1 /* aclparse.c - routines to parse and check acl's */
3 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
5 * Copyright 1998-2005 The OpenLDAP Foundation.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted only as authorized by the OpenLDAP
12 * A copy of this license is available in the file LICENSE in the
13 * top-level directory of the distribution or, alternatively, at
14 * <http://www.OpenLDAP.org/license.html>.
16 /* Portions Copyright (c) 1995 Regents of the University of Michigan.
17 * All rights reserved.
19 * Redistribution and use in source and binary forms are permitted
20 * provided that this notice is preserved and that due credit is given
21 * to the University of Michigan at Ann Arbor. The name of the University
22 * may not be used to endorse or promote products derived from this
23 * software without specific prior written permission. This software
24 * is provided ``as is'' without express or implied warranty.
33 #include <ac/socket.h>
34 #include <ac/string.h>
35 #include <ac/unistd.h>
41 static const char style_base[] = "base";
42 char *style_strings[] = {
59 static void split(char *line, int splitchar, char **left, char **right);
60 static void access_append(Access **l, Access *a);
61 static void acl_usage(void) LDAP_GCCATTR((noreturn));
63 static void acl_regex_normalized_dn(const char *src, struct berval *pat);
66 static void print_acl(Backend *be, AccessControl *a);
69 static int check_scope( BackendDB *be, AccessControl *a );
73 slap_dynacl_config( const char *fname, int lineno, Access *b, const char *name, slap_style_t sty, const char *right )
75 slap_dynacl_t *da, *tmp;
78 for ( da = b->a_dynacl; da; da = da->da_next ) {
79 if ( strcasecmp( da->da_name, name ) == 0 ) {
81 "%s: line %d: dynacl \"%s\" already specified.\n",
82 fname, lineno, name );
87 da = slap_dynacl_get( name );
92 tmp = ch_malloc( sizeof( slap_dynacl_t ) );
95 if ( tmp->da_parse ) {
96 rc = ( *tmp->da_parse )( fname, lineno, sty, right, &tmp->da_private );
103 tmp->da_next = b->a_dynacl;
108 #endif /* SLAP_DYNACL */
111 regtest(const char *fname, int lineno, char *pat) {
127 for (size = 0, flag = 0; (size < sizeof(buf)) && *sp; sp++) {
129 if (*sp == '$'|| (*sp >= '0' && *sp <= '9')) {
146 if ( size >= (sizeof(buf) - 1) ) {
148 "%s: line %d: regular expression \"%s\" too large\n",
149 fname, lineno, pat );
153 if ((e = regcomp(&re, buf, REG_EXTENDED|REG_ICASE))) {
155 regerror(e, &re, error, sizeof(error));
157 "%s: line %d: regular expression \"%s\" bad because of %s\n",
158 fname, lineno, pat, error );
167 * Check if the pattern of an ACL, if any, matches the scope
168 * of the backend it is defined within.
170 #define ACL_SCOPE_UNKNOWN (-2)
171 #define ACL_SCOPE_ERR (-1)
172 #define ACL_SCOPE_OK (0)
173 #define ACL_SCOPE_PARTIAL (1)
174 #define ACL_SCOPE_WARN (2)
177 check_scope( BackendDB *be, AccessControl *a )
182 dn = be->be_nsuffix[0];
184 if ( BER_BVISEMPTY( &dn ) ) {
188 if ( !BER_BVISEMPTY( &a->acl_dn_pat ) ||
189 a->acl_dn_style != ACL_STYLE_REGEX )
191 slap_style_t style = a->acl_dn_style;
193 if ( style == ACL_STYLE_REGEX ) {
194 char dnbuf[SLAP_LDAPDN_MAXLEN + 2];
195 char rebuf[SLAP_LDAPDN_MAXLEN + 1];
200 /* add trailing '$' to database suffix to form
201 * a simple trial regex pattern "<suffix>$" */
202 AC_MEMCPY( dnbuf, be->be_nsuffix[0].bv_val,
203 be->be_nsuffix[0].bv_len );
204 dnbuf[be->be_nsuffix[0].bv_len] = '$';
205 dnbuf[be->be_nsuffix[0].bv_len + 1] = '\0';
207 if ( regcomp( &re, dnbuf, REG_EXTENDED|REG_ICASE ) ) {
208 return ACL_SCOPE_WARN;
211 /* remove trailing ')$', if any, from original
213 rebuflen = a->acl_dn_pat.bv_len;
214 AC_MEMCPY( rebuf, a->acl_dn_pat.bv_val, rebuflen + 1 );
215 if ( rebuf[rebuflen - 1] == '$' ) {
216 rebuf[--rebuflen] = '\0';
218 while ( rebuflen > be->be_nsuffix[0].bv_len && rebuf[rebuflen - 1] == ')' ) {
219 rebuf[--rebuflen] = '\0';
221 if ( rebuflen == be->be_nsuffix[0].bv_len ) {
226 /* not a clear indication of scoping error, though */
227 rc = regexec( &re, rebuf, 0, NULL, 0 )
228 ? ACL_SCOPE_WARN : ACL_SCOPE_OK;
235 patlen = a->acl_dn_pat.bv_len;
236 /* If backend suffix is longer than pattern,
237 * it is a potential mismatch (in the sense
238 * that a superior naming context could
240 if ( dn.bv_len > patlen ) {
241 /* base is blatantly wrong */
242 if ( style == ACL_STYLE_BASE ) return ACL_SCOPE_ERR;
244 /* a style of one can be wrong if there is
245 * more than one level between the suffix
247 if ( style == ACL_STYLE_ONE ) {
248 int rdnlen = -1, sep = 0;
251 if ( !DN_SEPARATOR( dn.bv_val[dn.bv_len - patlen - 1] )) {
252 return ACL_SCOPE_ERR;
257 rdnlen = dn_rdnlen( NULL, &dn );
258 if ( rdnlen != dn.bv_len - patlen - sep )
259 return ACL_SCOPE_ERR;
262 /* if the trailing part doesn't match,
263 * then it's an error */
264 if ( strcmp( a->acl_dn_pat.bv_val,
265 &dn.bv_val[dn.bv_len - patlen] ) != 0 )
267 return ACL_SCOPE_ERR;
270 return ACL_SCOPE_PARTIAL;
276 case ACL_STYLE_CHILDREN:
277 case ACL_STYLE_SUBTREE:
285 if ( dn.bv_len < patlen &&
286 !DN_SEPARATOR( a->acl_dn_pat.bv_val[patlen - dn.bv_len - 1] ))
288 return ACL_SCOPE_ERR;
291 if ( strcmp( &a->acl_dn_pat.bv_val[patlen - dn.bv_len], dn.bv_val )
294 return ACL_SCOPE_ERR;
300 return ACL_SCOPE_UNKNOWN;
313 char *left, *right, *style, *next;
321 for ( i = 1; i < argc; i++ ) {
322 /* to clause - select which entries are protected */
323 if ( strcasecmp( argv[i], "to" ) == 0 ) {
325 fprintf( stderr, "%s: line %d: "
326 "only one to clause allowed in access line\n",
330 a = (AccessControl *) ch_calloc( 1, sizeof(AccessControl) );
331 for ( ++i; i < argc; i++ ) {
332 if ( strcasecmp( argv[i], "by" ) == 0 ) {
337 if ( strcasecmp( argv[i], "*" ) == 0 ) {
338 if ( !BER_BVISEMPTY( &a->acl_dn_pat ) ||
339 a->acl_dn_style != ACL_STYLE_REGEX )
342 "%s: line %d: dn pattern"
343 " already specified in to clause.\n",
348 ber_str2bv( "*", STRLENOF( "*" ), 1, &a->acl_dn_pat );
352 split( argv[i], '=', &left, &right );
353 split( left, '.', &left, &style );
355 if ( right == NULL ) {
356 fprintf( stderr, "%s: line %d: "
357 "missing \"=\" in \"%s\" in to clause\n",
358 fname, lineno, left );
362 if ( strcasecmp( left, "dn" ) == 0 ) {
363 if ( !BER_BVISEMPTY( &a->acl_dn_pat ) ||
364 a->acl_dn_style != ACL_STYLE_REGEX )
367 "%s: line %d: dn pattern"
368 " already specified in to clause.\n",
373 if ( style == NULL || *style == '\0' ||
374 strcasecmp( style, "baseObject" ) == 0 ||
375 strcasecmp( style, "base" ) == 0 ||
376 strcasecmp( style, "exact" ) == 0 )
378 a->acl_dn_style = ACL_STYLE_BASE;
379 ber_str2bv( right, 0, 1, &a->acl_dn_pat );
381 } else if ( strcasecmp( style, "oneLevel" ) == 0 ||
382 strcasecmp( style, "one" ) == 0 )
384 a->acl_dn_style = ACL_STYLE_ONE;
385 ber_str2bv( right, 0, 1, &a->acl_dn_pat );
387 } else if ( strcasecmp( style, "subtree" ) == 0 ||
388 strcasecmp( style, "sub" ) == 0 )
390 if( *right == '\0' ) {
391 ber_str2bv( "*", STRLENOF( "*" ), 1, &a->acl_dn_pat );
394 a->acl_dn_style = ACL_STYLE_SUBTREE;
395 ber_str2bv( right, 0, 1, &a->acl_dn_pat );
398 } else if ( strcasecmp( style, "children" ) == 0 ) {
399 a->acl_dn_style = ACL_STYLE_CHILDREN;
400 ber_str2bv( right, 0, 1, &a->acl_dn_pat );
402 } else if ( strcasecmp( style, "regex" ) == 0 ) {
403 a->acl_dn_style = ACL_STYLE_REGEX;
405 if ( *right == '\0' ) {
406 /* empty regex should match empty DN */
407 a->acl_dn_style = ACL_STYLE_BASE;
408 ber_str2bv( right, 0, 1, &a->acl_dn_pat );
410 } else if ( strcmp(right, "*") == 0
411 || strcmp(right, ".*") == 0
412 || strcmp(right, ".*$") == 0
413 || strcmp(right, "^.*") == 0
414 || strcmp(right, "^.*$") == 0
415 || strcmp(right, ".*$$") == 0
416 || strcmp(right, "^.*$$") == 0 )
418 ber_str2bv( "*", STRLENOF("*"), 1, &a->acl_dn_pat );
421 acl_regex_normalized_dn( right, &a->acl_dn_pat );
425 fprintf( stderr, "%s: line %d: "
426 "unknown dn style \"%s\" in to clause\n",
427 fname, lineno, style );
434 if ( strcasecmp( left, "filter" ) == 0 ) {
435 if ( (a->acl_filter = str2filter( right )) == NULL ) {
437 "%s: line %d: bad filter \"%s\" in to clause\n",
438 fname, lineno, right );
442 } else if ( strcasecmp( left, "attr" ) == 0 /* TOLERATED */
443 || strcasecmp( left, "attrs" ) == 0 ) /* DOCUMENTED */
445 a->acl_attrs = str2anlist( a->acl_attrs,
447 if ( a->acl_attrs == NULL ) {
449 "%s: line %d: unknown attr \"%s\" in to clause\n",
450 fname, lineno, right );
454 } else if ( strncasecmp( left, "val", 3 ) == 0 ) {
457 if ( !BER_BVISEMPTY( &a->acl_attrval ) ) {
459 "%s: line %d: attr val already specified in to clause.\n",
463 if ( a->acl_attrs == NULL || !BER_BVISEMPTY( &a->acl_attrs[1].an_name ) )
466 "%s: line %d: attr val requires a single attribute.\n",
471 ber_str2bv( right, 0, 1, &a->acl_attrval );
472 a->acl_attrval_style = ACL_STYLE_BASE;
474 mr = strchr( left, '/' );
479 a->acl_attrval_mr = mr_find( mr );
480 if ( a->acl_attrval_mr == NULL ) {
481 fprintf( stderr, "%s: line %d: "
482 "invalid matching rule \"%s\".\n",
487 if( !mr_usable_with_at( a->acl_attrval_mr, a->acl_attrs[ 0 ].an_desc->ad_type ) )
489 fprintf( stderr, "%s: line %d: "
490 "matching rule \"%s\" use "
491 "with attr \"%s\" not appropriate.\n",
493 a->acl_attrs[ 0 ].an_name.bv_val );
498 if ( style != NULL ) {
499 if ( strcasecmp( style, "regex" ) == 0 ) {
500 int e = regcomp( &a->acl_attrval_re, a->acl_attrval.bv_val,
501 REG_EXTENDED | REG_ICASE | REG_NOSUB );
504 regerror( e, &a->acl_attrval_re, buf, sizeof(buf) );
505 fprintf( stderr, "%s: line %d: "
506 "regular expression \"%s\" bad because of %s\n",
507 fname, lineno, right, buf );
510 a->acl_attrval_style = ACL_STYLE_REGEX;
513 /* FIXME: if the attribute has DN syntax, we might
514 * allow one, subtree and children styles as well */
515 if ( !strcasecmp( style, "base" ) ||
516 !strcasecmp( style, "exact" ) ) {
517 a->acl_attrval_style = ACL_STYLE_BASE;
519 } else if ( a->acl_attrs[0].an_desc->ad_type->
520 sat_syntax == slap_schema.si_syn_distinguishedName )
524 if ( !strcasecmp( style, "baseObject" ) ||
525 !strcasecmp( style, "base" ) )
527 a->acl_attrval_style = ACL_STYLE_BASE;
528 } else if ( !strcasecmp( style, "onelevel" ) ||
529 !strcasecmp( style, "one" ) )
531 a->acl_attrval_style = ACL_STYLE_ONE;
532 } else if ( !strcasecmp( style, "subtree" ) ||
533 !strcasecmp( style, "sub" ) )
535 a->acl_attrval_style = ACL_STYLE_SUBTREE;
536 } else if ( !strcasecmp( style, "children" ) ) {
537 a->acl_attrval_style = ACL_STYLE_CHILDREN;
540 "%s: line %d: unknown val.<style> \"%s\" "
541 "for attributeType \"%s\" with DN syntax; "
543 fname, lineno, style,
544 a->acl_attrs[0].an_desc->ad_cname.bv_val );
545 a->acl_attrval_style = ACL_STYLE_BASE;
549 rc = dnNormalize( 0, NULL, NULL, &bv, &a->acl_attrval, NULL );
550 if ( rc != LDAP_SUCCESS ) {
552 "%s: line %d: unable to normalize DN \"%s\" "
553 "for attributeType \"%s\" (%d).\n",
554 fname, lineno, bv.bv_val,
555 a->acl_attrs[0].an_desc->ad_cname.bv_val, rc );
558 ber_memfree( bv.bv_val );
562 "%s: line %d: unknown val.<style> \"%s\" "
563 "for attributeType \"%s\"; using \"exact\"\n",
564 fname, lineno, style,
565 a->acl_attrs[0].an_desc->ad_cname.bv_val );
566 a->acl_attrval_style = ACL_STYLE_BASE;
571 /* Check for appropriate matching rule */
572 if ( a->acl_attrval_style != ACL_STYLE_REGEX ) {
573 if ( a->acl_attrval_mr == NULL ) {
574 a->acl_attrval_mr = a->acl_attrs[ 0 ].an_desc->ad_type->sat_equality;
577 if ( a->acl_attrval_mr == NULL ) {
578 fprintf( stderr, "%s: line %d: "
579 "attr \"%s\" must have an EQUALITY matching rule.\n",
580 fname, lineno, a->acl_attrs[ 0 ].an_name.bv_val );
587 "%s: line %d: expecting <what> got \"%s\"\n",
588 fname, lineno, left );
593 if ( !BER_BVISNULL( &a->acl_dn_pat ) &&
594 ber_bvccmp( &a->acl_dn_pat, '*' ) )
596 free( a->acl_dn_pat.bv_val );
597 BER_BVZERO( &a->acl_dn_pat );
598 a->acl_dn_style = ACL_STYLE_REGEX;
601 if ( !BER_BVISEMPTY( &a->acl_dn_pat ) ||
602 a->acl_dn_style != ACL_STYLE_REGEX )
604 if ( a->acl_dn_style != ACL_STYLE_REGEX ) {
606 rc = dnNormalize( 0, NULL, NULL, &a->acl_dn_pat, &bv, NULL);
607 if ( rc != LDAP_SUCCESS ) {
609 "%s: line %d: bad DN \"%s\" in to DN clause\n",
610 fname, lineno, a->acl_dn_pat.bv_val );
613 free( a->acl_dn_pat.bv_val );
617 int e = regcomp( &a->acl_dn_re, a->acl_dn_pat.bv_val,
618 REG_EXTENDED | REG_ICASE );
621 regerror( e, &a->acl_dn_re, buf, sizeof(buf) );
622 fprintf( stderr, "%s: line %d: "
623 "regular expression \"%s\" bad because of %s\n",
624 fname, lineno, right, buf );
630 /* by clause - select who has what access to entries */
631 } else if ( strcasecmp( argv[i], "by" ) == 0 ) {
633 fprintf( stderr, "%s: line %d: "
634 "to clause required before by clause in access line\n",
640 * by clause consists of <who> and <access>
643 b = (Access *) ch_calloc( 1, sizeof(Access) );
645 ACL_INVALIDATE( b->a_access_mask );
649 "%s: line %d: premature eol: expecting <who>\n",
655 for ( ; i < argc; i++ ) {
656 slap_style_t sty = ACL_STYLE_REGEX;
657 char *style_modifier = NULL;
658 char *style_level = NULL;
661 slap_dn_access *bdn = &b->a_dn;
664 split( argv[i], '=', &left, &right );
665 split( left, '.', &left, &style );
667 split( style, ',', &style, &style_modifier );
669 if ( strncasecmp( style, "level", STRLENOF( "level" ) ) == 0 ) {
670 split( style, '{', &style, &style_level );
671 if ( style_level != NULL ) {
672 char *p = strchr( style_level, '}' );
675 "%s: line %d: premature eol: "
676 "expecting closing '}' in \"level{n}\"\n",
679 } else if ( p == style_level ) {
681 "%s: line %d: empty level "
691 if ( style == NULL || *style == '\0' ||
692 strcasecmp( style, "exact" ) == 0 ||
693 strcasecmp( style, "baseObject" ) == 0 ||
694 strcasecmp( style, "base" ) == 0 )
696 sty = ACL_STYLE_BASE;
698 } else if ( strcasecmp( style, "onelevel" ) == 0 ||
699 strcasecmp( style, "one" ) == 0 )
703 } else if ( strcasecmp( style, "subtree" ) == 0 ||
704 strcasecmp( style, "sub" ) == 0 )
706 sty = ACL_STYLE_SUBTREE;
708 } else if ( strcasecmp( style, "children" ) == 0 ) {
709 sty = ACL_STYLE_CHILDREN;
711 } else if ( strcasecmp( style, "level" ) == 0 )
715 level = strtol( style_level, &next, 10 );
716 if ( next[0] != '\0' ) {
718 "%s: line %d: unable to parse level "
724 sty = ACL_STYLE_LEVEL;
726 } else if ( strcasecmp( style, "regex" ) == 0 ) {
727 sty = ACL_STYLE_REGEX;
729 } else if ( strcasecmp( style, "expand" ) == 0 ) {
730 sty = ACL_STYLE_EXPAND;
732 } else if ( strcasecmp( style, "ip" ) == 0 ) {
735 } else if ( strcasecmp( style, "path" ) == 0 ) {
736 sty = ACL_STYLE_PATH;
737 #ifndef LDAP_PF_LOCAL
738 fprintf( stderr, "%s: line %d: "
739 "path style modifier is useless without local\n",
741 #endif /* LDAP_PF_LOCAL */
745 "%s: line %d: unknown style \"%s\" in by clause\n",
746 fname, lineno, style );
750 if ( style_modifier &&
751 strcasecmp( style_modifier, "expand" ) == 0 )
754 case ACL_STYLE_REGEX:
755 fprintf( stderr, "%s: line %d: "
756 "\"regex\" style implies "
757 "\"expand\" modifier"
758 SLAPD_CONF_UNKNOWN_IGNORED ".\n",
760 #ifdef SLAPD_CONF_UNKNOWN_BAILOUT
762 #endif /* SLAPD_CONF_UNKNOWN_BAILOUT */
765 case ACL_STYLE_EXPAND:
767 /* FIXME: now it's legal... */
768 fprintf( stderr, "%s: line %d: "
769 "\"expand\" style used "
770 "in conjunction with "
771 "\"expand\" modifier"
772 SLAPD_CONF_UNKNOWN_IGNORED ".\n",
774 #ifdef SLAPD_CONF_UNKNOWN_BAILOUT
776 #endif /* SLAPD_CONF_UNKNOWN_BAILOUT */
781 /* we'll see later if it's pertinent */
787 /* expand in <who> needs regex in <what> */
788 if ( ( sty == ACL_STYLE_EXPAND || expand )
789 && a->acl_dn_style != ACL_STYLE_REGEX )
791 fprintf( stderr, "%s: line %d: "
792 "\"expand\" style or modifier used "
793 "in conjunction with "
794 "a non-regex <what> clause\n",
798 if ( strncasecmp( left, "real", STRLENOF( "real" ) ) == 0 ) {
801 left += STRLENOF( "real" );
804 if ( strcasecmp( left, "*" ) == 0 ) {
809 ber_str2bv( "*", STRLENOF( "*" ), 1, &bv );
810 sty = ACL_STYLE_REGEX;
812 } else if ( strcasecmp( left, "anonymous" ) == 0 ) {
813 ber_str2bv("anonymous", STRLENOF( "anonymous" ), 1, &bv);
814 sty = ACL_STYLE_ANONYMOUS;
816 } else if ( strcasecmp( left, "users" ) == 0 ) {
817 ber_str2bv("users", STRLENOF( "users" ), 1, &bv);
818 sty = ACL_STYLE_USERS;
820 } else if ( strcasecmp( left, "self" ) == 0 ) {
821 ber_str2bv("self", STRLENOF( "self" ), 1, &bv);
822 sty = ACL_STYLE_SELF;
824 } else if ( strcasecmp( left, "dn" ) == 0 ) {
825 if ( sty == ACL_STYLE_REGEX ) {
826 bdn->a_style = ACL_STYLE_REGEX;
827 if ( right == NULL ) {
832 bdn->a_style = ACL_STYLE_USERS;
834 } else if (*right == '\0' ) {
836 ber_str2bv("anonymous",
837 STRLENOF( "anonymous" ),
839 bdn->a_style = ACL_STYLE_ANONYMOUS;
841 } else if ( strcmp( right, "*" ) == 0 ) {
843 /* any or users? users for now */
847 bdn->a_style = ACL_STYLE_USERS;
849 } else if ( strcmp( right, ".+" ) == 0
850 || strcmp( right, "^.+" ) == 0
851 || strcmp( right, ".+$" ) == 0
852 || strcmp( right, "^.+$" ) == 0
853 || strcmp( right, ".+$$" ) == 0
854 || strcmp( right, "^.+$$" ) == 0 )
859 bdn->a_style = ACL_STYLE_USERS;
861 } else if ( strcmp( right, ".*" ) == 0
862 || strcmp( right, "^.*" ) == 0
863 || strcmp( right, ".*$" ) == 0
864 || strcmp( right, "^.*$" ) == 0
865 || strcmp( right, ".*$$" ) == 0
866 || strcmp( right, "^.*$$" ) == 0 )
873 acl_regex_normalized_dn( right, &bv );
874 if ( !ber_bvccmp( &bv, '*' ) ) {
875 regtest( fname, lineno, bv.bv_val );
879 } else if ( right == NULL || *right == '\0' ) {
880 fprintf( stderr, "%s: line %d: "
881 "missing \"=\" in (or value after) \"%s\" "
883 fname, lineno, left );
887 ber_str2bv( right, 0, 1, &bv );
894 if ( !BER_BVISNULL( &bv ) ) {
895 if ( !BER_BVISEMPTY( &bdn->a_pat ) ) {
897 "%s: line %d: dn pattern already specified.\n",
902 if ( sty != ACL_STYLE_REGEX &&
903 sty != ACL_STYLE_ANONYMOUS &&
904 sty != ACL_STYLE_USERS &&
905 sty != ACL_STYLE_SELF &&
908 rc = dnNormalize(0, NULL, NULL,
909 &bv, &bdn->a_pat, NULL);
910 if ( rc != LDAP_SUCCESS ) {
912 "%s: line %d: bad DN \"%s\" in by DN clause\n",
913 fname, lineno, bv.bv_val );
926 for ( exp = strchr( bdn->a_pat.bv_val, '$' );
927 exp && exp - bdn->a_pat.bv_val < bdn->a_pat.bv_len;
928 exp = strchr( exp, '$' ) )
930 if ( isdigit( exp[ 1 ] ) ) {
937 bdn->a_expand = expand;
941 "%s: line %d: \"expand\" used "
942 "with no expansions in \"pattern\""
943 SLAPD_CONF_UNKNOWN_IGNORED ".\n",
945 #ifdef SLAPD_CONF_UNKNOWN_BAILOUT
947 #endif /* SLAPD_CONF_UNKNOWN_BAILOUT */
950 if ( sty == ACL_STYLE_SELF ) {
951 bdn->a_self_level = level;
956 "%s: line %d: bad negative level \"%d\" "
958 fname, lineno, level );
960 } else if ( level == 1 ) {
962 "%s: line %d: \"onelevel\" should be used "
963 "instead of \"level{1}\" in by DN clause\n",
965 } else if ( level == 0 && sty == ACL_STYLE_LEVEL ) {
967 "%s: line %d: \"base\" should be used "
968 "instead of \"level{0}\" in by DN clause\n",
972 bdn->a_level = level;
977 if ( strcasecmp( left, "dnattr" ) == 0 ) {
978 if ( right == NULL || right[0] == '\0' ) {
979 fprintf( stderr, "%s: line %d: "
980 "missing \"=\" in (or value after) \"%s\" "
982 fname, lineno, left );
986 if( bdn->a_at != NULL ) {
988 "%s: line %d: dnattr already specified.\n",
993 rc = slap_str2ad( right, &bdn->a_at, &text );
995 if( rc != LDAP_SUCCESS ) {
997 "%s: line %d: dnattr \"%s\": %s\n",
998 fname, lineno, right, text );
1003 if( !is_at_syntax( bdn->a_at->ad_type,
1004 SLAPD_DN_SYNTAX ) &&
1005 !is_at_syntax( bdn->a_at->ad_type,
1006 SLAPD_NAMEUID_SYNTAX ))
1009 "%s: line %d: dnattr \"%s\": "
1010 "inappropriate syntax: %s\n",
1011 fname, lineno, right,
1012 bdn->a_at->ad_type->sat_syntax_oid );
1016 if( bdn->a_at->ad_type->sat_equality == NULL ) {
1018 "%s: line %d: dnattr \"%s\": "
1019 "inappropriate matching (no EQUALITY)\n",
1020 fname, lineno, right );
1027 if ( strncasecmp( left, "group", STRLENOF( "group" ) ) == 0 ) {
1032 case ACL_STYLE_REGEX:
1033 /* legacy, tolerated */
1034 fprintf( stderr, "%s: line %d: "
1035 "deprecated group style \"regex\"; "
1036 "use \"expand\" instead\n",
1038 sty = ACL_STYLE_EXPAND;
1041 case ACL_STYLE_BASE:
1042 /* legal, traditional */
1043 case ACL_STYLE_EXPAND:
1044 /* legal, substring expansion; supersedes regex */
1049 fprintf( stderr, "%s: line %d: "
1050 "inappropriate style \"%s\" in by clause\n",
1051 fname, lineno, style );
1055 if ( right == NULL || right[0] == '\0' ) {
1056 fprintf( stderr, "%s: line %d: "
1057 "missing \"=\" in (or value after) \"%s\" "
1059 fname, lineno, left );
1063 if ( !BER_BVISEMPTY( &b->a_group_pat ) ) {
1065 "%s: line %d: group pattern already specified.\n",
1070 /* format of string is
1071 "group/objectClassValue/groupAttrName" */
1072 if ( ( value = strchr(left, '/') ) != NULL ) {
1074 if ( *value && ( name = strchr( value, '/' ) ) != NULL ) {
1079 b->a_group_style = sty;
1080 if ( sty == ACL_STYLE_EXPAND ) {
1081 acl_regex_normalized_dn( right, &bv );
1082 if ( !ber_bvccmp( &bv, '*' ) ) {
1083 regtest( fname, lineno, bv.bv_val );
1085 b->a_group_pat = bv;
1088 ber_str2bv( right, 0, 0, &bv );
1089 rc = dnNormalize( 0, NULL, NULL, &bv,
1090 &b->a_group_pat, NULL );
1091 if ( rc != LDAP_SUCCESS ) {
1093 "%s: line %d: bad DN \"%s\"\n",
1094 fname, lineno, right );
1099 if ( value && *value ) {
1100 b->a_group_oc = oc_find( value );
1103 if ( b->a_group_oc == NULL ) {
1105 "%s: line %d: group objectclass "
1107 fname, lineno, value );
1112 b->a_group_oc = oc_find( SLAPD_GROUP_CLASS );
1114 if( b->a_group_oc == NULL ) {
1116 "%s: line %d: group default objectclass "
1118 fname, lineno, SLAPD_GROUP_CLASS );
1123 if ( is_object_subclass( slap_schema.si_oc_referral,
1127 "%s: line %d: group objectclass \"%s\" "
1128 "is subclass of referral\n",
1129 fname, lineno, value );
1133 if ( is_object_subclass( slap_schema.si_oc_alias,
1137 "%s: line %d: group objectclass \"%s\" "
1138 "is subclass of alias\n",
1139 fname, lineno, value );
1143 if ( name && *name ) {
1144 rc = slap_str2ad( name, &b->a_group_at, &text );
1146 if( rc != LDAP_SUCCESS ) {
1148 "%s: line %d: group \"%s\": %s\n",
1149 fname, lineno, right, text );
1155 rc = slap_str2ad( SLAPD_GROUP_ATTR, &b->a_group_at, &text );
1157 if ( rc != LDAP_SUCCESS ) {
1159 "%s: line %d: group \"%s\": %s\n",
1160 fname, lineno, SLAPD_GROUP_ATTR, text );
1165 if ( !is_at_syntax( b->a_group_at->ad_type,
1166 SLAPD_DN_SYNTAX ) &&
1167 !is_at_syntax( b->a_group_at->ad_type,
1168 SLAPD_NAMEUID_SYNTAX ) &&
1169 !is_at_subtype( b->a_group_at->ad_type, slap_schema.si_ad_labeledURI->ad_type ) )
1172 "%s: line %d: group \"%s\": inappropriate syntax: %s\n",
1173 fname, lineno, right,
1174 b->a_group_at->ad_type->sat_syntax_oid );
1181 struct berval vals[2];
1183 ber_str2bv( b->a_group_oc->soc_oid, 0, 0, &vals[0] );
1184 BER_BVZERO( &vals[1] );
1186 rc = oc_check_allowed( b->a_group_at->ad_type,
1190 fprintf( stderr, "%s: line %d: "
1191 "group: \"%s\" not allowed by \"%s\"\n",
1193 b->a_group_at->ad_cname.bv_val,
1194 b->a_group_oc->soc_oid );
1201 if ( strcasecmp( left, "peername" ) == 0 ) {
1203 case ACL_STYLE_REGEX:
1204 case ACL_STYLE_BASE:
1205 /* legal, traditional */
1206 case ACL_STYLE_EXPAND:
1207 /* cheap replacement to regex for simple expansion */
1209 case ACL_STYLE_PATH:
1210 /* legal, peername specific */
1214 fprintf( stderr, "%s: line %d: "
1215 "inappropriate style \"%s\" in by clause\n",
1216 fname, lineno, style );
1220 if ( right == NULL || right[0] == '\0' ) {
1221 fprintf( stderr, "%s: line %d: "
1222 "missing \"=\" in (or value after) \"%s\" "
1224 fname, lineno, left );
1228 if ( !BER_BVISEMPTY( &b->a_peername_pat ) ) {
1229 fprintf( stderr, "%s: line %d: "
1230 "peername pattern already specified.\n",
1235 b->a_peername_style = sty;
1236 if ( sty == ACL_STYLE_REGEX ) {
1237 acl_regex_normalized_dn( right, &bv );
1238 if ( !ber_bvccmp( &bv, '*' ) ) {
1239 regtest( fname, lineno, bv.bv_val );
1241 b->a_peername_pat = bv;
1244 ber_str2bv( right, 0, 1, &b->a_peername_pat );
1246 if ( sty == ACL_STYLE_IP ) {
1251 split( right, '{', &addr, &port );
1252 split( addr, '%', &addr, &mask );
1254 b->a_peername_addr = inet_addr( addr );
1255 if ( b->a_peername_addr == (unsigned long)(-1) ) {
1256 /* illegal address */
1257 fprintf( stderr, "%s: line %d: "
1258 "illegal peername address \"%s\".\n",
1259 fname, lineno, addr );
1263 b->a_peername_mask = (unsigned long)(-1);
1264 if ( mask != NULL ) {
1265 b->a_peername_mask = inet_addr( mask );
1266 if ( b->a_peername_mask ==
1267 (unsigned long)(-1) )
1270 fprintf( stderr, "%s: line %d: "
1271 "illegal peername address mask "
1273 fname, lineno, mask );
1278 b->a_peername_port = -1;
1282 b->a_peername_port = strtol( port, &end, 10 );
1283 if ( end[0] != '}' ) {
1285 fprintf( stderr, "%s: line %d: "
1286 "illegal peername port specification "
1288 fname, lineno, port );
1297 if ( strcasecmp( left, "sockname" ) == 0 ) {
1299 case ACL_STYLE_REGEX:
1300 case ACL_STYLE_BASE:
1301 /* legal, traditional */
1302 case ACL_STYLE_EXPAND:
1303 /* cheap replacement to regex for simple expansion */
1308 fprintf( stderr, "%s: line %d: "
1309 "inappropriate style \"%s\" in by clause\n",
1310 fname, lineno, style );
1314 if ( right == NULL || right[0] == '\0' ) {
1315 fprintf( stderr, "%s: line %d: "
1316 "missing \"=\" in (or value after) \"%s\" "
1318 fname, lineno, left );
1322 if ( !BER_BVISNULL( &b->a_sockname_pat ) ) {
1323 fprintf( stderr, "%s: line %d: "
1324 "sockname pattern already specified.\n",
1329 b->a_sockname_style = sty;
1330 if ( sty == ACL_STYLE_REGEX ) {
1331 acl_regex_normalized_dn( right, &bv );
1332 if ( !ber_bvccmp( &bv, '*' ) ) {
1333 regtest( fname, lineno, bv.bv_val );
1335 b->a_sockname_pat = bv;
1338 ber_str2bv( right, 0, 1, &b->a_sockname_pat );
1343 if ( strcasecmp( left, "domain" ) == 0 ) {
1345 case ACL_STYLE_REGEX:
1346 case ACL_STYLE_BASE:
1347 case ACL_STYLE_SUBTREE:
1348 /* legal, traditional */
1351 case ACL_STYLE_EXPAND:
1352 /* tolerated: means exact,expand */
1356 "\"expand\" modifier "
1357 "with \"expand\" style\n",
1360 sty = ACL_STYLE_BASE;
1366 fprintf( stderr, "%s: line %d: "
1367 "inappropriate style \"%s\" in by clause\n",
1368 fname, lineno, style );
1372 if ( right == NULL || right[0] == '\0' ) {
1373 fprintf( stderr, "%s: line %d: "
1374 "missing \"=\" in (or value after) \"%s\" "
1376 fname, lineno, left );
1380 if ( !BER_BVISEMPTY( &b->a_domain_pat ) ) {
1382 "%s: line %d: domain pattern already specified.\n",
1387 b->a_domain_style = sty;
1388 b->a_domain_expand = expand;
1389 if ( sty == ACL_STYLE_REGEX ) {
1390 acl_regex_normalized_dn( right, &bv );
1391 if ( !ber_bvccmp( &bv, '*' ) ) {
1392 regtest( fname, lineno, bv.bv_val );
1394 b->a_domain_pat = bv;
1397 ber_str2bv( right, 0, 1, &b->a_domain_pat );
1402 if ( strcasecmp( left, "sockurl" ) == 0 ) {
1404 case ACL_STYLE_REGEX:
1405 case ACL_STYLE_BASE:
1406 /* legal, traditional */
1407 case ACL_STYLE_EXPAND:
1408 /* cheap replacement to regex for simple expansion */
1413 fprintf( stderr, "%s: line %d: "
1414 "inappropriate style \"%s\" in by clause\n",
1415 fname, lineno, style );
1419 if ( right == NULL || right[0] == '\0' ) {
1420 fprintf( stderr, "%s: line %d: "
1421 "missing \"=\" in (or value after) \"%s\" "
1423 fname, lineno, left );
1427 if ( !BER_BVISEMPTY( &b->a_sockurl_pat ) ) {
1429 "%s: line %d: sockurl pattern already specified.\n",
1434 b->a_sockurl_style = sty;
1435 if ( sty == ACL_STYLE_REGEX ) {
1436 acl_regex_normalized_dn( right, &bv );
1437 if ( !ber_bvccmp( &bv, '*' ) ) {
1438 regtest( fname, lineno, bv.bv_val );
1440 b->a_sockurl_pat = bv;
1443 ber_str2bv( right, 0, 1, &b->a_sockurl_pat );
1448 if ( strcasecmp( left, "set" ) == 0 ) {
1451 case ACL_STYLE_REGEX:
1452 fprintf( stderr, "%s: line %d: "
1453 "deprecated set style "
1454 "\"regex\" in <by> clause; "
1455 "use \"expand\" instead\n",
1457 sty = ACL_STYLE_EXPAND;
1460 case ACL_STYLE_BASE:
1461 case ACL_STYLE_EXPAND:
1465 fprintf( stderr, "%s: line %d: "
1466 "inappropriate style \"%s\" in by clause\n",
1467 fname, lineno, style );
1471 if ( !BER_BVISEMPTY( &b->a_set_pat ) ) {
1473 "%s: line %d: set attribute already specified.\n",
1478 if ( right == NULL || *right == '\0' ) {
1480 "%s: line %d: no set is defined\n",
1485 b->a_set_style = sty;
1486 ber_str2bv( right, 0, 1, &b->a_set_pat );
1495 if ( strcasecmp( left, "aci" ) == 0 ) {
1498 } else if ( strncasecmp( left, "dynacl/", STRLENOF( "dynacl/" ) ) == 0 ) {
1499 name = &left[ STRLENOF( "dynacl/" ) ];
1503 if ( slap_dynacl_config( fname, lineno, b, name, sty, right ) ) {
1504 fprintf( stderr, "%s: line %d: "
1505 "unable to configure dynacl \"%s\"\n",
1506 fname, lineno, name );
1513 #else /* ! SLAP_DYNACL */
1515 #ifdef SLAPD_ACI_ENABLED
1516 if ( strcasecmp( left, "aci" ) == 0 ) {
1517 if (sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE) {
1518 fprintf( stderr, "%s: line %d: "
1519 "inappropriate style \"%s\" in by clause\n",
1520 fname, lineno, style );
1524 if( b->a_aci_at != NULL ) {
1526 "%s: line %d: aci attribute already specified.\n",
1531 if ( right != NULL && *right != '\0' ) {
1532 rc = slap_str2ad( right, &b->a_aci_at, &text );
1534 if( rc != LDAP_SUCCESS ) {
1536 "%s: line %d: aci \"%s\": %s\n",
1537 fname, lineno, right, text );
1542 b->a_aci_at = slap_schema.si_ad_aci;
1545 if( !is_at_syntax( b->a_aci_at->ad_type,
1548 fprintf( stderr, "%s: line %d: "
1549 "aci \"%s\": inappropriate syntax: %s\n",
1550 fname, lineno, right,
1551 b->a_aci_at->ad_type->sat_syntax_oid );
1557 #endif /* SLAPD_ACI_ENABLED */
1558 #endif /* ! SLAP_DYNACL */
1560 if ( strcasecmp( left, "ssf" ) == 0 ) {
1561 if ( sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE ) {
1562 fprintf( stderr, "%s: line %d: "
1563 "inappropriate style \"%s\" in by clause\n",
1564 fname, lineno, style );
1568 if ( b->a_authz.sai_ssf ) {
1570 "%s: line %d: ssf attribute already specified.\n",
1575 if ( right == NULL || *right == '\0' ) {
1577 "%s: line %d: no ssf is defined\n",
1582 b->a_authz.sai_ssf = strtol( right, &next, 10 );
1583 if ( next == NULL || next[0] != '\0' ) {
1585 "%s: line %d: unable to parse ssf value (%s)\n",
1586 fname, lineno, right );
1590 if ( !b->a_authz.sai_ssf ) {
1592 "%s: line %d: invalid ssf value (%s)\n",
1593 fname, lineno, right );
1599 if ( strcasecmp( left, "transport_ssf" ) == 0 ) {
1600 if ( sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE ) {
1601 fprintf( stderr, "%s: line %d: "
1602 "inappropriate style \"%s\" in by clause\n",
1603 fname, lineno, style );
1607 if ( b->a_authz.sai_transport_ssf ) {
1608 fprintf( stderr, "%s: line %d: "
1609 "transport_ssf attribute already specified.\n",
1614 if ( right == NULL || *right == '\0' ) {
1616 "%s: line %d: no transport_ssf is defined\n",
1621 b->a_authz.sai_transport_ssf = strtol( right, &next, 10 );
1622 if ( next == NULL || next[0] != '\0' ) {
1623 fprintf( stderr, "%s: line %d: "
1624 "unable to parse transport_ssf value (%s)\n",
1625 fname, lineno, right );
1629 if ( !b->a_authz.sai_transport_ssf ) {
1631 "%s: line %d: invalid transport_ssf value (%s)\n",
1632 fname, lineno, right );
1638 if ( strcasecmp( left, "tls_ssf" ) == 0 ) {
1639 if ( sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE ) {
1640 fprintf( stderr, "%s: line %d: "
1641 "inappropriate style \"%s\" in by clause\n",
1642 fname, lineno, style );
1646 if ( b->a_authz.sai_tls_ssf ) {
1647 fprintf( stderr, "%s: line %d: "
1648 "tls_ssf attribute already specified.\n",
1653 if ( right == NULL || *right == '\0' ) {
1655 "%s: line %d: no tls_ssf is defined\n",
1660 b->a_authz.sai_tls_ssf = strtol( right, &next, 10 );
1661 if ( next == NULL || next[0] != '\0' ) {
1662 fprintf( stderr, "%s: line %d: "
1663 "unable to parse tls_ssf value (%s)\n",
1664 fname, lineno, right );
1668 if ( !b->a_authz.sai_tls_ssf ) {
1670 "%s: line %d: invalid tls_ssf value (%s)\n",
1671 fname, lineno, right );
1677 if ( strcasecmp( left, "sasl_ssf" ) == 0 ) {
1678 if ( sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE ) {
1679 fprintf( stderr, "%s: line %d: "
1680 "inappropriate style \"%s\" in by clause\n",
1681 fname, lineno, style );
1685 if ( b->a_authz.sai_sasl_ssf ) {
1686 fprintf( stderr, "%s: line %d: "
1687 "sasl_ssf attribute already specified.\n",
1692 if ( right == NULL || *right == '\0' ) {
1694 "%s: line %d: no sasl_ssf is defined\n",
1699 b->a_authz.sai_sasl_ssf = strtol( right, &next, 10 );
1700 if ( next == NULL || next[0] != '\0' ) {
1701 fprintf( stderr, "%s: line %d: "
1702 "unable to parse sasl_ssf value (%s)\n",
1703 fname, lineno, right );
1707 if ( !b->a_authz.sai_sasl_ssf ) {
1709 "%s: line %d: invalid sasl_ssf value (%s)\n",
1710 fname, lineno, right );
1716 if ( right != NULL ) {
1723 if ( i == argc || ( strcasecmp( left, "stop" ) == 0 ) ) {
1724 /* out of arguments or plain stop */
1726 ACL_PRIV_ASSIGN( b->a_access_mask, ACL_PRIV_ADDITIVE );
1727 b->a_type = ACL_STOP;
1729 access_append( &a->acl_access, b );
1733 if ( strcasecmp( left, "continue" ) == 0 ) {
1734 /* plain continue */
1736 ACL_PRIV_ASSIGN( b->a_access_mask, ACL_PRIV_ADDITIVE );
1737 b->a_type = ACL_CONTINUE;
1739 access_append( &a->acl_access, b );
1743 if ( strcasecmp( left, "break" ) == 0 ) {
1744 /* plain continue */
1746 ACL_PRIV_ASSIGN(b->a_access_mask, ACL_PRIV_ADDITIVE);
1747 b->a_type = ACL_BREAK;
1749 access_append( &a->acl_access, b );
1753 if ( strcasecmp( left, "by" ) == 0 ) {
1754 /* we've gone too far */
1756 ACL_PRIV_ASSIGN( b->a_access_mask, ACL_PRIV_ADDITIVE );
1757 b->a_type = ACL_STOP;
1759 access_append( &a->acl_access, b );
1764 if ( strncasecmp( left, "self", STRLENOF( "self" ) ) == 0 ) {
1766 ACL_PRIV_ASSIGN( b->a_access_mask, str2accessmask( &left[ STRLENOF( "self" ) ] ) );
1768 } else if ( strncasecmp( left, "realself", STRLENOF( "realself" ) ) == 0 ) {
1769 b->a_realdn_self = 1;
1770 ACL_PRIV_ASSIGN( b->a_access_mask, str2accessmask( &left[ STRLENOF( "realself" ) ] ) );
1773 ACL_PRIV_ASSIGN( b->a_access_mask, str2accessmask( left ) );
1776 if ( ACL_IS_INVALID( b->a_access_mask ) ) {
1778 "%s: line %d: expecting <access> got \"%s\"\n",
1779 fname, lineno, left );
1783 b->a_type = ACL_STOP;
1785 if ( ++i == argc ) {
1786 /* out of arguments or plain stop */
1787 access_append( &a->acl_access, b );
1791 if ( strcasecmp( argv[i], "continue" ) == 0 ) {
1792 /* plain continue */
1793 b->a_type = ACL_CONTINUE;
1795 } else if ( strcasecmp( argv[i], "break" ) == 0 ) {
1796 /* plain continue */
1797 b->a_type = ACL_BREAK;
1799 } else if ( strcasecmp( argv[i], "stop" ) != 0 ) {
1804 access_append( &a->acl_access, b );
1808 "%s: line %d: expecting \"to\" "
1809 "or \"by\" got \"%s\"\n",
1810 fname, lineno, argv[i] );
1815 /* if we have no real access clause, complain and do nothing */
1817 fprintf( stderr, "%s: line %d: "
1818 "warning: no access clause(s) specified in access line\n",
1823 if ( ldap_debug & LDAP_DEBUG_ACL ) {
1828 if ( a->acl_access == NULL ) {
1829 fprintf( stderr, "%s: line %d: "
1830 "warning: no by clause(s) specified in access line\n",
1835 if ( !BER_BVISNULL( &be->be_nsuffix[ 1 ] ) ) {
1836 fprintf( stderr, "%s: line %d: warning: "
1837 "scope checking only applies to single-valued "
1838 "suffix databases\n",
1840 /* go ahead, since checking is not authoritative */
1843 switch ( check_scope( be, a ) ) {
1844 case ACL_SCOPE_UNKNOWN:
1845 fprintf( stderr, "%s: line %d: warning: "
1846 "cannot assess the validity of the ACL scope within "
1847 "backend naming context\n",
1851 case ACL_SCOPE_WARN:
1852 fprintf( stderr, "%s: line %d: warning: "
1853 "ACL could be out of scope within backend naming context\n",
1857 case ACL_SCOPE_PARTIAL:
1858 fprintf( stderr, "%s: line %d: warning: "
1859 "ACL appears to be partially out of scope within "
1860 "backend naming context\n",
1865 fprintf( stderr, "%s: line %d: warning: "
1866 "ACL appears to be out of scope within "
1867 "backend naming context\n",
1874 acl_append( &be->be_acl, a, pos );
1877 acl_append( &frontendDB->be_acl, a, pos );
1883 accessmask2str( slap_mask_t mask, char *buf, int debug )
1888 assert( buf != NULL );
1890 if ( ACL_IS_INVALID( mask ) ) {
1896 if ( ACL_IS_LEVEL( mask ) ) {
1897 if ( ACL_LVL_IS_NONE(mask) ) {
1898 ptr = lutil_strcopy( ptr, "none" );
1900 } else if ( ACL_LVL_IS_DISCLOSE(mask) ) {
1901 ptr = lutil_strcopy( ptr, "disclose" );
1903 } else if ( ACL_LVL_IS_AUTH(mask) ) {
1904 ptr = lutil_strcopy( ptr, "auth" );
1906 } else if ( ACL_LVL_IS_COMPARE(mask) ) {
1907 ptr = lutil_strcopy( ptr, "compare" );
1909 } else if ( ACL_LVL_IS_SEARCH(mask) ) {
1910 ptr = lutil_strcopy( ptr, "search" );
1912 } else if ( ACL_LVL_IS_READ(mask) ) {
1913 ptr = lutil_strcopy( ptr, "read" );
1915 } else if ( ACL_LVL_IS_WRITE(mask) ) {
1916 ptr = lutil_strcopy( ptr, "write" );
1918 } else if ( ACL_LVL_IS_WADD(mask) ) {
1919 ptr = lutil_strcopy( ptr, "add" );
1921 } else if ( ACL_LVL_IS_WDEL(mask) ) {
1922 ptr = lutil_strcopy( ptr, "delete" );
1924 } else if ( ACL_LVL_IS_MANAGE(mask) ) {
1925 ptr = lutil_strcopy( ptr, "manage" );
1928 ptr = lutil_strcopy( ptr, "unknown" );
1938 if( ACL_IS_ADDITIVE( mask ) ) {
1941 } else if( ACL_IS_SUBTRACTIVE( mask ) ) {
1948 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_MANAGE) ) {
1953 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_WRITE) ) {
1957 } else if ( ACL_PRIV_ISSET(mask, ACL_PRIV_WADD) ) {
1961 } else if ( ACL_PRIV_ISSET(mask, ACL_PRIV_WDEL) ) {
1966 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_READ) ) {
1971 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_SEARCH) ) {
1976 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_COMPARE) ) {
1981 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_AUTH) ) {
1986 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_DISCLOSE) ) {
1991 if ( none && ACL_PRIV_ISSET(mask, ACL_PRIV_NONE) ) {
2000 if ( ACL_IS_LEVEL( mask ) ) {
2010 str2accessmask( const char *str )
2014 if( !ASCII_ALPHA(str[0]) ) {
2017 if ( str[0] == '=' ) {
2020 } else if( str[0] == '+' ) {
2021 ACL_PRIV_ASSIGN(mask, ACL_PRIV_ADDITIVE);
2023 } else if( str[0] == '-' ) {
2024 ACL_PRIV_ASSIGN(mask, ACL_PRIV_SUBSTRACTIVE);
2027 ACL_INVALIDATE(mask);
2031 for( i=1; str[i] != '\0'; i++ ) {
2032 if( TOLOWER((unsigned char) str[i]) == 'm' ) {
2033 ACL_PRIV_SET(mask, ACL_PRIV_MANAGE);
2035 } else if( TOLOWER((unsigned char) str[i]) == 'w' ) {
2036 ACL_PRIV_SET(mask, ACL_PRIV_WRITE);
2038 } else if( TOLOWER((unsigned char) str[i]) == 'a' ) {
2039 ACL_PRIV_SET(mask, ACL_PRIV_WADD);
2041 } else if( TOLOWER((unsigned char) str[i]) == 'z' ) {
2042 ACL_PRIV_SET(mask, ACL_PRIV_WDEL);
2044 } else if( TOLOWER((unsigned char) str[i]) == 'r' ) {
2045 ACL_PRIV_SET(mask, ACL_PRIV_READ);
2047 } else if( TOLOWER((unsigned char) str[i]) == 's' ) {
2048 ACL_PRIV_SET(mask, ACL_PRIV_SEARCH);
2050 } else if( TOLOWER((unsigned char) str[i]) == 'c' ) {
2051 ACL_PRIV_SET(mask, ACL_PRIV_COMPARE);
2053 } else if( TOLOWER((unsigned char) str[i]) == 'x' ) {
2054 ACL_PRIV_SET(mask, ACL_PRIV_AUTH);
2056 } else if( TOLOWER((unsigned char) str[i]) == 'd' ) {
2057 ACL_PRIV_SET(mask, ACL_PRIV_DISCLOSE);
2059 } else if( str[i] != '0' ) {
2060 ACL_INVALIDATE(mask);
2068 if ( strcasecmp( str, "none" ) == 0 ) {
2069 ACL_LVL_ASSIGN_NONE(mask);
2071 } else if ( strcasecmp( str, "disclose" ) == 0 ) {
2072 ACL_LVL_ASSIGN_DISCLOSE(mask);
2074 } else if ( strcasecmp( str, "auth" ) == 0 ) {
2075 ACL_LVL_ASSIGN_AUTH(mask);
2077 } else if ( strcasecmp( str, "compare" ) == 0 ) {
2078 ACL_LVL_ASSIGN_COMPARE(mask);
2080 } else if ( strcasecmp( str, "search" ) == 0 ) {
2081 ACL_LVL_ASSIGN_SEARCH(mask);
2083 } else if ( strcasecmp( str, "read" ) == 0 ) {
2084 ACL_LVL_ASSIGN_READ(mask);
2086 } else if ( strcasecmp( str, "add" ) == 0 ) {
2087 ACL_LVL_ASSIGN_WADD(mask);
2089 } else if ( strcasecmp( str, "delete" ) == 0 ) {
2090 ACL_LVL_ASSIGN_WDEL(mask);
2092 } else if ( strcasecmp( str, "write" ) == 0 ) {
2093 ACL_LVL_ASSIGN_WRITE(mask);
2095 } else if ( strcasecmp( str, "manage" ) == 0 ) {
2096 ACL_LVL_ASSIGN_MANAGE(mask);
2099 ACL_INVALIDATE( mask );
2108 fprintf( stderr, "%s%s%s\n",
2109 "<access clause> ::= access to <what> "
2110 "[ by <who> <access> [ <control> ] ]+ \n"
2111 "<what> ::= * | [dn[.<dnstyle>]=<DN>] [filter=<filter>] [attrs=<attrlist>]\n"
2112 "<attrlist> ::= <attr> [val[/matchingRule][.<attrstyle>]=<value>] | <attr> , <attrlist>\n"
2113 "<attr> ::= <attrname> | entry | children\n",
2114 "<who> ::= [ * | anonymous | users | self | dn[.<dnstyle>]=<DN> ]\n"
2115 "\t[ realanonymous | realusers | realself | realdn[.<dnstyle>]=<DN> ]\n"
2116 "\t[dnattr=<attrname>]\n"
2117 "\t[realdnattr=<attrname>]\n"
2118 "\t[group[/<objectclass>[/<attrname>]][.<style>]=<group>]\n"
2119 "\t[peername[.<peernamestyle>]=<peer>] [sockname[.<style>]=<name>]\n"
2120 "\t[domain[.<domainstyle>]=<domain>] [sockurl[.<style>]=<url>]\n"
2121 #ifdef SLAPD_ACI_ENABLED
2122 "\t[aci=[<attrname>]]\n"
2125 "\t[dynacl/<name>[.<dynstyle>][=<pattern>]]\n"
2126 #endif /* SLAP_DYNACL */
2127 "\t[ssf=<n>] [transport_ssf=<n>] [tls_ssf=<n>] [sasl_ssf=<n>]\n",
2128 "<style> ::= exact | regex | base(Object)\n"
2129 "<dnstyle> ::= base(Object) | one(level) | sub(tree) | children | "
2131 "<attrstyle> ::= exact | regex | base(Object) | one(level) | "
2132 "sub(tree) | children\n"
2133 "<peernamestyle> ::= exact | regex | ip | path\n"
2134 "<domainstyle> ::= exact | regex | base(Object) | sub(tree)\n"
2135 "<access> ::= [[real]self]{<level>|<priv>}\n"
2136 "<level> ::= none|disclose|auth|compare|search|read|{write|add|delete}|manage\n"
2137 "<priv> ::= {=|+|-}{0|d|x|c|s|r|{w|a|z}|m}+\n"
2138 "<control> ::= [ stop | continue | break ]\n"
2140 exit( EXIT_FAILURE );
2144 * Set pattern to a "normalized" DN from src.
2145 * At present it simply eats the (optional) space after
2146 * a RDN separator (,)
2147 * Eventually will evolve in a more complete normalization
2150 acl_regex_normalized_dn(
2152 struct berval *pattern )
2157 str = ch_strdup( src );
2158 len = strlen( src );
2160 for ( p = str; p && p[0]; p++ ) {
2162 if ( p[0] == '\\' && p[1] ) {
2164 * if escaping a hex pair we should
2165 * increment p twice; however, in that
2166 * case the second hex number does
2172 if ( p[0] == ',' && p[1] == ' ' ) {
2176 * too much space should be an error if we are pedantic
2178 for ( q = &p[2]; q[0] == ' '; q++ ) {
2181 AC_MEMCPY( p+1, q, len-(q-str)+1);
2184 pattern->bv_val = str;
2185 pattern->bv_len = p - str;
2198 if ( (*right = strchr( line, splitchar )) != NULL ) {
2199 *((*right)++) = '\0';
2204 access_append( Access **l, Access *a )
2206 for ( ; *l != NULL; l = &(*l)->a_next ) {
2214 acl_append( AccessControl **l, AccessControl *a, int pos )
2218 for (i=0 ; i != pos && *l != NULL; l = &(*l)->acl_next, i++ ) {
2227 access_free( Access *a )
2229 if ( !BER_BVISNULL( &a->a_dn_pat ) ) {
2230 free( a->a_dn_pat.bv_val );
2232 if ( !BER_BVISNULL( &a->a_realdn_pat ) ) {
2233 free( a->a_realdn_pat.bv_val );
2235 if ( !BER_BVISNULL( &a->a_peername_pat ) ) {
2236 free( a->a_peername_pat.bv_val );
2238 if ( !BER_BVISNULL( &a->a_sockname_pat ) ) {
2239 free( a->a_sockname_pat.bv_val );
2241 if ( !BER_BVISNULL( &a->a_domain_pat ) ) {
2242 free( a->a_domain_pat.bv_val );
2244 if ( !BER_BVISNULL( &a->a_sockurl_pat ) ) {
2245 free( a->a_sockurl_pat.bv_val );
2247 if ( !BER_BVISNULL( &a->a_set_pat ) ) {
2248 free( a->a_set_pat.bv_val );
2250 if ( !BER_BVISNULL( &a->a_group_pat ) ) {
2251 free( a->a_group_pat.bv_val );
2254 if ( a->a_dynacl != NULL ) {
2256 for ( da = a->a_dynacl; da; ) {
2257 slap_dynacl_t *tmp = da;
2261 if ( tmp->da_destroy ) {
2262 tmp->da_destroy( tmp->da_private );
2268 #endif /* SLAP_DYNACL */
2273 acl_free( AccessControl *a )
2278 if ( a->acl_filter ) {
2279 filter_free( a->acl_filter );
2281 if ( !BER_BVISNULL( &a->acl_dn_pat ) ) {
2282 if ( a->acl_dn_style == ACL_STYLE_REGEX ) {
2283 regfree( &a->acl_dn_re );
2285 free ( a->acl_dn_pat.bv_val );
2287 if ( a->acl_attrs ) {
2288 for ( an = a->acl_attrs; !BER_BVISNULL( &an->an_name ); an++ ) {
2289 free( an->an_name.bv_val );
2291 free( a->acl_attrs );
2293 for ( ; a->acl_access; a->acl_access = n ) {
2294 n = a->acl_access->a_next;
2295 access_free( a->acl_access );
2300 /* Because backend_startup uses acl_append to tack on the global_acl to
2301 * the end of each backend's acl, we cannot just take one argument and
2302 * merrily free our way to the end of the list. backend_destroy calls us
2303 * with the be_acl in arg1, and global_acl in arg2 to give us a stopping
2304 * point. config_destroy calls us with global_acl in arg1 and NULL in
2305 * arg2, so we then proceed to polish off the global_acl.
2308 acl_destroy( AccessControl *a, AccessControl *end )
2312 for ( ; a && a != end; a = n ) {
2319 access2str( slap_access_t access )
2321 if ( access == ACL_NONE ) {
2324 } else if ( access == ACL_DISCLOSE ) {
2327 } else if ( access == ACL_AUTH ) {
2330 } else if ( access == ACL_COMPARE ) {
2333 } else if ( access == ACL_SEARCH ) {
2336 } else if ( access == ACL_READ ) {
2339 } else if ( access == ACL_WRITE ) {
2342 } else if ( access == ACL_WADD ) {
2345 } else if ( access == ACL_WDEL ) {
2348 } else if ( access == ACL_MANAGE ) {
2357 str2access( const char *str )
2359 if ( strcasecmp( str, "none" ) == 0 ) {
2362 } else if ( strcasecmp( str, "disclose" ) == 0 ) {
2363 #ifndef SLAP_ACL_HONOR_DISCLOSE
2364 fprintf( stderr, "str2access: warning, "
2365 "\"disclose\" privilege disabled.\n" );
2366 #endif /* SLAP_ACL_HONOR_DISCLOSE */
2367 return ACL_DISCLOSE;
2369 } else if ( strcasecmp( str, "auth" ) == 0 ) {
2372 } else if ( strcasecmp( str, "compare" ) == 0 ) {
2375 } else if ( strcasecmp( str, "search" ) == 0 ) {
2378 } else if ( strcasecmp( str, "read" ) == 0 ) {
2381 } else if ( strcasecmp( str, "write" ) == 0 ) {
2384 } else if ( strcasecmp( str, "add" ) == 0 ) {
2387 } else if ( strcasecmp( str, "delete" ) == 0 ) {
2390 } else if ( strcasecmp( str, "manage" ) == 0 ) {
2394 return( ACL_INVALID_ACCESS );
2397 #define ACLBUF_MAXLEN 8192
2399 static char aclbuf[ACLBUF_MAXLEN];
2402 dnaccess2text( slap_dn_access *bdn, char *ptr, int is_realdn )
2407 ptr = lutil_strcopy( ptr, "real" );
2410 if ( ber_bvccmp( &bdn->a_pat, '*' ) ||
2411 bdn->a_style == ACL_STYLE_ANONYMOUS ||
2412 bdn->a_style == ACL_STYLE_USERS ||
2413 bdn->a_style == ACL_STYLE_SELF )
2416 assert( ! ber_bvccmp( &bdn->a_pat, '*' ) );
2419 ptr = lutil_strcopy( ptr, bdn->a_pat.bv_val );
2420 if ( bdn->a_style == ACL_STYLE_SELF && bdn->a_self_level != 0 ) {
2421 int n = sprintf( ptr, ".level{%d}", bdn->a_self_level );
2428 ptr = lutil_strcopy( ptr, "dn." );
2429 if ( bdn->a_style == ACL_STYLE_BASE )
2430 ptr = lutil_strcopy( ptr, style_base );
2432 ptr = lutil_strcopy( ptr, style_strings[bdn->a_style] );
2433 if ( bdn->a_style == ACL_STYLE_LEVEL ) {
2434 int n = sprintf( ptr, "{%d}", bdn->a_level );
2439 if ( bdn->a_expand ) {
2440 ptr = lutil_strcopy( ptr, ",expand" );
2444 ptr = lutil_strcopy( ptr, bdn->a_pat.bv_val );
2451 access2text( Access *b, char *ptr )
2453 char maskbuf[ACCESSMASK_MAXLEN];
2455 ptr = lutil_strcopy( ptr, "\tby" );
2457 if ( !BER_BVISEMPTY( &b->a_dn_pat ) ) {
2458 ptr = dnaccess2text( &b->a_dn, ptr, 0 );
2461 ptr = lutil_strcopy( ptr, " dnattr=" );
2462 ptr = lutil_strcopy( ptr, b->a_dn_at->ad_cname.bv_val );
2465 if ( !BER_BVISEMPTY( &b->a_realdn_pat ) ) {
2466 ptr = dnaccess2text( &b->a_realdn, ptr, 1 );
2468 if ( b->a_realdn_at ) {
2469 ptr = lutil_strcopy( ptr, " realdnattr=" );
2470 ptr = lutil_strcopy( ptr, b->a_realdn_at->ad_cname.bv_val );
2473 if ( !BER_BVISEMPTY( &b->a_group_pat ) ) {
2474 ptr = lutil_strcopy( ptr, " group/" );
2475 ptr = lutil_strcopy( ptr, b->a_group_oc ?
2476 b->a_group_oc->soc_cname.bv_val : SLAPD_GROUP_CLASS );
2478 ptr = lutil_strcopy( ptr, b->a_group_at ?
2479 b->a_group_at->ad_cname.bv_val : SLAPD_GROUP_ATTR );
2481 ptr = lutil_strcopy( ptr, style_strings[b->a_group_style] );
2484 ptr = lutil_strcopy( ptr, b->a_group_pat.bv_val );
2488 if ( !BER_BVISEMPTY( &b->a_peername_pat ) ) {
2489 ptr = lutil_strcopy( ptr, " peername" );
2491 ptr = lutil_strcopy( ptr, style_strings[b->a_peername_style] );
2494 ptr = lutil_strcopy( ptr, b->a_peername_pat.bv_val );
2498 if ( !BER_BVISEMPTY( &b->a_sockname_pat ) ) {
2499 ptr = lutil_strcopy( ptr, " sockname" );
2501 ptr = lutil_strcopy( ptr, style_strings[b->a_sockname_style] );
2504 ptr = lutil_strcopy( ptr, b->a_sockname_pat.bv_val );
2508 if ( !BER_BVISEMPTY( &b->a_domain_pat ) ) {
2509 ptr = lutil_strcopy( ptr, " domain" );
2511 ptr = lutil_strcopy( ptr, style_strings[b->a_domain_style] );
2512 if ( b->a_domain_expand ) {
2513 ptr = lutil_strcopy( ptr, ",expand" );
2516 ptr = lutil_strcopy( ptr, b->a_domain_pat.bv_val );
2519 if ( !BER_BVISEMPTY( &b->a_sockurl_pat ) ) {
2520 ptr = lutil_strcopy( ptr, " sockurl" );
2522 ptr = lutil_strcopy( ptr, style_strings[b->a_sockurl_style] );
2525 ptr = lutil_strcopy( ptr, b->a_sockurl_pat.bv_val );
2529 if ( !BER_BVISEMPTY( &b->a_set_pat ) ) {
2530 ptr = lutil_strcopy( ptr, " set" );
2532 ptr = lutil_strcopy( ptr, style_strings[b->a_set_style] );
2535 ptr = lutil_strcopy( ptr, b->a_set_pat.bv_val );
2540 if ( b->a_dynacl ) {
2543 for ( da = b->a_dynacl; da; da = da->da_next ) {
2544 if ( da->da_unparse ) {
2545 struct berval bv = BER_BVNULL;
2546 (void)( *da->da_unparse )( da->da_private, &bv );
2547 assert( !BER_BVISNULL( &bv ) );
2548 ptr = lutil_strcopy( ptr, bv.bv_val );
2549 ch_free( bv.bv_val );
2553 #else /* ! SLAP_DYNACL */
2554 #ifdef SLAPD_ACI_ENABLED
2555 if ( b->a_aci_at != NULL ) {
2556 ptr = lutil_strcopy( ptr, " aci=" );
2557 ptr = lutil_strcopy( ptr, b->a_aci_at->ad_cname.bv_val );
2560 #endif /* SLAP_DYNACL */
2562 /* Security Strength Factors */
2563 if ( b->a_authz.sai_ssf ) {
2564 ptr += sprintf( ptr, " ssf=%u",
2565 b->a_authz.sai_ssf );
2567 if ( b->a_authz.sai_transport_ssf ) {
2568 ptr += sprintf( ptr, " transport_ssf=%u",
2569 b->a_authz.sai_transport_ssf );
2571 if ( b->a_authz.sai_tls_ssf ) {
2572 ptr += sprintf( ptr, " tls_ssf=%u",
2573 b->a_authz.sai_tls_ssf );
2575 if ( b->a_authz.sai_sasl_ssf ) {
2576 ptr += sprintf( ptr, " sasl_ssf=%u",
2577 b->a_authz.sai_sasl_ssf );
2581 if ( b->a_dn_self ) {
2582 ptr = lutil_strcopy( ptr, "self" );
2583 } else if ( b->a_realdn_self ) {
2584 ptr = lutil_strcopy( ptr, "realself" );
2586 ptr = lutil_strcopy( ptr, accessmask2str( b->a_access_mask, maskbuf, 0 ));
2587 if ( !maskbuf[0] ) ptr--;
2589 if( b->a_type == ACL_BREAK ) {
2590 ptr = lutil_strcopy( ptr, " break" );
2592 } else if( b->a_type == ACL_CONTINUE ) {
2593 ptr = lutil_strcopy( ptr, " continue" );
2595 } else if( b->a_type != ACL_STOP ) {
2596 ptr = lutil_strcopy( ptr, " unknown-control" );
2598 if ( !maskbuf[0] ) ptr = lutil_strcopy( ptr, " stop" );
2606 acl_unparse( AccessControl *a, struct berval *bv )
2612 bv->bv_val = aclbuf;
2617 ptr = lutil_strcopy( ptr, "to" );
2618 if ( !BER_BVISNULL( &a->acl_dn_pat ) ) {
2620 ptr = lutil_strcopy( ptr, " dn." );
2621 if ( a->acl_dn_style == ACL_STYLE_BASE )
2622 ptr = lutil_strcopy( ptr, style_base );
2624 ptr = lutil_strcopy( ptr, style_strings[a->acl_dn_style] );
2627 ptr = lutil_strcopy( ptr, a->acl_dn_pat.bv_val );
2628 ptr = lutil_strcopy( ptr, "\"\n" );
2631 if ( a->acl_filter != NULL ) {
2632 struct berval bv = BER_BVNULL;
2635 filter2bv( a->acl_filter, &bv );
2636 ptr = lutil_strcopy( ptr, " filter=\"" );
2637 ptr = lutil_strcopy( ptr, bv.bv_val );
2640 ch_free( bv.bv_val );
2643 if ( a->acl_attrs != NULL ) {
2648 ptr = lutil_strcopy( ptr, " attrs=" );
2649 for ( an = a->acl_attrs; an && !BER_BVISNULL( &an->an_name ); an++ ) {
2650 if ( ! first ) *ptr++ = ',';
2652 *ptr++ = an->an_oc_exclude ? '!' : '@';
2653 ptr = lutil_strcopy( ptr, an->an_oc->soc_cname.bv_val );
2656 ptr = lutil_strcopy( ptr, an->an_name.bv_val );
2663 if ( !BER_BVISEMPTY( &a->acl_attrval ) ) {
2665 ptr = lutil_strcopy( ptr, " val." );
2666 if ( a->acl_attrval_style == ACL_STYLE_BASE &&
2667 a->acl_attrs[0].an_desc->ad_type->sat_syntax ==
2668 slap_schema.si_syn_distinguishedName )
2669 ptr = lutil_strcopy( ptr, style_base );
2671 ptr = lutil_strcopy( ptr, style_strings[a->acl_attrval_style] );
2674 ptr = lutil_strcopy( ptr, a->acl_attrval.bv_val );
2680 ptr = lutil_strcopy( ptr, " *\n" );
2683 for ( b = a->acl_access; b != NULL; b = b->a_next ) {
2684 ptr = access2text( b, ptr );
2687 bv->bv_len = ptr - bv->bv_val;
2693 print_acl( Backend *be, AccessControl *a )
2697 acl_unparse( a, &bv );
2698 fprintf( stderr, "%s ACL: access %s\n",
2699 be == NULL ? "Global" : "Backend", bv.bv_val );
2701 #endif /* LDAP_DEBUG */