1 /* aclparse.c - routines to parse and check acl's */
3 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
5 * Copyright 1998-2007 The OpenLDAP Foundation.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted only as authorized by the OpenLDAP
12 * A copy of this license is available in the file LICENSE in the
13 * top-level directory of the distribution or, alternatively, at
14 * <http://www.OpenLDAP.org/license.html>.
16 /* Portions Copyright (c) 1995 Regents of the University of Michigan.
17 * All rights reserved.
19 * Redistribution and use in source and binary forms are permitted
20 * provided that this notice is preserved and that due credit is given
21 * to the University of Michigan at Ann Arbor. The name of the University
22 * may not be used to endorse or promote products derived from this
23 * software without specific prior written permission. This software
24 * is provided ``as is'' without express or implied warranty.
33 #include <ac/socket.h>
34 #include <ac/string.h>
35 #include <ac/unistd.h>
41 static const char style_base[] = "base";
42 char *style_strings[] = {
60 static void split(char *line, int splitchar, char **left, char **right);
61 static void access_append(Access **l, Access *a);
62 static void access_free( Access *a );
63 static int acl_usage(void);
65 static void acl_regex_normalized_dn(const char *src, struct berval *pat);
68 static void print_acl(Backend *be, AccessControl *a);
71 static int check_scope( BackendDB *be, AccessControl *a );
84 slap_dynacl_t *da, *tmp;
87 for ( da = b->a_dynacl; da; da = da->da_next ) {
88 if ( strcasecmp( da->da_name, name ) == 0 ) {
89 Debug( LDAP_DEBUG_ANY,
90 "%s: line %d: dynacl \"%s\" already specified.\n",
91 fname, lineno, name );
96 da = slap_dynacl_get( name );
101 tmp = ch_malloc( sizeof( slap_dynacl_t ) );
104 if ( tmp->da_parse ) {
105 rc = ( *tmp->da_parse )( fname, lineno, opts, sty, right, &tmp->da_private );
112 tmp->da_next = b->a_dynacl;
117 #endif /* SLAP_DYNACL */
120 regtest(const char *fname, int lineno, char *pat) {
124 char buf[ SLAP_TEXT_BUFLEN ];
136 for (size = 0, flag = 0; (size < sizeof(buf)) && *sp; sp++) {
138 if (*sp == '$'|| (*sp >= '0' && *sp <= '9')) {
155 if ( size >= (sizeof(buf) - 1) ) {
156 Debug( LDAP_DEBUG_ANY,
157 "%s: line %d: regular expression \"%s\" too large\n",
158 fname, lineno, pat );
160 exit( EXIT_FAILURE );
163 if ((e = regcomp(&re, buf, REG_EXTENDED|REG_ICASE))) {
164 char error[ SLAP_TEXT_BUFLEN ];
166 regerror(e, &re, error, sizeof(error));
168 snprintf( buf, sizeof( buf ),
169 "regular expression \"%s\" bad because of %s",
171 Debug( LDAP_DEBUG_ANY,
173 fname, lineno, buf );
175 exit( EXIT_FAILURE );
183 * Check if the pattern of an ACL, if any, matches the scope
184 * of the backend it is defined within.
186 #define ACL_SCOPE_UNKNOWN (-2)
187 #define ACL_SCOPE_ERR (-1)
188 #define ACL_SCOPE_OK (0)
189 #define ACL_SCOPE_PARTIAL (1)
190 #define ACL_SCOPE_WARN (2)
193 check_scope( BackendDB *be, AccessControl *a )
198 dn = be->be_nsuffix[0];
200 if ( BER_BVISEMPTY( &dn ) ) {
204 if ( !BER_BVISEMPTY( &a->acl_dn_pat ) ||
205 a->acl_dn_style != ACL_STYLE_REGEX )
207 slap_style_t style = a->acl_dn_style;
209 if ( style == ACL_STYLE_REGEX ) {
210 char dnbuf[SLAP_LDAPDN_MAXLEN + 2];
211 char rebuf[SLAP_LDAPDN_MAXLEN + 1];
216 /* add trailing '$' to database suffix to form
217 * a simple trial regex pattern "<suffix>$" */
218 AC_MEMCPY( dnbuf, be->be_nsuffix[0].bv_val,
219 be->be_nsuffix[0].bv_len );
220 dnbuf[be->be_nsuffix[0].bv_len] = '$';
221 dnbuf[be->be_nsuffix[0].bv_len + 1] = '\0';
223 if ( regcomp( &re, dnbuf, REG_EXTENDED|REG_ICASE ) ) {
224 return ACL_SCOPE_WARN;
227 /* remove trailing ')$', if any, from original
229 rebuflen = a->acl_dn_pat.bv_len;
230 AC_MEMCPY( rebuf, a->acl_dn_pat.bv_val, rebuflen + 1 );
231 if ( rebuf[rebuflen - 1] == '$' ) {
232 rebuf[--rebuflen] = '\0';
234 while ( rebuflen > be->be_nsuffix[0].bv_len && rebuf[rebuflen - 1] == ')' ) {
235 rebuf[--rebuflen] = '\0';
237 if ( rebuflen == be->be_nsuffix[0].bv_len ) {
242 /* not a clear indication of scoping error, though */
243 rc = regexec( &re, rebuf, 0, NULL, 0 )
244 ? ACL_SCOPE_WARN : ACL_SCOPE_OK;
251 patlen = a->acl_dn_pat.bv_len;
252 /* If backend suffix is longer than pattern,
253 * it is a potential mismatch (in the sense
254 * that a superior naming context could
256 if ( dn.bv_len > patlen ) {
257 /* base is blatantly wrong */
258 if ( style == ACL_STYLE_BASE ) return ACL_SCOPE_ERR;
260 /* a style of one can be wrong if there is
261 * more than one level between the suffix
263 if ( style == ACL_STYLE_ONE ) {
264 ber_len_t rdnlen = 0;
268 if ( !DN_SEPARATOR( dn.bv_val[dn.bv_len - patlen - 1] )) {
269 return ACL_SCOPE_ERR;
274 rdnlen = dn_rdnlen( NULL, &dn );
275 if ( rdnlen != dn.bv_len - patlen - sep )
276 return ACL_SCOPE_ERR;
279 /* if the trailing part doesn't match,
280 * then it's an error */
281 if ( strcmp( a->acl_dn_pat.bv_val,
282 &dn.bv_val[dn.bv_len - patlen] ) != 0 )
284 return ACL_SCOPE_ERR;
287 return ACL_SCOPE_PARTIAL;
293 case ACL_STYLE_CHILDREN:
294 case ACL_STYLE_SUBTREE:
302 if ( dn.bv_len < patlen &&
303 !DN_SEPARATOR( a->acl_dn_pat.bv_val[patlen - dn.bv_len - 1] ))
305 return ACL_SCOPE_ERR;
308 if ( strcmp( &a->acl_dn_pat.bv_val[patlen - dn.bv_len], dn.bv_val )
311 return ACL_SCOPE_ERR;
317 return ACL_SCOPE_UNKNOWN;
330 char *left, *right, *style;
332 AccessControl *a = NULL;
337 for ( i = 1; i < argc; i++ ) {
338 /* to clause - select which entries are protected */
339 if ( strcasecmp( argv[i], "to" ) == 0 ) {
341 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
342 "only one to clause allowed in access line\n",
346 a = (AccessControl *) ch_calloc( 1, sizeof(AccessControl) );
347 for ( ++i; i < argc; i++ ) {
348 if ( strcasecmp( argv[i], "by" ) == 0 ) {
353 if ( strcasecmp( argv[i], "*" ) == 0 ) {
354 if ( !BER_BVISEMPTY( &a->acl_dn_pat ) ||
355 a->acl_dn_style != ACL_STYLE_REGEX )
357 Debug( LDAP_DEBUG_ANY,
358 "%s: line %d: dn pattern"
359 " already specified in to clause.\n",
364 ber_str2bv( "*", STRLENOF( "*" ), 1, &a->acl_dn_pat );
368 split( argv[i], '=', &left, &right );
369 split( left, '.', &left, &style );
371 if ( right == NULL ) {
372 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
373 "missing \"=\" in \"%s\" in to clause\n",
374 fname, lineno, left );
378 if ( strcasecmp( left, "dn" ) == 0 ) {
379 if ( !BER_BVISEMPTY( &a->acl_dn_pat ) ||
380 a->acl_dn_style != ACL_STYLE_REGEX )
382 Debug( LDAP_DEBUG_ANY,
383 "%s: line %d: dn pattern"
384 " already specified in to clause.\n",
389 if ( style == NULL || *style == '\0' ||
390 strcasecmp( style, "baseObject" ) == 0 ||
391 strcasecmp( style, "base" ) == 0 ||
392 strcasecmp( style, "exact" ) == 0 )
394 a->acl_dn_style = ACL_STYLE_BASE;
395 ber_str2bv( right, 0, 1, &a->acl_dn_pat );
397 } else if ( strcasecmp( style, "oneLevel" ) == 0 ||
398 strcasecmp( style, "one" ) == 0 )
400 a->acl_dn_style = ACL_STYLE_ONE;
401 ber_str2bv( right, 0, 1, &a->acl_dn_pat );
403 } else if ( strcasecmp( style, "subtree" ) == 0 ||
404 strcasecmp( style, "sub" ) == 0 )
406 if( *right == '\0' ) {
407 ber_str2bv( "*", STRLENOF( "*" ), 1, &a->acl_dn_pat );
410 a->acl_dn_style = ACL_STYLE_SUBTREE;
411 ber_str2bv( right, 0, 1, &a->acl_dn_pat );
414 } else if ( strcasecmp( style, "children" ) == 0 ) {
415 a->acl_dn_style = ACL_STYLE_CHILDREN;
416 ber_str2bv( right, 0, 1, &a->acl_dn_pat );
418 } else if ( strcasecmp( style, "regex" ) == 0 ) {
419 a->acl_dn_style = ACL_STYLE_REGEX;
421 if ( *right == '\0' ) {
422 /* empty regex should match empty DN */
423 a->acl_dn_style = ACL_STYLE_BASE;
424 ber_str2bv( right, 0, 1, &a->acl_dn_pat );
426 } else if ( strcmp(right, "*") == 0
427 || strcmp(right, ".*") == 0
428 || strcmp(right, ".*$") == 0
429 || strcmp(right, "^.*") == 0
430 || strcmp(right, "^.*$") == 0
431 || strcmp(right, ".*$$") == 0
432 || strcmp(right, "^.*$$") == 0 )
434 ber_str2bv( "*", STRLENOF("*"), 1, &a->acl_dn_pat );
437 acl_regex_normalized_dn( right, &a->acl_dn_pat );
441 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
442 "unknown dn style \"%s\" in to clause\n",
443 fname, lineno, style );
450 if ( strcasecmp( left, "filter" ) == 0 ) {
451 if ( (a->acl_filter = str2filter( right )) == NULL ) {
452 Debug( LDAP_DEBUG_ANY,
453 "%s: line %d: bad filter \"%s\" in to clause\n",
454 fname, lineno, right );
458 } else if ( strcasecmp( left, "attr" ) == 0 /* TOLERATED */
459 || strcasecmp( left, "attrs" ) == 0 ) /* DOCUMENTED */
461 if ( strcasecmp( left, "attr" ) == 0 ) {
462 Debug( LDAP_DEBUG_ANY,
463 "%s: line %d: \"attr\" "
464 "is deprecated (and undocumented); "
465 "use \"attrs\" instead.\n",
469 a->acl_attrs = str2anlist( a->acl_attrs,
471 if ( a->acl_attrs == NULL ) {
472 Debug( LDAP_DEBUG_ANY,
473 "%s: line %d: unknown attr \"%s\" in to clause\n",
474 fname, lineno, right );
478 } else if ( strncasecmp( left, "val", 3 ) == 0 ) {
482 if ( !BER_BVISEMPTY( &a->acl_attrval ) ) {
483 Debug( LDAP_DEBUG_ANY,
484 "%s: line %d: attr val already specified in to clause.\n",
488 if ( a->acl_attrs == NULL || !BER_BVISEMPTY( &a->acl_attrs[1].an_name ) )
490 Debug( LDAP_DEBUG_ANY,
491 "%s: line %d: attr val requires a single attribute.\n",
496 ber_str2bv( right, 0, 0, &bv );
497 a->acl_attrval_style = ACL_STYLE_BASE;
499 mr = strchr( left, '/' );
504 a->acl_attrval_mr = mr_find( mr );
505 if ( a->acl_attrval_mr == NULL ) {
506 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
507 "invalid matching rule \"%s\".\n",
512 if( !mr_usable_with_at( a->acl_attrval_mr, a->acl_attrs[ 0 ].an_desc->ad_type ) )
514 char buf[ SLAP_TEXT_BUFLEN ];
516 snprintf( buf, sizeof( buf ),
517 "matching rule \"%s\" use "
518 "with attr \"%s\" not appropriate.",
519 mr, a->acl_attrs[ 0 ].an_name.bv_val );
522 Debug( LDAP_DEBUG_ANY, "%s: line %d: %s\n",
523 fname, lineno, buf );
528 if ( style != NULL ) {
529 if ( strcasecmp( style, "regex" ) == 0 ) {
530 int e = regcomp( &a->acl_attrval_re, bv.bv_val,
531 REG_EXTENDED | REG_ICASE | REG_NOSUB );
533 char err[SLAP_TEXT_BUFLEN],
534 buf[ SLAP_TEXT_BUFLEN ];
536 regerror( e, &a->acl_attrval_re, err, sizeof( err ) );
538 snprintf( buf, sizeof( buf ),
539 "regular expression \"%s\" bad because of %s",
542 Debug( LDAP_DEBUG_ANY, "%s: line %d: %s\n",
543 fname, lineno, buf );
546 a->acl_attrval_style = ACL_STYLE_REGEX;
549 /* FIXME: if the attribute has DN syntax, we might
550 * allow one, subtree and children styles as well */
551 if ( !strcasecmp( style, "base" ) ||
552 !strcasecmp( style, "exact" ) ) {
553 a->acl_attrval_style = ACL_STYLE_BASE;
555 } else if ( a->acl_attrs[0].an_desc->ad_type->
556 sat_syntax == slap_schema.si_syn_distinguishedName )
558 if ( !strcasecmp( style, "baseObject" ) ||
559 !strcasecmp( style, "base" ) )
561 a->acl_attrval_style = ACL_STYLE_BASE;
562 } else if ( !strcasecmp( style, "onelevel" ) ||
563 !strcasecmp( style, "one" ) )
565 a->acl_attrval_style = ACL_STYLE_ONE;
566 } else if ( !strcasecmp( style, "subtree" ) ||
567 !strcasecmp( style, "sub" ) )
569 a->acl_attrval_style = ACL_STYLE_SUBTREE;
570 } else if ( !strcasecmp( style, "children" ) ) {
571 a->acl_attrval_style = ACL_STYLE_CHILDREN;
573 char buf[ SLAP_TEXT_BUFLEN ];
575 snprintf( buf, sizeof( buf ),
576 "unknown val.<style> \"%s\" for attributeType \"%s\" "
579 a->acl_attrs[0].an_desc->ad_cname.bv_val );
581 Debug( LDAP_DEBUG_CONFIG | LDAP_DEBUG_ACL,
583 fname, lineno, buf );
587 rc = dnNormalize( 0, NULL, NULL, &bv, &a->acl_attrval, NULL );
588 if ( rc != LDAP_SUCCESS ) {
589 char buf[ SLAP_TEXT_BUFLEN ];
591 snprintf( buf, sizeof( buf ),
592 "unable to normalize DN \"%s\" "
593 "for attributeType \"%s\" (%d).",
595 a->acl_attrs[0].an_desc->ad_cname.bv_val,
597 Debug( LDAP_DEBUG_ANY,
599 fname, lineno, buf );
604 char buf[ SLAP_TEXT_BUFLEN ];
606 snprintf( buf, sizeof( buf ),
607 "unknown val.<style> \"%s\" for attributeType \"%s\".",
608 style, a->acl_attrs[0].an_desc->ad_cname.bv_val );
609 Debug( LDAP_DEBUG_CONFIG | LDAP_DEBUG_ACL,
611 fname, lineno, buf );
617 /* Check for appropriate matching rule */
618 if ( a->acl_attrval_style == ACL_STYLE_REGEX ) {
619 ber_dupbv( &a->acl_attrval, &bv );
621 } else if ( BER_BVISNULL( &a->acl_attrval ) ) {
625 if ( a->acl_attrval_mr == NULL ) {
626 a->acl_attrval_mr = a->acl_attrs[ 0 ].an_desc->ad_type->sat_equality;
629 if ( a->acl_attrval_mr == NULL ) {
630 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
631 "attr \"%s\" does not have an EQUALITY matching rule.\n",
632 fname, lineno, a->acl_attrs[ 0 ].an_name.bv_val );
636 rc = asserted_value_validate_normalize(
637 a->acl_attrs[ 0 ].an_desc,
639 SLAP_MR_EQUALITY|SLAP_MR_VALUE_OF_ASSERTION_SYNTAX,
644 if ( rc != LDAP_SUCCESS ) {
645 char buf[ SLAP_TEXT_BUFLEN ];
647 snprintf( buf, sizeof( buf ), "%s: line %d: "
648 " attr \"%s\" normalization failed (%d: %s)",
650 a->acl_attrs[ 0 ].an_name.bv_val, rc, text );
651 Debug( LDAP_DEBUG_ANY, "%s: line %d: %s.\n",
652 fname, lineno, buf );
658 Debug( LDAP_DEBUG_ANY,
659 "%s: line %d: expecting <what> got \"%s\"\n",
660 fname, lineno, left );
665 if ( !BER_BVISNULL( &a->acl_dn_pat ) &&
666 ber_bvccmp( &a->acl_dn_pat, '*' ) )
668 free( a->acl_dn_pat.bv_val );
669 BER_BVZERO( &a->acl_dn_pat );
670 a->acl_dn_style = ACL_STYLE_REGEX;
673 if ( !BER_BVISEMPTY( &a->acl_dn_pat ) ||
674 a->acl_dn_style != ACL_STYLE_REGEX )
676 if ( a->acl_dn_style != ACL_STYLE_REGEX ) {
678 rc = dnNormalize( 0, NULL, NULL, &a->acl_dn_pat, &bv, NULL);
679 if ( rc != LDAP_SUCCESS ) {
680 Debug( LDAP_DEBUG_ANY,
681 "%s: line %d: bad DN \"%s\" in to DN clause\n",
682 fname, lineno, a->acl_dn_pat.bv_val );
685 free( a->acl_dn_pat.bv_val );
689 int e = regcomp( &a->acl_dn_re, a->acl_dn_pat.bv_val,
690 REG_EXTENDED | REG_ICASE );
692 char err[ SLAP_TEXT_BUFLEN ],
693 buf[ SLAP_TEXT_BUFLEN ];
695 regerror( e, &a->acl_dn_re, err, sizeof( err ) );
696 snprintf( buf, sizeof( buf ),
697 "regular expression \"%s\" bad because of %s",
699 Debug( LDAP_DEBUG_ANY, "%s: line %d: %s\n",
700 fname, lineno, buf );
706 /* by clause - select who has what access to entries */
707 } else if ( strcasecmp( argv[i], "by" ) == 0 ) {
709 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
710 "to clause required before by clause in access line\n",
716 * by clause consists of <who> and <access>
720 Debug( LDAP_DEBUG_ANY,
721 "%s: line %d: premature EOL: expecting <who>\n",
726 b = (Access *) ch_calloc( 1, sizeof(Access) );
728 ACL_INVALIDATE( b->a_access_mask );
731 for ( ; i < argc; i++ ) {
732 slap_style_t sty = ACL_STYLE_REGEX;
733 char *style_modifier = NULL;
734 char *style_level = NULL;
737 slap_dn_access *bdn = &b->a_dn;
740 split( argv[i], '=', &left, &right );
741 split( left, '.', &left, &style );
743 split( style, ',', &style, &style_modifier );
745 if ( strncasecmp( style, "level", STRLENOF( "level" ) ) == 0 ) {
746 split( style, '{', &style, &style_level );
747 if ( style_level != NULL ) {
748 char *p = strchr( style_level, '}' );
750 Debug( LDAP_DEBUG_ANY,
751 "%s: line %d: premature eol: "
752 "expecting closing '}' in \"level{n}\"\n",
755 } else if ( p == style_level ) {
756 Debug( LDAP_DEBUG_ANY,
757 "%s: line %d: empty level "
767 if ( style == NULL || *style == '\0' ||
768 strcasecmp( style, "exact" ) == 0 ||
769 strcasecmp( style, "baseObject" ) == 0 ||
770 strcasecmp( style, "base" ) == 0 )
772 sty = ACL_STYLE_BASE;
774 } else if ( strcasecmp( style, "onelevel" ) == 0 ||
775 strcasecmp( style, "one" ) == 0 )
779 } else if ( strcasecmp( style, "subtree" ) == 0 ||
780 strcasecmp( style, "sub" ) == 0 )
782 sty = ACL_STYLE_SUBTREE;
784 } else if ( strcasecmp( style, "children" ) == 0 ) {
785 sty = ACL_STYLE_CHILDREN;
787 } else if ( strcasecmp( style, "level" ) == 0 )
789 if ( lutil_atoi( &level, style_level ) != 0 ) {
790 Debug( LDAP_DEBUG_ANY,
791 "%s: line %d: unable to parse level "
797 sty = ACL_STYLE_LEVEL;
799 } else if ( strcasecmp( style, "regex" ) == 0 ) {
800 sty = ACL_STYLE_REGEX;
802 } else if ( strcasecmp( style, "expand" ) == 0 ) {
803 sty = ACL_STYLE_EXPAND;
805 } else if ( strcasecmp( style, "ip" ) == 0 ) {
808 } else if ( strcasecmp( style, "ipv6" ) == 0 ) {
809 #ifndef LDAP_PF_INET6
810 Debug( LDAP_DEBUG_ANY,
811 "%s: line %d: IPv6 not supported\n",
813 #endif /* ! LDAP_PF_INET6 */
814 sty = ACL_STYLE_IPV6;
816 } else if ( strcasecmp( style, "path" ) == 0 ) {
817 sty = ACL_STYLE_PATH;
818 #ifndef LDAP_PF_LOCAL
819 Debug( LDAP_DEBUG_CONFIG | LDAP_DEBUG_ACL,
821 "\"path\" style modifier is useless without local.\n",
824 #endif /* LDAP_PF_LOCAL */
827 Debug( LDAP_DEBUG_ANY,
828 "%s: line %d: unknown style \"%s\" in by clause\n",
829 fname, lineno, style );
833 if ( style_modifier &&
834 strcasecmp( style_modifier, "expand" ) == 0 )
837 case ACL_STYLE_REGEX:
838 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
839 "\"regex\" style implies \"expand\" modifier.\n",
844 case ACL_STYLE_EXPAND:
848 /* we'll see later if it's pertinent */
854 /* expand in <who> needs regex in <what> */
855 if ( ( sty == ACL_STYLE_EXPAND || expand )
856 && a->acl_dn_style != ACL_STYLE_REGEX )
858 Debug( LDAP_DEBUG_CONFIG | LDAP_DEBUG_ACL, "%s: line %d: \"expand\" style "
859 "or modifier used in conjunction with a non-regex <what> clause.\n",
864 if ( strncasecmp( left, "real", STRLENOF( "real" ) ) == 0 ) {
867 left += STRLENOF( "real" );
870 if ( strcasecmp( left, "*" ) == 0 ) {
875 ber_str2bv( "*", STRLENOF( "*" ), 1, &bv );
876 sty = ACL_STYLE_REGEX;
878 } else if ( strcasecmp( left, "anonymous" ) == 0 ) {
879 ber_str2bv("anonymous", STRLENOF( "anonymous" ), 1, &bv);
880 sty = ACL_STYLE_ANONYMOUS;
882 } else if ( strcasecmp( left, "users" ) == 0 ) {
883 ber_str2bv("users", STRLENOF( "users" ), 1, &bv);
884 sty = ACL_STYLE_USERS;
886 } else if ( strcasecmp( left, "self" ) == 0 ) {
887 ber_str2bv("self", STRLENOF( "self" ), 1, &bv);
888 sty = ACL_STYLE_SELF;
890 } else if ( strcasecmp( left, "dn" ) == 0 ) {
891 if ( sty == ACL_STYLE_REGEX ) {
892 bdn->a_style = ACL_STYLE_REGEX;
893 if ( right == NULL ) {
898 bdn->a_style = ACL_STYLE_USERS;
900 } else if (*right == '\0' ) {
902 ber_str2bv("anonymous",
903 STRLENOF( "anonymous" ),
905 bdn->a_style = ACL_STYLE_ANONYMOUS;
907 } else if ( strcmp( right, "*" ) == 0 ) {
909 /* any or users? users for now */
913 bdn->a_style = ACL_STYLE_USERS;
915 } else if ( strcmp( right, ".+" ) == 0
916 || strcmp( right, "^.+" ) == 0
917 || strcmp( right, ".+$" ) == 0
918 || strcmp( right, "^.+$" ) == 0
919 || strcmp( right, ".+$$" ) == 0
920 || strcmp( right, "^.+$$" ) == 0 )
925 bdn->a_style = ACL_STYLE_USERS;
927 } else if ( strcmp( right, ".*" ) == 0
928 || strcmp( right, "^.*" ) == 0
929 || strcmp( right, ".*$" ) == 0
930 || strcmp( right, "^.*$" ) == 0
931 || strcmp( right, ".*$$" ) == 0
932 || strcmp( right, "^.*$$" ) == 0 )
939 acl_regex_normalized_dn( right, &bv );
940 if ( !ber_bvccmp( &bv, '*' ) ) {
941 regtest( fname, lineno, bv.bv_val );
945 } else if ( right == NULL || *right == '\0' ) {
946 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
947 "missing \"=\" in (or value after) \"%s\" "
949 fname, lineno, left );
953 ber_str2bv( right, 0, 1, &bv );
960 if ( !BER_BVISNULL( &bv ) ) {
961 if ( !BER_BVISEMPTY( &bdn->a_pat ) ) {
962 Debug( LDAP_DEBUG_ANY,
963 "%s: line %d: dn pattern already specified.\n",
968 if ( sty != ACL_STYLE_REGEX &&
969 sty != ACL_STYLE_ANONYMOUS &&
970 sty != ACL_STYLE_USERS &&
971 sty != ACL_STYLE_SELF &&
974 rc = dnNormalize(0, NULL, NULL,
975 &bv, &bdn->a_pat, NULL);
976 if ( rc != LDAP_SUCCESS ) {
977 Debug( LDAP_DEBUG_ANY,
978 "%s: line %d: bad DN \"%s\" in by DN clause\n",
979 fname, lineno, bv.bv_val );
983 if ( sty == ACL_STYLE_BASE
985 && !BER_BVISNULL( &be->be_rootndn )
986 && dn_match( &bdn->a_pat, &be->be_rootndn ) )
988 Debug( LDAP_DEBUG_ANY,
989 "%s: line %d: rootdn is always granted "
990 "unlimited privileges.\n",
1002 for ( exp = strchr( bdn->a_pat.bv_val, '$' );
1003 exp && (ber_len_t)(exp - bdn->a_pat.bv_val)
1004 < bdn->a_pat.bv_len;
1005 exp = strchr( exp, '$' ) )
1007 if ( isdigit( (unsigned char) exp[ 1 ] ) ) {
1014 bdn->a_expand = expand;
1017 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1018 "\"expand\" used with no expansions in \"pattern\".\n",
1023 if ( sty == ACL_STYLE_SELF ) {
1024 bdn->a_self_level = level;
1028 Debug( LDAP_DEBUG_ANY,
1029 "%s: line %d: bad negative level \"%d\" "
1030 "in by DN clause\n",
1031 fname, lineno, level );
1033 } else if ( level == 1 ) {
1034 Debug( LDAP_DEBUG_ANY,
1035 "%s: line %d: \"onelevel\" should be used "
1036 "instead of \"level{1}\" in by DN clause\n",
1038 } else if ( level == 0 && sty == ACL_STYLE_LEVEL ) {
1039 Debug( LDAP_DEBUG_ANY,
1040 "%s: line %d: \"base\" should be used "
1041 "instead of \"level{0}\" in by DN clause\n",
1045 bdn->a_level = level;
1050 if ( strcasecmp( left, "dnattr" ) == 0 ) {
1051 if ( right == NULL || right[0] == '\0' ) {
1052 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1053 "missing \"=\" in (or value after) \"%s\" "
1055 fname, lineno, left );
1059 if( bdn->a_at != NULL ) {
1060 Debug( LDAP_DEBUG_ANY,
1061 "%s: line %d: dnattr already specified.\n",
1066 rc = slap_str2ad( right, &bdn->a_at, &text );
1068 if( rc != LDAP_SUCCESS ) {
1069 char buf[ SLAP_TEXT_BUFLEN ];
1071 snprintf( buf, sizeof( buf ),
1072 "dnattr \"%s\": %s",
1074 Debug( LDAP_DEBUG_ANY,
1075 "%s: line %d: %s\n",
1076 fname, lineno, buf );
1081 if( !is_at_syntax( bdn->a_at->ad_type,
1082 SLAPD_DN_SYNTAX ) &&
1083 !is_at_syntax( bdn->a_at->ad_type,
1084 SLAPD_NAMEUID_SYNTAX ))
1086 char buf[ SLAP_TEXT_BUFLEN ];
1088 snprintf( buf, sizeof( buf ),
1090 "inappropriate syntax: %s\n",
1092 bdn->a_at->ad_type->sat_syntax_oid );
1093 Debug( LDAP_DEBUG_ANY,
1094 "%s: line %d: %s\n",
1095 fname, lineno, buf );
1099 if( bdn->a_at->ad_type->sat_equality == NULL ) {
1100 Debug( LDAP_DEBUG_ANY,
1101 "%s: line %d: dnattr \"%s\": "
1102 "inappropriate matching (no EQUALITY)\n",
1103 fname, lineno, right );
1110 if ( strncasecmp( left, "group", STRLENOF( "group" ) ) == 0 ) {
1115 case ACL_STYLE_REGEX:
1116 /* legacy, tolerated */
1117 Debug( LDAP_DEBUG_CONFIG | LDAP_DEBUG_ACL,
1119 "deprecated group style \"regex\"; "
1120 "use \"expand\" instead.\n",
1122 sty = ACL_STYLE_EXPAND;
1125 case ACL_STYLE_BASE:
1126 /* legal, traditional */
1127 case ACL_STYLE_EXPAND:
1128 /* legal, substring expansion; supersedes regex */
1133 Debug( LDAP_DEBUG_ANY,
1135 "inappropriate style \"%s\" in by clause.\n",
1136 fname, lineno, style );
1140 if ( right == NULL || right[0] == '\0' ) {
1141 Debug( LDAP_DEBUG_ANY,
1143 "missing \"=\" in (or value after) \"%s\" "
1145 fname, lineno, left );
1149 if ( !BER_BVISEMPTY( &b->a_group_pat ) ) {
1150 Debug( LDAP_DEBUG_ANY,
1151 "%s: line %d: group pattern already specified.\n",
1156 /* format of string is
1157 "group/objectClassValue/groupAttrName" */
1158 if ( ( value = strchr(left, '/') ) != NULL ) {
1160 if ( *value && ( name = strchr( value, '/' ) ) != NULL ) {
1165 b->a_group_style = sty;
1166 if ( sty == ACL_STYLE_EXPAND ) {
1167 acl_regex_normalized_dn( right, &bv );
1168 if ( !ber_bvccmp( &bv, '*' ) ) {
1169 regtest( fname, lineno, bv.bv_val );
1171 b->a_group_pat = bv;
1174 ber_str2bv( right, 0, 0, &bv );
1175 rc = dnNormalize( 0, NULL, NULL, &bv,
1176 &b->a_group_pat, NULL );
1177 if ( rc != LDAP_SUCCESS ) {
1178 Debug( LDAP_DEBUG_ANY,
1179 "%s: line %d: bad DN \"%s\".\n",
1180 fname, lineno, right );
1185 if ( value && *value ) {
1186 b->a_group_oc = oc_find( value );
1189 if ( b->a_group_oc == NULL ) {
1190 Debug( LDAP_DEBUG_ANY,
1191 "%s: line %d: group objectclass "
1192 "\"%s\" unknown.\n",
1193 fname, lineno, value );
1198 b->a_group_oc = oc_find( SLAPD_GROUP_CLASS );
1200 if( b->a_group_oc == NULL ) {
1201 Debug( LDAP_DEBUG_ANY,
1202 "%s: line %d: group default objectclass "
1203 "\"%s\" unknown.\n",
1204 fname, lineno, SLAPD_GROUP_CLASS );
1209 if ( is_object_subclass( slap_schema.si_oc_referral,
1212 Debug( LDAP_DEBUG_ANY,
1213 "%s: line %d: group objectclass \"%s\" "
1214 "is subclass of referral.\n",
1215 fname, lineno, value );
1219 if ( is_object_subclass( slap_schema.si_oc_alias,
1222 Debug( LDAP_DEBUG_ANY,
1223 "%s: line %d: group objectclass \"%s\" "
1224 "is subclass of alias.\n",
1225 fname, lineno, value );
1229 if ( name && *name ) {
1230 rc = slap_str2ad( name, &b->a_group_at, &text );
1232 if( rc != LDAP_SUCCESS ) {
1233 char buf[ SLAP_TEXT_BUFLEN ];
1235 snprintf( buf, sizeof( buf ),
1236 "group \"%s\": %s.",
1238 Debug( LDAP_DEBUG_ANY,
1239 "%s: line %d: %s\n",
1240 fname, lineno, buf );
1246 rc = slap_str2ad( SLAPD_GROUP_ATTR, &b->a_group_at, &text );
1248 if ( rc != LDAP_SUCCESS ) {
1249 char buf[ SLAP_TEXT_BUFLEN ];
1251 snprintf( buf, sizeof( buf ),
1252 "group \"%s\": %s.",
1253 SLAPD_GROUP_ATTR, text );
1254 Debug( LDAP_DEBUG_ANY,
1255 "%s: line %d: %s\n",
1256 fname, lineno, buf );
1261 if ( !is_at_syntax( b->a_group_at->ad_type,
1262 SLAPD_DN_SYNTAX ) &&
1263 !is_at_syntax( b->a_group_at->ad_type,
1264 SLAPD_NAMEUID_SYNTAX ) &&
1265 !is_at_subtype( b->a_group_at->ad_type,
1266 slap_schema.si_ad_labeledURI->ad_type ) )
1268 char buf[ SLAP_TEXT_BUFLEN ];
1270 snprintf( buf, sizeof( buf ),
1271 "group \"%s\": inappropriate syntax: %s.",
1273 b->a_group_at->ad_type->sat_syntax_oid );
1274 Debug( LDAP_DEBUG_ANY,
1275 "%s: line %d: %s\n",
1276 fname, lineno, buf );
1283 ObjectClass *ocs[2];
1285 ocs[0] = b->a_group_oc;
1288 rc = oc_check_allowed( b->a_group_at->ad_type,
1292 char buf[ SLAP_TEXT_BUFLEN ];
1294 snprintf( buf, sizeof( buf ),
1295 "group: \"%s\" not allowed by \"%s\".",
1296 b->a_group_at->ad_cname.bv_val,
1297 b->a_group_oc->soc_oid );
1298 Debug( LDAP_DEBUG_ANY, "%s: line %d: %s\n",
1299 fname, lineno, buf );
1306 if ( strcasecmp( left, "peername" ) == 0 ) {
1308 case ACL_STYLE_REGEX:
1309 case ACL_STYLE_BASE:
1310 /* legal, traditional */
1311 case ACL_STYLE_EXPAND:
1312 /* cheap replacement to regex for simple expansion */
1314 case ACL_STYLE_IPV6:
1315 case ACL_STYLE_PATH:
1316 /* legal, peername specific */
1320 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1321 "inappropriate style \"%s\" in by clause.\n",
1322 fname, lineno, style );
1326 if ( right == NULL || right[0] == '\0' ) {
1327 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1328 "missing \"=\" in (or value after) \"%s\" "
1330 fname, lineno, left );
1334 if ( !BER_BVISEMPTY( &b->a_peername_pat ) ) {
1335 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1336 "peername pattern already specified.\n",
1341 b->a_peername_style = sty;
1342 if ( sty == ACL_STYLE_REGEX ) {
1343 acl_regex_normalized_dn( right, &bv );
1344 if ( !ber_bvccmp( &bv, '*' ) ) {
1345 regtest( fname, lineno, bv.bv_val );
1347 b->a_peername_pat = bv;
1350 ber_str2bv( right, 0, 1, &b->a_peername_pat );
1352 if ( sty == ACL_STYLE_IP ) {
1357 split( right, '{', &addr, &port );
1358 split( addr, '%', &addr, &mask );
1360 b->a_peername_addr = inet_addr( addr );
1361 if ( b->a_peername_addr == (unsigned long)(-1) ) {
1362 /* illegal address */
1363 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1364 "illegal peername address \"%s\".\n",
1365 fname, lineno, addr );
1369 b->a_peername_mask = (unsigned long)(-1);
1370 if ( mask != NULL ) {
1371 b->a_peername_mask = inet_addr( mask );
1372 if ( b->a_peername_mask ==
1373 (unsigned long)(-1) )
1376 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1377 "illegal peername address mask "
1379 fname, lineno, mask );
1384 b->a_peername_port = -1;
1388 b->a_peername_port = strtol( port, &end, 10 );
1389 if ( end == port || end[0] != '}' ) {
1391 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1392 "illegal peername port specification "
1394 fname, lineno, port );
1399 #ifdef LDAP_PF_INET6
1400 } else if ( sty == ACL_STYLE_IPV6 ) {
1405 split( right, '{', &addr, &port );
1406 split( addr, '%', &addr, &mask );
1408 if ( inet_pton( AF_INET6, addr, &b->a_peername_addr6 ) != 1 ) {
1409 /* illegal address */
1410 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1411 "illegal peername address \"%s\".\n",
1412 fname, lineno, addr );
1416 if ( mask == NULL ) {
1417 mask = "FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF";
1420 if ( inet_pton( AF_INET6, mask, &b->a_peername_mask6 ) != 1 ) {
1422 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1423 "illegal peername address mask "
1425 fname, lineno, mask );
1429 b->a_peername_port = -1;
1433 b->a_peername_port = strtol( port, &end, 10 );
1434 if ( end == port || end[0] != '}' ) {
1436 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1437 "illegal peername port specification "
1439 fname, lineno, port );
1443 #endif /* LDAP_PF_INET6 */
1449 if ( strcasecmp( left, "sockname" ) == 0 ) {
1451 case ACL_STYLE_REGEX:
1452 case ACL_STYLE_BASE:
1453 /* legal, traditional */
1454 case ACL_STYLE_EXPAND:
1455 /* cheap replacement to regex for simple expansion */
1460 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1461 "inappropriate style \"%s\" in by clause\n",
1462 fname, lineno, style );
1466 if ( right == NULL || right[0] == '\0' ) {
1467 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1468 "missing \"=\" in (or value after) \"%s\" "
1470 fname, lineno, left );
1474 if ( !BER_BVISNULL( &b->a_sockname_pat ) ) {
1475 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1476 "sockname pattern already specified.\n",
1481 b->a_sockname_style = sty;
1482 if ( sty == ACL_STYLE_REGEX ) {
1483 acl_regex_normalized_dn( right, &bv );
1484 if ( !ber_bvccmp( &bv, '*' ) ) {
1485 regtest( fname, lineno, bv.bv_val );
1487 b->a_sockname_pat = bv;
1490 ber_str2bv( right, 0, 1, &b->a_sockname_pat );
1495 if ( strcasecmp( left, "domain" ) == 0 ) {
1497 case ACL_STYLE_REGEX:
1498 case ACL_STYLE_BASE:
1499 case ACL_STYLE_SUBTREE:
1500 /* legal, traditional */
1503 case ACL_STYLE_EXPAND:
1504 /* tolerated: means exact,expand */
1506 Debug( LDAP_DEBUG_ANY,
1508 "\"expand\" modifier "
1509 "with \"expand\" style.\n",
1512 sty = ACL_STYLE_BASE;
1518 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1519 "inappropriate style \"%s\" in by clause.\n",
1520 fname, lineno, style );
1524 if ( right == NULL || right[0] == '\0' ) {
1525 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1526 "missing \"=\" in (or value after) \"%s\" "
1528 fname, lineno, left );
1532 if ( !BER_BVISEMPTY( &b->a_domain_pat ) ) {
1533 Debug( LDAP_DEBUG_ANY,
1534 "%s: line %d: domain pattern already specified.\n",
1539 b->a_domain_style = sty;
1540 b->a_domain_expand = expand;
1541 if ( sty == ACL_STYLE_REGEX ) {
1542 acl_regex_normalized_dn( right, &bv );
1543 if ( !ber_bvccmp( &bv, '*' ) ) {
1544 regtest( fname, lineno, bv.bv_val );
1546 b->a_domain_pat = bv;
1549 ber_str2bv( right, 0, 1, &b->a_domain_pat );
1554 if ( strcasecmp( left, "sockurl" ) == 0 ) {
1556 case ACL_STYLE_REGEX:
1557 case ACL_STYLE_BASE:
1558 /* legal, traditional */
1559 case ACL_STYLE_EXPAND:
1560 /* cheap replacement to regex for simple expansion */
1565 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1566 "inappropriate style \"%s\" in by clause.\n",
1567 fname, lineno, style );
1571 if ( right == NULL || right[0] == '\0' ) {
1572 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1573 "missing \"=\" in (or value after) \"%s\" "
1575 fname, lineno, left );
1579 if ( !BER_BVISEMPTY( &b->a_sockurl_pat ) ) {
1580 Debug( LDAP_DEBUG_ANY,
1581 "%s: line %d: sockurl pattern already specified.\n",
1586 b->a_sockurl_style = sty;
1587 if ( sty == ACL_STYLE_REGEX ) {
1588 acl_regex_normalized_dn( right, &bv );
1589 if ( !ber_bvccmp( &bv, '*' ) ) {
1590 regtest( fname, lineno, bv.bv_val );
1592 b->a_sockurl_pat = bv;
1595 ber_str2bv( right, 0, 1, &b->a_sockurl_pat );
1600 if ( strcasecmp( left, "set" ) == 0 ) {
1603 case ACL_STYLE_REGEX:
1604 Debug( LDAP_DEBUG_CONFIG | LDAP_DEBUG_ACL,
1606 "deprecated set style "
1607 "\"regex\" in <by> clause; "
1608 "use \"expand\" instead.\n",
1610 sty = ACL_STYLE_EXPAND;
1613 case ACL_STYLE_BASE:
1614 case ACL_STYLE_EXPAND:
1618 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1619 "inappropriate style \"%s\" in by clause.\n",
1620 fname, lineno, style );
1624 if ( !BER_BVISEMPTY( &b->a_set_pat ) ) {
1625 Debug( LDAP_DEBUG_ANY,
1626 "%s: line %d: set attribute already specified.\n",
1631 if ( right == NULL || *right == '\0' ) {
1632 Debug( LDAP_DEBUG_ANY,
1633 "%s: line %d: no set is defined.\n",
1638 b->a_set_style = sty;
1639 ber_str2bv( right, 0, 1, &b->a_set_pat );
1649 #if 1 /* tolerate legacy "aci" <who> */
1650 if ( strcasecmp( left, "aci" ) == 0 ) {
1651 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1652 "undocumented deprecated \"aci\" directive "
1653 "is superseded by \"dynacl/aci\".\n",
1658 #endif /* tolerate legacy "aci" <who> */
1659 if ( strncasecmp( left, "dynacl/", STRLENOF( "dynacl/" ) ) == 0 ) {
1660 name = &left[ STRLENOF( "dynacl/" ) ];
1661 opts = strchr( name, '/' );
1669 if ( slap_dynacl_config( fname, lineno, b, name, opts, sty, right ) ) {
1670 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1671 "unable to configure dynacl \"%s\".\n",
1672 fname, lineno, name );
1679 #endif /* SLAP_DYNACL */
1681 if ( strcasecmp( left, "ssf" ) == 0 ) {
1682 if ( sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE ) {
1683 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1684 "inappropriate style \"%s\" in by clause.\n",
1685 fname, lineno, style );
1689 if ( b->a_authz.sai_ssf ) {
1690 Debug( LDAP_DEBUG_ANY,
1691 "%s: line %d: ssf attribute already specified.\n",
1696 if ( right == NULL || *right == '\0' ) {
1697 Debug( LDAP_DEBUG_ANY,
1698 "%s: line %d: no ssf is defined.\n",
1703 if ( lutil_atou( &b->a_authz.sai_ssf, right ) != 0 ) {
1704 Debug( LDAP_DEBUG_ANY,
1705 "%s: line %d: unable to parse ssf value (%s).\n",
1706 fname, lineno, right );
1710 if ( !b->a_authz.sai_ssf ) {
1711 Debug( LDAP_DEBUG_ANY,
1712 "%s: line %d: invalid ssf value (%s).\n",
1713 fname, lineno, right );
1719 if ( strcasecmp( left, "transport_ssf" ) == 0 ) {
1720 if ( sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE ) {
1721 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1722 "inappropriate style \"%s\" in by clause.\n",
1723 fname, lineno, style );
1727 if ( b->a_authz.sai_transport_ssf ) {
1728 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1729 "transport_ssf attribute already specified.\n",
1734 if ( right == NULL || *right == '\0' ) {
1735 Debug( LDAP_DEBUG_ANY,
1736 "%s: line %d: no transport_ssf is defined.\n",
1741 if ( lutil_atou( &b->a_authz.sai_transport_ssf, right ) != 0 ) {
1742 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1743 "unable to parse transport_ssf value (%s).\n",
1744 fname, lineno, right );
1748 if ( !b->a_authz.sai_transport_ssf ) {
1749 Debug( LDAP_DEBUG_ANY,
1750 "%s: line %d: invalid transport_ssf value (%s).\n",
1751 fname, lineno, right );
1757 if ( strcasecmp( left, "tls_ssf" ) == 0 ) {
1758 if ( sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE ) {
1759 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1760 "inappropriate style \"%s\" in by clause.\n",
1761 fname, lineno, style );
1765 if ( b->a_authz.sai_tls_ssf ) {
1766 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1767 "tls_ssf attribute already specified.\n",
1772 if ( right == NULL || *right == '\0' ) {
1773 Debug( LDAP_DEBUG_ANY,
1774 "%s: line %d: no tls_ssf is defined\n",
1779 if ( lutil_atou( &b->a_authz.sai_tls_ssf, right ) != 0 ) {
1780 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1781 "unable to parse tls_ssf value (%s).\n",
1782 fname, lineno, right );
1786 if ( !b->a_authz.sai_tls_ssf ) {
1787 Debug( LDAP_DEBUG_ANY,
1788 "%s: line %d: invalid tls_ssf value (%s).\n",
1789 fname, lineno, right );
1795 if ( strcasecmp( left, "sasl_ssf" ) == 0 ) {
1796 if ( sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE ) {
1797 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1798 "inappropriate style \"%s\" in by clause.\n",
1799 fname, lineno, style );
1803 if ( b->a_authz.sai_sasl_ssf ) {
1804 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1805 "sasl_ssf attribute already specified.\n",
1810 if ( right == NULL || *right == '\0' ) {
1811 Debug( LDAP_DEBUG_ANY,
1812 "%s: line %d: no sasl_ssf is defined.\n",
1817 if ( lutil_atou( &b->a_authz.sai_sasl_ssf, right ) != 0 ) {
1818 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1819 "unable to parse sasl_ssf value (%s).\n",
1820 fname, lineno, right );
1824 if ( !b->a_authz.sai_sasl_ssf ) {
1825 Debug( LDAP_DEBUG_ANY,
1826 "%s: line %d: invalid sasl_ssf value (%s).\n",
1827 fname, lineno, right );
1833 if ( right != NULL ) {
1840 if ( i == argc || ( strcasecmp( left, "stop" ) == 0 ) ) {
1841 /* out of arguments or plain stop */
1843 ACL_PRIV_ASSIGN( b->a_access_mask, ACL_PRIV_ADDITIVE );
1844 ACL_PRIV_SET( b->a_access_mask, ACL_PRIV_NONE);
1845 b->a_type = ACL_STOP;
1847 access_append( &a->acl_access, b );
1851 if ( strcasecmp( left, "continue" ) == 0 ) {
1852 /* plain continue */
1854 ACL_PRIV_ASSIGN( b->a_access_mask, ACL_PRIV_ADDITIVE );
1855 ACL_PRIV_SET( b->a_access_mask, ACL_PRIV_NONE);
1856 b->a_type = ACL_CONTINUE;
1858 access_append( &a->acl_access, b );
1862 if ( strcasecmp( left, "break" ) == 0 ) {
1863 /* plain continue */
1865 ACL_PRIV_ASSIGN(b->a_access_mask, ACL_PRIV_ADDITIVE);
1866 ACL_PRIV_SET( b->a_access_mask, ACL_PRIV_NONE);
1867 b->a_type = ACL_BREAK;
1869 access_append( &a->acl_access, b );
1873 if ( strcasecmp( left, "by" ) == 0 ) {
1874 /* we've gone too far */
1876 ACL_PRIV_ASSIGN( b->a_access_mask, ACL_PRIV_ADDITIVE );
1877 ACL_PRIV_SET( b->a_access_mask, ACL_PRIV_NONE);
1878 b->a_type = ACL_STOP;
1880 access_append( &a->acl_access, b );
1888 if ( strncasecmp( left, "self", STRLENOF( "self" ) ) == 0 ) {
1890 lleft = &left[ STRLENOF( "self" ) ];
1892 } else if ( strncasecmp( left, "realself", STRLENOF( "realself" ) ) == 0 ) {
1893 b->a_realdn_self = 1;
1894 lleft = &left[ STRLENOF( "realself" ) ];
1897 ACL_PRIV_ASSIGN( b->a_access_mask, str2accessmask( lleft ) );
1900 if ( ACL_IS_INVALID( b->a_access_mask ) ) {
1901 Debug( LDAP_DEBUG_ANY,
1902 "%s: line %d: expecting <access> got \"%s\".\n",
1903 fname, lineno, left );
1907 b->a_type = ACL_STOP;
1909 if ( ++i == argc ) {
1910 /* out of arguments or plain stop */
1911 access_append( &a->acl_access, b );
1915 if ( strcasecmp( argv[i], "continue" ) == 0 ) {
1916 /* plain continue */
1917 b->a_type = ACL_CONTINUE;
1919 } else if ( strcasecmp( argv[i], "break" ) == 0 ) {
1920 /* plain continue */
1921 b->a_type = ACL_BREAK;
1923 } else if ( strcasecmp( argv[i], "stop" ) != 0 ) {
1928 access_append( &a->acl_access, b );
1932 Debug( LDAP_DEBUG_ANY,
1933 "%s: line %d: expecting \"to\" "
1934 "or \"by\" got \"%s\"\n",
1935 fname, lineno, argv[i] );
1940 /* if we have no real access clause, complain and do nothing */
1942 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1943 "warning: no access clause(s) specified in access line.\n",
1949 if ( slap_debug & LDAP_DEBUG_ACL ) {
1954 if ( a->acl_access == NULL ) {
1955 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1956 "warning: no by clause(s) specified in access line.\n",
1962 if ( be->be_nsuffix == NULL ) {
1963 Debug( LDAP_DEBUG_ACL, "%s: line %d: warning: "
1964 "scope checking needs suffix before ACLs.\n",
1966 /* go ahead, since checking is not authoritative */
1967 } else if ( !BER_BVISNULL( &be->be_nsuffix[ 1 ] ) ) {
1968 Debug( LDAP_DEBUG_ACL, "%s: line %d: warning: "
1969 "scope checking only applies to single-valued "
1970 "suffix databases\n",
1972 /* go ahead, since checking is not authoritative */
1974 switch ( check_scope( be, a ) ) {
1975 case ACL_SCOPE_UNKNOWN:
1976 Debug( LDAP_DEBUG_ACL, "%s: line %d: warning: "
1977 "cannot assess the validity of the ACL scope within "
1978 "backend naming context\n",
1982 case ACL_SCOPE_WARN:
1983 Debug( LDAP_DEBUG_ACL, "%s: line %d: warning: "
1984 "ACL could be out of scope within backend naming context\n",
1988 case ACL_SCOPE_PARTIAL:
1989 Debug( LDAP_DEBUG_ACL, "%s: line %d: warning: "
1990 "ACL appears to be partially out of scope within "
1991 "backend naming context\n",
1996 Debug( LDAP_DEBUG_ACL, "%s: line %d: warning: "
1997 "ACL appears to be out of scope within "
1998 "backend naming context\n",
2006 acl_append( &be->be_acl, a, pos );
2009 acl_append( &frontendDB->be_acl, a, pos );
2016 if ( b ) access_free( b );
2017 if ( a ) acl_free( a );
2022 accessmask2str( slap_mask_t mask, char *buf, int debug )
2027 assert( buf != NULL );
2029 if ( ACL_IS_INVALID( mask ) ) {
2035 if ( ACL_IS_LEVEL( mask ) ) {
2036 if ( ACL_LVL_IS_NONE(mask) ) {
2037 ptr = lutil_strcopy( ptr, "none" );
2039 } else if ( ACL_LVL_IS_DISCLOSE(mask) ) {
2040 ptr = lutil_strcopy( ptr, "disclose" );
2042 } else if ( ACL_LVL_IS_AUTH(mask) ) {
2043 ptr = lutil_strcopy( ptr, "auth" );
2045 } else if ( ACL_LVL_IS_COMPARE(mask) ) {
2046 ptr = lutil_strcopy( ptr, "compare" );
2048 } else if ( ACL_LVL_IS_SEARCH(mask) ) {
2049 ptr = lutil_strcopy( ptr, "search" );
2051 } else if ( ACL_LVL_IS_READ(mask) ) {
2052 ptr = lutil_strcopy( ptr, "read" );
2054 } else if ( ACL_LVL_IS_WRITE(mask) ) {
2055 ptr = lutil_strcopy( ptr, "write" );
2057 } else if ( ACL_LVL_IS_WADD(mask) ) {
2058 ptr = lutil_strcopy( ptr, "add" );
2060 } else if ( ACL_LVL_IS_WDEL(mask) ) {
2061 ptr = lutil_strcopy( ptr, "delete" );
2063 } else if ( ACL_LVL_IS_MANAGE(mask) ) {
2064 ptr = lutil_strcopy( ptr, "manage" );
2067 ptr = lutil_strcopy( ptr, "unknown" );
2077 if( ACL_IS_ADDITIVE( mask ) ) {
2080 } else if( ACL_IS_SUBTRACTIVE( mask ) ) {
2087 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_MANAGE) ) {
2092 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_WRITE) ) {
2096 } else if ( ACL_PRIV_ISSET(mask, ACL_PRIV_WADD) ) {
2100 } else if ( ACL_PRIV_ISSET(mask, ACL_PRIV_WDEL) ) {
2105 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_READ) ) {
2110 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_SEARCH) ) {
2115 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_COMPARE) ) {
2120 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_AUTH) ) {
2125 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_DISCLOSE) ) {
2130 if ( none && ACL_PRIV_ISSET(mask, ACL_PRIV_NONE) ) {
2139 if ( ACL_IS_LEVEL( mask ) ) {
2149 str2accessmask( const char *str )
2153 if( !ASCII_ALPHA(str[0]) ) {
2156 if ( str[0] == '=' ) {
2159 } else if( str[0] == '+' ) {
2160 ACL_PRIV_ASSIGN(mask, ACL_PRIV_ADDITIVE);
2162 } else if( str[0] == '-' ) {
2163 ACL_PRIV_ASSIGN(mask, ACL_PRIV_SUBSTRACTIVE);
2166 ACL_INVALIDATE(mask);
2170 for( i=1; str[i] != '\0'; i++ ) {
2171 if( TOLOWER((unsigned char) str[i]) == 'm' ) {
2172 ACL_PRIV_SET(mask, ACL_PRIV_MANAGE);
2174 } else if( TOLOWER((unsigned char) str[i]) == 'w' ) {
2175 ACL_PRIV_SET(mask, ACL_PRIV_WRITE);
2177 } else if( TOLOWER((unsigned char) str[i]) == 'a' ) {
2178 ACL_PRIV_SET(mask, ACL_PRIV_WADD);
2180 } else if( TOLOWER((unsigned char) str[i]) == 'z' ) {
2181 ACL_PRIV_SET(mask, ACL_PRIV_WDEL);
2183 } else if( TOLOWER((unsigned char) str[i]) == 'r' ) {
2184 ACL_PRIV_SET(mask, ACL_PRIV_READ);
2186 } else if( TOLOWER((unsigned char) str[i]) == 's' ) {
2187 ACL_PRIV_SET(mask, ACL_PRIV_SEARCH);
2189 } else if( TOLOWER((unsigned char) str[i]) == 'c' ) {
2190 ACL_PRIV_SET(mask, ACL_PRIV_COMPARE);
2192 } else if( TOLOWER((unsigned char) str[i]) == 'x' ) {
2193 ACL_PRIV_SET(mask, ACL_PRIV_AUTH);
2195 } else if( TOLOWER((unsigned char) str[i]) == 'd' ) {
2196 ACL_PRIV_SET(mask, ACL_PRIV_DISCLOSE);
2198 } else if( str[i] == '0' ) {
2199 ACL_PRIV_SET(mask, ACL_PRIV_NONE);
2202 ACL_INVALIDATE(mask);
2210 if ( strcasecmp( str, "none" ) == 0 ) {
2211 ACL_LVL_ASSIGN_NONE(mask);
2213 } else if ( strcasecmp( str, "disclose" ) == 0 ) {
2214 ACL_LVL_ASSIGN_DISCLOSE(mask);
2216 } else if ( strcasecmp( str, "auth" ) == 0 ) {
2217 ACL_LVL_ASSIGN_AUTH(mask);
2219 } else if ( strcasecmp( str, "compare" ) == 0 ) {
2220 ACL_LVL_ASSIGN_COMPARE(mask);
2222 } else if ( strcasecmp( str, "search" ) == 0 ) {
2223 ACL_LVL_ASSIGN_SEARCH(mask);
2225 } else if ( strcasecmp( str, "read" ) == 0 ) {
2226 ACL_LVL_ASSIGN_READ(mask);
2228 } else if ( strcasecmp( str, "add" ) == 0 ) {
2229 ACL_LVL_ASSIGN_WADD(mask);
2231 } else if ( strcasecmp( str, "delete" ) == 0 ) {
2232 ACL_LVL_ASSIGN_WDEL(mask);
2234 } else if ( strcasecmp( str, "write" ) == 0 ) {
2235 ACL_LVL_ASSIGN_WRITE(mask);
2237 } else if ( strcasecmp( str, "manage" ) == 0 ) {
2238 ACL_LVL_ASSIGN_MANAGE(mask);
2241 ACL_INVALIDATE( mask );
2251 "<access clause> ::= access to <what> "
2252 "[ by <who> [ <access> ] [ <control> ] ]+ \n";
2254 "<what> ::= * | dn[.<dnstyle>=<DN>] [filter=<filter>] [attrs=<attrspec>]\n"
2255 "<attrspec> ::= <attrname> [val[/<matchingRule>][.<attrstyle>]=<value>] | <attrlist>\n"
2256 "<attrlist> ::= <attr> [ , <attrlist> ]\n"
2257 "<attr> ::= <attrname> | @<objectClass> | !<objectClass> | entry | children\n";
2260 "<who> ::= [ * | anonymous | users | self | dn[.<dnstyle>]=<DN> ]\n"
2261 "\t[ realanonymous | realusers | realself | realdn[.<dnstyle>]=<DN> ]\n"
2262 "\t[dnattr=<attrname>]\n"
2263 "\t[realdnattr=<attrname>]\n"
2264 "\t[group[/<objectclass>[/<attrname>]][.<style>]=<group>]\n"
2265 "\t[peername[.<peernamestyle>]=<peer>] [sockname[.<style>]=<name>]\n"
2266 "\t[domain[.<domainstyle>]=<domain>] [sockurl[.<style>]=<url>]\n"
2268 "\t[dynacl/<name>[/<options>][.<dynstyle>][=<pattern>]]\n"
2269 #endif /* SLAP_DYNACL */
2270 "\t[ssf=<n>] [transport_ssf=<n>] [tls_ssf=<n>] [sasl_ssf=<n>]\n"
2271 "<style> ::= exact | regex | base(Object)\n"
2272 "<dnstyle> ::= base(Object) | one(level) | sub(tree) | children | "
2274 "<attrstyle> ::= exact | regex | base(Object) | one(level) | "
2275 "sub(tree) | children\n"
2276 "<peernamestyle> ::= exact | regex | ip | ipv6 | path\n"
2277 "<domainstyle> ::= exact | regex | base(Object) | sub(tree)\n"
2278 "<access> ::= [[real]self]{<level>|<priv>}\n"
2279 "<level> ::= none|disclose|auth|compare|search|read|{write|add|delete}|manage\n"
2280 "<priv> ::= {=|+|-}{0|d|x|c|s|r|{w|a|z}|m}+\n"
2281 "<control> ::= [ stop | continue | break ]\n"
2283 #ifdef SLAPD_ACI_ENABLED
2285 "\t<name>=ACI\t<pattern>=<attrname>\n"
2286 #endif /* SLAPD_ACI_ENABLED */
2287 #endif /* ! SLAP_DYNACL */
2290 Debug( LDAP_DEBUG_ANY, "%s%s%s\n", access, what, who );
2296 * Set pattern to a "normalized" DN from src.
2297 * At present it simply eats the (optional) space after
2298 * a RDN separator (,)
2299 * Eventually will evolve in a more complete normalization
2302 acl_regex_normalized_dn(
2304 struct berval *pattern )
2309 str = ch_strdup( src );
2310 len = strlen( src );
2312 for ( p = str; p && p[0]; p++ ) {
2314 if ( p[0] == '\\' && p[1] ) {
2316 * if escaping a hex pair we should
2317 * increment p twice; however, in that
2318 * case the second hex number does
2324 if ( p[0] == ',' && p[1] == ' ' ) {
2328 * too much space should be an error if we are pedantic
2330 for ( q = &p[2]; q[0] == ' '; q++ ) {
2333 AC_MEMCPY( p+1, q, len-(q-str)+1);
2336 pattern->bv_val = str;
2337 pattern->bv_len = p - str;
2350 if ( (*right = strchr( line, splitchar )) != NULL ) {
2351 *((*right)++) = '\0';
2356 access_append( Access **l, Access *a )
2358 for ( ; *l != NULL; l = &(*l)->a_next ) {
2366 acl_append( AccessControl **l, AccessControl *a, int pos )
2370 for (i=0 ; i != pos && *l != NULL; l = &(*l)->acl_next, i++ ) {
2379 access_free( Access *a )
2381 if ( !BER_BVISNULL( &a->a_dn_pat ) ) {
2382 free( a->a_dn_pat.bv_val );
2384 if ( !BER_BVISNULL( &a->a_realdn_pat ) ) {
2385 free( a->a_realdn_pat.bv_val );
2387 if ( !BER_BVISNULL( &a->a_peername_pat ) ) {
2388 free( a->a_peername_pat.bv_val );
2390 if ( !BER_BVISNULL( &a->a_sockname_pat ) ) {
2391 free( a->a_sockname_pat.bv_val );
2393 if ( !BER_BVISNULL( &a->a_domain_pat ) ) {
2394 free( a->a_domain_pat.bv_val );
2396 if ( !BER_BVISNULL( &a->a_sockurl_pat ) ) {
2397 free( a->a_sockurl_pat.bv_val );
2399 if ( !BER_BVISNULL( &a->a_set_pat ) ) {
2400 free( a->a_set_pat.bv_val );
2402 if ( !BER_BVISNULL( &a->a_group_pat ) ) {
2403 free( a->a_group_pat.bv_val );
2406 if ( a->a_dynacl != NULL ) {
2408 for ( da = a->a_dynacl; da; ) {
2409 slap_dynacl_t *tmp = da;
2413 if ( tmp->da_destroy ) {
2414 tmp->da_destroy( tmp->da_private );
2420 #endif /* SLAP_DYNACL */
2425 acl_free( AccessControl *a )
2430 if ( a->acl_filter ) {
2431 filter_free( a->acl_filter );
2433 if ( !BER_BVISNULL( &a->acl_dn_pat ) ) {
2434 if ( a->acl_dn_style == ACL_STYLE_REGEX ) {
2435 regfree( &a->acl_dn_re );
2437 free ( a->acl_dn_pat.bv_val );
2439 if ( a->acl_attrs ) {
2440 for ( an = a->acl_attrs; !BER_BVISNULL( &an->an_name ); an++ ) {
2441 free( an->an_name.bv_val );
2443 free( a->acl_attrs );
2445 if ( a->acl_attrval_style == ACL_STYLE_REGEX ) {
2446 regfree( &a->acl_attrval_re );
2449 if ( !BER_BVISNULL( &a->acl_attrval ) ) {
2450 ber_memfree( a->acl_attrval.bv_val );
2453 for ( ; a->acl_access; a->acl_access = n ) {
2454 n = a->acl_access->a_next;
2455 access_free( a->acl_access );
2460 /* Because backend_startup uses acl_append to tack on the global_acl to
2461 * the end of each backend's acl, we cannot just take one argument and
2462 * merrily free our way to the end of the list. backend_destroy calls us
2463 * with the be_acl in arg1, and global_acl in arg2 to give us a stopping
2464 * point. config_destroy calls us with global_acl in arg1 and NULL in
2465 * arg2, so we then proceed to polish off the global_acl.
2468 acl_destroy( AccessControl *a, AccessControl *end )
2472 for ( ; a && a != end; a = n ) {
2479 access2str( slap_access_t access )
2481 if ( access == ACL_NONE ) {
2484 } else if ( access == ACL_DISCLOSE ) {
2487 } else if ( access == ACL_AUTH ) {
2490 } else if ( access == ACL_COMPARE ) {
2493 } else if ( access == ACL_SEARCH ) {
2496 } else if ( access == ACL_READ ) {
2499 } else if ( access == ACL_WRITE ) {
2502 } else if ( access == ACL_WADD ) {
2505 } else if ( access == ACL_WDEL ) {
2508 } else if ( access == ACL_MANAGE ) {
2517 str2access( const char *str )
2519 if ( strcasecmp( str, "none" ) == 0 ) {
2522 } else if ( strcasecmp( str, "disclose" ) == 0 ) {
2523 return ACL_DISCLOSE;
2525 } else if ( strcasecmp( str, "auth" ) == 0 ) {
2528 } else if ( strcasecmp( str, "compare" ) == 0 ) {
2531 } else if ( strcasecmp( str, "search" ) == 0 ) {
2534 } else if ( strcasecmp( str, "read" ) == 0 ) {
2537 } else if ( strcasecmp( str, "write" ) == 0 ) {
2540 } else if ( strcasecmp( str, "add" ) == 0 ) {
2543 } else if ( strcasecmp( str, "delete" ) == 0 ) {
2546 } else if ( strcasecmp( str, "manage" ) == 0 ) {
2550 return( ACL_INVALID_ACCESS );
2553 #define ACLBUF_MAXLEN 8192
2555 static char aclbuf[ACLBUF_MAXLEN];
2558 dnaccess2text( slap_dn_access *bdn, char *ptr, int is_realdn )
2563 ptr = lutil_strcopy( ptr, "real" );
2566 if ( ber_bvccmp( &bdn->a_pat, '*' ) ||
2567 bdn->a_style == ACL_STYLE_ANONYMOUS ||
2568 bdn->a_style == ACL_STYLE_USERS ||
2569 bdn->a_style == ACL_STYLE_SELF )
2572 assert( ! ber_bvccmp( &bdn->a_pat, '*' ) );
2575 ptr = lutil_strcopy( ptr, bdn->a_pat.bv_val );
2576 if ( bdn->a_style == ACL_STYLE_SELF && bdn->a_self_level != 0 ) {
2577 int n = sprintf( ptr, ".level{%d}", bdn->a_self_level );
2584 ptr = lutil_strcopy( ptr, "dn." );
2585 if ( bdn->a_style == ACL_STYLE_BASE )
2586 ptr = lutil_strcopy( ptr, style_base );
2588 ptr = lutil_strcopy( ptr, style_strings[bdn->a_style] );
2589 if ( bdn->a_style == ACL_STYLE_LEVEL ) {
2590 int n = sprintf( ptr, "{%d}", bdn->a_level );
2595 if ( bdn->a_expand ) {
2596 ptr = lutil_strcopy( ptr, ",expand" );
2600 ptr = lutil_strcopy( ptr, bdn->a_pat.bv_val );
2607 access2text( Access *b, char *ptr )
2609 char maskbuf[ACCESSMASK_MAXLEN];
2611 ptr = lutil_strcopy( ptr, "\tby" );
2613 if ( !BER_BVISEMPTY( &b->a_dn_pat ) ) {
2614 ptr = dnaccess2text( &b->a_dn, ptr, 0 );
2617 ptr = lutil_strcopy( ptr, " dnattr=" );
2618 ptr = lutil_strcopy( ptr, b->a_dn_at->ad_cname.bv_val );
2621 if ( !BER_BVISEMPTY( &b->a_realdn_pat ) ) {
2622 ptr = dnaccess2text( &b->a_realdn, ptr, 1 );
2624 if ( b->a_realdn_at ) {
2625 ptr = lutil_strcopy( ptr, " realdnattr=" );
2626 ptr = lutil_strcopy( ptr, b->a_realdn_at->ad_cname.bv_val );
2629 if ( !BER_BVISEMPTY( &b->a_group_pat ) ) {
2630 ptr = lutil_strcopy( ptr, " group/" );
2631 ptr = lutil_strcopy( ptr, b->a_group_oc ?
2632 b->a_group_oc->soc_cname.bv_val : SLAPD_GROUP_CLASS );
2634 ptr = lutil_strcopy( ptr, b->a_group_at ?
2635 b->a_group_at->ad_cname.bv_val : SLAPD_GROUP_ATTR );
2637 ptr = lutil_strcopy( ptr, style_strings[b->a_group_style] );
2640 ptr = lutil_strcopy( ptr, b->a_group_pat.bv_val );
2644 if ( !BER_BVISEMPTY( &b->a_peername_pat ) ) {
2645 ptr = lutil_strcopy( ptr, " peername" );
2647 ptr = lutil_strcopy( ptr, style_strings[b->a_peername_style] );
2650 ptr = lutil_strcopy( ptr, b->a_peername_pat.bv_val );
2654 if ( !BER_BVISEMPTY( &b->a_sockname_pat ) ) {
2655 ptr = lutil_strcopy( ptr, " sockname" );
2657 ptr = lutil_strcopy( ptr, style_strings[b->a_sockname_style] );
2660 ptr = lutil_strcopy( ptr, b->a_sockname_pat.bv_val );
2664 if ( !BER_BVISEMPTY( &b->a_domain_pat ) ) {
2665 ptr = lutil_strcopy( ptr, " domain" );
2667 ptr = lutil_strcopy( ptr, style_strings[b->a_domain_style] );
2668 if ( b->a_domain_expand ) {
2669 ptr = lutil_strcopy( ptr, ",expand" );
2672 ptr = lutil_strcopy( ptr, b->a_domain_pat.bv_val );
2675 if ( !BER_BVISEMPTY( &b->a_sockurl_pat ) ) {
2676 ptr = lutil_strcopy( ptr, " sockurl" );
2678 ptr = lutil_strcopy( ptr, style_strings[b->a_sockurl_style] );
2681 ptr = lutil_strcopy( ptr, b->a_sockurl_pat.bv_val );
2685 if ( !BER_BVISEMPTY( &b->a_set_pat ) ) {
2686 ptr = lutil_strcopy( ptr, " set" );
2688 ptr = lutil_strcopy( ptr, style_strings[b->a_set_style] );
2691 ptr = lutil_strcopy( ptr, b->a_set_pat.bv_val );
2696 if ( b->a_dynacl ) {
2699 for ( da = b->a_dynacl; da; da = da->da_next ) {
2700 if ( da->da_unparse ) {
2701 struct berval bv = BER_BVNULL;
2702 (void)( *da->da_unparse )( da->da_private, &bv );
2703 assert( !BER_BVISNULL( &bv ) );
2704 ptr = lutil_strcopy( ptr, bv.bv_val );
2705 ch_free( bv.bv_val );
2709 #endif /* SLAP_DYNACL */
2711 /* Security Strength Factors */
2712 if ( b->a_authz.sai_ssf ) {
2713 ptr += sprintf( ptr, " ssf=%u",
2714 b->a_authz.sai_ssf );
2716 if ( b->a_authz.sai_transport_ssf ) {
2717 ptr += sprintf( ptr, " transport_ssf=%u",
2718 b->a_authz.sai_transport_ssf );
2720 if ( b->a_authz.sai_tls_ssf ) {
2721 ptr += sprintf( ptr, " tls_ssf=%u",
2722 b->a_authz.sai_tls_ssf );
2724 if ( b->a_authz.sai_sasl_ssf ) {
2725 ptr += sprintf( ptr, " sasl_ssf=%u",
2726 b->a_authz.sai_sasl_ssf );
2730 if ( b->a_dn_self ) {
2731 ptr = lutil_strcopy( ptr, "self" );
2732 } else if ( b->a_realdn_self ) {
2733 ptr = lutil_strcopy( ptr, "realself" );
2735 ptr = lutil_strcopy( ptr, accessmask2str( b->a_access_mask, maskbuf, 0 ));
2736 if ( !maskbuf[0] ) ptr--;
2738 if( b->a_type == ACL_BREAK ) {
2739 ptr = lutil_strcopy( ptr, " break" );
2741 } else if( b->a_type == ACL_CONTINUE ) {
2742 ptr = lutil_strcopy( ptr, " continue" );
2744 } else if( b->a_type != ACL_STOP ) {
2745 ptr = lutil_strcopy( ptr, " unknown-control" );
2747 if ( !maskbuf[0] ) ptr = lutil_strcopy( ptr, " stop" );
2755 acl_unparse( AccessControl *a, struct berval *bv )
2761 bv->bv_val = aclbuf;
2766 ptr = lutil_strcopy( ptr, "to" );
2767 if ( !BER_BVISNULL( &a->acl_dn_pat ) ) {
2769 ptr = lutil_strcopy( ptr, " dn." );
2770 if ( a->acl_dn_style == ACL_STYLE_BASE )
2771 ptr = lutil_strcopy( ptr, style_base );
2773 ptr = lutil_strcopy( ptr, style_strings[a->acl_dn_style] );
2776 ptr = lutil_strcopy( ptr, a->acl_dn_pat.bv_val );
2777 ptr = lutil_strcopy( ptr, "\"\n" );
2780 if ( a->acl_filter != NULL ) {
2781 struct berval bv = BER_BVNULL;
2784 filter2bv( a->acl_filter, &bv );
2785 ptr = lutil_strcopy( ptr, " filter=\"" );
2786 ptr = lutil_strcopy( ptr, bv.bv_val );
2789 ch_free( bv.bv_val );
2792 if ( a->acl_attrs != NULL ) {
2797 ptr = lutil_strcopy( ptr, " attrs=" );
2798 for ( an = a->acl_attrs; an && !BER_BVISNULL( &an->an_name ); an++ ) {
2799 if ( ! first ) *ptr++ = ',';
2801 *ptr++ = an->an_oc_exclude ? '!' : '@';
2802 ptr = lutil_strcopy( ptr, an->an_oc->soc_cname.bv_val );
2805 ptr = lutil_strcopy( ptr, an->an_name.bv_val );
2812 if ( !BER_BVISEMPTY( &a->acl_attrval ) ) {
2814 ptr = lutil_strcopy( ptr, " val." );
2815 if ( a->acl_attrval_style == ACL_STYLE_BASE &&
2816 a->acl_attrs[0].an_desc->ad_type->sat_syntax ==
2817 slap_schema.si_syn_distinguishedName )
2818 ptr = lutil_strcopy( ptr, style_base );
2820 ptr = lutil_strcopy( ptr, style_strings[a->acl_attrval_style] );
2823 ptr = lutil_strcopy( ptr, a->acl_attrval.bv_val );
2829 ptr = lutil_strcopy( ptr, " *\n" );
2832 for ( b = a->acl_access; b != NULL; b = b->a_next ) {
2833 ptr = access2text( b, ptr );
2836 bv->bv_len = ptr - bv->bv_val;
2841 print_acl( Backend *be, AccessControl *a )
2845 acl_unparse( a, &bv );
2846 fprintf( stderr, "%s ACL: access %s\n",
2847 be == NULL ? "Global" : "Backend", bv.bv_val );
2849 #endif /* LDAP_DEBUG */