1 /* aclparse.c - routines to parse and check acl's */
3 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
5 * Copyright 1998-2006 The OpenLDAP Foundation.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted only as authorized by the OpenLDAP
12 * A copy of this license is available in the file LICENSE in the
13 * top-level directory of the distribution or, alternatively, at
14 * <http://www.OpenLDAP.org/license.html>.
16 /* Portions Copyright (c) 1995 Regents of the University of Michigan.
17 * All rights reserved.
19 * Redistribution and use in source and binary forms are permitted
20 * provided that this notice is preserved and that due credit is given
21 * to the University of Michigan at Ann Arbor. The name of the University
22 * may not be used to endorse or promote products derived from this
23 * software without specific prior written permission. This software
24 * is provided ``as is'' without express or implied warranty.
33 #include <ac/socket.h>
34 #include <ac/string.h>
35 #include <ac/unistd.h>
41 static const char style_base[] = "base";
42 char *style_strings[] = {
59 static void split(char *line, int splitchar, char **left, char **right);
60 static void access_append(Access **l, Access *a);
61 static void access_free( Access *a );
62 static int acl_usage(void);
64 static void acl_regex_normalized_dn(const char *src, struct berval *pat);
67 static void print_acl(Backend *be, AccessControl *a);
70 static int check_scope( BackendDB *be, AccessControl *a );
83 slap_dynacl_t *da, *tmp;
86 for ( da = b->a_dynacl; da; da = da->da_next ) {
87 if ( strcasecmp( da->da_name, name ) == 0 ) {
88 Debug( LDAP_DEBUG_ANY,
89 "%s: line %d: dynacl \"%s\" already specified.\n",
90 fname, lineno, name );
95 da = slap_dynacl_get( name );
100 tmp = ch_malloc( sizeof( slap_dynacl_t ) );
103 if ( tmp->da_parse ) {
104 rc = ( *tmp->da_parse )( fname, lineno, opts, sty, right, &tmp->da_private );
111 tmp->da_next = b->a_dynacl;
116 #endif /* SLAP_DYNACL */
119 regtest(const char *fname, int lineno, char *pat) {
123 char buf[ SLAP_TEXT_BUFLEN ];
135 for (size = 0, flag = 0; (size < sizeof(buf)) && *sp; sp++) {
137 if (*sp == '$'|| (*sp >= '0' && *sp <= '9')) {
154 if ( size >= (sizeof(buf) - 1) ) {
155 Debug( LDAP_DEBUG_ANY,
156 "%s: line %d: regular expression \"%s\" too large\n",
157 fname, lineno, pat );
159 exit( EXIT_FAILURE );
162 if ((e = regcomp(&re, buf, REG_EXTENDED|REG_ICASE))) {
163 char error[ SLAP_TEXT_BUFLEN ];
165 regerror(e, &re, error, sizeof(error));
167 snprintf( buf, sizeof( buf ),
168 "regular expression \"%s\" bad because of %s",
170 Debug( LDAP_DEBUG_ANY,
172 fname, lineno, buf );
174 exit( EXIT_FAILURE );
182 * Check if the pattern of an ACL, if any, matches the scope
183 * of the backend it is defined within.
185 #define ACL_SCOPE_UNKNOWN (-2)
186 #define ACL_SCOPE_ERR (-1)
187 #define ACL_SCOPE_OK (0)
188 #define ACL_SCOPE_PARTIAL (1)
189 #define ACL_SCOPE_WARN (2)
192 check_scope( BackendDB *be, AccessControl *a )
197 dn = be->be_nsuffix[0];
199 if ( BER_BVISEMPTY( &dn ) ) {
203 if ( !BER_BVISEMPTY( &a->acl_dn_pat ) ||
204 a->acl_dn_style != ACL_STYLE_REGEX )
206 slap_style_t style = a->acl_dn_style;
208 if ( style == ACL_STYLE_REGEX ) {
209 char dnbuf[SLAP_LDAPDN_MAXLEN + 2];
210 char rebuf[SLAP_LDAPDN_MAXLEN + 1];
215 /* add trailing '$' to database suffix to form
216 * a simple trial regex pattern "<suffix>$" */
217 AC_MEMCPY( dnbuf, be->be_nsuffix[0].bv_val,
218 be->be_nsuffix[0].bv_len );
219 dnbuf[be->be_nsuffix[0].bv_len] = '$';
220 dnbuf[be->be_nsuffix[0].bv_len + 1] = '\0';
222 if ( regcomp( &re, dnbuf, REG_EXTENDED|REG_ICASE ) ) {
223 return ACL_SCOPE_WARN;
226 /* remove trailing ')$', if any, from original
228 rebuflen = a->acl_dn_pat.bv_len;
229 AC_MEMCPY( rebuf, a->acl_dn_pat.bv_val, rebuflen + 1 );
230 if ( rebuf[rebuflen - 1] == '$' ) {
231 rebuf[--rebuflen] = '\0';
233 while ( rebuflen > be->be_nsuffix[0].bv_len && rebuf[rebuflen - 1] == ')' ) {
234 rebuf[--rebuflen] = '\0';
236 if ( rebuflen == be->be_nsuffix[0].bv_len ) {
241 /* not a clear indication of scoping error, though */
242 rc = regexec( &re, rebuf, 0, NULL, 0 )
243 ? ACL_SCOPE_WARN : ACL_SCOPE_OK;
250 patlen = a->acl_dn_pat.bv_len;
251 /* If backend suffix is longer than pattern,
252 * it is a potential mismatch (in the sense
253 * that a superior naming context could
255 if ( dn.bv_len > patlen ) {
256 /* base is blatantly wrong */
257 if ( style == ACL_STYLE_BASE ) return ACL_SCOPE_ERR;
259 /* a style of one can be wrong if there is
260 * more than one level between the suffix
262 if ( style == ACL_STYLE_ONE ) {
263 ber_len_t rdnlen = 0;
267 if ( !DN_SEPARATOR( dn.bv_val[dn.bv_len - patlen - 1] )) {
268 return ACL_SCOPE_ERR;
273 rdnlen = dn_rdnlen( NULL, &dn );
274 if ( rdnlen != dn.bv_len - patlen - sep )
275 return ACL_SCOPE_ERR;
278 /* if the trailing part doesn't match,
279 * then it's an error */
280 if ( strcmp( a->acl_dn_pat.bv_val,
281 &dn.bv_val[dn.bv_len - patlen] ) != 0 )
283 return ACL_SCOPE_ERR;
286 return ACL_SCOPE_PARTIAL;
292 case ACL_STYLE_CHILDREN:
293 case ACL_STYLE_SUBTREE:
301 if ( dn.bv_len < patlen &&
302 !DN_SEPARATOR( a->acl_dn_pat.bv_val[patlen - dn.bv_len - 1] ))
304 return ACL_SCOPE_ERR;
307 if ( strcmp( &a->acl_dn_pat.bv_val[patlen - dn.bv_len], dn.bv_val )
310 return ACL_SCOPE_ERR;
316 return ACL_SCOPE_UNKNOWN;
329 char *left, *right, *style;
331 AccessControl *a = NULL;
336 for ( i = 1; i < argc; i++ ) {
337 /* to clause - select which entries are protected */
338 if ( strcasecmp( argv[i], "to" ) == 0 ) {
340 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
341 "only one to clause allowed in access line\n",
345 a = (AccessControl *) ch_calloc( 1, sizeof(AccessControl) );
346 for ( ++i; i < argc; i++ ) {
347 if ( strcasecmp( argv[i], "by" ) == 0 ) {
352 if ( strcasecmp( argv[i], "*" ) == 0 ) {
353 if ( !BER_BVISEMPTY( &a->acl_dn_pat ) ||
354 a->acl_dn_style != ACL_STYLE_REGEX )
356 Debug( LDAP_DEBUG_ANY,
357 "%s: line %d: dn pattern"
358 " already specified in to clause.\n",
363 ber_str2bv( "*", STRLENOF( "*" ), 1, &a->acl_dn_pat );
367 split( argv[i], '=', &left, &right );
368 split( left, '.', &left, &style );
370 if ( right == NULL ) {
371 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
372 "missing \"=\" in \"%s\" in to clause\n",
373 fname, lineno, left );
377 if ( strcasecmp( left, "dn" ) == 0 ) {
378 if ( !BER_BVISEMPTY( &a->acl_dn_pat ) ||
379 a->acl_dn_style != ACL_STYLE_REGEX )
381 Debug( LDAP_DEBUG_ANY,
382 "%s: line %d: dn pattern"
383 " already specified in to clause.\n",
388 if ( style == NULL || *style == '\0' ||
389 strcasecmp( style, "baseObject" ) == 0 ||
390 strcasecmp( style, "base" ) == 0 ||
391 strcasecmp( style, "exact" ) == 0 )
393 a->acl_dn_style = ACL_STYLE_BASE;
394 ber_str2bv( right, 0, 1, &a->acl_dn_pat );
396 } else if ( strcasecmp( style, "oneLevel" ) == 0 ||
397 strcasecmp( style, "one" ) == 0 )
399 a->acl_dn_style = ACL_STYLE_ONE;
400 ber_str2bv( right, 0, 1, &a->acl_dn_pat );
402 } else if ( strcasecmp( style, "subtree" ) == 0 ||
403 strcasecmp( style, "sub" ) == 0 )
405 if( *right == '\0' ) {
406 ber_str2bv( "*", STRLENOF( "*" ), 1, &a->acl_dn_pat );
409 a->acl_dn_style = ACL_STYLE_SUBTREE;
410 ber_str2bv( right, 0, 1, &a->acl_dn_pat );
413 } else if ( strcasecmp( style, "children" ) == 0 ) {
414 a->acl_dn_style = ACL_STYLE_CHILDREN;
415 ber_str2bv( right, 0, 1, &a->acl_dn_pat );
417 } else if ( strcasecmp( style, "regex" ) == 0 ) {
418 a->acl_dn_style = ACL_STYLE_REGEX;
420 if ( *right == '\0' ) {
421 /* empty regex should match empty DN */
422 a->acl_dn_style = ACL_STYLE_BASE;
423 ber_str2bv( right, 0, 1, &a->acl_dn_pat );
425 } else if ( strcmp(right, "*") == 0
426 || strcmp(right, ".*") == 0
427 || strcmp(right, ".*$") == 0
428 || strcmp(right, "^.*") == 0
429 || strcmp(right, "^.*$") == 0
430 || strcmp(right, ".*$$") == 0
431 || strcmp(right, "^.*$$") == 0 )
433 ber_str2bv( "*", STRLENOF("*"), 1, &a->acl_dn_pat );
436 acl_regex_normalized_dn( right, &a->acl_dn_pat );
440 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
441 "unknown dn style \"%s\" in to clause\n",
442 fname, lineno, style );
449 if ( strcasecmp( left, "filter" ) == 0 ) {
450 if ( (a->acl_filter = str2filter( right )) == NULL ) {
451 Debug( LDAP_DEBUG_ANY,
452 "%s: line %d: bad filter \"%s\" in to clause\n",
453 fname, lineno, right );
457 } else if ( strcasecmp( left, "attr" ) == 0 /* TOLERATED */
458 || strcasecmp( left, "attrs" ) == 0 ) /* DOCUMENTED */
460 if ( strcasecmp( left, "attr" ) == 0 ) {
461 Debug( LDAP_DEBUG_ANY,
462 "%s: line %d: \"attr\" "
463 "is deprecated (and undocumented); "
464 "use \"attrs\" instead.\n",
468 a->acl_attrs = str2anlist( a->acl_attrs,
470 if ( a->acl_attrs == NULL ) {
471 Debug( LDAP_DEBUG_ANY,
472 "%s: line %d: unknown attr \"%s\" in to clause\n",
473 fname, lineno, right );
477 } else if ( strncasecmp( left, "val", 3 ) == 0 ) {
481 if ( !BER_BVISEMPTY( &a->acl_attrval ) ) {
482 Debug( LDAP_DEBUG_ANY,
483 "%s: line %d: attr val already specified in to clause.\n",
487 if ( a->acl_attrs == NULL || !BER_BVISEMPTY( &a->acl_attrs[1].an_name ) )
489 Debug( LDAP_DEBUG_ANY,
490 "%s: line %d: attr val requires a single attribute.\n",
495 ber_str2bv( right, 0, 0, &bv );
496 a->acl_attrval_style = ACL_STYLE_BASE;
498 mr = strchr( left, '/' );
503 a->acl_attrval_mr = mr_find( mr );
504 if ( a->acl_attrval_mr == NULL ) {
505 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
506 "invalid matching rule \"%s\".\n",
511 if( !mr_usable_with_at( a->acl_attrval_mr, a->acl_attrs[ 0 ].an_desc->ad_type ) )
513 char buf[ SLAP_TEXT_BUFLEN ];
515 snprintf( buf, sizeof( buf ),
516 "matching rule \"%s\" use "
517 "with attr \"%s\" not appropriate.",
518 mr, a->acl_attrs[ 0 ].an_name.bv_val );
521 Debug( LDAP_DEBUG_ANY, "%s: line %d: %s\n",
522 fname, lineno, buf );
527 if ( style != NULL ) {
528 if ( strcasecmp( style, "regex" ) == 0 ) {
529 int e = regcomp( &a->acl_attrval_re, bv.bv_val,
530 REG_EXTENDED | REG_ICASE | REG_NOSUB );
532 char err[SLAP_TEXT_BUFLEN],
533 buf[ SLAP_TEXT_BUFLEN ];
535 regerror( e, &a->acl_attrval_re, err, sizeof( err ) );
537 snprintf( buf, sizeof( buf ),
538 "regular expression \"%s\" bad because of %s",
541 Debug( LDAP_DEBUG_ANY, "%s: line %d: %s\n",
542 fname, lineno, buf );
545 a->acl_attrval_style = ACL_STYLE_REGEX;
548 /* FIXME: if the attribute has DN syntax, we might
549 * allow one, subtree and children styles as well */
550 if ( !strcasecmp( style, "base" ) ||
551 !strcasecmp( style, "exact" ) ) {
552 a->acl_attrval_style = ACL_STYLE_BASE;
554 } else if ( a->acl_attrs[0].an_desc->ad_type->
555 sat_syntax == slap_schema.si_syn_distinguishedName )
557 if ( !strcasecmp( style, "baseObject" ) ||
558 !strcasecmp( style, "base" ) )
560 a->acl_attrval_style = ACL_STYLE_BASE;
561 } else if ( !strcasecmp( style, "onelevel" ) ||
562 !strcasecmp( style, "one" ) )
564 a->acl_attrval_style = ACL_STYLE_ONE;
565 } else if ( !strcasecmp( style, "subtree" ) ||
566 !strcasecmp( style, "sub" ) )
568 a->acl_attrval_style = ACL_STYLE_SUBTREE;
569 } else if ( !strcasecmp( style, "children" ) ) {
570 a->acl_attrval_style = ACL_STYLE_CHILDREN;
572 char buf[ SLAP_TEXT_BUFLEN ];
574 snprintf( buf, sizeof( buf ),
575 "unknown val.<style> \"%s\" for attributeType \"%s\" "
578 a->acl_attrs[0].an_desc->ad_cname.bv_val );
580 Debug( LDAP_DEBUG_CONFIG | LDAP_DEBUG_ACL,
582 fname, lineno, buf );
586 rc = dnNormalize( 0, NULL, NULL, &bv, &a->acl_attrval, NULL );
587 if ( rc != LDAP_SUCCESS ) {
588 char buf[ SLAP_TEXT_BUFLEN ];
590 snprintf( buf, sizeof( buf ),
591 "unable to normalize DN \"%s\" "
592 "for attributeType \"%s\" (%d).",
594 a->acl_attrs[0].an_desc->ad_cname.bv_val,
596 Debug( LDAP_DEBUG_ANY,
598 fname, lineno, buf );
603 char buf[ SLAP_TEXT_BUFLEN ];
605 snprintf( buf, sizeof( buf ),
606 "unknown val.<style> \"%s\" for attributeType \"%s\".",
607 style, a->acl_attrs[0].an_desc->ad_cname.bv_val );
608 Debug( LDAP_DEBUG_CONFIG | LDAP_DEBUG_ACL,
610 fname, lineno, buf );
616 /* Check for appropriate matching rule */
617 if ( a->acl_attrval_style == ACL_STYLE_REGEX ) {
618 ber_dupbv( &a->acl_attrval, &bv );
620 } else if ( BER_BVISNULL( &a->acl_attrval ) ) {
624 if ( a->acl_attrval_mr == NULL ) {
625 a->acl_attrval_mr = a->acl_attrs[ 0 ].an_desc->ad_type->sat_equality;
628 if ( a->acl_attrval_mr == NULL ) {
629 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
630 "attr \"%s\" does not have an EQUALITY matching rule.\n",
631 fname, lineno, a->acl_attrs[ 0 ].an_name.bv_val );
635 rc = asserted_value_validate_normalize(
636 a->acl_attrs[ 0 ].an_desc,
638 SLAP_MR_EQUALITY|SLAP_MR_VALUE_OF_ASSERTION_SYNTAX,
643 if ( rc != LDAP_SUCCESS ) {
644 char buf[ SLAP_TEXT_BUFLEN ];
646 snprintf( buf, sizeof( buf ), "%s: line %d: "
647 " attr \"%s\" normalization failed (%d: %s)",
649 a->acl_attrs[ 0 ].an_name.bv_val, rc, text );
650 Debug( LDAP_DEBUG_ANY, "%s: line %d: %s.\n",
651 fname, lineno, buf );
657 Debug( LDAP_DEBUG_ANY,
658 "%s: line %d: expecting <what> got \"%s\"\n",
659 fname, lineno, left );
664 if ( !BER_BVISNULL( &a->acl_dn_pat ) &&
665 ber_bvccmp( &a->acl_dn_pat, '*' ) )
667 free( a->acl_dn_pat.bv_val );
668 BER_BVZERO( &a->acl_dn_pat );
669 a->acl_dn_style = ACL_STYLE_REGEX;
672 if ( !BER_BVISEMPTY( &a->acl_dn_pat ) ||
673 a->acl_dn_style != ACL_STYLE_REGEX )
675 if ( a->acl_dn_style != ACL_STYLE_REGEX ) {
677 rc = dnNormalize( 0, NULL, NULL, &a->acl_dn_pat, &bv, NULL);
678 if ( rc != LDAP_SUCCESS ) {
679 Debug( LDAP_DEBUG_ANY,
680 "%s: line %d: bad DN \"%s\" in to DN clause\n",
681 fname, lineno, a->acl_dn_pat.bv_val );
684 free( a->acl_dn_pat.bv_val );
688 int e = regcomp( &a->acl_dn_re, a->acl_dn_pat.bv_val,
689 REG_EXTENDED | REG_ICASE );
691 char err[ SLAP_TEXT_BUFLEN ],
692 buf[ SLAP_TEXT_BUFLEN ];
694 regerror( e, &a->acl_dn_re, err, sizeof( err ) );
695 snprintf( buf, sizeof( buf ),
696 "regular expression \"%s\" bad because of %s",
698 Debug( LDAP_DEBUG_ANY, "%s: line %d: %s\n",
699 fname, lineno, buf );
705 /* by clause - select who has what access to entries */
706 } else if ( strcasecmp( argv[i], "by" ) == 0 ) {
708 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
709 "to clause required before by clause in access line\n",
715 * by clause consists of <who> and <access>
719 Debug( LDAP_DEBUG_ANY,
720 "%s: line %d: premature EOL: expecting <who>\n",
725 b = (Access *) ch_calloc( 1, sizeof(Access) );
727 ACL_INVALIDATE( b->a_access_mask );
730 for ( ; i < argc; i++ ) {
731 slap_style_t sty = ACL_STYLE_REGEX;
732 char *style_modifier = NULL;
733 char *style_level = NULL;
736 slap_dn_access *bdn = &b->a_dn;
739 split( argv[i], '=', &left, &right );
740 split( left, '.', &left, &style );
742 split( style, ',', &style, &style_modifier );
744 if ( strncasecmp( style, "level", STRLENOF( "level" ) ) == 0 ) {
745 split( style, '{', &style, &style_level );
746 if ( style_level != NULL ) {
747 char *p = strchr( style_level, '}' );
749 Debug( LDAP_DEBUG_ANY,
750 "%s: line %d: premature eol: "
751 "expecting closing '}' in \"level{n}\"\n",
754 } else if ( p == style_level ) {
755 Debug( LDAP_DEBUG_ANY,
756 "%s: line %d: empty level "
766 if ( style == NULL || *style == '\0' ||
767 strcasecmp( style, "exact" ) == 0 ||
768 strcasecmp( style, "baseObject" ) == 0 ||
769 strcasecmp( style, "base" ) == 0 )
771 sty = ACL_STYLE_BASE;
773 } else if ( strcasecmp( style, "onelevel" ) == 0 ||
774 strcasecmp( style, "one" ) == 0 )
778 } else if ( strcasecmp( style, "subtree" ) == 0 ||
779 strcasecmp( style, "sub" ) == 0 )
781 sty = ACL_STYLE_SUBTREE;
783 } else if ( strcasecmp( style, "children" ) == 0 ) {
784 sty = ACL_STYLE_CHILDREN;
786 } else if ( strcasecmp( style, "level" ) == 0 )
788 if ( lutil_atoi( &level, style_level ) != 0 ) {
789 Debug( LDAP_DEBUG_ANY,
790 "%s: line %d: unable to parse level "
796 sty = ACL_STYLE_LEVEL;
798 } else if ( strcasecmp( style, "regex" ) == 0 ) {
799 sty = ACL_STYLE_REGEX;
801 } else if ( strcasecmp( style, "expand" ) == 0 ) {
802 sty = ACL_STYLE_EXPAND;
804 } else if ( strcasecmp( style, "ip" ) == 0 ) {
807 } else if ( strcasecmp( style, "ipv6" ) == 0 ) {
808 #ifndef LDAP_PF_INET6
809 Debug( LDAP_DEBUG_ANY,
810 "%s: line %d: IPv6 not supported\n",
812 #endif /* ! LDAP_PF_INET6 */
813 sty = ACL_STYLE_IPV6;
815 } else if ( strcasecmp( style, "path" ) == 0 ) {
816 sty = ACL_STYLE_PATH;
817 #ifndef LDAP_PF_LOCAL
818 Debug( LDAP_DEBUG_CONFIG | LDAP_DEBUG_ACL,
820 "\"path\" style modifier is useless without local.\n",
823 #endif /* LDAP_PF_LOCAL */
826 Debug( LDAP_DEBUG_ANY,
827 "%s: line %d: unknown style \"%s\" in by clause\n",
828 fname, lineno, style );
832 if ( style_modifier &&
833 strcasecmp( style_modifier, "expand" ) == 0 )
836 case ACL_STYLE_REGEX:
837 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
838 "\"regex\" style implies \"expand\" modifier.\n",
843 case ACL_STYLE_EXPAND:
847 /* we'll see later if it's pertinent */
853 /* expand in <who> needs regex in <what> */
854 if ( ( sty == ACL_STYLE_EXPAND || expand )
855 && a->acl_dn_style != ACL_STYLE_REGEX )
857 Debug( LDAP_DEBUG_CONFIG | LDAP_DEBUG_ACL, "%s: line %d: \"expand\" style "
858 "or modifier used in conjunction with a non-regex <what> clause.\n",
863 if ( strncasecmp( left, "real", STRLENOF( "real" ) ) == 0 ) {
866 left += STRLENOF( "real" );
869 if ( strcasecmp( left, "*" ) == 0 ) {
874 ber_str2bv( "*", STRLENOF( "*" ), 1, &bv );
875 sty = ACL_STYLE_REGEX;
877 } else if ( strcasecmp( left, "anonymous" ) == 0 ) {
878 ber_str2bv("anonymous", STRLENOF( "anonymous" ), 1, &bv);
879 sty = ACL_STYLE_ANONYMOUS;
881 } else if ( strcasecmp( left, "users" ) == 0 ) {
882 ber_str2bv("users", STRLENOF( "users" ), 1, &bv);
883 sty = ACL_STYLE_USERS;
885 } else if ( strcasecmp( left, "self" ) == 0 ) {
886 ber_str2bv("self", STRLENOF( "self" ), 1, &bv);
887 sty = ACL_STYLE_SELF;
889 } else if ( strcasecmp( left, "dn" ) == 0 ) {
890 if ( sty == ACL_STYLE_REGEX ) {
891 bdn->a_style = ACL_STYLE_REGEX;
892 if ( right == NULL ) {
897 bdn->a_style = ACL_STYLE_USERS;
899 } else if (*right == '\0' ) {
901 ber_str2bv("anonymous",
902 STRLENOF( "anonymous" ),
904 bdn->a_style = ACL_STYLE_ANONYMOUS;
906 } else if ( strcmp( right, "*" ) == 0 ) {
908 /* any or users? users for now */
912 bdn->a_style = ACL_STYLE_USERS;
914 } else if ( strcmp( right, ".+" ) == 0
915 || strcmp( right, "^.+" ) == 0
916 || strcmp( right, ".+$" ) == 0
917 || strcmp( right, "^.+$" ) == 0
918 || strcmp( right, ".+$$" ) == 0
919 || strcmp( right, "^.+$$" ) == 0 )
924 bdn->a_style = ACL_STYLE_USERS;
926 } else if ( strcmp( right, ".*" ) == 0
927 || strcmp( right, "^.*" ) == 0
928 || strcmp( right, ".*$" ) == 0
929 || strcmp( right, "^.*$" ) == 0
930 || strcmp( right, ".*$$" ) == 0
931 || strcmp( right, "^.*$$" ) == 0 )
938 acl_regex_normalized_dn( right, &bv );
939 if ( !ber_bvccmp( &bv, '*' ) ) {
940 regtest( fname, lineno, bv.bv_val );
944 } else if ( right == NULL || *right == '\0' ) {
945 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
946 "missing \"=\" in (or value after) \"%s\" "
948 fname, lineno, left );
952 ber_str2bv( right, 0, 1, &bv );
959 if ( !BER_BVISNULL( &bv ) ) {
960 if ( !BER_BVISEMPTY( &bdn->a_pat ) ) {
961 Debug( LDAP_DEBUG_ANY,
962 "%s: line %d: dn pattern already specified.\n",
967 if ( sty != ACL_STYLE_REGEX &&
968 sty != ACL_STYLE_ANONYMOUS &&
969 sty != ACL_STYLE_USERS &&
970 sty != ACL_STYLE_SELF &&
973 rc = dnNormalize(0, NULL, NULL,
974 &bv, &bdn->a_pat, NULL);
975 if ( rc != LDAP_SUCCESS ) {
976 Debug( LDAP_DEBUG_ANY,
977 "%s: line %d: bad DN \"%s\" in by DN clause\n",
978 fname, lineno, bv.bv_val );
982 if ( sty == ACL_STYLE_BASE
984 && !BER_BVISNULL( &be->be_rootndn )
985 && dn_match( &bdn->a_pat, &be->be_rootndn ) )
987 Debug( LDAP_DEBUG_ANY,
988 "%s: line %d: rootdn is always granted "
989 "unlimited privileges.\n",
1001 for ( exp = strchr( bdn->a_pat.bv_val, '$' );
1002 exp && (ber_len_t)(exp - bdn->a_pat.bv_val)
1003 < bdn->a_pat.bv_len;
1004 exp = strchr( exp, '$' ) )
1006 if ( isdigit( (unsigned char) exp[ 1 ] ) ) {
1013 bdn->a_expand = expand;
1016 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1017 "\"expand\" used with no expansions in \"pattern\".\n",
1022 if ( sty == ACL_STYLE_SELF ) {
1023 bdn->a_self_level = level;
1027 Debug( LDAP_DEBUG_ANY,
1028 "%s: line %d: bad negative level \"%d\" "
1029 "in by DN clause\n",
1030 fname, lineno, level );
1032 } else if ( level == 1 ) {
1033 Debug( LDAP_DEBUG_ANY,
1034 "%s: line %d: \"onelevel\" should be used "
1035 "instead of \"level{1}\" in by DN clause\n",
1037 } else if ( level == 0 && sty == ACL_STYLE_LEVEL ) {
1038 Debug( LDAP_DEBUG_ANY,
1039 "%s: line %d: \"base\" should be used "
1040 "instead of \"level{0}\" in by DN clause\n",
1044 bdn->a_level = level;
1049 if ( strcasecmp( left, "dnattr" ) == 0 ) {
1050 if ( right == NULL || right[0] == '\0' ) {
1051 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1052 "missing \"=\" in (or value after) \"%s\" "
1054 fname, lineno, left );
1058 if( bdn->a_at != NULL ) {
1059 Debug( LDAP_DEBUG_ANY,
1060 "%s: line %d: dnattr already specified.\n",
1065 rc = slap_str2ad( right, &bdn->a_at, &text );
1067 if( rc != LDAP_SUCCESS ) {
1068 char buf[ SLAP_TEXT_BUFLEN ];
1070 snprintf( buf, sizeof( buf ),
1071 "dnattr \"%s\": %s",
1073 Debug( LDAP_DEBUG_ANY,
1074 "%s: line %d: %s\n",
1075 fname, lineno, buf );
1080 if( !is_at_syntax( bdn->a_at->ad_type,
1081 SLAPD_DN_SYNTAX ) &&
1082 !is_at_syntax( bdn->a_at->ad_type,
1083 SLAPD_NAMEUID_SYNTAX ))
1085 char buf[ SLAP_TEXT_BUFLEN ];
1087 snprintf( buf, sizeof( buf ),
1089 "inappropriate syntax: %s\n",
1091 bdn->a_at->ad_type->sat_syntax_oid );
1092 Debug( LDAP_DEBUG_ANY,
1093 "%s: line %d: %s\n",
1094 fname, lineno, buf );
1098 if( bdn->a_at->ad_type->sat_equality == NULL ) {
1099 Debug( LDAP_DEBUG_ANY,
1100 "%s: line %d: dnattr \"%s\": "
1101 "inappropriate matching (no EQUALITY)\n",
1102 fname, lineno, right );
1109 if ( strncasecmp( left, "group", STRLENOF( "group" ) ) == 0 ) {
1114 case ACL_STYLE_REGEX:
1115 /* legacy, tolerated */
1116 Debug( LDAP_DEBUG_CONFIG | LDAP_DEBUG_ACL,
1118 "deprecated group style \"regex\"; "
1119 "use \"expand\" instead.\n",
1121 sty = ACL_STYLE_EXPAND;
1124 case ACL_STYLE_BASE:
1125 /* legal, traditional */
1126 case ACL_STYLE_EXPAND:
1127 /* legal, substring expansion; supersedes regex */
1132 Debug( LDAP_DEBUG_ANY,
1134 "inappropriate style \"%s\" in by clause.\n",
1135 fname, lineno, style );
1139 if ( right == NULL || right[0] == '\0' ) {
1140 Debug( LDAP_DEBUG_ANY,
1142 "missing \"=\" in (or value after) \"%s\" "
1144 fname, lineno, left );
1148 if ( !BER_BVISEMPTY( &b->a_group_pat ) ) {
1149 Debug( LDAP_DEBUG_ANY,
1150 "%s: line %d: group pattern already specified.\n",
1155 /* format of string is
1156 "group/objectClassValue/groupAttrName" */
1157 if ( ( value = strchr(left, '/') ) != NULL ) {
1159 if ( *value && ( name = strchr( value, '/' ) ) != NULL ) {
1164 b->a_group_style = sty;
1165 if ( sty == ACL_STYLE_EXPAND ) {
1166 acl_regex_normalized_dn( right, &bv );
1167 if ( !ber_bvccmp( &bv, '*' ) ) {
1168 regtest( fname, lineno, bv.bv_val );
1170 b->a_group_pat = bv;
1173 ber_str2bv( right, 0, 0, &bv );
1174 rc = dnNormalize( 0, NULL, NULL, &bv,
1175 &b->a_group_pat, NULL );
1176 if ( rc != LDAP_SUCCESS ) {
1177 Debug( LDAP_DEBUG_ANY,
1178 "%s: line %d: bad DN \"%s\".\n",
1179 fname, lineno, right );
1184 if ( value && *value ) {
1185 b->a_group_oc = oc_find( value );
1188 if ( b->a_group_oc == NULL ) {
1189 Debug( LDAP_DEBUG_ANY,
1190 "%s: line %d: group objectclass "
1191 "\"%s\" unknown.\n",
1192 fname, lineno, value );
1197 b->a_group_oc = oc_find( SLAPD_GROUP_CLASS );
1199 if( b->a_group_oc == NULL ) {
1200 Debug( LDAP_DEBUG_ANY,
1201 "%s: line %d: group default objectclass "
1202 "\"%s\" unknown.\n",
1203 fname, lineno, SLAPD_GROUP_CLASS );
1208 if ( is_object_subclass( slap_schema.si_oc_referral,
1211 Debug( LDAP_DEBUG_ANY,
1212 "%s: line %d: group objectclass \"%s\" "
1213 "is subclass of referral.\n",
1214 fname, lineno, value );
1218 if ( is_object_subclass( slap_schema.si_oc_alias,
1221 Debug( LDAP_DEBUG_ANY,
1222 "%s: line %d: group objectclass \"%s\" "
1223 "is subclass of alias.\n",
1224 fname, lineno, value );
1228 if ( name && *name ) {
1229 rc = slap_str2ad( name, &b->a_group_at, &text );
1231 if( rc != LDAP_SUCCESS ) {
1232 char buf[ SLAP_TEXT_BUFLEN ];
1234 snprintf( buf, sizeof( buf ),
1235 "group \"%s\": %s.",
1237 Debug( LDAP_DEBUG_ANY,
1238 "%s: line %d: %s\n",
1239 fname, lineno, buf );
1245 rc = slap_str2ad( SLAPD_GROUP_ATTR, &b->a_group_at, &text );
1247 if ( rc != LDAP_SUCCESS ) {
1248 char buf[ SLAP_TEXT_BUFLEN ];
1250 snprintf( buf, sizeof( buf ),
1251 "group \"%s\": %s.",
1252 SLAPD_GROUP_ATTR, text );
1253 Debug( LDAP_DEBUG_ANY,
1254 "%s: line %d: %s\n",
1255 fname, lineno, buf );
1260 if ( !is_at_syntax( b->a_group_at->ad_type,
1261 SLAPD_DN_SYNTAX ) &&
1262 !is_at_syntax( b->a_group_at->ad_type,
1263 SLAPD_NAMEUID_SYNTAX ) &&
1264 !is_at_subtype( b->a_group_at->ad_type, slap_schema.si_ad_labeledURI->ad_type ) )
1266 char buf[ SLAP_TEXT_BUFLEN ];
1268 snprintf( buf, sizeof( buf ),
1269 "group \"%s\": inappropriate syntax: %s.",
1271 b->a_group_at->ad_type->sat_syntax_oid );
1272 Debug( LDAP_DEBUG_ANY,
1273 "%s: line %d: %s\n",
1274 fname, lineno, buf );
1281 ObjectClass *ocs[2];
1283 ocs[0] = b->a_group_oc;
1286 rc = oc_check_allowed( b->a_group_at->ad_type,
1290 char buf[ SLAP_TEXT_BUFLEN ];
1292 snprintf( buf, sizeof( buf ),
1293 "group: \"%s\" not allowed by \"%s\".",
1294 b->a_group_at->ad_cname.bv_val,
1295 b->a_group_oc->soc_oid );
1296 Debug( LDAP_DEBUG_ANY, "%s: line %d: %s\n",
1297 fname, lineno, buf );
1304 if ( strcasecmp( left, "peername" ) == 0 ) {
1306 case ACL_STYLE_REGEX:
1307 case ACL_STYLE_BASE:
1308 /* legal, traditional */
1309 case ACL_STYLE_EXPAND:
1310 /* cheap replacement to regex for simple expansion */
1312 case ACL_STYLE_IPV6:
1313 case ACL_STYLE_PATH:
1314 /* legal, peername specific */
1318 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1319 "inappropriate style \"%s\" in by clause.\n",
1320 fname, lineno, style );
1324 if ( right == NULL || right[0] == '\0' ) {
1325 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1326 "missing \"=\" in (or value after) \"%s\" "
1328 fname, lineno, left );
1332 if ( !BER_BVISEMPTY( &b->a_peername_pat ) ) {
1333 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1334 "peername pattern already specified.\n",
1339 b->a_peername_style = sty;
1340 if ( sty == ACL_STYLE_REGEX ) {
1341 acl_regex_normalized_dn( right, &bv );
1342 if ( !ber_bvccmp( &bv, '*' ) ) {
1343 regtest( fname, lineno, bv.bv_val );
1345 b->a_peername_pat = bv;
1348 ber_str2bv( right, 0, 1, &b->a_peername_pat );
1350 if ( sty == ACL_STYLE_IP ) {
1355 split( right, '{', &addr, &port );
1356 split( addr, '%', &addr, &mask );
1358 b->a_peername_addr = inet_addr( addr );
1359 if ( b->a_peername_addr == (unsigned long)(-1) ) {
1360 /* illegal address */
1361 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1362 "illegal peername address \"%s\".\n",
1363 fname, lineno, addr );
1367 b->a_peername_mask = (unsigned long)(-1);
1368 if ( mask != NULL ) {
1369 b->a_peername_mask = inet_addr( mask );
1370 if ( b->a_peername_mask ==
1371 (unsigned long)(-1) )
1374 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1375 "illegal peername address mask "
1377 fname, lineno, mask );
1382 b->a_peername_port = -1;
1386 b->a_peername_port = strtol( port, &end, 10 );
1387 if ( end == port || end[0] != '}' ) {
1389 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1390 "illegal peername port specification "
1392 fname, lineno, port );
1397 #ifdef LDAP_PF_INET6
1398 } else if ( sty == ACL_STYLE_IPV6 ) {
1403 split( right, '{', &addr, &port );
1404 split( addr, '%', &addr, &mask );
1406 if ( inet_pton( AF_INET6, addr, &b->a_peername_addr6 ) != 1 ) {
1407 /* illegal address */
1408 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1409 "illegal peername address \"%s\".\n",
1410 fname, lineno, addr );
1414 if ( mask == NULL ) {
1415 mask = "FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF";
1418 if ( inet_pton( AF_INET6, mask, &b->a_peername_mask6 ) != 1 ) {
1420 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1421 "illegal peername address mask "
1423 fname, lineno, mask );
1427 b->a_peername_port = -1;
1431 b->a_peername_port = strtol( port, &end, 10 );
1432 if ( end == port || end[0] != '}' ) {
1434 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1435 "illegal peername port specification "
1437 fname, lineno, port );
1441 #endif /* LDAP_PF_INET6 */
1447 if ( strcasecmp( left, "sockname" ) == 0 ) {
1449 case ACL_STYLE_REGEX:
1450 case ACL_STYLE_BASE:
1451 /* legal, traditional */
1452 case ACL_STYLE_EXPAND:
1453 /* cheap replacement to regex for simple expansion */
1458 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1459 "inappropriate style \"%s\" in by clause\n",
1460 fname, lineno, style );
1464 if ( right == NULL || right[0] == '\0' ) {
1465 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1466 "missing \"=\" in (or value after) \"%s\" "
1468 fname, lineno, left );
1472 if ( !BER_BVISNULL( &b->a_sockname_pat ) ) {
1473 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1474 "sockname pattern already specified.\n",
1479 b->a_sockname_style = sty;
1480 if ( sty == ACL_STYLE_REGEX ) {
1481 acl_regex_normalized_dn( right, &bv );
1482 if ( !ber_bvccmp( &bv, '*' ) ) {
1483 regtest( fname, lineno, bv.bv_val );
1485 b->a_sockname_pat = bv;
1488 ber_str2bv( right, 0, 1, &b->a_sockname_pat );
1493 if ( strcasecmp( left, "domain" ) == 0 ) {
1495 case ACL_STYLE_REGEX:
1496 case ACL_STYLE_BASE:
1497 case ACL_STYLE_SUBTREE:
1498 /* legal, traditional */
1501 case ACL_STYLE_EXPAND:
1502 /* tolerated: means exact,expand */
1504 Debug( LDAP_DEBUG_ANY,
1506 "\"expand\" modifier "
1507 "with \"expand\" style.\n",
1510 sty = ACL_STYLE_BASE;
1516 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1517 "inappropriate style \"%s\" in by clause.\n",
1518 fname, lineno, style );
1522 if ( right == NULL || right[0] == '\0' ) {
1523 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1524 "missing \"=\" in (or value after) \"%s\" "
1526 fname, lineno, left );
1530 if ( !BER_BVISEMPTY( &b->a_domain_pat ) ) {
1531 Debug( LDAP_DEBUG_ANY,
1532 "%s: line %d: domain pattern already specified.\n",
1537 b->a_domain_style = sty;
1538 b->a_domain_expand = expand;
1539 if ( sty == ACL_STYLE_REGEX ) {
1540 acl_regex_normalized_dn( right, &bv );
1541 if ( !ber_bvccmp( &bv, '*' ) ) {
1542 regtest( fname, lineno, bv.bv_val );
1544 b->a_domain_pat = bv;
1547 ber_str2bv( right, 0, 1, &b->a_domain_pat );
1552 if ( strcasecmp( left, "sockurl" ) == 0 ) {
1554 case ACL_STYLE_REGEX:
1555 case ACL_STYLE_BASE:
1556 /* legal, traditional */
1557 case ACL_STYLE_EXPAND:
1558 /* cheap replacement to regex for simple expansion */
1563 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1564 "inappropriate style \"%s\" in by clause.\n",
1565 fname, lineno, style );
1569 if ( right == NULL || right[0] == '\0' ) {
1570 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1571 "missing \"=\" in (or value after) \"%s\" "
1573 fname, lineno, left );
1577 if ( !BER_BVISEMPTY( &b->a_sockurl_pat ) ) {
1578 Debug( LDAP_DEBUG_ANY,
1579 "%s: line %d: sockurl pattern already specified.\n",
1584 b->a_sockurl_style = sty;
1585 if ( sty == ACL_STYLE_REGEX ) {
1586 acl_regex_normalized_dn( right, &bv );
1587 if ( !ber_bvccmp( &bv, '*' ) ) {
1588 regtest( fname, lineno, bv.bv_val );
1590 b->a_sockurl_pat = bv;
1593 ber_str2bv( right, 0, 1, &b->a_sockurl_pat );
1598 if ( strcasecmp( left, "set" ) == 0 ) {
1601 case ACL_STYLE_REGEX:
1602 Debug( LDAP_DEBUG_CONFIG | LDAP_DEBUG_ACL,
1604 "deprecated set style "
1605 "\"regex\" in <by> clause; "
1606 "use \"expand\" instead.\n",
1608 sty = ACL_STYLE_EXPAND;
1611 case ACL_STYLE_BASE:
1612 case ACL_STYLE_EXPAND:
1616 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1617 "inappropriate style \"%s\" in by clause.\n",
1618 fname, lineno, style );
1622 if ( !BER_BVISEMPTY( &b->a_set_pat ) ) {
1623 Debug( LDAP_DEBUG_ANY,
1624 "%s: line %d: set attribute already specified.\n",
1629 if ( right == NULL || *right == '\0' ) {
1630 Debug( LDAP_DEBUG_ANY,
1631 "%s: line %d: no set is defined.\n",
1636 b->a_set_style = sty;
1637 ber_str2bv( right, 0, 1, &b->a_set_pat );
1647 #if 1 /* tolerate legacy "aci" <who> */
1648 if ( strcasecmp( left, "aci" ) == 0 ) {
1649 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1650 "undocumented deprecated \"aci\" directive "
1651 "is superseded by \"dynacl/aci\".\n",
1656 #endif /* tolerate legacy "aci" <who> */
1657 if ( strncasecmp( left, "dynacl/", STRLENOF( "dynacl/" ) ) == 0 ) {
1658 name = &left[ STRLENOF( "dynacl/" ) ];
1659 opts = strchr( name, '/' );
1667 if ( slap_dynacl_config( fname, lineno, b, name, opts, sty, right ) ) {
1668 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1669 "unable to configure dynacl \"%s\".\n",
1670 fname, lineno, name );
1677 #endif /* SLAP_DYNACL */
1679 if ( strcasecmp( left, "ssf" ) == 0 ) {
1680 if ( sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE ) {
1681 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1682 "inappropriate style \"%s\" in by clause.\n",
1683 fname, lineno, style );
1687 if ( b->a_authz.sai_ssf ) {
1688 Debug( LDAP_DEBUG_ANY,
1689 "%s: line %d: ssf attribute already specified.\n",
1694 if ( right == NULL || *right == '\0' ) {
1695 Debug( LDAP_DEBUG_ANY,
1696 "%s: line %d: no ssf is defined.\n",
1701 if ( lutil_atou( &b->a_authz.sai_ssf, right ) != 0 ) {
1702 Debug( LDAP_DEBUG_ANY,
1703 "%s: line %d: unable to parse ssf value (%s).\n",
1704 fname, lineno, right );
1708 if ( !b->a_authz.sai_ssf ) {
1709 Debug( LDAP_DEBUG_ANY,
1710 "%s: line %d: invalid ssf value (%s).\n",
1711 fname, lineno, right );
1717 if ( strcasecmp( left, "transport_ssf" ) == 0 ) {
1718 if ( sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE ) {
1719 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1720 "inappropriate style \"%s\" in by clause.\n",
1721 fname, lineno, style );
1725 if ( b->a_authz.sai_transport_ssf ) {
1726 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1727 "transport_ssf attribute already specified.\n",
1732 if ( right == NULL || *right == '\0' ) {
1733 Debug( LDAP_DEBUG_ANY,
1734 "%s: line %d: no transport_ssf is defined.\n",
1739 if ( lutil_atou( &b->a_authz.sai_transport_ssf, right ) != 0 ) {
1740 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1741 "unable to parse transport_ssf value (%s).\n",
1742 fname, lineno, right );
1746 if ( !b->a_authz.sai_transport_ssf ) {
1747 Debug( LDAP_DEBUG_ANY,
1748 "%s: line %d: invalid transport_ssf value (%s).\n",
1749 fname, lineno, right );
1755 if ( strcasecmp( left, "tls_ssf" ) == 0 ) {
1756 if ( sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE ) {
1757 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1758 "inappropriate style \"%s\" in by clause.\n",
1759 fname, lineno, style );
1763 if ( b->a_authz.sai_tls_ssf ) {
1764 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1765 "tls_ssf attribute already specified.\n",
1770 if ( right == NULL || *right == '\0' ) {
1771 Debug( LDAP_DEBUG_ANY,
1772 "%s: line %d: no tls_ssf is defined\n",
1777 if ( lutil_atou( &b->a_authz.sai_tls_ssf, right ) != 0 ) {
1778 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1779 "unable to parse tls_ssf value (%s).\n",
1780 fname, lineno, right );
1784 if ( !b->a_authz.sai_tls_ssf ) {
1785 Debug( LDAP_DEBUG_ANY,
1786 "%s: line %d: invalid tls_ssf value (%s).\n",
1787 fname, lineno, right );
1793 if ( strcasecmp( left, "sasl_ssf" ) == 0 ) {
1794 if ( sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE ) {
1795 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1796 "inappropriate style \"%s\" in by clause.\n",
1797 fname, lineno, style );
1801 if ( b->a_authz.sai_sasl_ssf ) {
1802 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1803 "sasl_ssf attribute already specified.\n",
1808 if ( right == NULL || *right == '\0' ) {
1809 Debug( LDAP_DEBUG_ANY,
1810 "%s: line %d: no sasl_ssf is defined.\n",
1815 if ( lutil_atou( &b->a_authz.sai_sasl_ssf, right ) != 0 ) {
1816 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1817 "unable to parse sasl_ssf value (%s).\n",
1818 fname, lineno, right );
1822 if ( !b->a_authz.sai_sasl_ssf ) {
1823 Debug( LDAP_DEBUG_ANY,
1824 "%s: line %d: invalid sasl_ssf value (%s).\n",
1825 fname, lineno, right );
1831 if ( right != NULL ) {
1838 if ( i == argc || ( strcasecmp( left, "stop" ) == 0 ) ) {
1839 /* out of arguments or plain stop */
1841 ACL_PRIV_ASSIGN( b->a_access_mask, ACL_PRIV_ADDITIVE );
1842 ACL_PRIV_SET( b->a_access_mask, ACL_PRIV_NONE);
1843 b->a_type = ACL_STOP;
1845 access_append( &a->acl_access, b );
1849 if ( strcasecmp( left, "continue" ) == 0 ) {
1850 /* plain continue */
1852 ACL_PRIV_ASSIGN( b->a_access_mask, ACL_PRIV_ADDITIVE );
1853 ACL_PRIV_SET( b->a_access_mask, ACL_PRIV_NONE);
1854 b->a_type = ACL_CONTINUE;
1856 access_append( &a->acl_access, b );
1860 if ( strcasecmp( left, "break" ) == 0 ) {
1861 /* plain continue */
1863 ACL_PRIV_ASSIGN(b->a_access_mask, ACL_PRIV_ADDITIVE);
1864 ACL_PRIV_SET( b->a_access_mask, ACL_PRIV_NONE);
1865 b->a_type = ACL_BREAK;
1867 access_append( &a->acl_access, b );
1871 if ( strcasecmp( left, "by" ) == 0 ) {
1872 /* we've gone too far */
1874 ACL_PRIV_ASSIGN( b->a_access_mask, ACL_PRIV_ADDITIVE );
1875 ACL_PRIV_SET( b->a_access_mask, ACL_PRIV_NONE);
1876 b->a_type = ACL_STOP;
1878 access_append( &a->acl_access, b );
1886 if ( strncasecmp( left, "self", STRLENOF( "self" ) ) == 0 ) {
1888 lleft = &left[ STRLENOF( "self" ) ];
1890 } else if ( strncasecmp( left, "realself", STRLENOF( "realself" ) ) == 0 ) {
1891 b->a_realdn_self = 1;
1892 lleft = &left[ STRLENOF( "realself" ) ];
1895 ACL_PRIV_ASSIGN( b->a_access_mask, str2accessmask( lleft ) );
1898 if ( ACL_IS_INVALID( b->a_access_mask ) ) {
1899 Debug( LDAP_DEBUG_ANY,
1900 "%s: line %d: expecting <access> got \"%s\".\n",
1901 fname, lineno, left );
1905 b->a_type = ACL_STOP;
1907 if ( ++i == argc ) {
1908 /* out of arguments or plain stop */
1909 access_append( &a->acl_access, b );
1913 if ( strcasecmp( argv[i], "continue" ) == 0 ) {
1914 /* plain continue */
1915 b->a_type = ACL_CONTINUE;
1917 } else if ( strcasecmp( argv[i], "break" ) == 0 ) {
1918 /* plain continue */
1919 b->a_type = ACL_BREAK;
1921 } else if ( strcasecmp( argv[i], "stop" ) != 0 ) {
1926 access_append( &a->acl_access, b );
1930 Debug( LDAP_DEBUG_ANY,
1931 "%s: line %d: expecting \"to\" "
1932 "or \"by\" got \"%s\"\n",
1933 fname, lineno, argv[i] );
1938 /* if we have no real access clause, complain and do nothing */
1940 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1941 "warning: no access clause(s) specified in access line.\n",
1947 if ( slap_debug & LDAP_DEBUG_ACL ) {
1952 if ( a->acl_access == NULL ) {
1953 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1954 "warning: no by clause(s) specified in access line.\n",
1960 if ( be->be_nsuffix == NULL ) {
1961 Debug( LDAP_DEBUG_ACL, "%s: line %d: warning: "
1962 "scope checking needs suffix before ACLs.\n",
1964 /* go ahead, since checking is not authoritative */
1965 } else if ( !BER_BVISNULL( &be->be_nsuffix[ 1 ] ) ) {
1966 Debug( LDAP_DEBUG_ACL, "%s: line %d: warning: "
1967 "scope checking only applies to single-valued "
1968 "suffix databases\n",
1970 /* go ahead, since checking is not authoritative */
1972 switch ( check_scope( be, a ) ) {
1973 case ACL_SCOPE_UNKNOWN:
1974 Debug( LDAP_DEBUG_ACL, "%s: line %d: warning: "
1975 "cannot assess the validity of the ACL scope within "
1976 "backend naming context\n",
1980 case ACL_SCOPE_WARN:
1981 Debug( LDAP_DEBUG_ACL, "%s: line %d: warning: "
1982 "ACL could be out of scope within backend naming context\n",
1986 case ACL_SCOPE_PARTIAL:
1987 Debug( LDAP_DEBUG_ACL, "%s: line %d: warning: "
1988 "ACL appears to be partially out of scope within "
1989 "backend naming context\n",
1994 Debug( LDAP_DEBUG_ACL, "%s: line %d: warning: "
1995 "ACL appears to be out of scope within "
1996 "backend naming context\n",
2004 acl_append( &be->be_acl, a, pos );
2007 acl_append( &frontendDB->be_acl, a, pos );
2014 if ( b ) access_free( b );
2015 if ( a ) acl_free( a );
2020 accessmask2str( slap_mask_t mask, char *buf, int debug )
2025 assert( buf != NULL );
2027 if ( ACL_IS_INVALID( mask ) ) {
2033 if ( ACL_IS_LEVEL( mask ) ) {
2034 if ( ACL_LVL_IS_NONE(mask) ) {
2035 ptr = lutil_strcopy( ptr, "none" );
2037 } else if ( ACL_LVL_IS_DISCLOSE(mask) ) {
2038 ptr = lutil_strcopy( ptr, "disclose" );
2040 } else if ( ACL_LVL_IS_AUTH(mask) ) {
2041 ptr = lutil_strcopy( ptr, "auth" );
2043 } else if ( ACL_LVL_IS_COMPARE(mask) ) {
2044 ptr = lutil_strcopy( ptr, "compare" );
2046 } else if ( ACL_LVL_IS_SEARCH(mask) ) {
2047 ptr = lutil_strcopy( ptr, "search" );
2049 } else if ( ACL_LVL_IS_READ(mask) ) {
2050 ptr = lutil_strcopy( ptr, "read" );
2052 } else if ( ACL_LVL_IS_WRITE(mask) ) {
2053 ptr = lutil_strcopy( ptr, "write" );
2055 } else if ( ACL_LVL_IS_WADD(mask) ) {
2056 ptr = lutil_strcopy( ptr, "add" );
2058 } else if ( ACL_LVL_IS_WDEL(mask) ) {
2059 ptr = lutil_strcopy( ptr, "delete" );
2061 } else if ( ACL_LVL_IS_MANAGE(mask) ) {
2062 ptr = lutil_strcopy( ptr, "manage" );
2065 ptr = lutil_strcopy( ptr, "unknown" );
2075 if( ACL_IS_ADDITIVE( mask ) ) {
2078 } else if( ACL_IS_SUBTRACTIVE( mask ) ) {
2085 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_MANAGE) ) {
2090 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_WRITE) ) {
2094 } else if ( ACL_PRIV_ISSET(mask, ACL_PRIV_WADD) ) {
2098 } else if ( ACL_PRIV_ISSET(mask, ACL_PRIV_WDEL) ) {
2103 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_READ) ) {
2108 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_SEARCH) ) {
2113 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_COMPARE) ) {
2118 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_AUTH) ) {
2123 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_DISCLOSE) ) {
2128 if ( none && ACL_PRIV_ISSET(mask, ACL_PRIV_NONE) ) {
2137 if ( ACL_IS_LEVEL( mask ) ) {
2147 str2accessmask( const char *str )
2151 if( !ASCII_ALPHA(str[0]) ) {
2154 if ( str[0] == '=' ) {
2157 } else if( str[0] == '+' ) {
2158 ACL_PRIV_ASSIGN(mask, ACL_PRIV_ADDITIVE);
2160 } else if( str[0] == '-' ) {
2161 ACL_PRIV_ASSIGN(mask, ACL_PRIV_SUBSTRACTIVE);
2164 ACL_INVALIDATE(mask);
2168 for( i=1; str[i] != '\0'; i++ ) {
2169 if( TOLOWER((unsigned char) str[i]) == 'm' ) {
2170 ACL_PRIV_SET(mask, ACL_PRIV_MANAGE);
2172 } else if( TOLOWER((unsigned char) str[i]) == 'w' ) {
2173 ACL_PRIV_SET(mask, ACL_PRIV_WRITE);
2175 } else if( TOLOWER((unsigned char) str[i]) == 'a' ) {
2176 ACL_PRIV_SET(mask, ACL_PRIV_WADD);
2178 } else if( TOLOWER((unsigned char) str[i]) == 'z' ) {
2179 ACL_PRIV_SET(mask, ACL_PRIV_WDEL);
2181 } else if( TOLOWER((unsigned char) str[i]) == 'r' ) {
2182 ACL_PRIV_SET(mask, ACL_PRIV_READ);
2184 } else if( TOLOWER((unsigned char) str[i]) == 's' ) {
2185 ACL_PRIV_SET(mask, ACL_PRIV_SEARCH);
2187 } else if( TOLOWER((unsigned char) str[i]) == 'c' ) {
2188 ACL_PRIV_SET(mask, ACL_PRIV_COMPARE);
2190 } else if( TOLOWER((unsigned char) str[i]) == 'x' ) {
2191 ACL_PRIV_SET(mask, ACL_PRIV_AUTH);
2193 } else if( TOLOWER((unsigned char) str[i]) == 'd' ) {
2194 ACL_PRIV_SET(mask, ACL_PRIV_DISCLOSE);
2196 } else if( str[i] == '0' ) {
2197 ACL_PRIV_SET(mask, ACL_PRIV_NONE);
2200 ACL_INVALIDATE(mask);
2208 if ( strcasecmp( str, "none" ) == 0 ) {
2209 ACL_LVL_ASSIGN_NONE(mask);
2211 } else if ( strcasecmp( str, "disclose" ) == 0 ) {
2212 ACL_LVL_ASSIGN_DISCLOSE(mask);
2214 } else if ( strcasecmp( str, "auth" ) == 0 ) {
2215 ACL_LVL_ASSIGN_AUTH(mask);
2217 } else if ( strcasecmp( str, "compare" ) == 0 ) {
2218 ACL_LVL_ASSIGN_COMPARE(mask);
2220 } else if ( strcasecmp( str, "search" ) == 0 ) {
2221 ACL_LVL_ASSIGN_SEARCH(mask);
2223 } else if ( strcasecmp( str, "read" ) == 0 ) {
2224 ACL_LVL_ASSIGN_READ(mask);
2226 } else if ( strcasecmp( str, "add" ) == 0 ) {
2227 ACL_LVL_ASSIGN_WADD(mask);
2229 } else if ( strcasecmp( str, "delete" ) == 0 ) {
2230 ACL_LVL_ASSIGN_WDEL(mask);
2232 } else if ( strcasecmp( str, "write" ) == 0 ) {
2233 ACL_LVL_ASSIGN_WRITE(mask);
2235 } else if ( strcasecmp( str, "manage" ) == 0 ) {
2236 ACL_LVL_ASSIGN_MANAGE(mask);
2239 ACL_INVALIDATE( mask );
2249 "<access clause> ::= access to <what> "
2250 "[ by <who> [ <access> ] [ <control> ] ]+ \n";
2252 "<what> ::= * | dn[.<dnstyle>=<DN>] [filter=<filter>] [attrs=<attrspec>]\n"
2253 "<attrspec> ::= <attrname> [val[/<matchingRule>][.<attrstyle>]=<value>] | <attrlist>\n"
2254 "<attrlist> ::= <attr> [ , <attrlist> ]\n"
2255 "<attr> ::= <attrname> | @<objectClass> | !<objectClass> | entry | children\n";
2258 "<who> ::= [ * | anonymous | users | self | dn[.<dnstyle>]=<DN> ]\n"
2259 "\t[ realanonymous | realusers | realself | realdn[.<dnstyle>]=<DN> ]\n"
2260 "\t[dnattr=<attrname>]\n"
2261 "\t[realdnattr=<attrname>]\n"
2262 "\t[group[/<objectclass>[/<attrname>]][.<style>]=<group>]\n"
2263 "\t[peername[.<peernamestyle>]=<peer>] [sockname[.<style>]=<name>]\n"
2264 "\t[domain[.<domainstyle>]=<domain>] [sockurl[.<style>]=<url>]\n"
2266 "\t[dynacl/<name>[/<options>][.<dynstyle>][=<pattern>]]\n"
2267 #endif /* SLAP_DYNACL */
2268 "\t[ssf=<n>] [transport_ssf=<n>] [tls_ssf=<n>] [sasl_ssf=<n>]\n"
2269 "<style> ::= exact | regex | base(Object)\n"
2270 "<dnstyle> ::= base(Object) | one(level) | sub(tree) | children | "
2272 "<attrstyle> ::= exact | regex | base(Object) | one(level) | "
2273 "sub(tree) | children\n"
2274 "<peernamestyle> ::= exact | regex | ip | path\n"
2275 "<domainstyle> ::= exact | regex | base(Object) | sub(tree)\n"
2276 "<access> ::= [[real]self]{<level>|<priv>}\n"
2277 "<level> ::= none|disclose|auth|compare|search|read|{write|add|delete}|manage\n"
2278 "<priv> ::= {=|+|-}{0|d|x|c|s|r|{w|a|z}|m}+\n"
2279 "<control> ::= [ stop | continue | break ]\n"
2281 #ifdef SLAPD_ACI_ENABLED
2283 "\t<name>=ACI\t<pattern>=<attrname>\n"
2284 #endif /* SLAPD_ACI_ENABLED */
2285 #endif /* ! SLAP_DYNACL */
2288 Debug( LDAP_DEBUG_ANY, "%s%s%s\n", access, what, who );
2294 * Set pattern to a "normalized" DN from src.
2295 * At present it simply eats the (optional) space after
2296 * a RDN separator (,)
2297 * Eventually will evolve in a more complete normalization
2300 acl_regex_normalized_dn(
2302 struct berval *pattern )
2307 str = ch_strdup( src );
2308 len = strlen( src );
2310 for ( p = str; p && p[0]; p++ ) {
2312 if ( p[0] == '\\' && p[1] ) {
2314 * if escaping a hex pair we should
2315 * increment p twice; however, in that
2316 * case the second hex number does
2322 if ( p[0] == ',' && p[1] == ' ' ) {
2326 * too much space should be an error if we are pedantic
2328 for ( q = &p[2]; q[0] == ' '; q++ ) {
2331 AC_MEMCPY( p+1, q, len-(q-str)+1);
2334 pattern->bv_val = str;
2335 pattern->bv_len = p - str;
2348 if ( (*right = strchr( line, splitchar )) != NULL ) {
2349 *((*right)++) = '\0';
2354 access_append( Access **l, Access *a )
2356 for ( ; *l != NULL; l = &(*l)->a_next ) {
2364 acl_append( AccessControl **l, AccessControl *a, int pos )
2368 for (i=0 ; i != pos && *l != NULL; l = &(*l)->acl_next, i++ ) {
2377 access_free( Access *a )
2379 if ( !BER_BVISNULL( &a->a_dn_pat ) ) {
2380 free( a->a_dn_pat.bv_val );
2382 if ( !BER_BVISNULL( &a->a_realdn_pat ) ) {
2383 free( a->a_realdn_pat.bv_val );
2385 if ( !BER_BVISNULL( &a->a_peername_pat ) ) {
2386 free( a->a_peername_pat.bv_val );
2388 if ( !BER_BVISNULL( &a->a_sockname_pat ) ) {
2389 free( a->a_sockname_pat.bv_val );
2391 if ( !BER_BVISNULL( &a->a_domain_pat ) ) {
2392 free( a->a_domain_pat.bv_val );
2394 if ( !BER_BVISNULL( &a->a_sockurl_pat ) ) {
2395 free( a->a_sockurl_pat.bv_val );
2397 if ( !BER_BVISNULL( &a->a_set_pat ) ) {
2398 free( a->a_set_pat.bv_val );
2400 if ( !BER_BVISNULL( &a->a_group_pat ) ) {
2401 free( a->a_group_pat.bv_val );
2404 if ( a->a_dynacl != NULL ) {
2406 for ( da = a->a_dynacl; da; ) {
2407 slap_dynacl_t *tmp = da;
2411 if ( tmp->da_destroy ) {
2412 tmp->da_destroy( tmp->da_private );
2418 #endif /* SLAP_DYNACL */
2423 acl_free( AccessControl *a )
2428 if ( a->acl_filter ) {
2429 filter_free( a->acl_filter );
2431 if ( !BER_BVISNULL( &a->acl_dn_pat ) ) {
2432 if ( a->acl_dn_style == ACL_STYLE_REGEX ) {
2433 regfree( &a->acl_dn_re );
2435 free ( a->acl_dn_pat.bv_val );
2437 if ( a->acl_attrs ) {
2438 for ( an = a->acl_attrs; !BER_BVISNULL( &an->an_name ); an++ ) {
2439 free( an->an_name.bv_val );
2441 free( a->acl_attrs );
2443 if ( a->acl_attrval_style == ACL_STYLE_REGEX ) {
2444 regfree( &a->acl_attrval_re );
2447 if ( !BER_BVISNULL( &a->acl_attrval ) ) {
2448 ber_memfree( a->acl_attrval.bv_val );
2451 for ( ; a->acl_access; a->acl_access = n ) {
2452 n = a->acl_access->a_next;
2453 access_free( a->acl_access );
2458 /* Because backend_startup uses acl_append to tack on the global_acl to
2459 * the end of each backend's acl, we cannot just take one argument and
2460 * merrily free our way to the end of the list. backend_destroy calls us
2461 * with the be_acl in arg1, and global_acl in arg2 to give us a stopping
2462 * point. config_destroy calls us with global_acl in arg1 and NULL in
2463 * arg2, so we then proceed to polish off the global_acl.
2466 acl_destroy( AccessControl *a, AccessControl *end )
2470 for ( ; a && a != end; a = n ) {
2477 access2str( slap_access_t access )
2479 if ( access == ACL_NONE ) {
2482 } else if ( access == ACL_DISCLOSE ) {
2485 } else if ( access == ACL_AUTH ) {
2488 } else if ( access == ACL_COMPARE ) {
2491 } else if ( access == ACL_SEARCH ) {
2494 } else if ( access == ACL_READ ) {
2497 } else if ( access == ACL_WRITE ) {
2500 } else if ( access == ACL_WADD ) {
2503 } else if ( access == ACL_WDEL ) {
2506 } else if ( access == ACL_MANAGE ) {
2515 str2access( const char *str )
2517 if ( strcasecmp( str, "none" ) == 0 ) {
2520 } else if ( strcasecmp( str, "disclose" ) == 0 ) {
2521 return ACL_DISCLOSE;
2523 } else if ( strcasecmp( str, "auth" ) == 0 ) {
2526 } else if ( strcasecmp( str, "compare" ) == 0 ) {
2529 } else if ( strcasecmp( str, "search" ) == 0 ) {
2532 } else if ( strcasecmp( str, "read" ) == 0 ) {
2535 } else if ( strcasecmp( str, "write" ) == 0 ) {
2538 } else if ( strcasecmp( str, "add" ) == 0 ) {
2541 } else if ( strcasecmp( str, "delete" ) == 0 ) {
2544 } else if ( strcasecmp( str, "manage" ) == 0 ) {
2548 return( ACL_INVALID_ACCESS );
2551 #define ACLBUF_MAXLEN 8192
2553 static char aclbuf[ACLBUF_MAXLEN];
2556 dnaccess2text( slap_dn_access *bdn, char *ptr, int is_realdn )
2561 ptr = lutil_strcopy( ptr, "real" );
2564 if ( ber_bvccmp( &bdn->a_pat, '*' ) ||
2565 bdn->a_style == ACL_STYLE_ANONYMOUS ||
2566 bdn->a_style == ACL_STYLE_USERS ||
2567 bdn->a_style == ACL_STYLE_SELF )
2570 assert( ! ber_bvccmp( &bdn->a_pat, '*' ) );
2573 ptr = lutil_strcopy( ptr, bdn->a_pat.bv_val );
2574 if ( bdn->a_style == ACL_STYLE_SELF && bdn->a_self_level != 0 ) {
2575 int n = sprintf( ptr, ".level{%d}", bdn->a_self_level );
2582 ptr = lutil_strcopy( ptr, "dn." );
2583 if ( bdn->a_style == ACL_STYLE_BASE )
2584 ptr = lutil_strcopy( ptr, style_base );
2586 ptr = lutil_strcopy( ptr, style_strings[bdn->a_style] );
2587 if ( bdn->a_style == ACL_STYLE_LEVEL ) {
2588 int n = sprintf( ptr, "{%d}", bdn->a_level );
2593 if ( bdn->a_expand ) {
2594 ptr = lutil_strcopy( ptr, ",expand" );
2598 ptr = lutil_strcopy( ptr, bdn->a_pat.bv_val );
2605 access2text( Access *b, char *ptr )
2607 char maskbuf[ACCESSMASK_MAXLEN];
2609 ptr = lutil_strcopy( ptr, "\tby" );
2611 if ( !BER_BVISEMPTY( &b->a_dn_pat ) ) {
2612 ptr = dnaccess2text( &b->a_dn, ptr, 0 );
2615 ptr = lutil_strcopy( ptr, " dnattr=" );
2616 ptr = lutil_strcopy( ptr, b->a_dn_at->ad_cname.bv_val );
2619 if ( !BER_BVISEMPTY( &b->a_realdn_pat ) ) {
2620 ptr = dnaccess2text( &b->a_realdn, ptr, 1 );
2622 if ( b->a_realdn_at ) {
2623 ptr = lutil_strcopy( ptr, " realdnattr=" );
2624 ptr = lutil_strcopy( ptr, b->a_realdn_at->ad_cname.bv_val );
2627 if ( !BER_BVISEMPTY( &b->a_group_pat ) ) {
2628 ptr = lutil_strcopy( ptr, " group/" );
2629 ptr = lutil_strcopy( ptr, b->a_group_oc ?
2630 b->a_group_oc->soc_cname.bv_val : SLAPD_GROUP_CLASS );
2632 ptr = lutil_strcopy( ptr, b->a_group_at ?
2633 b->a_group_at->ad_cname.bv_val : SLAPD_GROUP_ATTR );
2635 ptr = lutil_strcopy( ptr, style_strings[b->a_group_style] );
2638 ptr = lutil_strcopy( ptr, b->a_group_pat.bv_val );
2642 if ( !BER_BVISEMPTY( &b->a_peername_pat ) ) {
2643 ptr = lutil_strcopy( ptr, " peername" );
2645 ptr = lutil_strcopy( ptr, style_strings[b->a_peername_style] );
2648 ptr = lutil_strcopy( ptr, b->a_peername_pat.bv_val );
2652 if ( !BER_BVISEMPTY( &b->a_sockname_pat ) ) {
2653 ptr = lutil_strcopy( ptr, " sockname" );
2655 ptr = lutil_strcopy( ptr, style_strings[b->a_sockname_style] );
2658 ptr = lutil_strcopy( ptr, b->a_sockname_pat.bv_val );
2662 if ( !BER_BVISEMPTY( &b->a_domain_pat ) ) {
2663 ptr = lutil_strcopy( ptr, " domain" );
2665 ptr = lutil_strcopy( ptr, style_strings[b->a_domain_style] );
2666 if ( b->a_domain_expand ) {
2667 ptr = lutil_strcopy( ptr, ",expand" );
2670 ptr = lutil_strcopy( ptr, b->a_domain_pat.bv_val );
2673 if ( !BER_BVISEMPTY( &b->a_sockurl_pat ) ) {
2674 ptr = lutil_strcopy( ptr, " sockurl" );
2676 ptr = lutil_strcopy( ptr, style_strings[b->a_sockurl_style] );
2679 ptr = lutil_strcopy( ptr, b->a_sockurl_pat.bv_val );
2683 if ( !BER_BVISEMPTY( &b->a_set_pat ) ) {
2684 ptr = lutil_strcopy( ptr, " set" );
2686 ptr = lutil_strcopy( ptr, style_strings[b->a_set_style] );
2689 ptr = lutil_strcopy( ptr, b->a_set_pat.bv_val );
2694 if ( b->a_dynacl ) {
2697 for ( da = b->a_dynacl; da; da = da->da_next ) {
2698 if ( da->da_unparse ) {
2699 struct berval bv = BER_BVNULL;
2700 (void)( *da->da_unparse )( da->da_private, &bv );
2701 assert( !BER_BVISNULL( &bv ) );
2702 ptr = lutil_strcopy( ptr, bv.bv_val );
2703 ch_free( bv.bv_val );
2707 #endif /* SLAP_DYNACL */
2709 /* Security Strength Factors */
2710 if ( b->a_authz.sai_ssf ) {
2711 ptr += sprintf( ptr, " ssf=%u",
2712 b->a_authz.sai_ssf );
2714 if ( b->a_authz.sai_transport_ssf ) {
2715 ptr += sprintf( ptr, " transport_ssf=%u",
2716 b->a_authz.sai_transport_ssf );
2718 if ( b->a_authz.sai_tls_ssf ) {
2719 ptr += sprintf( ptr, " tls_ssf=%u",
2720 b->a_authz.sai_tls_ssf );
2722 if ( b->a_authz.sai_sasl_ssf ) {
2723 ptr += sprintf( ptr, " sasl_ssf=%u",
2724 b->a_authz.sai_sasl_ssf );
2728 if ( b->a_dn_self ) {
2729 ptr = lutil_strcopy( ptr, "self" );
2730 } else if ( b->a_realdn_self ) {
2731 ptr = lutil_strcopy( ptr, "realself" );
2733 ptr = lutil_strcopy( ptr, accessmask2str( b->a_access_mask, maskbuf, 0 ));
2734 if ( !maskbuf[0] ) ptr--;
2736 if( b->a_type == ACL_BREAK ) {
2737 ptr = lutil_strcopy( ptr, " break" );
2739 } else if( b->a_type == ACL_CONTINUE ) {
2740 ptr = lutil_strcopy( ptr, " continue" );
2742 } else if( b->a_type != ACL_STOP ) {
2743 ptr = lutil_strcopy( ptr, " unknown-control" );
2745 if ( !maskbuf[0] ) ptr = lutil_strcopy( ptr, " stop" );
2753 acl_unparse( AccessControl *a, struct berval *bv )
2759 bv->bv_val = aclbuf;
2764 ptr = lutil_strcopy( ptr, "to" );
2765 if ( !BER_BVISNULL( &a->acl_dn_pat ) ) {
2767 ptr = lutil_strcopy( ptr, " dn." );
2768 if ( a->acl_dn_style == ACL_STYLE_BASE )
2769 ptr = lutil_strcopy( ptr, style_base );
2771 ptr = lutil_strcopy( ptr, style_strings[a->acl_dn_style] );
2774 ptr = lutil_strcopy( ptr, a->acl_dn_pat.bv_val );
2775 ptr = lutil_strcopy( ptr, "\"\n" );
2778 if ( a->acl_filter != NULL ) {
2779 struct berval bv = BER_BVNULL;
2782 filter2bv( a->acl_filter, &bv );
2783 ptr = lutil_strcopy( ptr, " filter=\"" );
2784 ptr = lutil_strcopy( ptr, bv.bv_val );
2787 ch_free( bv.bv_val );
2790 if ( a->acl_attrs != NULL ) {
2795 ptr = lutil_strcopy( ptr, " attrs=" );
2796 for ( an = a->acl_attrs; an && !BER_BVISNULL( &an->an_name ); an++ ) {
2797 if ( ! first ) *ptr++ = ',';
2799 *ptr++ = an->an_oc_exclude ? '!' : '@';
2800 ptr = lutil_strcopy( ptr, an->an_oc->soc_cname.bv_val );
2803 ptr = lutil_strcopy( ptr, an->an_name.bv_val );
2810 if ( !BER_BVISEMPTY( &a->acl_attrval ) ) {
2812 ptr = lutil_strcopy( ptr, " val." );
2813 if ( a->acl_attrval_style == ACL_STYLE_BASE &&
2814 a->acl_attrs[0].an_desc->ad_type->sat_syntax ==
2815 slap_schema.si_syn_distinguishedName )
2816 ptr = lutil_strcopy( ptr, style_base );
2818 ptr = lutil_strcopy( ptr, style_strings[a->acl_attrval_style] );
2821 ptr = lutil_strcopy( ptr, a->acl_attrval.bv_val );
2827 ptr = lutil_strcopy( ptr, " *\n" );
2830 for ( b = a->acl_access; b != NULL; b = b->a_next ) {
2831 ptr = access2text( b, ptr );
2834 bv->bv_len = ptr - bv->bv_val;
2839 print_acl( Backend *be, AccessControl *a )
2843 acl_unparse( a, &bv );
2844 fprintf( stderr, "%s ACL: access %s\n",
2845 be == NULL ? "Global" : "Backend", bv.bv_val );
2847 #endif /* LDAP_DEBUG */