1 /* aclparse.c - routines to parse and check acl's */
3 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
5 * Copyright 1998-2010 The OpenLDAP Foundation.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted only as authorized by the OpenLDAP
12 * A copy of this license is available in the file LICENSE in the
13 * top-level directory of the distribution or, alternatively, at
14 * <http://www.OpenLDAP.org/license.html>.
16 /* Portions Copyright (c) 1995 Regents of the University of Michigan.
17 * All rights reserved.
19 * Redistribution and use in source and binary forms are permitted
20 * provided that this notice is preserved and that due credit is given
21 * to the University of Michigan at Ann Arbor. The name of the University
22 * may not be used to endorse or promote products derived from this
23 * software without specific prior written permission. This software
24 * is provided ``as is'' without express or implied warranty.
33 #include <ac/socket.h>
34 #include <ac/string.h>
35 #include <ac/unistd.h>
41 static const char style_base[] = "base";
42 const char *style_strings[] = {
60 #define ACLBUF_CHUNKSIZE 8192
61 static struct berval aclbuf;
63 static void split(char *line, int splitchar, char **left, char **right);
64 static void access_append(Access **l, Access *a);
65 static void access_free( Access *a );
66 static int acl_usage(void);
68 static void acl_regex_normalized_dn(const char *src, struct berval *pat);
71 static void print_acl(Backend *be, AccessControl *a);
74 static int check_scope( BackendDB *be, AccessControl *a );
87 slap_dynacl_t *da, *tmp;
90 for ( da = b->a_dynacl; da; da = da->da_next ) {
91 if ( strcasecmp( da->da_name, name ) == 0 ) {
92 Debug( LDAP_DEBUG_ANY,
93 "%s: line %d: dynacl \"%s\" already specified.\n",
94 fname, lineno, name );
99 da = slap_dynacl_get( name );
104 tmp = ch_malloc( sizeof( slap_dynacl_t ) );
107 if ( tmp->da_parse ) {
108 rc = ( *tmp->da_parse )( fname, lineno, opts, sty, right, &tmp->da_private );
115 tmp->da_next = b->a_dynacl;
120 #endif /* SLAP_DYNACL */
123 regtest(const char *fname, int lineno, char *pat) {
127 char buf[ SLAP_TEXT_BUFLEN ];
139 for (size = 0, flag = 0; (size < sizeof(buf)) && *sp; sp++) {
141 if (*sp == '$'|| (*sp >= '0' && *sp <= '9')) {
158 if ( size >= (sizeof(buf) - 1) ) {
159 Debug( LDAP_DEBUG_ANY,
160 "%s: line %d: regular expression \"%s\" too large\n",
161 fname, lineno, pat );
163 exit( EXIT_FAILURE );
166 if ((e = regcomp(&re, buf, REG_EXTENDED|REG_ICASE))) {
167 char error[ SLAP_TEXT_BUFLEN ];
169 regerror(e, &re, error, sizeof(error));
171 snprintf( buf, sizeof( buf ),
172 "regular expression \"%s\" bad because of %s",
174 Debug( LDAP_DEBUG_ANY,
176 fname, lineno, buf );
178 exit( EXIT_FAILURE );
186 * Check if the pattern of an ACL, if any, matches the scope
187 * of the backend it is defined within.
189 #define ACL_SCOPE_UNKNOWN (-2)
190 #define ACL_SCOPE_ERR (-1)
191 #define ACL_SCOPE_OK (0)
192 #define ACL_SCOPE_PARTIAL (1)
193 #define ACL_SCOPE_WARN (2)
196 check_scope( BackendDB *be, AccessControl *a )
201 dn = be->be_nsuffix[0];
203 if ( BER_BVISEMPTY( &dn ) ) {
207 if ( !BER_BVISEMPTY( &a->acl_dn_pat ) ||
208 a->acl_dn_style != ACL_STYLE_REGEX )
210 slap_style_t style = a->acl_dn_style;
212 if ( style == ACL_STYLE_REGEX ) {
213 char dnbuf[SLAP_LDAPDN_MAXLEN + 2];
214 char rebuf[SLAP_LDAPDN_MAXLEN + 1];
219 /* add trailing '$' to database suffix to form
220 * a simple trial regex pattern "<suffix>$" */
221 AC_MEMCPY( dnbuf, be->be_nsuffix[0].bv_val,
222 be->be_nsuffix[0].bv_len );
223 dnbuf[be->be_nsuffix[0].bv_len] = '$';
224 dnbuf[be->be_nsuffix[0].bv_len + 1] = '\0';
226 if ( regcomp( &re, dnbuf, REG_EXTENDED|REG_ICASE ) ) {
227 return ACL_SCOPE_WARN;
230 /* remove trailing ')$', if any, from original
232 rebuflen = a->acl_dn_pat.bv_len;
233 AC_MEMCPY( rebuf, a->acl_dn_pat.bv_val, rebuflen + 1 );
234 if ( rebuf[rebuflen - 1] == '$' ) {
235 rebuf[--rebuflen] = '\0';
237 while ( rebuflen > be->be_nsuffix[0].bv_len && rebuf[rebuflen - 1] == ')' ) {
238 rebuf[--rebuflen] = '\0';
240 if ( rebuflen == be->be_nsuffix[0].bv_len ) {
245 /* not a clear indication of scoping error, though */
246 rc = regexec( &re, rebuf, 0, NULL, 0 )
247 ? ACL_SCOPE_WARN : ACL_SCOPE_OK;
254 patlen = a->acl_dn_pat.bv_len;
255 /* If backend suffix is longer than pattern,
256 * it is a potential mismatch (in the sense
257 * that a superior naming context could
259 if ( dn.bv_len > patlen ) {
260 /* base is blatantly wrong */
261 if ( style == ACL_STYLE_BASE ) return ACL_SCOPE_ERR;
263 /* a style of one can be wrong if there is
264 * more than one level between the suffix
266 if ( style == ACL_STYLE_ONE ) {
267 ber_len_t rdnlen = 0;
271 if ( !DN_SEPARATOR( dn.bv_val[dn.bv_len - patlen - 1] )) {
272 return ACL_SCOPE_ERR;
277 rdnlen = dn_rdnlen( NULL, &dn );
278 if ( rdnlen != dn.bv_len - patlen - sep )
279 return ACL_SCOPE_ERR;
282 /* if the trailing part doesn't match,
283 * then it's an error */
284 if ( strcmp( a->acl_dn_pat.bv_val,
285 &dn.bv_val[dn.bv_len - patlen] ) != 0 )
287 return ACL_SCOPE_ERR;
290 return ACL_SCOPE_PARTIAL;
296 case ACL_STYLE_CHILDREN:
297 case ACL_STYLE_SUBTREE:
305 if ( dn.bv_len < patlen &&
306 !DN_SEPARATOR( a->acl_dn_pat.bv_val[patlen - dn.bv_len - 1] ))
308 return ACL_SCOPE_ERR;
311 if ( strcmp( &a->acl_dn_pat.bv_val[patlen - dn.bv_len], dn.bv_val )
314 return ACL_SCOPE_ERR;
320 return ACL_SCOPE_UNKNOWN;
333 char *left, *right, *style;
335 AccessControl *a = NULL;
340 for ( i = 1; i < argc; i++ ) {
341 /* to clause - select which entries are protected */
342 if ( strcasecmp( argv[i], "to" ) == 0 ) {
344 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
345 "only one to clause allowed in access line\n",
349 a = (AccessControl *) ch_calloc( 1, sizeof(AccessControl) );
350 a->acl_attrval_style = ACL_STYLE_NONE;
351 for ( ++i; i < argc; i++ ) {
352 if ( strcasecmp( argv[i], "by" ) == 0 ) {
357 if ( strcasecmp( argv[i], "*" ) == 0 ) {
358 if ( !BER_BVISEMPTY( &a->acl_dn_pat ) ||
359 a->acl_dn_style != ACL_STYLE_REGEX )
361 Debug( LDAP_DEBUG_ANY,
362 "%s: line %d: dn pattern"
363 " already specified in to clause.\n",
368 ber_str2bv( "*", STRLENOF( "*" ), 1, &a->acl_dn_pat );
372 split( argv[i], '=', &left, &right );
373 split( left, '.', &left, &style );
375 if ( right == NULL ) {
376 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
377 "missing \"=\" in \"%s\" in to clause\n",
378 fname, lineno, left );
382 if ( strcasecmp( left, "dn" ) == 0 ) {
383 if ( !BER_BVISEMPTY( &a->acl_dn_pat ) ||
384 a->acl_dn_style != ACL_STYLE_REGEX )
386 Debug( LDAP_DEBUG_ANY,
387 "%s: line %d: dn pattern"
388 " already specified in to clause.\n",
393 if ( style == NULL || *style == '\0' ||
394 strcasecmp( style, "baseObject" ) == 0 ||
395 strcasecmp( style, "base" ) == 0 ||
396 strcasecmp( style, "exact" ) == 0 )
398 a->acl_dn_style = ACL_STYLE_BASE;
399 ber_str2bv( right, 0, 1, &a->acl_dn_pat );
401 } else if ( strcasecmp( style, "oneLevel" ) == 0 ||
402 strcasecmp( style, "one" ) == 0 )
404 a->acl_dn_style = ACL_STYLE_ONE;
405 ber_str2bv( right, 0, 1, &a->acl_dn_pat );
407 } else if ( strcasecmp( style, "subtree" ) == 0 ||
408 strcasecmp( style, "sub" ) == 0 )
410 if( *right == '\0' ) {
411 ber_str2bv( "*", STRLENOF( "*" ), 1, &a->acl_dn_pat );
414 a->acl_dn_style = ACL_STYLE_SUBTREE;
415 ber_str2bv( right, 0, 1, &a->acl_dn_pat );
418 } else if ( strcasecmp( style, "children" ) == 0 ) {
419 a->acl_dn_style = ACL_STYLE_CHILDREN;
420 ber_str2bv( right, 0, 1, &a->acl_dn_pat );
422 } else if ( strcasecmp( style, "regex" ) == 0 ) {
423 a->acl_dn_style = ACL_STYLE_REGEX;
425 if ( *right == '\0' ) {
426 /* empty regex should match empty DN */
427 a->acl_dn_style = ACL_STYLE_BASE;
428 ber_str2bv( right, 0, 1, &a->acl_dn_pat );
430 } else if ( strcmp(right, "*") == 0
431 || strcmp(right, ".*") == 0
432 || strcmp(right, ".*$") == 0
433 || strcmp(right, "^.*") == 0
434 || strcmp(right, "^.*$") == 0
435 || strcmp(right, ".*$$") == 0
436 || strcmp(right, "^.*$$") == 0 )
438 ber_str2bv( "*", STRLENOF("*"), 1, &a->acl_dn_pat );
441 acl_regex_normalized_dn( right, &a->acl_dn_pat );
445 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
446 "unknown dn style \"%s\" in to clause\n",
447 fname, lineno, style );
454 if ( strcasecmp( left, "filter" ) == 0 ) {
455 if ( (a->acl_filter = str2filter( right )) == NULL ) {
456 Debug( LDAP_DEBUG_ANY,
457 "%s: line %d: bad filter \"%s\" in to clause\n",
458 fname, lineno, right );
462 } else if ( strcasecmp( left, "attr" ) == 0 /* TOLERATED */
463 || strcasecmp( left, "attrs" ) == 0 ) /* DOCUMENTED */
465 if ( strcasecmp( left, "attr" ) == 0 ) {
466 Debug( LDAP_DEBUG_ANY,
467 "%s: line %d: \"attr\" "
468 "is deprecated (and undocumented); "
469 "use \"attrs\" instead.\n",
473 a->acl_attrs = str2anlist( a->acl_attrs,
475 if ( a->acl_attrs == NULL ) {
476 Debug( LDAP_DEBUG_ANY,
477 "%s: line %d: unknown attr \"%s\" in to clause\n",
478 fname, lineno, right );
482 } else if ( strncasecmp( left, "val", 3 ) == 0 ) {
486 if ( !BER_BVISEMPTY( &a->acl_attrval ) ) {
487 Debug( LDAP_DEBUG_ANY,
488 "%s: line %d: attr val already specified in to clause.\n",
492 if ( a->acl_attrs == NULL || !BER_BVISEMPTY( &a->acl_attrs[1].an_name ) )
494 Debug( LDAP_DEBUG_ANY,
495 "%s: line %d: attr val requires a single attribute.\n",
500 ber_str2bv( right, 0, 0, &bv );
501 a->acl_attrval_style = ACL_STYLE_BASE;
503 mr = strchr( left, '/' );
508 a->acl_attrval_mr = mr_find( mr );
509 if ( a->acl_attrval_mr == NULL ) {
510 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
511 "invalid matching rule \"%s\".\n",
516 if( !mr_usable_with_at( a->acl_attrval_mr, a->acl_attrs[ 0 ].an_desc->ad_type ) )
518 char buf[ SLAP_TEXT_BUFLEN ];
520 snprintf( buf, sizeof( buf ),
521 "matching rule \"%s\" use "
522 "with attr \"%s\" not appropriate.",
523 mr, a->acl_attrs[ 0 ].an_name.bv_val );
526 Debug( LDAP_DEBUG_ANY, "%s: line %d: %s\n",
527 fname, lineno, buf );
532 if ( style != NULL ) {
533 if ( strcasecmp( style, "regex" ) == 0 ) {
534 int e = regcomp( &a->acl_attrval_re, bv.bv_val,
535 REG_EXTENDED | REG_ICASE );
537 char err[SLAP_TEXT_BUFLEN],
538 buf[ SLAP_TEXT_BUFLEN ];
540 regerror( e, &a->acl_attrval_re, err, sizeof( err ) );
542 snprintf( buf, sizeof( buf ),
543 "regular expression \"%s\" bad because of %s",
546 Debug( LDAP_DEBUG_ANY, "%s: line %d: %s\n",
547 fname, lineno, buf );
550 a->acl_attrval_style = ACL_STYLE_REGEX;
553 /* FIXME: if the attribute has DN syntax, we might
554 * allow one, subtree and children styles as well */
555 if ( !strcasecmp( style, "base" ) ||
556 !strcasecmp( style, "exact" ) ) {
557 a->acl_attrval_style = ACL_STYLE_BASE;
559 } else if ( a->acl_attrs[0].an_desc->ad_type->
560 sat_syntax == slap_schema.si_syn_distinguishedName )
562 if ( !strcasecmp( style, "baseObject" ) ||
563 !strcasecmp( style, "base" ) )
565 a->acl_attrval_style = ACL_STYLE_BASE;
566 } else if ( !strcasecmp( style, "onelevel" ) ||
567 !strcasecmp( style, "one" ) )
569 a->acl_attrval_style = ACL_STYLE_ONE;
570 } else if ( !strcasecmp( style, "subtree" ) ||
571 !strcasecmp( style, "sub" ) )
573 a->acl_attrval_style = ACL_STYLE_SUBTREE;
574 } else if ( !strcasecmp( style, "children" ) ) {
575 a->acl_attrval_style = ACL_STYLE_CHILDREN;
577 char buf[ SLAP_TEXT_BUFLEN ];
579 snprintf( buf, sizeof( buf ),
580 "unknown val.<style> \"%s\" for attributeType \"%s\" "
583 a->acl_attrs[0].an_desc->ad_cname.bv_val );
585 Debug( LDAP_DEBUG_CONFIG | LDAP_DEBUG_ACL,
587 fname, lineno, buf );
591 rc = dnNormalize( 0, NULL, NULL, &bv, &a->acl_attrval, NULL );
592 if ( rc != LDAP_SUCCESS ) {
593 char buf[ SLAP_TEXT_BUFLEN ];
595 snprintf( buf, sizeof( buf ),
596 "unable to normalize DN \"%s\" "
597 "for attributeType \"%s\" (%d).",
599 a->acl_attrs[0].an_desc->ad_cname.bv_val,
601 Debug( LDAP_DEBUG_ANY,
603 fname, lineno, buf );
608 char buf[ SLAP_TEXT_BUFLEN ];
610 snprintf( buf, sizeof( buf ),
611 "unknown val.<style> \"%s\" for attributeType \"%s\".",
612 style, a->acl_attrs[0].an_desc->ad_cname.bv_val );
613 Debug( LDAP_DEBUG_CONFIG | LDAP_DEBUG_ACL,
615 fname, lineno, buf );
621 /* Check for appropriate matching rule */
622 if ( a->acl_attrval_style == ACL_STYLE_REGEX ) {
623 ber_dupbv( &a->acl_attrval, &bv );
625 } else if ( BER_BVISNULL( &a->acl_attrval ) ) {
629 if ( a->acl_attrval_mr == NULL ) {
630 a->acl_attrval_mr = a->acl_attrs[ 0 ].an_desc->ad_type->sat_equality;
633 if ( a->acl_attrval_mr == NULL ) {
634 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
635 "attr \"%s\" does not have an EQUALITY matching rule.\n",
636 fname, lineno, a->acl_attrs[ 0 ].an_name.bv_val );
640 rc = asserted_value_validate_normalize(
641 a->acl_attrs[ 0 ].an_desc,
643 SLAP_MR_EQUALITY|SLAP_MR_VALUE_OF_ASSERTION_SYNTAX,
648 if ( rc != LDAP_SUCCESS ) {
649 char buf[ SLAP_TEXT_BUFLEN ];
651 snprintf( buf, sizeof( buf ), "%s: line %d: "
652 " attr \"%s\" normalization failed (%d: %s)",
654 a->acl_attrs[ 0 ].an_name.bv_val, rc, text );
655 Debug( LDAP_DEBUG_ANY, "%s: line %d: %s.\n",
656 fname, lineno, buf );
662 Debug( LDAP_DEBUG_ANY,
663 "%s: line %d: expecting <what> got \"%s\"\n",
664 fname, lineno, left );
669 if ( !BER_BVISNULL( &a->acl_dn_pat ) &&
670 ber_bvccmp( &a->acl_dn_pat, '*' ) )
672 free( a->acl_dn_pat.bv_val );
673 BER_BVZERO( &a->acl_dn_pat );
674 a->acl_dn_style = ACL_STYLE_REGEX;
677 if ( !BER_BVISEMPTY( &a->acl_dn_pat ) ||
678 a->acl_dn_style != ACL_STYLE_REGEX )
680 if ( a->acl_dn_style != ACL_STYLE_REGEX ) {
682 rc = dnNormalize( 0, NULL, NULL, &a->acl_dn_pat, &bv, NULL);
683 if ( rc != LDAP_SUCCESS ) {
684 Debug( LDAP_DEBUG_ANY,
685 "%s: line %d: bad DN \"%s\" in to DN clause\n",
686 fname, lineno, a->acl_dn_pat.bv_val );
689 free( a->acl_dn_pat.bv_val );
693 int e = regcomp( &a->acl_dn_re, a->acl_dn_pat.bv_val,
694 REG_EXTENDED | REG_ICASE );
696 char err[ SLAP_TEXT_BUFLEN ],
697 buf[ SLAP_TEXT_BUFLEN ];
699 regerror( e, &a->acl_dn_re, err, sizeof( err ) );
700 snprintf( buf, sizeof( buf ),
701 "regular expression \"%s\" bad because of %s",
703 Debug( LDAP_DEBUG_ANY, "%s: line %d: %s\n",
704 fname, lineno, buf );
710 /* by clause - select who has what access to entries */
711 } else if ( strcasecmp( argv[i], "by" ) == 0 ) {
713 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
714 "to clause required before by clause in access line\n",
720 * by clause consists of <who> and <access>
724 Debug( LDAP_DEBUG_ANY,
725 "%s: line %d: premature EOL: expecting <who>\n",
730 b = (Access *) ch_calloc( 1, sizeof(Access) );
732 ACL_INVALIDATE( b->a_access_mask );
735 for ( ; i < argc; i++ ) {
736 slap_style_t sty = ACL_STYLE_REGEX;
737 char *style_modifier = NULL;
738 char *style_level = NULL;
741 slap_dn_access *bdn = &b->a_dn;
744 split( argv[i], '=', &left, &right );
745 split( left, '.', &left, &style );
747 split( style, ',', &style, &style_modifier );
749 if ( strncasecmp( style, "level", STRLENOF( "level" ) ) == 0 ) {
750 split( style, '{', &style, &style_level );
751 if ( style_level != NULL ) {
752 char *p = strchr( style_level, '}' );
754 Debug( LDAP_DEBUG_ANY,
755 "%s: line %d: premature eol: "
756 "expecting closing '}' in \"level{n}\"\n",
759 } else if ( p == style_level ) {
760 Debug( LDAP_DEBUG_ANY,
761 "%s: line %d: empty level "
771 if ( style == NULL || *style == '\0' ||
772 strcasecmp( style, "exact" ) == 0 ||
773 strcasecmp( style, "baseObject" ) == 0 ||
774 strcasecmp( style, "base" ) == 0 )
776 sty = ACL_STYLE_BASE;
778 } else if ( strcasecmp( style, "onelevel" ) == 0 ||
779 strcasecmp( style, "one" ) == 0 )
783 } else if ( strcasecmp( style, "subtree" ) == 0 ||
784 strcasecmp( style, "sub" ) == 0 )
786 sty = ACL_STYLE_SUBTREE;
788 } else if ( strcasecmp( style, "children" ) == 0 ) {
789 sty = ACL_STYLE_CHILDREN;
791 } else if ( strcasecmp( style, "level" ) == 0 )
793 if ( lutil_atoi( &level, style_level ) != 0 ) {
794 Debug( LDAP_DEBUG_ANY,
795 "%s: line %d: unable to parse level "
801 sty = ACL_STYLE_LEVEL;
803 } else if ( strcasecmp( style, "regex" ) == 0 ) {
804 sty = ACL_STYLE_REGEX;
806 } else if ( strcasecmp( style, "expand" ) == 0 ) {
807 sty = ACL_STYLE_EXPAND;
809 } else if ( strcasecmp( style, "ip" ) == 0 ) {
812 } else if ( strcasecmp( style, "ipv6" ) == 0 ) {
813 #ifndef LDAP_PF_INET6
814 Debug( LDAP_DEBUG_ANY,
815 "%s: line %d: IPv6 not supported\n",
817 #endif /* ! LDAP_PF_INET6 */
818 sty = ACL_STYLE_IPV6;
820 } else if ( strcasecmp( style, "path" ) == 0 ) {
821 sty = ACL_STYLE_PATH;
822 #ifndef LDAP_PF_LOCAL
823 Debug( LDAP_DEBUG_CONFIG | LDAP_DEBUG_ACL,
825 "\"path\" style modifier is useless without local.\n",
828 #endif /* LDAP_PF_LOCAL */
831 Debug( LDAP_DEBUG_ANY,
832 "%s: line %d: unknown style \"%s\" in by clause\n",
833 fname, lineno, style );
837 if ( style_modifier &&
838 strcasecmp( style_modifier, "expand" ) == 0 )
841 case ACL_STYLE_REGEX:
842 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
843 "\"regex\" style implies \"expand\" modifier.\n",
848 case ACL_STYLE_EXPAND:
852 /* we'll see later if it's pertinent */
858 if ( strncasecmp( left, "real", STRLENOF( "real" ) ) == 0 ) {
861 left += STRLENOF( "real" );
864 if ( strcasecmp( left, "*" ) == 0 ) {
869 ber_str2bv( "*", STRLENOF( "*" ), 1, &bv );
870 sty = ACL_STYLE_REGEX;
872 } else if ( strcasecmp( left, "anonymous" ) == 0 ) {
873 ber_str2bv("anonymous", STRLENOF( "anonymous" ), 1, &bv);
874 sty = ACL_STYLE_ANONYMOUS;
876 } else if ( strcasecmp( left, "users" ) == 0 ) {
877 ber_str2bv("users", STRLENOF( "users" ), 1, &bv);
878 sty = ACL_STYLE_USERS;
880 } else if ( strcasecmp( left, "self" ) == 0 ) {
881 ber_str2bv("self", STRLENOF( "self" ), 1, &bv);
882 sty = ACL_STYLE_SELF;
884 } else if ( strcasecmp( left, "dn" ) == 0 ) {
885 if ( sty == ACL_STYLE_REGEX ) {
886 bdn->a_style = ACL_STYLE_REGEX;
887 if ( right == NULL ) {
892 bdn->a_style = ACL_STYLE_USERS;
894 } else if (*right == '\0' ) {
896 ber_str2bv("anonymous",
897 STRLENOF( "anonymous" ),
899 bdn->a_style = ACL_STYLE_ANONYMOUS;
901 } else if ( strcmp( right, "*" ) == 0 ) {
903 /* any or users? users for now */
907 bdn->a_style = ACL_STYLE_USERS;
909 } else if ( strcmp( right, ".+" ) == 0
910 || strcmp( right, "^.+" ) == 0
911 || strcmp( right, ".+$" ) == 0
912 || strcmp( right, "^.+$" ) == 0
913 || strcmp( right, ".+$$" ) == 0
914 || strcmp( right, "^.+$$" ) == 0 )
919 bdn->a_style = ACL_STYLE_USERS;
921 } else if ( strcmp( right, ".*" ) == 0
922 || strcmp( right, "^.*" ) == 0
923 || strcmp( right, ".*$" ) == 0
924 || strcmp( right, "^.*$" ) == 0
925 || strcmp( right, ".*$$" ) == 0
926 || strcmp( right, "^.*$$" ) == 0 )
933 acl_regex_normalized_dn( right, &bv );
934 if ( !ber_bvccmp( &bv, '*' ) ) {
935 regtest( fname, lineno, bv.bv_val );
939 } else if ( right == NULL || *right == '\0' ) {
940 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
941 "missing \"=\" in (or value after) \"%s\" "
943 fname, lineno, left );
947 ber_str2bv( right, 0, 1, &bv );
954 if ( !BER_BVISNULL( &bv ) ) {
955 if ( !BER_BVISEMPTY( &bdn->a_pat ) ) {
956 Debug( LDAP_DEBUG_ANY,
957 "%s: line %d: dn pattern already specified.\n",
962 if ( sty != ACL_STYLE_REGEX &&
963 sty != ACL_STYLE_ANONYMOUS &&
964 sty != ACL_STYLE_USERS &&
965 sty != ACL_STYLE_SELF &&
968 rc = dnNormalize(0, NULL, NULL,
969 &bv, &bdn->a_pat, NULL);
970 if ( rc != LDAP_SUCCESS ) {
971 Debug( LDAP_DEBUG_ANY,
972 "%s: line %d: bad DN \"%s\" in by DN clause\n",
973 fname, lineno, bv.bv_val );
977 if ( sty == ACL_STYLE_BASE
979 && !BER_BVISNULL( &be->be_rootndn )
980 && dn_match( &bdn->a_pat, &be->be_rootndn ) )
982 Debug( LDAP_DEBUG_ANY,
983 "%s: line %d: rootdn is always granted "
984 "unlimited privileges.\n",
996 for ( exp = strchr( bdn->a_pat.bv_val, '$' );
997 exp && (ber_len_t)(exp - bdn->a_pat.bv_val)
999 exp = strchr( exp, '$' ) )
1001 if ( ( isdigit( (unsigned char) exp[ 1 ] ) ||
1002 exp[ 1 ] == '{' ) ) {
1009 bdn->a_expand = expand;
1012 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1013 "\"expand\" used with no expansions in \"pattern\".\n",
1018 if ( sty == ACL_STYLE_SELF ) {
1019 bdn->a_self_level = level;
1023 Debug( LDAP_DEBUG_ANY,
1024 "%s: line %d: bad negative level \"%d\" "
1025 "in by DN clause\n",
1026 fname, lineno, level );
1028 } else if ( level == 1 ) {
1029 Debug( LDAP_DEBUG_ANY,
1030 "%s: line %d: \"onelevel\" should be used "
1031 "instead of \"level{1}\" in by DN clause\n",
1033 } else if ( level == 0 && sty == ACL_STYLE_LEVEL ) {
1034 Debug( LDAP_DEBUG_ANY,
1035 "%s: line %d: \"base\" should be used "
1036 "instead of \"level{0}\" in by DN clause\n",
1040 bdn->a_level = level;
1045 if ( strcasecmp( left, "dnattr" ) == 0 ) {
1046 if ( right == NULL || right[0] == '\0' ) {
1047 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1048 "missing \"=\" in (or value after) \"%s\" "
1050 fname, lineno, left );
1054 if( bdn->a_at != NULL ) {
1055 Debug( LDAP_DEBUG_ANY,
1056 "%s: line %d: dnattr already specified.\n",
1061 rc = slap_str2ad( right, &bdn->a_at, &text );
1063 if( rc != LDAP_SUCCESS ) {
1064 char buf[ SLAP_TEXT_BUFLEN ];
1066 snprintf( buf, sizeof( buf ),
1067 "dnattr \"%s\": %s",
1069 Debug( LDAP_DEBUG_ANY,
1070 "%s: line %d: %s\n",
1071 fname, lineno, buf );
1076 if( !is_at_syntax( bdn->a_at->ad_type,
1077 SLAPD_DN_SYNTAX ) &&
1078 !is_at_syntax( bdn->a_at->ad_type,
1079 SLAPD_NAMEUID_SYNTAX ))
1081 char buf[ SLAP_TEXT_BUFLEN ];
1083 snprintf( buf, sizeof( buf ),
1085 "inappropriate syntax: %s\n",
1087 bdn->a_at->ad_type->sat_syntax_oid );
1088 Debug( LDAP_DEBUG_ANY,
1089 "%s: line %d: %s\n",
1090 fname, lineno, buf );
1094 if( bdn->a_at->ad_type->sat_equality == NULL ) {
1095 Debug( LDAP_DEBUG_ANY,
1096 "%s: line %d: dnattr \"%s\": "
1097 "inappropriate matching (no EQUALITY)\n",
1098 fname, lineno, right );
1105 if ( strncasecmp( left, "group", STRLENOF( "group" ) ) == 0 ) {
1108 char *attr_name = SLAPD_GROUP_ATTR;
1111 case ACL_STYLE_REGEX:
1112 /* legacy, tolerated */
1113 Debug( LDAP_DEBUG_CONFIG | LDAP_DEBUG_ACL,
1115 "deprecated group style \"regex\"; "
1116 "use \"expand\" instead.\n",
1118 sty = ACL_STYLE_EXPAND;
1121 case ACL_STYLE_BASE:
1122 /* legal, traditional */
1123 case ACL_STYLE_EXPAND:
1124 /* legal, substring expansion; supersedes regex */
1129 Debug( LDAP_DEBUG_ANY,
1131 "inappropriate style \"%s\" in by clause.\n",
1132 fname, lineno, style );
1136 if ( right == NULL || right[0] == '\0' ) {
1137 Debug( LDAP_DEBUG_ANY,
1139 "missing \"=\" in (or value after) \"%s\" "
1141 fname, lineno, left );
1145 if ( !BER_BVISEMPTY( &b->a_group_pat ) ) {
1146 Debug( LDAP_DEBUG_ANY,
1147 "%s: line %d: group pattern already specified.\n",
1152 /* format of string is
1153 "group/objectClassValue/groupAttrName" */
1154 if ( ( value = strchr(left, '/') ) != NULL ) {
1156 if ( *value && ( name = strchr( value, '/' ) ) != NULL ) {
1161 b->a_group_style = sty;
1162 if ( sty == ACL_STYLE_EXPAND ) {
1163 acl_regex_normalized_dn( right, &bv );
1164 if ( !ber_bvccmp( &bv, '*' ) ) {
1165 regtest( fname, lineno, bv.bv_val );
1167 b->a_group_pat = bv;
1170 ber_str2bv( right, 0, 0, &bv );
1171 rc = dnNormalize( 0, NULL, NULL, &bv,
1172 &b->a_group_pat, NULL );
1173 if ( rc != LDAP_SUCCESS ) {
1174 Debug( LDAP_DEBUG_ANY,
1175 "%s: line %d: bad DN \"%s\".\n",
1176 fname, lineno, right );
1181 if ( value && *value ) {
1182 b->a_group_oc = oc_find( value );
1185 if ( b->a_group_oc == NULL ) {
1186 Debug( LDAP_DEBUG_ANY,
1187 "%s: line %d: group objectclass "
1188 "\"%s\" unknown.\n",
1189 fname, lineno, value );
1194 b->a_group_oc = oc_find( SLAPD_GROUP_CLASS );
1196 if( b->a_group_oc == NULL ) {
1197 Debug( LDAP_DEBUG_ANY,
1198 "%s: line %d: group default objectclass "
1199 "\"%s\" unknown.\n",
1200 fname, lineno, SLAPD_GROUP_CLASS );
1205 if ( is_object_subclass( slap_schema.si_oc_referral,
1208 Debug( LDAP_DEBUG_ANY,
1209 "%s: line %d: group objectclass \"%s\" "
1210 "is subclass of referral.\n",
1211 fname, lineno, value );
1215 if ( is_object_subclass( slap_schema.si_oc_alias,
1218 Debug( LDAP_DEBUG_ANY,
1219 "%s: line %d: group objectclass \"%s\" "
1220 "is subclass of alias.\n",
1221 fname, lineno, value );
1225 if ( name && *name ) {
1231 rc = slap_str2ad( attr_name, &b->a_group_at, &text );
1232 if ( rc != LDAP_SUCCESS ) {
1233 char buf[ SLAP_TEXT_BUFLEN ];
1235 snprintf( buf, sizeof( buf ),
1236 "group \"%s\": %s.",
1238 Debug( LDAP_DEBUG_ANY,
1239 "%s: line %d: %s\n",
1240 fname, lineno, buf );
1244 if ( !is_at_syntax( b->a_group_at->ad_type,
1245 SLAPD_DN_SYNTAX ) /* e.g. "member" */
1246 && !is_at_syntax( b->a_group_at->ad_type,
1247 SLAPD_NAMEUID_SYNTAX ) /* e.g. memberUID */
1248 && !is_at_subtype( b->a_group_at->ad_type,
1249 slap_schema.si_ad_labeledURI->ad_type ) /* e.g. memberURL */ )
1251 char buf[ SLAP_TEXT_BUFLEN ];
1253 snprintf( buf, sizeof( buf ),
1254 "group \"%s\" attr \"%s\": inappropriate syntax: %s; "
1255 "must be " SLAPD_DN_SYNTAX " (DN), "
1256 SLAPD_NAMEUID_SYNTAX " (NameUID) "
1257 "or a subtype of labeledURI.",
1260 at_syntax( b->a_group_at->ad_type ) );
1261 Debug( LDAP_DEBUG_ANY,
1262 "%s: line %d: %s\n",
1263 fname, lineno, buf );
1270 ObjectClass *ocs[2];
1272 ocs[0] = b->a_group_oc;
1275 rc = oc_check_allowed( b->a_group_at->ad_type,
1279 char buf[ SLAP_TEXT_BUFLEN ];
1281 snprintf( buf, sizeof( buf ),
1282 "group: \"%s\" not allowed by \"%s\".",
1283 b->a_group_at->ad_cname.bv_val,
1284 b->a_group_oc->soc_oid );
1285 Debug( LDAP_DEBUG_ANY, "%s: line %d: %s\n",
1286 fname, lineno, buf );
1293 if ( strcasecmp( left, "peername" ) == 0 ) {
1295 case ACL_STYLE_REGEX:
1296 case ACL_STYLE_BASE:
1297 /* legal, traditional */
1298 case ACL_STYLE_EXPAND:
1299 /* cheap replacement to regex for simple expansion */
1301 case ACL_STYLE_IPV6:
1302 case ACL_STYLE_PATH:
1303 /* legal, peername specific */
1307 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1308 "inappropriate style \"%s\" in by clause.\n",
1309 fname, lineno, style );
1313 if ( right == NULL || right[0] == '\0' ) {
1314 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1315 "missing \"=\" in (or value after) \"%s\" "
1317 fname, lineno, left );
1321 if ( !BER_BVISEMPTY( &b->a_peername_pat ) ) {
1322 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1323 "peername pattern already specified.\n",
1328 b->a_peername_style = sty;
1329 if ( sty == ACL_STYLE_REGEX ) {
1330 acl_regex_normalized_dn( right, &bv );
1331 if ( !ber_bvccmp( &bv, '*' ) ) {
1332 regtest( fname, lineno, bv.bv_val );
1334 b->a_peername_pat = bv;
1337 ber_str2bv( right, 0, 1, &b->a_peername_pat );
1339 if ( sty == ACL_STYLE_IP ) {
1344 split( right, '{', &addr, &port );
1345 split( addr, '%', &addr, &mask );
1347 b->a_peername_addr = inet_addr( addr );
1348 if ( b->a_peername_addr == (unsigned long)(-1) ) {
1349 /* illegal address */
1350 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1351 "illegal peername address \"%s\".\n",
1352 fname, lineno, addr );
1356 b->a_peername_mask = (unsigned long)(-1);
1357 if ( mask != NULL ) {
1358 b->a_peername_mask = inet_addr( mask );
1359 if ( b->a_peername_mask ==
1360 (unsigned long)(-1) )
1363 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1364 "illegal peername address mask "
1366 fname, lineno, mask );
1371 b->a_peername_port = -1;
1375 b->a_peername_port = strtol( port, &end, 10 );
1376 if ( end == port || end[0] != '}' ) {
1378 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1379 "illegal peername port specification "
1381 fname, lineno, port );
1386 #ifdef LDAP_PF_INET6
1387 } else if ( sty == ACL_STYLE_IPV6 ) {
1392 split( right, '{', &addr, &port );
1393 split( addr, '%', &addr, &mask );
1395 if ( inet_pton( AF_INET6, addr, &b->a_peername_addr6 ) != 1 ) {
1396 /* illegal address */
1397 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1398 "illegal peername address \"%s\".\n",
1399 fname, lineno, addr );
1403 if ( mask == NULL ) {
1404 mask = "FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF";
1407 if ( inet_pton( AF_INET6, mask, &b->a_peername_mask6 ) != 1 ) {
1409 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1410 "illegal peername address mask "
1412 fname, lineno, mask );
1416 b->a_peername_port = -1;
1420 b->a_peername_port = strtol( port, &end, 10 );
1421 if ( end == port || end[0] != '}' ) {
1423 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1424 "illegal peername port specification "
1426 fname, lineno, port );
1430 #endif /* LDAP_PF_INET6 */
1436 if ( strcasecmp( left, "sockname" ) == 0 ) {
1438 case ACL_STYLE_REGEX:
1439 case ACL_STYLE_BASE:
1440 /* legal, traditional */
1441 case ACL_STYLE_EXPAND:
1442 /* cheap replacement to regex for simple expansion */
1447 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1448 "inappropriate style \"%s\" in by clause\n",
1449 fname, lineno, style );
1453 if ( right == NULL || right[0] == '\0' ) {
1454 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1455 "missing \"=\" in (or value after) \"%s\" "
1457 fname, lineno, left );
1461 if ( !BER_BVISNULL( &b->a_sockname_pat ) ) {
1462 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1463 "sockname pattern already specified.\n",
1468 b->a_sockname_style = sty;
1469 if ( sty == ACL_STYLE_REGEX ) {
1470 acl_regex_normalized_dn( right, &bv );
1471 if ( !ber_bvccmp( &bv, '*' ) ) {
1472 regtest( fname, lineno, bv.bv_val );
1474 b->a_sockname_pat = bv;
1477 ber_str2bv( right, 0, 1, &b->a_sockname_pat );
1482 if ( strcasecmp( left, "domain" ) == 0 ) {
1484 case ACL_STYLE_REGEX:
1485 case ACL_STYLE_BASE:
1486 case ACL_STYLE_SUBTREE:
1487 /* legal, traditional */
1490 case ACL_STYLE_EXPAND:
1491 /* tolerated: means exact,expand */
1493 Debug( LDAP_DEBUG_ANY,
1495 "\"expand\" modifier "
1496 "with \"expand\" style.\n",
1499 sty = ACL_STYLE_BASE;
1505 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1506 "inappropriate style \"%s\" in by clause.\n",
1507 fname, lineno, style );
1511 if ( right == NULL || right[0] == '\0' ) {
1512 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1513 "missing \"=\" in (or value after) \"%s\" "
1515 fname, lineno, left );
1519 if ( !BER_BVISEMPTY( &b->a_domain_pat ) ) {
1520 Debug( LDAP_DEBUG_ANY,
1521 "%s: line %d: domain pattern already specified.\n",
1526 b->a_domain_style = sty;
1527 b->a_domain_expand = expand;
1528 if ( sty == ACL_STYLE_REGEX ) {
1529 acl_regex_normalized_dn( right, &bv );
1530 if ( !ber_bvccmp( &bv, '*' ) ) {
1531 regtest( fname, lineno, bv.bv_val );
1533 b->a_domain_pat = bv;
1536 ber_str2bv( right, 0, 1, &b->a_domain_pat );
1541 if ( strcasecmp( left, "sockurl" ) == 0 ) {
1543 case ACL_STYLE_REGEX:
1544 case ACL_STYLE_BASE:
1545 /* legal, traditional */
1546 case ACL_STYLE_EXPAND:
1547 /* cheap replacement to regex for simple expansion */
1552 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1553 "inappropriate style \"%s\" in by clause.\n",
1554 fname, lineno, style );
1558 if ( right == NULL || right[0] == '\0' ) {
1559 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1560 "missing \"=\" in (or value after) \"%s\" "
1562 fname, lineno, left );
1566 if ( !BER_BVISEMPTY( &b->a_sockurl_pat ) ) {
1567 Debug( LDAP_DEBUG_ANY,
1568 "%s: line %d: sockurl pattern already specified.\n",
1573 b->a_sockurl_style = sty;
1574 if ( sty == ACL_STYLE_REGEX ) {
1575 acl_regex_normalized_dn( right, &bv );
1576 if ( !ber_bvccmp( &bv, '*' ) ) {
1577 regtest( fname, lineno, bv.bv_val );
1579 b->a_sockurl_pat = bv;
1582 ber_str2bv( right, 0, 1, &b->a_sockurl_pat );
1587 if ( strcasecmp( left, "set" ) == 0 ) {
1590 case ACL_STYLE_REGEX:
1591 Debug( LDAP_DEBUG_CONFIG | LDAP_DEBUG_ACL,
1593 "deprecated set style "
1594 "\"regex\" in <by> clause; "
1595 "use \"expand\" instead.\n",
1597 sty = ACL_STYLE_EXPAND;
1600 case ACL_STYLE_BASE:
1601 case ACL_STYLE_EXPAND:
1605 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1606 "inappropriate style \"%s\" in by clause.\n",
1607 fname, lineno, style );
1611 if ( !BER_BVISEMPTY( &b->a_set_pat ) ) {
1612 Debug( LDAP_DEBUG_ANY,
1613 "%s: line %d: set attribute already specified.\n",
1618 if ( right == NULL || *right == '\0' ) {
1619 Debug( LDAP_DEBUG_ANY,
1620 "%s: line %d: no set is defined.\n",
1625 b->a_set_style = sty;
1626 ber_str2bv( right, 0, 1, &b->a_set_pat );
1636 #if 1 /* tolerate legacy "aci" <who> */
1637 if ( strcasecmp( left, "aci" ) == 0 ) {
1638 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1639 "undocumented deprecated \"aci\" directive "
1640 "is superseded by \"dynacl/aci\".\n",
1645 #endif /* tolerate legacy "aci" <who> */
1646 if ( strncasecmp( left, "dynacl/", STRLENOF( "dynacl/" ) ) == 0 ) {
1647 name = &left[ STRLENOF( "dynacl/" ) ];
1648 opts = strchr( name, '/' );
1656 if ( slap_dynacl_config( fname, lineno, b, name, opts, sty, right ) ) {
1657 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1658 "unable to configure dynacl \"%s\".\n",
1659 fname, lineno, name );
1666 #endif /* SLAP_DYNACL */
1668 if ( strcasecmp( left, "ssf" ) == 0 ) {
1669 if ( sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE ) {
1670 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1671 "inappropriate style \"%s\" in by clause.\n",
1672 fname, lineno, style );
1676 if ( b->a_authz.sai_ssf ) {
1677 Debug( LDAP_DEBUG_ANY,
1678 "%s: line %d: ssf attribute already specified.\n",
1683 if ( right == NULL || *right == '\0' ) {
1684 Debug( LDAP_DEBUG_ANY,
1685 "%s: line %d: no ssf is defined.\n",
1690 if ( lutil_atou( &b->a_authz.sai_ssf, right ) != 0 ) {
1691 Debug( LDAP_DEBUG_ANY,
1692 "%s: line %d: unable to parse ssf value (%s).\n",
1693 fname, lineno, right );
1697 if ( !b->a_authz.sai_ssf ) {
1698 Debug( LDAP_DEBUG_ANY,
1699 "%s: line %d: invalid ssf value (%s).\n",
1700 fname, lineno, right );
1706 if ( strcasecmp( left, "transport_ssf" ) == 0 ) {
1707 if ( sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE ) {
1708 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1709 "inappropriate style \"%s\" in by clause.\n",
1710 fname, lineno, style );
1714 if ( b->a_authz.sai_transport_ssf ) {
1715 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1716 "transport_ssf attribute already specified.\n",
1721 if ( right == NULL || *right == '\0' ) {
1722 Debug( LDAP_DEBUG_ANY,
1723 "%s: line %d: no transport_ssf is defined.\n",
1728 if ( lutil_atou( &b->a_authz.sai_transport_ssf, right ) != 0 ) {
1729 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1730 "unable to parse transport_ssf value (%s).\n",
1731 fname, lineno, right );
1735 if ( !b->a_authz.sai_transport_ssf ) {
1736 Debug( LDAP_DEBUG_ANY,
1737 "%s: line %d: invalid transport_ssf value (%s).\n",
1738 fname, lineno, right );
1744 if ( strcasecmp( left, "tls_ssf" ) == 0 ) {
1745 if ( sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE ) {
1746 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1747 "inappropriate style \"%s\" in by clause.\n",
1748 fname, lineno, style );
1752 if ( b->a_authz.sai_tls_ssf ) {
1753 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1754 "tls_ssf attribute already specified.\n",
1759 if ( right == NULL || *right == '\0' ) {
1760 Debug( LDAP_DEBUG_ANY,
1761 "%s: line %d: no tls_ssf is defined\n",
1766 if ( lutil_atou( &b->a_authz.sai_tls_ssf, right ) != 0 ) {
1767 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1768 "unable to parse tls_ssf value (%s).\n",
1769 fname, lineno, right );
1773 if ( !b->a_authz.sai_tls_ssf ) {
1774 Debug( LDAP_DEBUG_ANY,
1775 "%s: line %d: invalid tls_ssf value (%s).\n",
1776 fname, lineno, right );
1782 if ( strcasecmp( left, "sasl_ssf" ) == 0 ) {
1783 if ( sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE ) {
1784 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1785 "inappropriate style \"%s\" in by clause.\n",
1786 fname, lineno, style );
1790 if ( b->a_authz.sai_sasl_ssf ) {
1791 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1792 "sasl_ssf attribute already specified.\n",
1797 if ( right == NULL || *right == '\0' ) {
1798 Debug( LDAP_DEBUG_ANY,
1799 "%s: line %d: no sasl_ssf is defined.\n",
1804 if ( lutil_atou( &b->a_authz.sai_sasl_ssf, right ) != 0 ) {
1805 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1806 "unable to parse sasl_ssf value (%s).\n",
1807 fname, lineno, right );
1811 if ( !b->a_authz.sai_sasl_ssf ) {
1812 Debug( LDAP_DEBUG_ANY,
1813 "%s: line %d: invalid sasl_ssf value (%s).\n",
1814 fname, lineno, right );
1820 if ( right != NULL ) {
1827 if ( i == argc || ( strcasecmp( left, "stop" ) == 0 ) ) {
1828 /* out of arguments or plain stop */
1830 ACL_PRIV_ASSIGN( b->a_access_mask, ACL_PRIV_ADDITIVE );
1831 ACL_PRIV_SET( b->a_access_mask, ACL_PRIV_NONE);
1832 b->a_type = ACL_STOP;
1834 access_append( &a->acl_access, b );
1838 if ( strcasecmp( left, "continue" ) == 0 ) {
1839 /* plain continue */
1841 ACL_PRIV_ASSIGN( b->a_access_mask, ACL_PRIV_ADDITIVE );
1842 ACL_PRIV_SET( b->a_access_mask, ACL_PRIV_NONE);
1843 b->a_type = ACL_CONTINUE;
1845 access_append( &a->acl_access, b );
1849 if ( strcasecmp( left, "break" ) == 0 ) {
1850 /* plain continue */
1852 ACL_PRIV_ASSIGN(b->a_access_mask, ACL_PRIV_ADDITIVE);
1853 ACL_PRIV_SET( b->a_access_mask, ACL_PRIV_NONE);
1854 b->a_type = ACL_BREAK;
1856 access_append( &a->acl_access, b );
1860 if ( strcasecmp( left, "by" ) == 0 ) {
1861 /* we've gone too far */
1863 ACL_PRIV_ASSIGN( b->a_access_mask, ACL_PRIV_ADDITIVE );
1864 ACL_PRIV_SET( b->a_access_mask, ACL_PRIV_NONE);
1865 b->a_type = ACL_STOP;
1867 access_append( &a->acl_access, b );
1875 if ( strncasecmp( left, "self", STRLENOF( "self" ) ) == 0 ) {
1877 lleft = &left[ STRLENOF( "self" ) ];
1879 } else if ( strncasecmp( left, "realself", STRLENOF( "realself" ) ) == 0 ) {
1880 b->a_realdn_self = 1;
1881 lleft = &left[ STRLENOF( "realself" ) ];
1884 ACL_PRIV_ASSIGN( b->a_access_mask, str2accessmask( lleft ) );
1887 if ( ACL_IS_INVALID( b->a_access_mask ) ) {
1888 Debug( LDAP_DEBUG_ANY,
1889 "%s: line %d: expecting <access> got \"%s\".\n",
1890 fname, lineno, left );
1894 b->a_type = ACL_STOP;
1896 if ( ++i == argc ) {
1897 /* out of arguments or plain stop */
1898 access_append( &a->acl_access, b );
1902 if ( strcasecmp( argv[i], "continue" ) == 0 ) {
1903 /* plain continue */
1904 b->a_type = ACL_CONTINUE;
1906 } else if ( strcasecmp( argv[i], "break" ) == 0 ) {
1907 /* plain continue */
1908 b->a_type = ACL_BREAK;
1910 } else if ( strcasecmp( argv[i], "stop" ) != 0 ) {
1915 access_append( &a->acl_access, b );
1919 Debug( LDAP_DEBUG_ANY,
1920 "%s: line %d: expecting \"to\" "
1921 "or \"by\" got \"%s\"\n",
1922 fname, lineno, argv[i] );
1927 /* if we have no real access clause, complain and do nothing */
1929 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1930 "warning: no access clause(s) specified in access line.\n",
1936 if ( slap_debug & LDAP_DEBUG_ACL ) {
1941 if ( a->acl_access == NULL ) {
1942 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1943 "warning: no by clause(s) specified in access line.\n",
1949 if ( be->be_nsuffix == NULL ) {
1950 Debug( LDAP_DEBUG_ACL, "%s: line %d: warning: "
1951 "scope checking needs suffix before ACLs.\n",
1953 /* go ahead, since checking is not authoritative */
1954 } else if ( !BER_BVISNULL( &be->be_nsuffix[ 1 ] ) ) {
1955 Debug( LDAP_DEBUG_ACL, "%s: line %d: warning: "
1956 "scope checking only applies to single-valued "
1957 "suffix databases\n",
1959 /* go ahead, since checking is not authoritative */
1961 switch ( check_scope( be, a ) ) {
1962 case ACL_SCOPE_UNKNOWN:
1963 Debug( LDAP_DEBUG_ACL, "%s: line %d: warning: "
1964 "cannot assess the validity of the ACL scope within "
1965 "backend naming context\n",
1969 case ACL_SCOPE_WARN:
1970 Debug( LDAP_DEBUG_ACL, "%s: line %d: warning: "
1971 "ACL could be out of scope within backend naming context\n",
1975 case ACL_SCOPE_PARTIAL:
1976 Debug( LDAP_DEBUG_ACL, "%s: line %d: warning: "
1977 "ACL appears to be partially out of scope within "
1978 "backend naming context\n",
1983 Debug( LDAP_DEBUG_ACL, "%s: line %d: warning: "
1984 "ACL appears to be out of scope within "
1985 "backend naming context\n",
1993 acl_append( &be->be_acl, a, pos );
1996 acl_append( &frontendDB->be_acl, a, pos );
2003 if ( b ) access_free( b );
2004 if ( a ) acl_free( a );
2009 accessmask2str( slap_mask_t mask, char *buf, int debug )
2014 assert( buf != NULL );
2016 if ( ACL_IS_INVALID( mask ) ) {
2022 if ( ACL_IS_LEVEL( mask ) ) {
2023 if ( ACL_LVL_IS_NONE(mask) ) {
2024 ptr = lutil_strcopy( ptr, "none" );
2026 } else if ( ACL_LVL_IS_DISCLOSE(mask) ) {
2027 ptr = lutil_strcopy( ptr, "disclose" );
2029 } else if ( ACL_LVL_IS_AUTH(mask) ) {
2030 ptr = lutil_strcopy( ptr, "auth" );
2032 } else if ( ACL_LVL_IS_COMPARE(mask) ) {
2033 ptr = lutil_strcopy( ptr, "compare" );
2035 } else if ( ACL_LVL_IS_SEARCH(mask) ) {
2036 ptr = lutil_strcopy( ptr, "search" );
2038 } else if ( ACL_LVL_IS_READ(mask) ) {
2039 ptr = lutil_strcopy( ptr, "read" );
2041 } else if ( ACL_LVL_IS_WRITE(mask) ) {
2042 ptr = lutil_strcopy( ptr, "write" );
2044 } else if ( ACL_LVL_IS_WADD(mask) ) {
2045 ptr = lutil_strcopy( ptr, "add" );
2047 } else if ( ACL_LVL_IS_WDEL(mask) ) {
2048 ptr = lutil_strcopy( ptr, "delete" );
2050 } else if ( ACL_LVL_IS_MANAGE(mask) ) {
2051 ptr = lutil_strcopy( ptr, "manage" );
2054 ptr = lutil_strcopy( ptr, "unknown" );
2064 if( ACL_IS_ADDITIVE( mask ) ) {
2067 } else if( ACL_IS_SUBTRACTIVE( mask ) ) {
2074 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_MANAGE) ) {
2079 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_WRITE) ) {
2083 } else if ( ACL_PRIV_ISSET(mask, ACL_PRIV_WADD) ) {
2087 } else if ( ACL_PRIV_ISSET(mask, ACL_PRIV_WDEL) ) {
2092 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_READ) ) {
2097 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_SEARCH) ) {
2102 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_COMPARE) ) {
2107 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_AUTH) ) {
2112 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_DISCLOSE) ) {
2117 if ( none && ACL_PRIV_ISSET(mask, ACL_PRIV_NONE) ) {
2126 if ( ACL_IS_LEVEL( mask ) ) {
2136 str2accessmask( const char *str )
2140 if( !ASCII_ALPHA(str[0]) ) {
2143 if ( str[0] == '=' ) {
2146 } else if( str[0] == '+' ) {
2147 ACL_PRIV_ASSIGN(mask, ACL_PRIV_ADDITIVE);
2149 } else if( str[0] == '-' ) {
2150 ACL_PRIV_ASSIGN(mask, ACL_PRIV_SUBSTRACTIVE);
2153 ACL_INVALIDATE(mask);
2157 for( i=1; str[i] != '\0'; i++ ) {
2158 if( TOLOWER((unsigned char) str[i]) == 'm' ) {
2159 ACL_PRIV_SET(mask, ACL_PRIV_MANAGE);
2161 } else if( TOLOWER((unsigned char) str[i]) == 'w' ) {
2162 ACL_PRIV_SET(mask, ACL_PRIV_WRITE);
2164 } else if( TOLOWER((unsigned char) str[i]) == 'a' ) {
2165 ACL_PRIV_SET(mask, ACL_PRIV_WADD);
2167 } else if( TOLOWER((unsigned char) str[i]) == 'z' ) {
2168 ACL_PRIV_SET(mask, ACL_PRIV_WDEL);
2170 } else if( TOLOWER((unsigned char) str[i]) == 'r' ) {
2171 ACL_PRIV_SET(mask, ACL_PRIV_READ);
2173 } else if( TOLOWER((unsigned char) str[i]) == 's' ) {
2174 ACL_PRIV_SET(mask, ACL_PRIV_SEARCH);
2176 } else if( TOLOWER((unsigned char) str[i]) == 'c' ) {
2177 ACL_PRIV_SET(mask, ACL_PRIV_COMPARE);
2179 } else if( TOLOWER((unsigned char) str[i]) == 'x' ) {
2180 ACL_PRIV_SET(mask, ACL_PRIV_AUTH);
2182 } else if( TOLOWER((unsigned char) str[i]) == 'd' ) {
2183 ACL_PRIV_SET(mask, ACL_PRIV_DISCLOSE);
2185 } else if( str[i] == '0' ) {
2186 ACL_PRIV_SET(mask, ACL_PRIV_NONE);
2189 ACL_INVALIDATE(mask);
2197 if ( strcasecmp( str, "none" ) == 0 ) {
2198 ACL_LVL_ASSIGN_NONE(mask);
2200 } else if ( strcasecmp( str, "disclose" ) == 0 ) {
2201 ACL_LVL_ASSIGN_DISCLOSE(mask);
2203 } else if ( strcasecmp( str, "auth" ) == 0 ) {
2204 ACL_LVL_ASSIGN_AUTH(mask);
2206 } else if ( strcasecmp( str, "compare" ) == 0 ) {
2207 ACL_LVL_ASSIGN_COMPARE(mask);
2209 } else if ( strcasecmp( str, "search" ) == 0 ) {
2210 ACL_LVL_ASSIGN_SEARCH(mask);
2212 } else if ( strcasecmp( str, "read" ) == 0 ) {
2213 ACL_LVL_ASSIGN_READ(mask);
2215 } else if ( strcasecmp( str, "add" ) == 0 ) {
2216 ACL_LVL_ASSIGN_WADD(mask);
2218 } else if ( strcasecmp( str, "delete" ) == 0 ) {
2219 ACL_LVL_ASSIGN_WDEL(mask);
2221 } else if ( strcasecmp( str, "write" ) == 0 ) {
2222 ACL_LVL_ASSIGN_WRITE(mask);
2224 } else if ( strcasecmp( str, "manage" ) == 0 ) {
2225 ACL_LVL_ASSIGN_MANAGE(mask);
2228 ACL_INVALIDATE( mask );
2238 "<access clause> ::= access to <what> "
2239 "[ by <who> [ <access> ] [ <control> ] ]+ \n";
2241 "<what> ::= * | dn[.<dnstyle>=<DN>] [filter=<filter>] [attrs=<attrspec>]\n"
2242 "<attrspec> ::= <attrname> [val[/<matchingRule>][.<attrstyle>]=<value>] | <attrlist>\n"
2243 "<attrlist> ::= <attr> [ , <attrlist> ]\n"
2244 "<attr> ::= <attrname> | @<objectClass> | !<objectClass> | entry | children\n";
2247 "<who> ::= [ * | anonymous | users | self | dn[.<dnstyle>]=<DN> ]\n"
2248 "\t[ realanonymous | realusers | realself | realdn[.<dnstyle>]=<DN> ]\n"
2249 "\t[dnattr=<attrname>]\n"
2250 "\t[realdnattr=<attrname>]\n"
2251 "\t[group[/<objectclass>[/<attrname>]][.<style>]=<group>]\n"
2252 "\t[peername[.<peernamestyle>]=<peer>] [sockname[.<style>]=<name>]\n"
2253 "\t[domain[.<domainstyle>]=<domain>] [sockurl[.<style>]=<url>]\n"
2255 "\t[dynacl/<name>[/<options>][.<dynstyle>][=<pattern>]]\n"
2256 #endif /* SLAP_DYNACL */
2257 "\t[ssf=<n>] [transport_ssf=<n>] [tls_ssf=<n>] [sasl_ssf=<n>]\n"
2258 "<style> ::= exact | regex | base(Object)\n"
2259 "<dnstyle> ::= base(Object) | one(level) | sub(tree) | children | "
2261 "<attrstyle> ::= exact | regex | base(Object) | one(level) | "
2262 "sub(tree) | children\n"
2263 "<peernamestyle> ::= exact | regex | ip | ipv6 | path\n"
2264 "<domainstyle> ::= exact | regex | base(Object) | sub(tree)\n"
2265 "<access> ::= [[real]self]{<level>|<priv>}\n"
2266 "<level> ::= none|disclose|auth|compare|search|read|{write|add|delete}|manage\n"
2267 "<priv> ::= {=|+|-}{0|d|x|c|s|r|{w|a|z}|m}+\n"
2268 "<control> ::= [ stop | continue | break ]\n"
2270 #ifdef SLAPD_ACI_ENABLED
2272 "\t<name>=ACI\t<pattern>=<attrname>\n"
2273 #endif /* SLAPD_ACI_ENABLED */
2274 #endif /* ! SLAP_DYNACL */
2277 Debug( LDAP_DEBUG_ANY, "%s%s%s\n", access, what, who );
2283 * Set pattern to a "normalized" DN from src.
2284 * At present it simply eats the (optional) space after
2285 * a RDN separator (,)
2286 * Eventually will evolve in a more complete normalization
2289 acl_regex_normalized_dn(
2291 struct berval *pattern )
2296 str = ch_strdup( src );
2297 len = strlen( src );
2299 for ( p = str; p && p[0]; p++ ) {
2301 if ( p[0] == '\\' && p[1] ) {
2303 * if escaping a hex pair we should
2304 * increment p twice; however, in that
2305 * case the second hex number does
2311 if ( p[0] == ',' && p[1] == ' ' ) {
2315 * too much space should be an error if we are pedantic
2317 for ( q = &p[2]; q[0] == ' '; q++ ) {
2320 AC_MEMCPY( p+1, q, len-(q-str)+1);
2323 pattern->bv_val = str;
2324 pattern->bv_len = p - str;
2337 if ( (*right = strchr( line, splitchar )) != NULL ) {
2338 *((*right)++) = '\0';
2343 access_append( Access **l, Access *a )
2345 for ( ; *l != NULL; l = &(*l)->a_next ) {
2353 acl_append( AccessControl **l, AccessControl *a, int pos )
2357 for (i=0 ; i != pos && *l != NULL; l = &(*l)->acl_next, i++ ) {
2366 access_free( Access *a )
2368 if ( !BER_BVISNULL( &a->a_dn_pat ) ) {
2369 free( a->a_dn_pat.bv_val );
2371 if ( !BER_BVISNULL( &a->a_realdn_pat ) ) {
2372 free( a->a_realdn_pat.bv_val );
2374 if ( !BER_BVISNULL( &a->a_peername_pat ) ) {
2375 free( a->a_peername_pat.bv_val );
2377 if ( !BER_BVISNULL( &a->a_sockname_pat ) ) {
2378 free( a->a_sockname_pat.bv_val );
2380 if ( !BER_BVISNULL( &a->a_domain_pat ) ) {
2381 free( a->a_domain_pat.bv_val );
2383 if ( !BER_BVISNULL( &a->a_sockurl_pat ) ) {
2384 free( a->a_sockurl_pat.bv_val );
2386 if ( !BER_BVISNULL( &a->a_set_pat ) ) {
2387 free( a->a_set_pat.bv_val );
2389 if ( !BER_BVISNULL( &a->a_group_pat ) ) {
2390 free( a->a_group_pat.bv_val );
2393 if ( a->a_dynacl != NULL ) {
2395 for ( da = a->a_dynacl; da; ) {
2396 slap_dynacl_t *tmp = da;
2400 if ( tmp->da_destroy ) {
2401 tmp->da_destroy( tmp->da_private );
2407 #endif /* SLAP_DYNACL */
2412 acl_free( AccessControl *a )
2417 if ( a->acl_filter ) {
2418 filter_free( a->acl_filter );
2420 if ( !BER_BVISNULL( &a->acl_dn_pat ) ) {
2421 if ( a->acl_dn_style == ACL_STYLE_REGEX ) {
2422 regfree( &a->acl_dn_re );
2424 free ( a->acl_dn_pat.bv_val );
2426 if ( a->acl_attrs ) {
2427 for ( an = a->acl_attrs; !BER_BVISNULL( &an->an_name ); an++ ) {
2428 free( an->an_name.bv_val );
2430 free( a->acl_attrs );
2432 if ( a->acl_attrval_style == ACL_STYLE_REGEX ) {
2433 regfree( &a->acl_attrval_re );
2436 if ( !BER_BVISNULL( &a->acl_attrval ) ) {
2437 ber_memfree( a->acl_attrval.bv_val );
2440 for ( ; a->acl_access; a->acl_access = n ) {
2441 n = a->acl_access->a_next;
2442 access_free( a->acl_access );
2448 acl_destroy( AccessControl *a )
2452 for ( ; a; a = n ) {
2457 if ( !BER_BVISNULL( &aclbuf ) ) {
2458 ch_free( aclbuf.bv_val );
2459 BER_BVZERO( &aclbuf );
2464 access2str( slap_access_t access )
2466 if ( access == ACL_NONE ) {
2469 } else if ( access == ACL_DISCLOSE ) {
2472 } else if ( access == ACL_AUTH ) {
2475 } else if ( access == ACL_COMPARE ) {
2478 } else if ( access == ACL_SEARCH ) {
2481 } else if ( access == ACL_READ ) {
2484 } else if ( access == ACL_WRITE ) {
2487 } else if ( access == ACL_WADD ) {
2490 } else if ( access == ACL_WDEL ) {
2493 } else if ( access == ACL_MANAGE ) {
2502 str2access( const char *str )
2504 if ( strcasecmp( str, "none" ) == 0 ) {
2507 } else if ( strcasecmp( str, "disclose" ) == 0 ) {
2508 return ACL_DISCLOSE;
2510 } else if ( strcasecmp( str, "auth" ) == 0 ) {
2513 } else if ( strcasecmp( str, "compare" ) == 0 ) {
2516 } else if ( strcasecmp( str, "search" ) == 0 ) {
2519 } else if ( strcasecmp( str, "read" ) == 0 ) {
2522 } else if ( strcasecmp( str, "write" ) == 0 ) {
2525 } else if ( strcasecmp( str, "add" ) == 0 ) {
2528 } else if ( strcasecmp( str, "delete" ) == 0 ) {
2531 } else if ( strcasecmp( str, "manage" ) == 0 ) {
2535 return( ACL_INVALID_ACCESS );
2539 safe_strncopy( char *ptr, const char *src, size_t n, struct berval *buf )
2541 while ( ptr + n >= buf->bv_val + buf->bv_len ) {
2542 char *tmp = ch_realloc( buf->bv_val, 2*buf->bv_len );
2543 if ( tmp == NULL ) {
2546 ptr = tmp + (ptr - buf->bv_val);
2551 return lutil_strncopy( ptr, src, n );
2555 safe_strcopy( char *ptr, const char *s, struct berval *buf )
2557 size_t n = strlen( s );
2559 return safe_strncopy( ptr, s, n, buf );
2563 safe_strbvcopy( char *ptr, const struct berval *bv, struct berval *buf )
2565 return safe_strncopy( ptr, bv->bv_val, bv->bv_len, buf );
2568 #define acl_safe_strcopy( ptr, s ) safe_strcopy( (ptr), (s), &aclbuf )
2569 #define acl_safe_strncopy( ptr, s, n ) safe_strncopy( (ptr), (s), (n), &aclbuf )
2570 #define acl_safe_strbvcopy( ptr, bv ) safe_strbvcopy( (ptr), (bv), &aclbuf )
2573 dnaccess2text( slap_dn_access *bdn, char *ptr, int is_realdn )
2578 ptr = acl_safe_strcopy( ptr, "real" );
2581 if ( ber_bvccmp( &bdn->a_pat, '*' ) ||
2582 bdn->a_style == ACL_STYLE_ANONYMOUS ||
2583 bdn->a_style == ACL_STYLE_USERS ||
2584 bdn->a_style == ACL_STYLE_SELF )
2587 assert( ! ber_bvccmp( &bdn->a_pat, '*' ) );
2590 ptr = acl_safe_strbvcopy( ptr, &bdn->a_pat );
2591 if ( bdn->a_style == ACL_STYLE_SELF && bdn->a_self_level != 0 ) {
2592 char buf[SLAP_TEXT_BUFLEN];
2593 int n = snprintf( buf, sizeof(buf), ".level{%d}", bdn->a_self_level );
2595 ptr = acl_safe_strncopy( ptr, buf, n );
2600 ptr = acl_safe_strcopy( ptr, "dn." );
2601 if ( bdn->a_style == ACL_STYLE_BASE )
2602 ptr = acl_safe_strcopy( ptr, style_base );
2604 ptr = acl_safe_strcopy( ptr, style_strings[bdn->a_style] );
2605 if ( bdn->a_style == ACL_STYLE_LEVEL ) {
2606 char buf[SLAP_TEXT_BUFLEN];
2607 int n = snprintf( buf, sizeof(buf), "{%d}", bdn->a_level );
2609 ptr = acl_safe_strncopy( ptr, buf, n );
2612 if ( bdn->a_expand ) {
2613 ptr = acl_safe_strcopy( ptr, ",expand" );
2615 ptr = acl_safe_strcopy( ptr, "=\"" );
2616 ptr = acl_safe_strbvcopy( ptr, &bdn->a_pat );
2617 ptr = acl_safe_strcopy( ptr, "\"" );
2623 access2text( Access *b, char *ptr )
2625 char maskbuf[ACCESSMASK_MAXLEN];
2627 ptr = acl_safe_strcopy( ptr, "\tby" );
2629 if ( !BER_BVISEMPTY( &b->a_dn_pat ) ) {
2630 ptr = dnaccess2text( &b->a_dn, ptr, 0 );
2633 ptr = acl_safe_strcopy( ptr, " dnattr=" );
2634 ptr = acl_safe_strbvcopy( ptr, &b->a_dn_at->ad_cname );
2637 if ( !BER_BVISEMPTY( &b->a_realdn_pat ) ) {
2638 ptr = dnaccess2text( &b->a_realdn, ptr, 1 );
2640 if ( b->a_realdn_at ) {
2641 ptr = acl_safe_strcopy( ptr, " realdnattr=" );
2642 ptr = acl_safe_strbvcopy( ptr, &b->a_realdn_at->ad_cname );
2645 if ( !BER_BVISEMPTY( &b->a_group_pat ) ) {
2646 ptr = acl_safe_strcopy( ptr, " group/" );
2647 ptr = acl_safe_strcopy( ptr, b->a_group_oc ?
2648 b->a_group_oc->soc_cname.bv_val : SLAPD_GROUP_CLASS );
2649 ptr = acl_safe_strcopy( ptr, "/" );
2650 ptr = acl_safe_strcopy( ptr, b->a_group_at ?
2651 b->a_group_at->ad_cname.bv_val : SLAPD_GROUP_ATTR );
2652 ptr = acl_safe_strcopy( ptr, "." );
2653 ptr = acl_safe_strcopy( ptr, style_strings[b->a_group_style] );
2654 ptr = acl_safe_strcopy( ptr, "=\"" );
2655 ptr = acl_safe_strbvcopy( ptr, &b->a_group_pat );
2656 ptr = acl_safe_strcopy( ptr, "\"" );
2659 if ( !BER_BVISEMPTY( &b->a_peername_pat ) ) {
2660 ptr = acl_safe_strcopy( ptr, " peername" );
2661 ptr = acl_safe_strcopy( ptr, "." );
2662 ptr = acl_safe_strcopy( ptr, style_strings[b->a_peername_style] );
2663 ptr = acl_safe_strcopy( ptr, "=\"" );
2664 ptr = acl_safe_strbvcopy( ptr, &b->a_peername_pat );
2665 ptr = acl_safe_strcopy( ptr, "\"" );
2668 if ( !BER_BVISEMPTY( &b->a_sockname_pat ) ) {
2669 ptr = acl_safe_strcopy( ptr, " sockname" );
2670 ptr = acl_safe_strcopy( ptr, "." );
2671 ptr = acl_safe_strcopy( ptr, style_strings[b->a_sockname_style] );
2672 ptr = acl_safe_strcopy( ptr, "=\"" );
2673 ptr = acl_safe_strbvcopy( ptr, &b->a_sockname_pat );
2674 ptr = acl_safe_strcopy( ptr, "\"" );
2677 if ( !BER_BVISEMPTY( &b->a_domain_pat ) ) {
2678 ptr = acl_safe_strcopy( ptr, " domain" );
2679 ptr = acl_safe_strcopy( ptr, "." );
2680 ptr = acl_safe_strcopy( ptr, style_strings[b->a_domain_style] );
2681 if ( b->a_domain_expand ) {
2682 ptr = acl_safe_strcopy( ptr, ",expand" );
2684 ptr = acl_safe_strcopy( ptr, "=" );
2685 ptr = acl_safe_strbvcopy( ptr, &b->a_domain_pat );
2688 if ( !BER_BVISEMPTY( &b->a_sockurl_pat ) ) {
2689 ptr = acl_safe_strcopy( ptr, " sockurl" );
2690 ptr = acl_safe_strcopy( ptr, "." );
2691 ptr = acl_safe_strcopy( ptr, style_strings[b->a_sockurl_style] );
2692 ptr = acl_safe_strcopy( ptr, "=\"" );
2693 ptr = acl_safe_strbvcopy( ptr, &b->a_sockurl_pat );
2694 ptr = acl_safe_strcopy( ptr, "\"" );
2697 if ( !BER_BVISEMPTY( &b->a_set_pat ) ) {
2698 ptr = acl_safe_strcopy( ptr, " set" );
2699 ptr = acl_safe_strcopy( ptr, "." );
2700 ptr = acl_safe_strcopy( ptr, style_strings[b->a_set_style] );
2701 ptr = acl_safe_strcopy( ptr, "=\"" );
2702 ptr = acl_safe_strbvcopy( ptr, &b->a_set_pat );
2703 ptr = acl_safe_strcopy( ptr, "\"" );
2707 if ( b->a_dynacl ) {
2710 for ( da = b->a_dynacl; da; da = da->da_next ) {
2711 if ( da->da_unparse ) {
2712 struct berval bv = BER_BVNULL;
2713 (void)( *da->da_unparse )( da->da_private, &bv );
2714 assert( !BER_BVISNULL( &bv ) );
2715 ptr = acl_safe_strbvcopy( ptr, &bv );
2716 ch_free( bv.bv_val );
2720 #endif /* SLAP_DYNACL */
2722 /* Security Strength Factors */
2723 if ( b->a_authz.sai_ssf ) {
2724 char buf[SLAP_TEXT_BUFLEN];
2725 int n = snprintf( buf, sizeof(buf), " ssf=%u",
2726 b->a_authz.sai_ssf );
2727 ptr = acl_safe_strncopy( ptr, buf, n );
2729 if ( b->a_authz.sai_transport_ssf ) {
2730 char buf[SLAP_TEXT_BUFLEN];
2731 int n = snprintf( buf, sizeof(buf), " transport_ssf=%u",
2732 b->a_authz.sai_transport_ssf );
2733 ptr = acl_safe_strncopy( ptr, buf, n );
2735 if ( b->a_authz.sai_tls_ssf ) {
2736 char buf[SLAP_TEXT_BUFLEN];
2737 int n = snprintf( buf, sizeof(buf), " tls_ssf=%u",
2738 b->a_authz.sai_tls_ssf );
2739 ptr = acl_safe_strncopy( ptr, buf, n );
2741 if ( b->a_authz.sai_sasl_ssf ) {
2742 char buf[SLAP_TEXT_BUFLEN];
2743 int n = snprintf( buf, sizeof(buf), " sasl_ssf=%u",
2744 b->a_authz.sai_sasl_ssf );
2745 ptr = acl_safe_strncopy( ptr, buf, n );
2748 ptr = acl_safe_strcopy( ptr, " " );
2749 if ( b->a_dn_self ) {
2750 ptr = acl_safe_strcopy( ptr, "self" );
2751 } else if ( b->a_realdn_self ) {
2752 ptr = acl_safe_strcopy( ptr, "realself" );
2754 ptr = acl_safe_strcopy( ptr, accessmask2str( b->a_access_mask, maskbuf, 0 ));
2755 if ( !maskbuf[0] ) ptr--;
2757 if( b->a_type == ACL_BREAK ) {
2758 ptr = acl_safe_strcopy( ptr, " break" );
2760 } else if( b->a_type == ACL_CONTINUE ) {
2761 ptr = acl_safe_strcopy( ptr, " continue" );
2763 } else if( b->a_type != ACL_STOP ) {
2764 ptr = acl_safe_strcopy( ptr, " unknown-control" );
2766 if ( !maskbuf[0] ) ptr = acl_safe_strcopy( ptr, " stop" );
2768 ptr = acl_safe_strcopy( ptr, "\n" );
2774 acl_unparse( AccessControl *a, struct berval *bv )
2780 if ( BER_BVISNULL( &aclbuf ) ) {
2781 aclbuf.bv_val = ch_malloc( ACLBUF_CHUNKSIZE );
2782 aclbuf.bv_len = ACLBUF_CHUNKSIZE;
2787 ptr = aclbuf.bv_val;
2789 ptr = acl_safe_strcopy( ptr, "to" );
2790 if ( !BER_BVISNULL( &a->acl_dn_pat ) ) {
2792 ptr = acl_safe_strcopy( ptr, " dn." );
2793 if ( a->acl_dn_style == ACL_STYLE_BASE )
2794 ptr = acl_safe_strcopy( ptr, style_base );
2796 ptr = acl_safe_strcopy( ptr, style_strings[a->acl_dn_style] );
2797 ptr = acl_safe_strcopy( ptr, "=\"" );
2798 ptr = acl_safe_strbvcopy( ptr, &a->acl_dn_pat );
2799 ptr = acl_safe_strcopy( ptr, "\"\n" );
2802 if ( a->acl_filter != NULL ) {
2803 struct berval fbv = BER_BVNULL;
2806 filter2bv( a->acl_filter, &fbv );
2807 ptr = acl_safe_strcopy( ptr, " filter=\"" );
2808 ptr = acl_safe_strbvcopy( ptr, &fbv );
2809 ptr = acl_safe_strcopy( ptr, "\"\n" );
2810 ch_free( fbv.bv_val );
2813 if ( a->acl_attrs != NULL ) {
2818 ptr = acl_safe_strcopy( ptr, " attrs=" );
2819 for ( an = a->acl_attrs; an && !BER_BVISNULL( &an->an_name ); an++ ) {
2820 if ( ! first ) ptr = acl_safe_strcopy( ptr, ",");
2822 ptr = acl_safe_strcopy( ptr, ( an->an_flags & SLAP_AN_OCEXCLUDE ) ? "!" : "@" );
2823 ptr = acl_safe_strbvcopy( ptr, &an->an_oc->soc_cname );
2826 ptr = acl_safe_strbvcopy( ptr, &an->an_name );
2830 ptr = acl_safe_strcopy( ptr, "\n" );
2833 if ( !BER_BVISEMPTY( &a->acl_attrval ) ) {
2835 ptr = acl_safe_strcopy( ptr, " val." );
2836 if ( a->acl_attrval_style == ACL_STYLE_BASE &&
2837 a->acl_attrs[0].an_desc->ad_type->sat_syntax ==
2838 slap_schema.si_syn_distinguishedName )
2839 ptr = acl_safe_strcopy( ptr, style_base );
2841 ptr = acl_safe_strcopy( ptr, style_strings[a->acl_attrval_style] );
2842 ptr = acl_safe_strcopy( ptr, "=\"" );
2843 ptr = acl_safe_strbvcopy( ptr, &a->acl_attrval );
2844 ptr = acl_safe_strcopy( ptr, "\"\n" );
2848 ptr = acl_safe_strcopy( ptr, " *\n" );
2851 for ( b = a->acl_access; b != NULL; b = b->a_next ) {
2852 ptr = access2text( b, ptr );
2855 bv->bv_val = aclbuf.bv_val;
2856 bv->bv_len = ptr - bv->bv_val;
2861 print_acl( Backend *be, AccessControl *a )
2865 acl_unparse( a, &bv );
2866 fprintf( stderr, "%s ACL: access %s\n",
2867 be == NULL ? "Global" : "Backend", bv.bv_val );
2869 #endif /* LDAP_DEBUG */