a->a_domain_pat.bv_val ) free ( a->a_domain_pat.bv_val );
1880 if ( a->a_sockurl_pat.bv_val ) free ( a->a_sockurl_pat.bv_val );
1881 if ( a->a_set_pat.bv_len ) free ( a->a_set_pat.bv_val );
1882 if ( a->a_group_pat.bv_len ) free ( a->a_group_pat.bv_val );
1887 acl_free( AccessControl *a )
1892 if ( a->acl_filter ) filter_free( a->acl_filter );
1893 if ( a->acl_dn_pat.bv_len ) free ( a->acl_dn_pat.bv_val );
1894 if ( a->acl_attrs ) {
1895 for ( an = a->acl_attrs; an->an_name.bv_val; an++ ) {
1896 free( an->an_name.bv_val );
1898 free( a->acl_attrs );
1900 for (; a->acl_access; a->acl_access = n) {
1901 n = a->acl_access->a_next;
1902 access_free( a->acl_access );
1907 /* Because backend_startup uses acl_append to tack on the global_acl to
1908 * the end of each backend's acl, we cannot just take one argument and
1909 * merrily free our way to the end of the list. backend_destroy calls us
1910 * with the be_acl in arg1, and global_acl in arg2 to give us a stopping
1911 * point. config_destroy calls us with global_acl in arg1 and NULL in
1912 * arg2, so we then proceed to polish off the global_acl.
1915 acl_destroy( AccessControl *a, AccessControl *end )
1919 for (; a && a!= end; a=n) {
1926 access2str( slap_access_t access )
1928 if ( access == ACL_NONE ) {
1931 } else if ( access == ACL_AUTH ) {
1934 } else if ( access == ACL_COMPARE ) {
1937 } else if ( access == ACL_SEARCH ) {
1940 } else if ( access == ACL_READ ) {
1943 } else if ( access == ACL_WRITE ) {
1951 str2access( const char *str )
1953 if ( strcasecmp( str, "none" ) == 0 ) {
1956 } else if ( strcasecmp( str, "auth" ) == 0 ) {
1959 } else if ( strcasecmp( str, "compare" ) == 0 ) {
1962 } else if ( strcasecmp( str, "search" ) == 0 ) {
1965 } else if ( strcasecmp( str, "read" ) == 0 ) {
1968 } else if ( strcasecmp( str, "write" ) == 0 ) {
1972 return( ACL_INVALID_ACCESS );
1978 print_access( Access *b )
1980 char maskbuf[ACCESSMASK_MAXLEN];
1982 fprintf( stderr, "\tby" );
1984 if ( b->a_dn_pat.bv_len != 0 ) {
1985 if ( ber_bvccmp( &b->a_dn_pat, '*' ) ||
1986 strcmp(b->a_dn_pat.bv_val, "users") == 0 ||
1987 strcmp(b->a_dn_pat.bv_val, "anonymous") == 0 ||
1988 strcmp(b->a_dn_pat.bv_val, "self") == 0 )
1990 fprintf( stderr, " %s", b->a_dn_pat.bv_val );
1993 fprintf( stderr, " dn.%s=\"%s\"",
1994 style_strings[b->a_dn_style], b->a_dn_pat.bv_val );
1998 if ( b->a_dn_at != NULL ) {
1999 fprintf( stderr, " dnattr=%s", b->a_dn_at->ad_cname.bv_val );
2002 if ( b->a_group_pat.bv_len ) {
2003 fprintf( stderr, " group/%s/%s.%s=\"%s\"",
2004 b->a_group_oc ? b->a_group_oc->soc_cname.bv_val : "groupOfNames",
2005 b->a_group_at ? b->a_group_at->ad_cname.bv_val : "member",
2006 style_strings[b->a_group_style],
2007 b->a_group_pat.bv_val );
2010 if ( b->a_peername_pat.bv_len != 0 ) {
2011 fprintf( stderr, " peername=\"%s\"", b->a_peername_pat.bv_val );
2014 if ( b->a_sockname_pat.bv_len != 0 ) {
2015 fprintf( stderr, " sockname=\"%s\"", b->a_sockname_pat.bv_val );
2018 if ( b->a_domain_pat.bv_len != 0 ) {
2019 fprintf( stderr, " domain=%s", b->a_domain_pat.bv_val );
2022 if ( b->a_sockurl_pat.bv_len != 0 ) {
2023 fprintf( stderr, " sockurl=\"%s\"", b->a_sockurl_pat.bv_val );
2026 if ( b->a_set_pat.bv_len != 0 ) {
2027 fprintf( stderr, " set=\"%s\"", b->a_set_pat.bv_val );
2030 #ifdef SLAPD_ACI_ENABLED
2031 if ( b->a_aci_at != NULL ) {
2032 fprintf( stderr, " aci=%s", b->a_aci_at->ad_cname.bv_val );
2036 /* Security Strength Factors */
2037 if ( b->a_authz.sai_ssf ) {
2038 fprintf( stderr, " ssf=%u",
2039 b->a_authz.sai_ssf );
2041 if ( b->a_authz.sai_transport_ssf ) {
2042 fprintf( stderr, " transport_ssf=%u",
2043 b->a_authz.sai_transport_ssf );
2045 if ( b->a_authz.sai_tls_ssf ) {
2046 fprintf( stderr, " tls_ssf=%u",
2047 b->a_authz.sai_tls_ssf );
2049 if ( b->a_authz.sai_sasl_ssf ) {
2050 fprintf( stderr, " sasl_ssf=%u",
2051 b->a_authz.sai_sasl_ssf );
2054 fprintf( stderr, " %s%s",
2055 b->a_dn_self ? "self" : "",
2056 accessmask2str( b->a_access_mask, maskbuf ) );
2058 if( b->a_type == ACL_BREAK ) {
2059 fprintf( stderr, " break" );
2061 } else if( b->a_type == ACL_CONTINUE ) {
2062 fprintf( stderr, " continue" );
2064 } else if( b->a_type != ACL_STOP ) {
2065 fprintf( stderr, " unknown-control" );
2068 fprintf( stderr, "\n" );
2073 print_acl( Backend *be, AccessControl *a )
2078 fprintf( stderr, "%s ACL: access to",
2079 be == NULL ? "Global" : "Backend" );
2081 if ( a->acl_dn_pat.bv_len != 0 ) {
2083 fprintf( stderr, " dn.%s=\"%s\"\n",
2084 style_strings[a->acl_dn_style], a->acl_dn_pat.bv_val );
2087 if ( a->acl_filter != NULL ) {
2088 struct berval bv = BER_BVNULL;
2090 filter2bv( a->acl_filter, &bv );
2091 fprintf( stderr, " filter=%s\n", bv.bv_val );
2092 ch_free( bv.bv_val );
2095 if ( a->acl_attrs != NULL ) {
2100 fprintf( stderr, " attrs=" );
2101 for ( an = a->acl_attrs; an && an->an_name.bv_val; an++ ) {
2102 if ( ! first ) fprintf( stderr, "," );
2104 fputc( an->an_oc_exclude ? '!' : '@', stderr);
2106 fputs( an->an_name.bv_val, stderr );
2109 fprintf( stderr, "\n" );
2112 if ( a->acl_attrval.bv_len != 0 ) {
2114 fprintf( stderr, " val.%s=\"%s\"\n",
2115 style_strings[a->acl_attrval_style], a->acl_attrval.bv_val );
2119 if( !to ) fprintf( stderr, " *\n" );
2121 for ( b = a->acl_access; b != NULL; b = b->a_next ) {
2125 fprintf( stderr, "\n" );
2127 #endif /* LDAP_DEBUG */