1 /* aclparse.c - routines to parse and check acl's */
3 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
5 * Copyright 1998-2010 The OpenLDAP Foundation.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted only as authorized by the OpenLDAP
12 * A copy of this license is available in the file LICENSE in the
13 * top-level directory of the distribution or, alternatively, at
14 * <http://www.OpenLDAP.org/license.html>.
16 /* Portions Copyright (c) 1995 Regents of the University of Michigan.
17 * All rights reserved.
19 * Redistribution and use in source and binary forms are permitted
20 * provided that this notice is preserved and that due credit is given
21 * to the University of Michigan at Ann Arbor. The name of the University
22 * may not be used to endorse or promote products derived from this
23 * software without specific prior written permission. This software
24 * is provided ``as is'' without express or implied warranty.
33 #include <ac/socket.h>
34 #include <ac/string.h>
35 #include <ac/unistd.h>
41 static const char style_base[] = "base";
42 const char *style_strings[] = {
60 static void split(char *line, int splitchar, char **left, char **right);
61 static void access_append(Access **l, Access *a);
62 static void access_free( Access *a );
63 static int acl_usage(void);
65 static void acl_regex_normalized_dn(const char *src, struct berval *pat);
68 static void print_acl(Backend *be, AccessControl *a);
71 static int check_scope( BackendDB *be, AccessControl *a );
84 slap_dynacl_t *da, *tmp;
87 for ( da = b->a_dynacl; da; da = da->da_next ) {
88 if ( strcasecmp( da->da_name, name ) == 0 ) {
89 Debug( LDAP_DEBUG_ANY,
90 "%s: line %d: dynacl \"%s\" already specified.\n",
91 fname, lineno, name );
96 da = slap_dynacl_get( name );
101 tmp = ch_malloc( sizeof( slap_dynacl_t ) );
104 if ( tmp->da_parse ) {
105 rc = ( *tmp->da_parse )( fname, lineno, opts, sty, right, &tmp->da_private );
112 tmp->da_next = b->a_dynacl;
117 #endif /* SLAP_DYNACL */
120 regtest(const char *fname, int lineno, char *pat) {
124 char buf[ SLAP_TEXT_BUFLEN ];
136 for (size = 0, flag = 0; (size < sizeof(buf)) && *sp; sp++) {
138 if (*sp == '$'|| (*sp >= '0' && *sp <= '9')) {
155 if ( size >= (sizeof(buf) - 1) ) {
156 Debug( LDAP_DEBUG_ANY,
157 "%s: line %d: regular expression \"%s\" too large\n",
158 fname, lineno, pat );
160 exit( EXIT_FAILURE );
163 if ((e = regcomp(&re, buf, REG_EXTENDED|REG_ICASE))) {
164 char error[ SLAP_TEXT_BUFLEN ];
166 regerror(e, &re, error, sizeof(error));
168 snprintf( buf, sizeof( buf ),
169 "regular expression \"%s\" bad because of %s",
171 Debug( LDAP_DEBUG_ANY,
173 fname, lineno, buf );
175 exit( EXIT_FAILURE );
183 * Check if the pattern of an ACL, if any, matches the scope
184 * of the backend it is defined within.
186 #define ACL_SCOPE_UNKNOWN (-2)
187 #define ACL_SCOPE_ERR (-1)
188 #define ACL_SCOPE_OK (0)
189 #define ACL_SCOPE_PARTIAL (1)
190 #define ACL_SCOPE_WARN (2)
193 check_scope( BackendDB *be, AccessControl *a )
198 dn = be->be_nsuffix[0];
200 if ( BER_BVISEMPTY( &dn ) ) {
204 if ( !BER_BVISEMPTY( &a->acl_dn_pat ) ||
205 a->acl_dn_style != ACL_STYLE_REGEX )
207 slap_style_t style = a->acl_dn_style;
209 if ( style == ACL_STYLE_REGEX ) {
210 char dnbuf[SLAP_LDAPDN_MAXLEN + 2];
211 char rebuf[SLAP_LDAPDN_MAXLEN + 1];
216 /* add trailing '$' to database suffix to form
217 * a simple trial regex pattern "<suffix>$" */
218 AC_MEMCPY( dnbuf, be->be_nsuffix[0].bv_val,
219 be->be_nsuffix[0].bv_len );
220 dnbuf[be->be_nsuffix[0].bv_len] = '$';
221 dnbuf[be->be_nsuffix[0].bv_len + 1] = '\0';
223 if ( regcomp( &re, dnbuf, REG_EXTENDED|REG_ICASE ) ) {
224 return ACL_SCOPE_WARN;
227 /* remove trailing ')$', if any, from original
229 rebuflen = a->acl_dn_pat.bv_len;
230 AC_MEMCPY( rebuf, a->acl_dn_pat.bv_val, rebuflen + 1 );
231 if ( rebuf[rebuflen - 1] == '$' ) {
232 rebuf[--rebuflen] = '\0';
234 while ( rebuflen > be->be_nsuffix[0].bv_len && rebuf[rebuflen - 1] == ')' ) {
235 rebuf[--rebuflen] = '\0';
237 if ( rebuflen == be->be_nsuffix[0].bv_len ) {
242 /* not a clear indication of scoping error, though */
243 rc = regexec( &re, rebuf, 0, NULL, 0 )
244 ? ACL_SCOPE_WARN : ACL_SCOPE_OK;
251 patlen = a->acl_dn_pat.bv_len;
252 /* If backend suffix is longer than pattern,
253 * it is a potential mismatch (in the sense
254 * that a superior naming context could
256 if ( dn.bv_len > patlen ) {
257 /* base is blatantly wrong */
258 if ( style == ACL_STYLE_BASE ) return ACL_SCOPE_ERR;
260 /* a style of one can be wrong if there is
261 * more than one level between the suffix
263 if ( style == ACL_STYLE_ONE ) {
264 ber_len_t rdnlen = 0;
268 if ( !DN_SEPARATOR( dn.bv_val[dn.bv_len - patlen - 1] )) {
269 return ACL_SCOPE_ERR;
274 rdnlen = dn_rdnlen( NULL, &dn );
275 if ( rdnlen != dn.bv_len - patlen - sep )
276 return ACL_SCOPE_ERR;
279 /* if the trailing part doesn't match,
280 * then it's an error */
281 if ( strcmp( a->acl_dn_pat.bv_val,
282 &dn.bv_val[dn.bv_len - patlen] ) != 0 )
284 return ACL_SCOPE_ERR;
287 return ACL_SCOPE_PARTIAL;
293 case ACL_STYLE_CHILDREN:
294 case ACL_STYLE_SUBTREE:
302 if ( dn.bv_len < patlen &&
303 !DN_SEPARATOR( a->acl_dn_pat.bv_val[patlen - dn.bv_len - 1] ))
305 return ACL_SCOPE_ERR;
308 if ( strcmp( &a->acl_dn_pat.bv_val[patlen - dn.bv_len], dn.bv_val )
311 return ACL_SCOPE_ERR;
317 return ACL_SCOPE_UNKNOWN;
330 char *left, *right, *style;
332 AccessControl *a = NULL;
337 for ( i = 1; i < argc; i++ ) {
338 /* to clause - select which entries are protected */
339 if ( strcasecmp( argv[i], "to" ) == 0 ) {
341 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
342 "only one to clause allowed in access line\n",
346 a = (AccessControl *) ch_calloc( 1, sizeof(AccessControl) );
347 a->acl_attrval_style = ACL_STYLE_NONE;
348 for ( ++i; i < argc; i++ ) {
349 if ( strcasecmp( argv[i], "by" ) == 0 ) {
354 if ( strcasecmp( argv[i], "*" ) == 0 ) {
355 if ( !BER_BVISEMPTY( &a->acl_dn_pat ) ||
356 a->acl_dn_style != ACL_STYLE_REGEX )
358 Debug( LDAP_DEBUG_ANY,
359 "%s: line %d: dn pattern"
360 " already specified in to clause.\n",
365 ber_str2bv( "*", STRLENOF( "*" ), 1, &a->acl_dn_pat );
369 split( argv[i], '=', &left, &right );
370 split( left, '.', &left, &style );
372 if ( right == NULL ) {
373 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
374 "missing \"=\" in \"%s\" in to clause\n",
375 fname, lineno, left );
379 if ( strcasecmp( left, "dn" ) == 0 ) {
380 if ( !BER_BVISEMPTY( &a->acl_dn_pat ) ||
381 a->acl_dn_style != ACL_STYLE_REGEX )
383 Debug( LDAP_DEBUG_ANY,
384 "%s: line %d: dn pattern"
385 " already specified in to clause.\n",
390 if ( style == NULL || *style == '\0' ||
391 strcasecmp( style, "baseObject" ) == 0 ||
392 strcasecmp( style, "base" ) == 0 ||
393 strcasecmp( style, "exact" ) == 0 )
395 a->acl_dn_style = ACL_STYLE_BASE;
396 ber_str2bv( right, 0, 1, &a->acl_dn_pat );
398 } else if ( strcasecmp( style, "oneLevel" ) == 0 ||
399 strcasecmp( style, "one" ) == 0 )
401 a->acl_dn_style = ACL_STYLE_ONE;
402 ber_str2bv( right, 0, 1, &a->acl_dn_pat );
404 } else if ( strcasecmp( style, "subtree" ) == 0 ||
405 strcasecmp( style, "sub" ) == 0 )
407 if( *right == '\0' ) {
408 ber_str2bv( "*", STRLENOF( "*" ), 1, &a->acl_dn_pat );
411 a->acl_dn_style = ACL_STYLE_SUBTREE;
412 ber_str2bv( right, 0, 1, &a->acl_dn_pat );
415 } else if ( strcasecmp( style, "children" ) == 0 ) {
416 a->acl_dn_style = ACL_STYLE_CHILDREN;
417 ber_str2bv( right, 0, 1, &a->acl_dn_pat );
419 } else if ( strcasecmp( style, "regex" ) == 0 ) {
420 a->acl_dn_style = ACL_STYLE_REGEX;
422 if ( *right == '\0' ) {
423 /* empty regex should match empty DN */
424 a->acl_dn_style = ACL_STYLE_BASE;
425 ber_str2bv( right, 0, 1, &a->acl_dn_pat );
427 } else if ( strcmp(right, "*") == 0
428 || strcmp(right, ".*") == 0
429 || strcmp(right, ".*$") == 0
430 || strcmp(right, "^.*") == 0
431 || strcmp(right, "^.*$") == 0
432 || strcmp(right, ".*$$") == 0
433 || strcmp(right, "^.*$$") == 0 )
435 ber_str2bv( "*", STRLENOF("*"), 1, &a->acl_dn_pat );
438 acl_regex_normalized_dn( right, &a->acl_dn_pat );
442 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
443 "unknown dn style \"%s\" in to clause\n",
444 fname, lineno, style );
451 if ( strcasecmp( left, "filter" ) == 0 ) {
452 if ( (a->acl_filter = str2filter( right )) == NULL ) {
453 Debug( LDAP_DEBUG_ANY,
454 "%s: line %d: bad filter \"%s\" in to clause\n",
455 fname, lineno, right );
459 } else if ( strcasecmp( left, "attr" ) == 0 /* TOLERATED */
460 || strcasecmp( left, "attrs" ) == 0 ) /* DOCUMENTED */
462 if ( strcasecmp( left, "attr" ) == 0 ) {
463 Debug( LDAP_DEBUG_ANY,
464 "%s: line %d: \"attr\" "
465 "is deprecated (and undocumented); "
466 "use \"attrs\" instead.\n",
470 a->acl_attrs = str2anlist( a->acl_attrs,
472 if ( a->acl_attrs == NULL ) {
473 Debug( LDAP_DEBUG_ANY,
474 "%s: line %d: unknown attr \"%s\" in to clause\n",
475 fname, lineno, right );
479 } else if ( strncasecmp( left, "val", 3 ) == 0 ) {
483 if ( !BER_BVISEMPTY( &a->acl_attrval ) ) {
484 Debug( LDAP_DEBUG_ANY,
485 "%s: line %d: attr val already specified in to clause.\n",
489 if ( a->acl_attrs == NULL || !BER_BVISEMPTY( &a->acl_attrs[1].an_name ) )
491 Debug( LDAP_DEBUG_ANY,
492 "%s: line %d: attr val requires a single attribute.\n",
497 ber_str2bv( right, 0, 0, &bv );
498 a->acl_attrval_style = ACL_STYLE_BASE;
500 mr = strchr( left, '/' );
505 a->acl_attrval_mr = mr_find( mr );
506 if ( a->acl_attrval_mr == NULL ) {
507 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
508 "invalid matching rule \"%s\".\n",
513 if( !mr_usable_with_at( a->acl_attrval_mr, a->acl_attrs[ 0 ].an_desc->ad_type ) )
515 char buf[ SLAP_TEXT_BUFLEN ];
517 snprintf( buf, sizeof( buf ),
518 "matching rule \"%s\" use "
519 "with attr \"%s\" not appropriate.",
520 mr, a->acl_attrs[ 0 ].an_name.bv_val );
523 Debug( LDAP_DEBUG_ANY, "%s: line %d: %s\n",
524 fname, lineno, buf );
529 if ( style != NULL ) {
530 if ( strcasecmp( style, "regex" ) == 0 ) {
531 int e = regcomp( &a->acl_attrval_re, bv.bv_val,
532 REG_EXTENDED | REG_ICASE );
534 char err[SLAP_TEXT_BUFLEN],
535 buf[ SLAP_TEXT_BUFLEN ];
537 regerror( e, &a->acl_attrval_re, err, sizeof( err ) );
539 snprintf( buf, sizeof( buf ),
540 "regular expression \"%s\" bad because of %s",
543 Debug( LDAP_DEBUG_ANY, "%s: line %d: %s\n",
544 fname, lineno, buf );
547 a->acl_attrval_style = ACL_STYLE_REGEX;
550 /* FIXME: if the attribute has DN syntax, we might
551 * allow one, subtree and children styles as well */
552 if ( !strcasecmp( style, "base" ) ||
553 !strcasecmp( style, "exact" ) ) {
554 a->acl_attrval_style = ACL_STYLE_BASE;
556 } else if ( a->acl_attrs[0].an_desc->ad_type->
557 sat_syntax == slap_schema.si_syn_distinguishedName )
559 if ( !strcasecmp( style, "baseObject" ) ||
560 !strcasecmp( style, "base" ) )
562 a->acl_attrval_style = ACL_STYLE_BASE;
563 } else if ( !strcasecmp( style, "onelevel" ) ||
564 !strcasecmp( style, "one" ) )
566 a->acl_attrval_style = ACL_STYLE_ONE;
567 } else if ( !strcasecmp( style, "subtree" ) ||
568 !strcasecmp( style, "sub" ) )
570 a->acl_attrval_style = ACL_STYLE_SUBTREE;
571 } else if ( !strcasecmp( style, "children" ) ) {
572 a->acl_attrval_style = ACL_STYLE_CHILDREN;
574 char buf[ SLAP_TEXT_BUFLEN ];
576 snprintf( buf, sizeof( buf ),
577 "unknown val.<style> \"%s\" for attributeType \"%s\" "
580 a->acl_attrs[0].an_desc->ad_cname.bv_val );
582 Debug( LDAP_DEBUG_CONFIG | LDAP_DEBUG_ACL,
584 fname, lineno, buf );
588 rc = dnNormalize( 0, NULL, NULL, &bv, &a->acl_attrval, NULL );
589 if ( rc != LDAP_SUCCESS ) {
590 char buf[ SLAP_TEXT_BUFLEN ];
592 snprintf( buf, sizeof( buf ),
593 "unable to normalize DN \"%s\" "
594 "for attributeType \"%s\" (%d).",
596 a->acl_attrs[0].an_desc->ad_cname.bv_val,
598 Debug( LDAP_DEBUG_ANY,
600 fname, lineno, buf );
605 char buf[ SLAP_TEXT_BUFLEN ];
607 snprintf( buf, sizeof( buf ),
608 "unknown val.<style> \"%s\" for attributeType \"%s\".",
609 style, a->acl_attrs[0].an_desc->ad_cname.bv_val );
610 Debug( LDAP_DEBUG_CONFIG | LDAP_DEBUG_ACL,
612 fname, lineno, buf );
618 /* Check for appropriate matching rule */
619 if ( a->acl_attrval_style == ACL_STYLE_REGEX ) {
620 ber_dupbv( &a->acl_attrval, &bv );
622 } else if ( BER_BVISNULL( &a->acl_attrval ) ) {
626 if ( a->acl_attrval_mr == NULL ) {
627 a->acl_attrval_mr = a->acl_attrs[ 0 ].an_desc->ad_type->sat_equality;
630 if ( a->acl_attrval_mr == NULL ) {
631 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
632 "attr \"%s\" does not have an EQUALITY matching rule.\n",
633 fname, lineno, a->acl_attrs[ 0 ].an_name.bv_val );
637 rc = asserted_value_validate_normalize(
638 a->acl_attrs[ 0 ].an_desc,
640 SLAP_MR_EQUALITY|SLAP_MR_VALUE_OF_ASSERTION_SYNTAX,
645 if ( rc != LDAP_SUCCESS ) {
646 char buf[ SLAP_TEXT_BUFLEN ];
648 snprintf( buf, sizeof( buf ), "%s: line %d: "
649 " attr \"%s\" normalization failed (%d: %s)",
651 a->acl_attrs[ 0 ].an_name.bv_val, rc, text );
652 Debug( LDAP_DEBUG_ANY, "%s: line %d: %s.\n",
653 fname, lineno, buf );
659 Debug( LDAP_DEBUG_ANY,
660 "%s: line %d: expecting <what> got \"%s\"\n",
661 fname, lineno, left );
666 if ( !BER_BVISNULL( &a->acl_dn_pat ) &&
667 ber_bvccmp( &a->acl_dn_pat, '*' ) )
669 free( a->acl_dn_pat.bv_val );
670 BER_BVZERO( &a->acl_dn_pat );
671 a->acl_dn_style = ACL_STYLE_REGEX;
674 if ( !BER_BVISEMPTY( &a->acl_dn_pat ) ||
675 a->acl_dn_style != ACL_STYLE_REGEX )
677 if ( a->acl_dn_style != ACL_STYLE_REGEX ) {
679 rc = dnNormalize( 0, NULL, NULL, &a->acl_dn_pat, &bv, NULL);
680 if ( rc != LDAP_SUCCESS ) {
681 Debug( LDAP_DEBUG_ANY,
682 "%s: line %d: bad DN \"%s\" in to DN clause\n",
683 fname, lineno, a->acl_dn_pat.bv_val );
686 free( a->acl_dn_pat.bv_val );
690 int e = regcomp( &a->acl_dn_re, a->acl_dn_pat.bv_val,
691 REG_EXTENDED | REG_ICASE );
693 char err[ SLAP_TEXT_BUFLEN ],
694 buf[ SLAP_TEXT_BUFLEN ];
696 regerror( e, &a->acl_dn_re, err, sizeof( err ) );
697 snprintf( buf, sizeof( buf ),
698 "regular expression \"%s\" bad because of %s",
700 Debug( LDAP_DEBUG_ANY, "%s: line %d: %s\n",
701 fname, lineno, buf );
707 /* by clause - select who has what access to entries */
708 } else if ( strcasecmp( argv[i], "by" ) == 0 ) {
710 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
711 "to clause required before by clause in access line\n",
717 * by clause consists of <who> and <access>
721 Debug( LDAP_DEBUG_ANY,
722 "%s: line %d: premature EOL: expecting <who>\n",
727 b = (Access *) ch_calloc( 1, sizeof(Access) );
729 ACL_INVALIDATE( b->a_access_mask );
732 for ( ; i < argc; i++ ) {
733 slap_style_t sty = ACL_STYLE_REGEX;
734 char *style_modifier = NULL;
735 char *style_level = NULL;
738 slap_dn_access *bdn = &b->a_dn;
741 split( argv[i], '=', &left, &right );
742 split( left, '.', &left, &style );
744 split( style, ',', &style, &style_modifier );
746 if ( strncasecmp( style, "level", STRLENOF( "level" ) ) == 0 ) {
747 split( style, '{', &style, &style_level );
748 if ( style_level != NULL ) {
749 char *p = strchr( style_level, '}' );
751 Debug( LDAP_DEBUG_ANY,
752 "%s: line %d: premature eol: "
753 "expecting closing '}' in \"level{n}\"\n",
756 } else if ( p == style_level ) {
757 Debug( LDAP_DEBUG_ANY,
758 "%s: line %d: empty level "
768 if ( style == NULL || *style == '\0' ||
769 strcasecmp( style, "exact" ) == 0 ||
770 strcasecmp( style, "baseObject" ) == 0 ||
771 strcasecmp( style, "base" ) == 0 )
773 sty = ACL_STYLE_BASE;
775 } else if ( strcasecmp( style, "onelevel" ) == 0 ||
776 strcasecmp( style, "one" ) == 0 )
780 } else if ( strcasecmp( style, "subtree" ) == 0 ||
781 strcasecmp( style, "sub" ) == 0 )
783 sty = ACL_STYLE_SUBTREE;
785 } else if ( strcasecmp( style, "children" ) == 0 ) {
786 sty = ACL_STYLE_CHILDREN;
788 } else if ( strcasecmp( style, "level" ) == 0 )
790 if ( lutil_atoi( &level, style_level ) != 0 ) {
791 Debug( LDAP_DEBUG_ANY,
792 "%s: line %d: unable to parse level "
798 sty = ACL_STYLE_LEVEL;
800 } else if ( strcasecmp( style, "regex" ) == 0 ) {
801 sty = ACL_STYLE_REGEX;
803 } else if ( strcasecmp( style, "expand" ) == 0 ) {
804 sty = ACL_STYLE_EXPAND;
806 } else if ( strcasecmp( style, "ip" ) == 0 ) {
809 } else if ( strcasecmp( style, "ipv6" ) == 0 ) {
810 #ifndef LDAP_PF_INET6
811 Debug( LDAP_DEBUG_ANY,
812 "%s: line %d: IPv6 not supported\n",
814 #endif /* ! LDAP_PF_INET6 */
815 sty = ACL_STYLE_IPV6;
817 } else if ( strcasecmp( style, "path" ) == 0 ) {
818 sty = ACL_STYLE_PATH;
819 #ifndef LDAP_PF_LOCAL
820 Debug( LDAP_DEBUG_CONFIG | LDAP_DEBUG_ACL,
822 "\"path\" style modifier is useless without local.\n",
825 #endif /* LDAP_PF_LOCAL */
828 Debug( LDAP_DEBUG_ANY,
829 "%s: line %d: unknown style \"%s\" in by clause\n",
830 fname, lineno, style );
834 if ( style_modifier &&
835 strcasecmp( style_modifier, "expand" ) == 0 )
838 case ACL_STYLE_REGEX:
839 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
840 "\"regex\" style implies \"expand\" modifier.\n",
845 case ACL_STYLE_EXPAND:
849 /* we'll see later if it's pertinent */
855 if ( strncasecmp( left, "real", STRLENOF( "real" ) ) == 0 ) {
858 left += STRLENOF( "real" );
861 if ( strcasecmp( left, "*" ) == 0 ) {
866 ber_str2bv( "*", STRLENOF( "*" ), 1, &bv );
867 sty = ACL_STYLE_REGEX;
869 } else if ( strcasecmp( left, "anonymous" ) == 0 ) {
870 ber_str2bv("anonymous", STRLENOF( "anonymous" ), 1, &bv);
871 sty = ACL_STYLE_ANONYMOUS;
873 } else if ( strcasecmp( left, "users" ) == 0 ) {
874 ber_str2bv("users", STRLENOF( "users" ), 1, &bv);
875 sty = ACL_STYLE_USERS;
877 } else if ( strcasecmp( left, "self" ) == 0 ) {
878 ber_str2bv("self", STRLENOF( "self" ), 1, &bv);
879 sty = ACL_STYLE_SELF;
881 } else if ( strcasecmp( left, "dn" ) == 0 ) {
882 if ( sty == ACL_STYLE_REGEX ) {
883 bdn->a_style = ACL_STYLE_REGEX;
884 if ( right == NULL ) {
889 bdn->a_style = ACL_STYLE_USERS;
891 } else if (*right == '\0' ) {
893 ber_str2bv("anonymous",
894 STRLENOF( "anonymous" ),
896 bdn->a_style = ACL_STYLE_ANONYMOUS;
898 } else if ( strcmp( right, "*" ) == 0 ) {
900 /* any or users? users for now */
904 bdn->a_style = ACL_STYLE_USERS;
906 } else if ( strcmp( right, ".+" ) == 0
907 || strcmp( right, "^.+" ) == 0
908 || strcmp( right, ".+$" ) == 0
909 || strcmp( right, "^.+$" ) == 0
910 || strcmp( right, ".+$$" ) == 0
911 || strcmp( right, "^.+$$" ) == 0 )
916 bdn->a_style = ACL_STYLE_USERS;
918 } else if ( strcmp( right, ".*" ) == 0
919 || strcmp( right, "^.*" ) == 0
920 || strcmp( right, ".*$" ) == 0
921 || strcmp( right, "^.*$" ) == 0
922 || strcmp( right, ".*$$" ) == 0
923 || strcmp( right, "^.*$$" ) == 0 )
930 acl_regex_normalized_dn( right, &bv );
931 if ( !ber_bvccmp( &bv, '*' ) ) {
932 regtest( fname, lineno, bv.bv_val );
936 } else if ( right == NULL || *right == '\0' ) {
937 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
938 "missing \"=\" in (or value after) \"%s\" "
940 fname, lineno, left );
944 ber_str2bv( right, 0, 1, &bv );
951 if ( !BER_BVISNULL( &bv ) ) {
952 if ( !BER_BVISEMPTY( &bdn->a_pat ) ) {
953 Debug( LDAP_DEBUG_ANY,
954 "%s: line %d: dn pattern already specified.\n",
959 if ( sty != ACL_STYLE_REGEX &&
960 sty != ACL_STYLE_ANONYMOUS &&
961 sty != ACL_STYLE_USERS &&
962 sty != ACL_STYLE_SELF &&
965 rc = dnNormalize(0, NULL, NULL,
966 &bv, &bdn->a_pat, NULL);
967 if ( rc != LDAP_SUCCESS ) {
968 Debug( LDAP_DEBUG_ANY,
969 "%s: line %d: bad DN \"%s\" in by DN clause\n",
970 fname, lineno, bv.bv_val );
974 if ( sty == ACL_STYLE_BASE
976 && !BER_BVISNULL( &be->be_rootndn )
977 && dn_match( &bdn->a_pat, &be->be_rootndn ) )
979 Debug( LDAP_DEBUG_ANY,
980 "%s: line %d: rootdn is always granted "
981 "unlimited privileges.\n",
993 for ( exp = strchr( bdn->a_pat.bv_val, '$' );
994 exp && (ber_len_t)(exp - bdn->a_pat.bv_val)
996 exp = strchr( exp, '$' ) )
998 if ( ( isdigit( (unsigned char) exp[ 1 ] ) ||
999 exp[ 1 ] == '{' ) ) {
1006 bdn->a_expand = expand;
1009 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1010 "\"expand\" used with no expansions in \"pattern\".\n",
1015 if ( sty == ACL_STYLE_SELF ) {
1016 bdn->a_self_level = level;
1020 Debug( LDAP_DEBUG_ANY,
1021 "%s: line %d: bad negative level \"%d\" "
1022 "in by DN clause\n",
1023 fname, lineno, level );
1025 } else if ( level == 1 ) {
1026 Debug( LDAP_DEBUG_ANY,
1027 "%s: line %d: \"onelevel\" should be used "
1028 "instead of \"level{1}\" in by DN clause\n",
1030 } else if ( level == 0 && sty == ACL_STYLE_LEVEL ) {
1031 Debug( LDAP_DEBUG_ANY,
1032 "%s: line %d: \"base\" should be used "
1033 "instead of \"level{0}\" in by DN clause\n",
1037 bdn->a_level = level;
1042 if ( strcasecmp( left, "dnattr" ) == 0 ) {
1043 if ( right == NULL || right[0] == '\0' ) {
1044 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1045 "missing \"=\" in (or value after) \"%s\" "
1047 fname, lineno, left );
1051 if( bdn->a_at != NULL ) {
1052 Debug( LDAP_DEBUG_ANY,
1053 "%s: line %d: dnattr already specified.\n",
1058 rc = slap_str2ad( right, &bdn->a_at, &text );
1060 if( rc != LDAP_SUCCESS ) {
1061 char buf[ SLAP_TEXT_BUFLEN ];
1063 snprintf( buf, sizeof( buf ),
1064 "dnattr \"%s\": %s",
1066 Debug( LDAP_DEBUG_ANY,
1067 "%s: line %d: %s\n",
1068 fname, lineno, buf );
1073 if( !is_at_syntax( bdn->a_at->ad_type,
1074 SLAPD_DN_SYNTAX ) &&
1075 !is_at_syntax( bdn->a_at->ad_type,
1076 SLAPD_NAMEUID_SYNTAX ))
1078 char buf[ SLAP_TEXT_BUFLEN ];
1080 snprintf( buf, sizeof( buf ),
1082 "inappropriate syntax: %s\n",
1084 bdn->a_at->ad_type->sat_syntax_oid );
1085 Debug( LDAP_DEBUG_ANY,
1086 "%s: line %d: %s\n",
1087 fname, lineno, buf );
1091 if( bdn->a_at->ad_type->sat_equality == NULL ) {
1092 Debug( LDAP_DEBUG_ANY,
1093 "%s: line %d: dnattr \"%s\": "
1094 "inappropriate matching (no EQUALITY)\n",
1095 fname, lineno, right );
1102 if ( strncasecmp( left, "group", STRLENOF( "group" ) ) == 0 ) {
1105 char *attr_name = SLAPD_GROUP_ATTR;
1108 case ACL_STYLE_REGEX:
1109 /* legacy, tolerated */
1110 Debug( LDAP_DEBUG_CONFIG | LDAP_DEBUG_ACL,
1112 "deprecated group style \"regex\"; "
1113 "use \"expand\" instead.\n",
1115 sty = ACL_STYLE_EXPAND;
1118 case ACL_STYLE_BASE:
1119 /* legal, traditional */
1120 case ACL_STYLE_EXPAND:
1121 /* legal, substring expansion; supersedes regex */
1126 Debug( LDAP_DEBUG_ANY,
1128 "inappropriate style \"%s\" in by clause.\n",
1129 fname, lineno, style );
1133 if ( right == NULL || right[0] == '\0' ) {
1134 Debug( LDAP_DEBUG_ANY,
1136 "missing \"=\" in (or value after) \"%s\" "
1138 fname, lineno, left );
1142 if ( !BER_BVISEMPTY( &b->a_group_pat ) ) {
1143 Debug( LDAP_DEBUG_ANY,
1144 "%s: line %d: group pattern already specified.\n",
1149 /* format of string is
1150 "group/objectClassValue/groupAttrName" */
1151 if ( ( value = strchr(left, '/') ) != NULL ) {
1153 if ( *value && ( name = strchr( value, '/' ) ) != NULL ) {
1158 b->a_group_style = sty;
1159 if ( sty == ACL_STYLE_EXPAND ) {
1160 acl_regex_normalized_dn( right, &bv );
1161 if ( !ber_bvccmp( &bv, '*' ) ) {
1162 regtest( fname, lineno, bv.bv_val );
1164 b->a_group_pat = bv;
1167 ber_str2bv( right, 0, 0, &bv );
1168 rc = dnNormalize( 0, NULL, NULL, &bv,
1169 &b->a_group_pat, NULL );
1170 if ( rc != LDAP_SUCCESS ) {
1171 Debug( LDAP_DEBUG_ANY,
1172 "%s: line %d: bad DN \"%s\".\n",
1173 fname, lineno, right );
1178 if ( value && *value ) {
1179 b->a_group_oc = oc_find( value );
1182 if ( b->a_group_oc == NULL ) {
1183 Debug( LDAP_DEBUG_ANY,
1184 "%s: line %d: group objectclass "
1185 "\"%s\" unknown.\n",
1186 fname, lineno, value );
1191 b->a_group_oc = oc_find( SLAPD_GROUP_CLASS );
1193 if( b->a_group_oc == NULL ) {
1194 Debug( LDAP_DEBUG_ANY,
1195 "%s: line %d: group default objectclass "
1196 "\"%s\" unknown.\n",
1197 fname, lineno, SLAPD_GROUP_CLASS );
1202 if ( is_object_subclass( slap_schema.si_oc_referral,
1205 Debug( LDAP_DEBUG_ANY,
1206 "%s: line %d: group objectclass \"%s\" "
1207 "is subclass of referral.\n",
1208 fname, lineno, value );
1212 if ( is_object_subclass( slap_schema.si_oc_alias,
1215 Debug( LDAP_DEBUG_ANY,
1216 "%s: line %d: group objectclass \"%s\" "
1217 "is subclass of alias.\n",
1218 fname, lineno, value );
1222 if ( name && *name ) {
1228 rc = slap_str2ad( attr_name, &b->a_group_at, &text );
1229 if ( rc != LDAP_SUCCESS ) {
1230 char buf[ SLAP_TEXT_BUFLEN ];
1232 snprintf( buf, sizeof( buf ),
1233 "group \"%s\": %s.",
1235 Debug( LDAP_DEBUG_ANY,
1236 "%s: line %d: %s\n",
1237 fname, lineno, buf );
1241 if ( !is_at_syntax( b->a_group_at->ad_type,
1242 SLAPD_DN_SYNTAX ) /* e.g. "member" */
1243 && !is_at_syntax( b->a_group_at->ad_type,
1244 SLAPD_NAMEUID_SYNTAX ) /* e.g. memberUID */
1245 && !is_at_subtype( b->a_group_at->ad_type,
1246 slap_schema.si_ad_labeledURI->ad_type ) /* e.g. memberURL */ )
1248 char buf[ SLAP_TEXT_BUFLEN ];
1250 snprintf( buf, sizeof( buf ),
1251 "group \"%s\" attr \"%s\": inappropriate syntax: %s; "
1252 "must be " SLAPD_DN_SYNTAX " (DN), "
1253 SLAPD_NAMEUID_SYNTAX " (NameUID) "
1254 "or a subtype of labeledURI.",
1257 at_syntax( b->a_group_at->ad_type ) );
1258 Debug( LDAP_DEBUG_ANY,
1259 "%s: line %d: %s\n",
1260 fname, lineno, buf );
1267 ObjectClass *ocs[2];
1269 ocs[0] = b->a_group_oc;
1272 rc = oc_check_allowed( b->a_group_at->ad_type,
1276 char buf[ SLAP_TEXT_BUFLEN ];
1278 snprintf( buf, sizeof( buf ),
1279 "group: \"%s\" not allowed by \"%s\".",
1280 b->a_group_at->ad_cname.bv_val,
1281 b->a_group_oc->soc_oid );
1282 Debug( LDAP_DEBUG_ANY, "%s: line %d: %s\n",
1283 fname, lineno, buf );
1290 if ( strcasecmp( left, "peername" ) == 0 ) {
1292 case ACL_STYLE_REGEX:
1293 case ACL_STYLE_BASE:
1294 /* legal, traditional */
1295 case ACL_STYLE_EXPAND:
1296 /* cheap replacement to regex for simple expansion */
1298 case ACL_STYLE_IPV6:
1299 case ACL_STYLE_PATH:
1300 /* legal, peername specific */
1304 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1305 "inappropriate style \"%s\" in by clause.\n",
1306 fname, lineno, style );
1310 if ( right == NULL || right[0] == '\0' ) {
1311 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1312 "missing \"=\" in (or value after) \"%s\" "
1314 fname, lineno, left );
1318 if ( !BER_BVISEMPTY( &b->a_peername_pat ) ) {
1319 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1320 "peername pattern already specified.\n",
1325 b->a_peername_style = sty;
1326 if ( sty == ACL_STYLE_REGEX ) {
1327 acl_regex_normalized_dn( right, &bv );
1328 if ( !ber_bvccmp( &bv, '*' ) ) {
1329 regtest( fname, lineno, bv.bv_val );
1331 b->a_peername_pat = bv;
1334 ber_str2bv( right, 0, 1, &b->a_peername_pat );
1336 if ( sty == ACL_STYLE_IP ) {
1341 split( right, '{', &addr, &port );
1342 split( addr, '%', &addr, &mask );
1344 b->a_peername_addr = inet_addr( addr );
1345 if ( b->a_peername_addr == (unsigned long)(-1) ) {
1346 /* illegal address */
1347 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1348 "illegal peername address \"%s\".\n",
1349 fname, lineno, addr );
1353 b->a_peername_mask = (unsigned long)(-1);
1354 if ( mask != NULL ) {
1355 b->a_peername_mask = inet_addr( mask );
1356 if ( b->a_peername_mask ==
1357 (unsigned long)(-1) )
1360 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1361 "illegal peername address mask "
1363 fname, lineno, mask );
1368 b->a_peername_port = -1;
1372 b->a_peername_port = strtol( port, &end, 10 );
1373 if ( end == port || end[0] != '}' ) {
1375 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1376 "illegal peername port specification "
1378 fname, lineno, port );
1383 #ifdef LDAP_PF_INET6
1384 } else if ( sty == ACL_STYLE_IPV6 ) {
1389 split( right, '{', &addr, &port );
1390 split( addr, '%', &addr, &mask );
1392 if ( inet_pton( AF_INET6, addr, &b->a_peername_addr6 ) != 1 ) {
1393 /* illegal address */
1394 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1395 "illegal peername address \"%s\".\n",
1396 fname, lineno, addr );
1400 if ( mask == NULL ) {
1401 mask = "FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF";
1404 if ( inet_pton( AF_INET6, mask, &b->a_peername_mask6 ) != 1 ) {
1406 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1407 "illegal peername address mask "
1409 fname, lineno, mask );
1413 b->a_peername_port = -1;
1417 b->a_peername_port = strtol( port, &end, 10 );
1418 if ( end == port || end[0] != '}' ) {
1420 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1421 "illegal peername port specification "
1423 fname, lineno, port );
1427 #endif /* LDAP_PF_INET6 */
1433 if ( strcasecmp( left, "sockname" ) == 0 ) {
1435 case ACL_STYLE_REGEX:
1436 case ACL_STYLE_BASE:
1437 /* legal, traditional */
1438 case ACL_STYLE_EXPAND:
1439 /* cheap replacement to regex for simple expansion */
1444 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1445 "inappropriate style \"%s\" in by clause\n",
1446 fname, lineno, style );
1450 if ( right == NULL || right[0] == '\0' ) {
1451 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1452 "missing \"=\" in (or value after) \"%s\" "
1454 fname, lineno, left );
1458 if ( !BER_BVISNULL( &b->a_sockname_pat ) ) {
1459 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1460 "sockname pattern already specified.\n",
1465 b->a_sockname_style = sty;
1466 if ( sty == ACL_STYLE_REGEX ) {
1467 acl_regex_normalized_dn( right, &bv );
1468 if ( !ber_bvccmp( &bv, '*' ) ) {
1469 regtest( fname, lineno, bv.bv_val );
1471 b->a_sockname_pat = bv;
1474 ber_str2bv( right, 0, 1, &b->a_sockname_pat );
1479 if ( strcasecmp( left, "domain" ) == 0 ) {
1481 case ACL_STYLE_REGEX:
1482 case ACL_STYLE_BASE:
1483 case ACL_STYLE_SUBTREE:
1484 /* legal, traditional */
1487 case ACL_STYLE_EXPAND:
1488 /* tolerated: means exact,expand */
1490 Debug( LDAP_DEBUG_ANY,
1492 "\"expand\" modifier "
1493 "with \"expand\" style.\n",
1496 sty = ACL_STYLE_BASE;
1502 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1503 "inappropriate style \"%s\" in by clause.\n",
1504 fname, lineno, style );
1508 if ( right == NULL || right[0] == '\0' ) {
1509 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1510 "missing \"=\" in (or value after) \"%s\" "
1512 fname, lineno, left );
1516 if ( !BER_BVISEMPTY( &b->a_domain_pat ) ) {
1517 Debug( LDAP_DEBUG_ANY,
1518 "%s: line %d: domain pattern already specified.\n",
1523 b->a_domain_style = sty;
1524 b->a_domain_expand = expand;
1525 if ( sty == ACL_STYLE_REGEX ) {
1526 acl_regex_normalized_dn( right, &bv );
1527 if ( !ber_bvccmp( &bv, '*' ) ) {
1528 regtest( fname, lineno, bv.bv_val );
1530 b->a_domain_pat = bv;
1533 ber_str2bv( right, 0, 1, &b->a_domain_pat );
1538 if ( strcasecmp( left, "sockurl" ) == 0 ) {
1540 case ACL_STYLE_REGEX:
1541 case ACL_STYLE_BASE:
1542 /* legal, traditional */
1543 case ACL_STYLE_EXPAND:
1544 /* cheap replacement to regex for simple expansion */
1549 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1550 "inappropriate style \"%s\" in by clause.\n",
1551 fname, lineno, style );
1555 if ( right == NULL || right[0] == '\0' ) {
1556 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1557 "missing \"=\" in (or value after) \"%s\" "
1559 fname, lineno, left );
1563 if ( !BER_BVISEMPTY( &b->a_sockurl_pat ) ) {
1564 Debug( LDAP_DEBUG_ANY,
1565 "%s: line %d: sockurl pattern already specified.\n",
1570 b->a_sockurl_style = sty;
1571 if ( sty == ACL_STYLE_REGEX ) {
1572 acl_regex_normalized_dn( right, &bv );
1573 if ( !ber_bvccmp( &bv, '*' ) ) {
1574 regtest( fname, lineno, bv.bv_val );
1576 b->a_sockurl_pat = bv;
1579 ber_str2bv( right, 0, 1, &b->a_sockurl_pat );
1584 if ( strcasecmp( left, "set" ) == 0 ) {
1587 case ACL_STYLE_REGEX:
1588 Debug( LDAP_DEBUG_CONFIG | LDAP_DEBUG_ACL,
1590 "deprecated set style "
1591 "\"regex\" in <by> clause; "
1592 "use \"expand\" instead.\n",
1594 sty = ACL_STYLE_EXPAND;
1597 case ACL_STYLE_BASE:
1598 case ACL_STYLE_EXPAND:
1602 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1603 "inappropriate style \"%s\" in by clause.\n",
1604 fname, lineno, style );
1608 if ( !BER_BVISEMPTY( &b->a_set_pat ) ) {
1609 Debug( LDAP_DEBUG_ANY,
1610 "%s: line %d: set attribute already specified.\n",
1615 if ( right == NULL || *right == '\0' ) {
1616 Debug( LDAP_DEBUG_ANY,
1617 "%s: line %d: no set is defined.\n",
1622 b->a_set_style = sty;
1623 ber_str2bv( right, 0, 1, &b->a_set_pat );
1633 #if 1 /* tolerate legacy "aci" <who> */
1634 if ( strcasecmp( left, "aci" ) == 0 ) {
1635 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1636 "undocumented deprecated \"aci\" directive "
1637 "is superseded by \"dynacl/aci\".\n",
1642 #endif /* tolerate legacy "aci" <who> */
1643 if ( strncasecmp( left, "dynacl/", STRLENOF( "dynacl/" ) ) == 0 ) {
1644 name = &left[ STRLENOF( "dynacl/" ) ];
1645 opts = strchr( name, '/' );
1653 if ( slap_dynacl_config( fname, lineno, b, name, opts, sty, right ) ) {
1654 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1655 "unable to configure dynacl \"%s\".\n",
1656 fname, lineno, name );
1663 #endif /* SLAP_DYNACL */
1665 if ( strcasecmp( left, "ssf" ) == 0 ) {
1666 if ( sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE ) {
1667 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1668 "inappropriate style \"%s\" in by clause.\n",
1669 fname, lineno, style );
1673 if ( b->a_authz.sai_ssf ) {
1674 Debug( LDAP_DEBUG_ANY,
1675 "%s: line %d: ssf attribute already specified.\n",
1680 if ( right == NULL || *right == '\0' ) {
1681 Debug( LDAP_DEBUG_ANY,
1682 "%s: line %d: no ssf is defined.\n",
1687 if ( lutil_atou( &b->a_authz.sai_ssf, right ) != 0 ) {
1688 Debug( LDAP_DEBUG_ANY,
1689 "%s: line %d: unable to parse ssf value (%s).\n",
1690 fname, lineno, right );
1694 if ( !b->a_authz.sai_ssf ) {
1695 Debug( LDAP_DEBUG_ANY,
1696 "%s: line %d: invalid ssf value (%s).\n",
1697 fname, lineno, right );
1703 if ( strcasecmp( left, "transport_ssf" ) == 0 ) {
1704 if ( sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE ) {
1705 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1706 "inappropriate style \"%s\" in by clause.\n",
1707 fname, lineno, style );
1711 if ( b->a_authz.sai_transport_ssf ) {
1712 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1713 "transport_ssf attribute already specified.\n",
1718 if ( right == NULL || *right == '\0' ) {
1719 Debug( LDAP_DEBUG_ANY,
1720 "%s: line %d: no transport_ssf is defined.\n",
1725 if ( lutil_atou( &b->a_authz.sai_transport_ssf, right ) != 0 ) {
1726 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1727 "unable to parse transport_ssf value (%s).\n",
1728 fname, lineno, right );
1732 if ( !b->a_authz.sai_transport_ssf ) {
1733 Debug( LDAP_DEBUG_ANY,
1734 "%s: line %d: invalid transport_ssf value (%s).\n",
1735 fname, lineno, right );
1741 if ( strcasecmp( left, "tls_ssf" ) == 0 ) {
1742 if ( sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE ) {
1743 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1744 "inappropriate style \"%s\" in by clause.\n",
1745 fname, lineno, style );
1749 if ( b->a_authz.sai_tls_ssf ) {
1750 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1751 "tls_ssf attribute already specified.\n",
1756 if ( right == NULL || *right == '\0' ) {
1757 Debug( LDAP_DEBUG_ANY,
1758 "%s: line %d: no tls_ssf is defined\n",
1763 if ( lutil_atou( &b->a_authz.sai_tls_ssf, right ) != 0 ) {
1764 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1765 "unable to parse tls_ssf value (%s).\n",
1766 fname, lineno, right );
1770 if ( !b->a_authz.sai_tls_ssf ) {
1771 Debug( LDAP_DEBUG_ANY,
1772 "%s: line %d: invalid tls_ssf value (%s).\n",
1773 fname, lineno, right );
1779 if ( strcasecmp( left, "sasl_ssf" ) == 0 ) {
1780 if ( sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE ) {
1781 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1782 "inappropriate style \"%s\" in by clause.\n",
1783 fname, lineno, style );
1787 if ( b->a_authz.sai_sasl_ssf ) {
1788 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1789 "sasl_ssf attribute already specified.\n",
1794 if ( right == NULL || *right == '\0' ) {
1795 Debug( LDAP_DEBUG_ANY,
1796 "%s: line %d: no sasl_ssf is defined.\n",
1801 if ( lutil_atou( &b->a_authz.sai_sasl_ssf, right ) != 0 ) {
1802 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1803 "unable to parse sasl_ssf value (%s).\n",
1804 fname, lineno, right );
1808 if ( !b->a_authz.sai_sasl_ssf ) {
1809 Debug( LDAP_DEBUG_ANY,
1810 "%s: line %d: invalid sasl_ssf value (%s).\n",
1811 fname, lineno, right );
1817 if ( right != NULL ) {
1824 if ( i == argc || ( strcasecmp( left, "stop" ) == 0 ) ) {
1825 /* out of arguments or plain stop */
1827 ACL_PRIV_ASSIGN( b->a_access_mask, ACL_PRIV_ADDITIVE );
1828 ACL_PRIV_SET( b->a_access_mask, ACL_PRIV_NONE);
1829 b->a_type = ACL_STOP;
1831 access_append( &a->acl_access, b );
1835 if ( strcasecmp( left, "continue" ) == 0 ) {
1836 /* plain continue */
1838 ACL_PRIV_ASSIGN( b->a_access_mask, ACL_PRIV_ADDITIVE );
1839 ACL_PRIV_SET( b->a_access_mask, ACL_PRIV_NONE);
1840 b->a_type = ACL_CONTINUE;
1842 access_append( &a->acl_access, b );
1846 if ( strcasecmp( left, "break" ) == 0 ) {
1847 /* plain continue */
1849 ACL_PRIV_ASSIGN(b->a_access_mask, ACL_PRIV_ADDITIVE);
1850 ACL_PRIV_SET( b->a_access_mask, ACL_PRIV_NONE);
1851 b->a_type = ACL_BREAK;
1853 access_append( &a->acl_access, b );
1857 if ( strcasecmp( left, "by" ) == 0 ) {
1858 /* we've gone too far */
1860 ACL_PRIV_ASSIGN( b->a_access_mask, ACL_PRIV_ADDITIVE );
1861 ACL_PRIV_SET( b->a_access_mask, ACL_PRIV_NONE);
1862 b->a_type = ACL_STOP;
1864 access_append( &a->acl_access, b );
1872 if ( strncasecmp( left, "self", STRLENOF( "self" ) ) == 0 ) {
1874 lleft = &left[ STRLENOF( "self" ) ];
1876 } else if ( strncasecmp( left, "realself", STRLENOF( "realself" ) ) == 0 ) {
1877 b->a_realdn_self = 1;
1878 lleft = &left[ STRLENOF( "realself" ) ];
1881 ACL_PRIV_ASSIGN( b->a_access_mask, str2accessmask( lleft ) );
1884 if ( ACL_IS_INVALID( b->a_access_mask ) ) {
1885 Debug( LDAP_DEBUG_ANY,
1886 "%s: line %d: expecting <access> got \"%s\".\n",
1887 fname, lineno, left );
1891 b->a_type = ACL_STOP;
1893 if ( ++i == argc ) {
1894 /* out of arguments or plain stop */
1895 access_append( &a->acl_access, b );
1899 if ( strcasecmp( argv[i], "continue" ) == 0 ) {
1900 /* plain continue */
1901 b->a_type = ACL_CONTINUE;
1903 } else if ( strcasecmp( argv[i], "break" ) == 0 ) {
1904 /* plain continue */
1905 b->a_type = ACL_BREAK;
1907 } else if ( strcasecmp( argv[i], "stop" ) != 0 ) {
1912 access_append( &a->acl_access, b );
1916 Debug( LDAP_DEBUG_ANY,
1917 "%s: line %d: expecting \"to\" "
1918 "or \"by\" got \"%s\"\n",
1919 fname, lineno, argv[i] );
1924 /* if we have no real access clause, complain and do nothing */
1926 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1927 "warning: no access clause(s) specified in access line.\n",
1933 if ( slap_debug & LDAP_DEBUG_ACL ) {
1938 if ( a->acl_access == NULL ) {
1939 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1940 "warning: no by clause(s) specified in access line.\n",
1946 if ( be->be_nsuffix == NULL ) {
1947 Debug( LDAP_DEBUG_ACL, "%s: line %d: warning: "
1948 "scope checking needs suffix before ACLs.\n",
1950 /* go ahead, since checking is not authoritative */
1951 } else if ( !BER_BVISNULL( &be->be_nsuffix[ 1 ] ) ) {
1952 Debug( LDAP_DEBUG_ACL, "%s: line %d: warning: "
1953 "scope checking only applies to single-valued "
1954 "suffix databases\n",
1956 /* go ahead, since checking is not authoritative */
1958 switch ( check_scope( be, a ) ) {
1959 case ACL_SCOPE_UNKNOWN:
1960 Debug( LDAP_DEBUG_ACL, "%s: line %d: warning: "
1961 "cannot assess the validity of the ACL scope within "
1962 "backend naming context\n",
1966 case ACL_SCOPE_WARN:
1967 Debug( LDAP_DEBUG_ACL, "%s: line %d: warning: "
1968 "ACL could be out of scope within backend naming context\n",
1972 case ACL_SCOPE_PARTIAL:
1973 Debug( LDAP_DEBUG_ACL, "%s: line %d: warning: "
1974 "ACL appears to be partially out of scope within "
1975 "backend naming context\n",
1980 Debug( LDAP_DEBUG_ACL, "%s: line %d: warning: "
1981 "ACL appears to be out of scope within "
1982 "backend naming context\n",
1990 acl_append( &be->be_acl, a, pos );
1993 acl_append( &frontendDB->be_acl, a, pos );
2000 if ( b ) access_free( b );
2001 if ( a ) acl_free( a );
2006 accessmask2str( slap_mask_t mask, char *buf, int debug )
2011 assert( buf != NULL );
2013 if ( ACL_IS_INVALID( mask ) ) {
2019 if ( ACL_IS_LEVEL( mask ) ) {
2020 if ( ACL_LVL_IS_NONE(mask) ) {
2021 ptr = lutil_strcopy( ptr, "none" );
2023 } else if ( ACL_LVL_IS_DISCLOSE(mask) ) {
2024 ptr = lutil_strcopy( ptr, "disclose" );
2026 } else if ( ACL_LVL_IS_AUTH(mask) ) {
2027 ptr = lutil_strcopy( ptr, "auth" );
2029 } else if ( ACL_LVL_IS_COMPARE(mask) ) {
2030 ptr = lutil_strcopy( ptr, "compare" );
2032 } else if ( ACL_LVL_IS_SEARCH(mask) ) {
2033 ptr = lutil_strcopy( ptr, "search" );
2035 } else if ( ACL_LVL_IS_READ(mask) ) {
2036 ptr = lutil_strcopy( ptr, "read" );
2038 } else if ( ACL_LVL_IS_WRITE(mask) ) {
2039 ptr = lutil_strcopy( ptr, "write" );
2041 } else if ( ACL_LVL_IS_WADD(mask) ) {
2042 ptr = lutil_strcopy( ptr, "add" );
2044 } else if ( ACL_LVL_IS_WDEL(mask) ) {
2045 ptr = lutil_strcopy( ptr, "delete" );
2047 } else if ( ACL_LVL_IS_MANAGE(mask) ) {
2048 ptr = lutil_strcopy( ptr, "manage" );
2051 ptr = lutil_strcopy( ptr, "unknown" );
2061 if( ACL_IS_ADDITIVE( mask ) ) {
2064 } else if( ACL_IS_SUBTRACTIVE( mask ) ) {
2071 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_MANAGE) ) {
2076 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_WRITE) ) {
2080 } else if ( ACL_PRIV_ISSET(mask, ACL_PRIV_WADD) ) {
2084 } else if ( ACL_PRIV_ISSET(mask, ACL_PRIV_WDEL) ) {
2089 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_READ) ) {
2094 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_SEARCH) ) {
2099 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_COMPARE) ) {
2104 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_AUTH) ) {
2109 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_DISCLOSE) ) {
2114 if ( none && ACL_PRIV_ISSET(mask, ACL_PRIV_NONE) ) {
2123 if ( ACL_IS_LEVEL( mask ) ) {
2133 str2accessmask( const char *str )
2137 if( !ASCII_ALPHA(str[0]) ) {
2140 if ( str[0] == '=' ) {
2143 } else if( str[0] == '+' ) {
2144 ACL_PRIV_ASSIGN(mask, ACL_PRIV_ADDITIVE);
2146 } else if( str[0] == '-' ) {
2147 ACL_PRIV_ASSIGN(mask, ACL_PRIV_SUBSTRACTIVE);
2150 ACL_INVALIDATE(mask);
2154 for( i=1; str[i] != '\0'; i++ ) {
2155 if( TOLOWER((unsigned char) str[i]) == 'm' ) {
2156 ACL_PRIV_SET(mask, ACL_PRIV_MANAGE);
2158 } else if( TOLOWER((unsigned char) str[i]) == 'w' ) {
2159 ACL_PRIV_SET(mask, ACL_PRIV_WRITE);
2161 } else if( TOLOWER((unsigned char) str[i]) == 'a' ) {
2162 ACL_PRIV_SET(mask, ACL_PRIV_WADD);
2164 } else if( TOLOWER((unsigned char) str[i]) == 'z' ) {
2165 ACL_PRIV_SET(mask, ACL_PRIV_WDEL);
2167 } else if( TOLOWER((unsigned char) str[i]) == 'r' ) {
2168 ACL_PRIV_SET(mask, ACL_PRIV_READ);
2170 } else if( TOLOWER((unsigned char) str[i]) == 's' ) {
2171 ACL_PRIV_SET(mask, ACL_PRIV_SEARCH);
2173 } else if( TOLOWER((unsigned char) str[i]) == 'c' ) {
2174 ACL_PRIV_SET(mask, ACL_PRIV_COMPARE);
2176 } else if( TOLOWER((unsigned char) str[i]) == 'x' ) {
2177 ACL_PRIV_SET(mask, ACL_PRIV_AUTH);
2179 } else if( TOLOWER((unsigned char) str[i]) == 'd' ) {
2180 ACL_PRIV_SET(mask, ACL_PRIV_DISCLOSE);
2182 } else if( str[i] == '0' ) {
2183 ACL_PRIV_SET(mask, ACL_PRIV_NONE);
2186 ACL_INVALIDATE(mask);
2194 if ( strcasecmp( str, "none" ) == 0 ) {
2195 ACL_LVL_ASSIGN_NONE(mask);
2197 } else if ( strcasecmp( str, "disclose" ) == 0 ) {
2198 ACL_LVL_ASSIGN_DISCLOSE(mask);
2200 } else if ( strcasecmp( str, "auth" ) == 0 ) {
2201 ACL_LVL_ASSIGN_AUTH(mask);
2203 } else if ( strcasecmp( str, "compare" ) == 0 ) {
2204 ACL_LVL_ASSIGN_COMPARE(mask);
2206 } else if ( strcasecmp( str, "search" ) == 0 ) {
2207 ACL_LVL_ASSIGN_SEARCH(mask);
2209 } else if ( strcasecmp( str, "read" ) == 0 ) {
2210 ACL_LVL_ASSIGN_READ(mask);
2212 } else if ( strcasecmp( str, "add" ) == 0 ) {
2213 ACL_LVL_ASSIGN_WADD(mask);
2215 } else if ( strcasecmp( str, "delete" ) == 0 ) {
2216 ACL_LVL_ASSIGN_WDEL(mask);
2218 } else if ( strcasecmp( str, "write" ) == 0 ) {
2219 ACL_LVL_ASSIGN_WRITE(mask);
2221 } else if ( strcasecmp( str, "manage" ) == 0 ) {
2222 ACL_LVL_ASSIGN_MANAGE(mask);
2225 ACL_INVALIDATE( mask );
2235 "<access clause> ::= access to <what> "
2236 "[ by <who> [ <access> ] [ <control> ] ]+ \n";
2238 "<what> ::= * | dn[.<dnstyle>=<DN>] [filter=<filter>] [attrs=<attrspec>]\n"
2239 "<attrspec> ::= <attrname> [val[/<matchingRule>][.<attrstyle>]=<value>] | <attrlist>\n"
2240 "<attrlist> ::= <attr> [ , <attrlist> ]\n"
2241 "<attr> ::= <attrname> | @<objectClass> | !<objectClass> | entry | children\n";
2244 "<who> ::= [ * | anonymous | users | self | dn[.<dnstyle>]=<DN> ]\n"
2245 "\t[ realanonymous | realusers | realself | realdn[.<dnstyle>]=<DN> ]\n"
2246 "\t[dnattr=<attrname>]\n"
2247 "\t[realdnattr=<attrname>]\n"
2248 "\t[group[/<objectclass>[/<attrname>]][.<style>]=<group>]\n"
2249 "\t[peername[.<peernamestyle>]=<peer>] [sockname[.<style>]=<name>]\n"
2250 "\t[domain[.<domainstyle>]=<domain>] [sockurl[.<style>]=<url>]\n"
2252 "\t[dynacl/<name>[/<options>][.<dynstyle>][=<pattern>]]\n"
2253 #endif /* SLAP_DYNACL */
2254 "\t[ssf=<n>] [transport_ssf=<n>] [tls_ssf=<n>] [sasl_ssf=<n>]\n"
2255 "<style> ::= exact | regex | base(Object)\n"
2256 "<dnstyle> ::= base(Object) | one(level) | sub(tree) | children | "
2258 "<attrstyle> ::= exact | regex | base(Object) | one(level) | "
2259 "sub(tree) | children\n"
2260 "<peernamestyle> ::= exact | regex | ip | ipv6 | path\n"
2261 "<domainstyle> ::= exact | regex | base(Object) | sub(tree)\n"
2262 "<access> ::= [[real]self]{<level>|<priv>}\n"
2263 "<level> ::= none|disclose|auth|compare|search|read|{write|add|delete}|manage\n"
2264 "<priv> ::= {=|+|-}{0|d|x|c|s|r|{w|a|z}|m}+\n"
2265 "<control> ::= [ stop | continue | break ]\n"
2267 #ifdef SLAPD_ACI_ENABLED
2269 "\t<name>=ACI\t<pattern>=<attrname>\n"
2270 #endif /* SLAPD_ACI_ENABLED */
2271 #endif /* ! SLAP_DYNACL */
2274 Debug( LDAP_DEBUG_ANY, "%s%s%s\n", access, what, who );
2280 * Set pattern to a "normalized" DN from src.
2281 * At present it simply eats the (optional) space after
2282 * a RDN separator (,)
2283 * Eventually will evolve in a more complete normalization
2286 acl_regex_normalized_dn(
2288 struct berval *pattern )
2293 str = ch_strdup( src );
2294 len = strlen( src );
2296 for ( p = str; p && p[0]; p++ ) {
2298 if ( p[0] == '\\' && p[1] ) {
2300 * if escaping a hex pair we should
2301 * increment p twice; however, in that
2302 * case the second hex number does
2308 if ( p[0] == ',' && p[1] == ' ' ) {
2312 * too much space should be an error if we are pedantic
2314 for ( q = &p[2]; q[0] == ' '; q++ ) {
2317 AC_MEMCPY( p+1, q, len-(q-str)+1);
2320 pattern->bv_val = str;
2321 pattern->bv_len = p - str;
2334 if ( (*right = strchr( line, splitchar )) != NULL ) {
2335 *((*right)++) = '\0';
2340 access_append( Access **l, Access *a )
2342 for ( ; *l != NULL; l = &(*l)->a_next ) {
2350 acl_append( AccessControl **l, AccessControl *a, int pos )
2354 for (i=0 ; i != pos && *l != NULL; l = &(*l)->acl_next, i++ ) {
2363 access_free( Access *a )
2365 if ( !BER_BVISNULL( &a->a_dn_pat ) ) {
2366 free( a->a_dn_pat.bv_val );
2368 if ( !BER_BVISNULL( &a->a_realdn_pat ) ) {
2369 free( a->a_realdn_pat.bv_val );
2371 if ( !BER_BVISNULL( &a->a_peername_pat ) ) {
2372 free( a->a_peername_pat.bv_val );
2374 if ( !BER_BVISNULL( &a->a_sockname_pat ) ) {
2375 free( a->a_sockname_pat.bv_val );
2377 if ( !BER_BVISNULL( &a->a_domain_pat ) ) {
2378 free( a->a_domain_pat.bv_val );
2380 if ( !BER_BVISNULL( &a->a_sockurl_pat ) ) {
2381 free( a->a_sockurl_pat.bv_val );
2383 if ( !BER_BVISNULL( &a->a_set_pat ) ) {
2384 free( a->a_set_pat.bv_val );
2386 if ( !BER_BVISNULL( &a->a_group_pat ) ) {
2387 free( a->a_group_pat.bv_val );
2390 if ( a->a_dynacl != NULL ) {
2392 for ( da = a->a_dynacl; da; ) {
2393 slap_dynacl_t *tmp = da;
2397 if ( tmp->da_destroy ) {
2398 tmp->da_destroy( tmp->da_private );
2404 #endif /* SLAP_DYNACL */
2409 acl_free( AccessControl *a )
2414 if ( a->acl_filter ) {
2415 filter_free( a->acl_filter );
2417 if ( !BER_BVISNULL( &a->acl_dn_pat ) ) {
2418 if ( a->acl_dn_style == ACL_STYLE_REGEX ) {
2419 regfree( &a->acl_dn_re );
2421 free ( a->acl_dn_pat.bv_val );
2423 if ( a->acl_attrs ) {
2424 for ( an = a->acl_attrs; !BER_BVISNULL( &an->an_name ); an++ ) {
2425 free( an->an_name.bv_val );
2427 free( a->acl_attrs );
2429 if ( a->acl_attrval_style == ACL_STYLE_REGEX ) {
2430 regfree( &a->acl_attrval_re );
2433 if ( !BER_BVISNULL( &a->acl_attrval ) ) {
2434 ber_memfree( a->acl_attrval.bv_val );
2437 for ( ; a->acl_access; a->acl_access = n ) {
2438 n = a->acl_access->a_next;
2439 access_free( a->acl_access );
2445 acl_destroy( AccessControl *a )
2449 for ( ; a; a = n ) {
2456 access2str( slap_access_t access )
2458 if ( access == ACL_NONE ) {
2461 } else if ( access == ACL_DISCLOSE ) {
2464 } else if ( access == ACL_AUTH ) {
2467 } else if ( access == ACL_COMPARE ) {
2470 } else if ( access == ACL_SEARCH ) {
2473 } else if ( access == ACL_READ ) {
2476 } else if ( access == ACL_WRITE ) {
2479 } else if ( access == ACL_WADD ) {
2482 } else if ( access == ACL_WDEL ) {
2485 } else if ( access == ACL_MANAGE ) {
2494 str2access( const char *str )
2496 if ( strcasecmp( str, "none" ) == 0 ) {
2499 } else if ( strcasecmp( str, "disclose" ) == 0 ) {
2500 return ACL_DISCLOSE;
2502 } else if ( strcasecmp( str, "auth" ) == 0 ) {
2505 } else if ( strcasecmp( str, "compare" ) == 0 ) {
2508 } else if ( strcasecmp( str, "search" ) == 0 ) {
2511 } else if ( strcasecmp( str, "read" ) == 0 ) {
2514 } else if ( strcasecmp( str, "write" ) == 0 ) {
2517 } else if ( strcasecmp( str, "add" ) == 0 ) {
2520 } else if ( strcasecmp( str, "delete" ) == 0 ) {
2523 } else if ( strcasecmp( str, "manage" ) == 0 ) {
2527 return( ACL_INVALID_ACCESS );
2530 #define ACLBUF_MAXLEN 8192
2532 static char aclbuf[ACLBUF_MAXLEN];
2535 dnaccess2text( slap_dn_access *bdn, char *ptr, int is_realdn )
2540 ptr = lutil_strcopy( ptr, "real" );
2543 if ( ber_bvccmp( &bdn->a_pat, '*' ) ||
2544 bdn->a_style == ACL_STYLE_ANONYMOUS ||
2545 bdn->a_style == ACL_STYLE_USERS ||
2546 bdn->a_style == ACL_STYLE_SELF )
2549 assert( ! ber_bvccmp( &bdn->a_pat, '*' ) );
2552 ptr = lutil_strcopy( ptr, bdn->a_pat.bv_val );
2553 if ( bdn->a_style == ACL_STYLE_SELF && bdn->a_self_level != 0 ) {
2554 int n = sprintf( ptr, ".level{%d}", bdn->a_self_level );
2561 ptr = lutil_strcopy( ptr, "dn." );
2562 if ( bdn->a_style == ACL_STYLE_BASE )
2563 ptr = lutil_strcopy( ptr, style_base );
2565 ptr = lutil_strcopy( ptr, style_strings[bdn->a_style] );
2566 if ( bdn->a_style == ACL_STYLE_LEVEL ) {
2567 int n = sprintf( ptr, "{%d}", bdn->a_level );
2572 if ( bdn->a_expand ) {
2573 ptr = lutil_strcopy( ptr, ",expand" );
2577 ptr = lutil_strcopy( ptr, bdn->a_pat.bv_val );
2584 access2text( Access *b, char *ptr )
2586 char maskbuf[ACCESSMASK_MAXLEN];
2588 ptr = lutil_strcopy( ptr, "\tby" );
2590 if ( !BER_BVISEMPTY( &b->a_dn_pat ) ) {
2591 ptr = dnaccess2text( &b->a_dn, ptr, 0 );
2594 ptr = lutil_strcopy( ptr, " dnattr=" );
2595 ptr = lutil_strcopy( ptr, b->a_dn_at->ad_cname.bv_val );
2598 if ( !BER_BVISEMPTY( &b->a_realdn_pat ) ) {
2599 ptr = dnaccess2text( &b->a_realdn, ptr, 1 );
2601 if ( b->a_realdn_at ) {
2602 ptr = lutil_strcopy( ptr, " realdnattr=" );
2603 ptr = lutil_strcopy( ptr, b->a_realdn_at->ad_cname.bv_val );
2606 if ( !BER_BVISEMPTY( &b->a_group_pat ) ) {
2607 ptr = lutil_strcopy( ptr, " group/" );
2608 ptr = lutil_strcopy( ptr, b->a_group_oc ?
2609 b->a_group_oc->soc_cname.bv_val : SLAPD_GROUP_CLASS );
2611 ptr = lutil_strcopy( ptr, b->a_group_at ?
2612 b->a_group_at->ad_cname.bv_val : SLAPD_GROUP_ATTR );
2614 ptr = lutil_strcopy( ptr, style_strings[b->a_group_style] );
2617 ptr = lutil_strcopy( ptr, b->a_group_pat.bv_val );
2621 if ( !BER_BVISEMPTY( &b->a_peername_pat ) ) {
2622 ptr = lutil_strcopy( ptr, " peername" );
2624 ptr = lutil_strcopy( ptr, style_strings[b->a_peername_style] );
2627 ptr = lutil_strcopy( ptr, b->a_peername_pat.bv_val );
2631 if ( !BER_BVISEMPTY( &b->a_sockname_pat ) ) {
2632 ptr = lutil_strcopy( ptr, " sockname" );
2634 ptr = lutil_strcopy( ptr, style_strings[b->a_sockname_style] );
2637 ptr = lutil_strcopy( ptr, b->a_sockname_pat.bv_val );
2641 if ( !BER_BVISEMPTY( &b->a_domain_pat ) ) {
2642 ptr = lutil_strcopy( ptr, " domain" );
2644 ptr = lutil_strcopy( ptr, style_strings[b->a_domain_style] );
2645 if ( b->a_domain_expand ) {
2646 ptr = lutil_strcopy( ptr, ",expand" );
2649 ptr = lutil_strcopy( ptr, b->a_domain_pat.bv_val );
2652 if ( !BER_BVISEMPTY( &b->a_sockurl_pat ) ) {
2653 ptr = lutil_strcopy( ptr, " sockurl" );
2655 ptr = lutil_strcopy( ptr, style_strings[b->a_sockurl_style] );
2658 ptr = lutil_strcopy( ptr, b->a_sockurl_pat.bv_val );
2662 if ( !BER_BVISEMPTY( &b->a_set_pat ) ) {
2663 ptr = lutil_strcopy( ptr, " set" );
2665 ptr = lutil_strcopy( ptr, style_strings[b->a_set_style] );
2668 ptr = lutil_strcopy( ptr, b->a_set_pat.bv_val );
2673 if ( b->a_dynacl ) {
2676 for ( da = b->a_dynacl; da; da = da->da_next ) {
2677 if ( da->da_unparse ) {
2678 struct berval bv = BER_BVNULL;
2679 (void)( *da->da_unparse )( da->da_private, &bv );
2680 assert( !BER_BVISNULL( &bv ) );
2681 ptr = lutil_strcopy( ptr, bv.bv_val );
2682 ch_free( bv.bv_val );
2686 #endif /* SLAP_DYNACL */
2688 /* Security Strength Factors */
2689 if ( b->a_authz.sai_ssf ) {
2690 ptr += sprintf( ptr, " ssf=%u",
2691 b->a_authz.sai_ssf );
2693 if ( b->a_authz.sai_transport_ssf ) {
2694 ptr += sprintf( ptr, " transport_ssf=%u",
2695 b->a_authz.sai_transport_ssf );
2697 if ( b->a_authz.sai_tls_ssf ) {
2698 ptr += sprintf( ptr, " tls_ssf=%u",
2699 b->a_authz.sai_tls_ssf );
2701 if ( b->a_authz.sai_sasl_ssf ) {
2702 ptr += sprintf( ptr, " sasl_ssf=%u",
2703 b->a_authz.sai_sasl_ssf );
2707 if ( b->a_dn_self ) {
2708 ptr = lutil_strcopy( ptr, "self" );
2709 } else if ( b->a_realdn_self ) {
2710 ptr = lutil_strcopy( ptr, "realself" );
2712 ptr = lutil_strcopy( ptr, accessmask2str( b->a_access_mask, maskbuf, 0 ));
2713 if ( !maskbuf[0] ) ptr--;
2715 if( b->a_type == ACL_BREAK ) {
2716 ptr = lutil_strcopy( ptr, " break" );
2718 } else if( b->a_type == ACL_CONTINUE ) {
2719 ptr = lutil_strcopy( ptr, " continue" );
2721 } else if( b->a_type != ACL_STOP ) {
2722 ptr = lutil_strcopy( ptr, " unknown-control" );
2724 if ( !maskbuf[0] ) ptr = lutil_strcopy( ptr, " stop" );
2732 acl_unparse( AccessControl *a, struct berval *bv )
2738 bv->bv_val = aclbuf;
2743 ptr = lutil_strcopy( ptr, "to" );
2744 if ( !BER_BVISNULL( &a->acl_dn_pat ) ) {
2746 ptr = lutil_strcopy( ptr, " dn." );
2747 if ( a->acl_dn_style == ACL_STYLE_BASE )
2748 ptr = lutil_strcopy( ptr, style_base );
2750 ptr = lutil_strcopy( ptr, style_strings[a->acl_dn_style] );
2753 ptr = lutil_strcopy( ptr, a->acl_dn_pat.bv_val );
2754 ptr = lutil_strcopy( ptr, "\"\n" );
2757 if ( a->acl_filter != NULL ) {
2758 struct berval bv = BER_BVNULL;
2761 filter2bv( a->acl_filter, &bv );
2762 ptr = lutil_strcopy( ptr, " filter=\"" );
2763 ptr = lutil_strcopy( ptr, bv.bv_val );
2766 ch_free( bv.bv_val );
2769 if ( a->acl_attrs != NULL ) {
2774 ptr = lutil_strcopy( ptr, " attrs=" );
2775 for ( an = a->acl_attrs; an && !BER_BVISNULL( &an->an_name ); an++ ) {
2776 if ( ! first ) *ptr++ = ',';
2778 *ptr++ = ( an->an_flags & SLAP_AN_OCEXCLUDE ) ? '!' : '@';
2779 ptr = lutil_strcopy( ptr, an->an_oc->soc_cname.bv_val );
2782 ptr = lutil_strcopy( ptr, an->an_name.bv_val );
2789 if ( !BER_BVISEMPTY( &a->acl_attrval ) ) {
2791 ptr = lutil_strcopy( ptr, " val." );
2792 if ( a->acl_attrval_style == ACL_STYLE_BASE &&
2793 a->acl_attrs[0].an_desc->ad_type->sat_syntax ==
2794 slap_schema.si_syn_distinguishedName )
2795 ptr = lutil_strcopy( ptr, style_base );
2797 ptr = lutil_strcopy( ptr, style_strings[a->acl_attrval_style] );
2800 ptr = lutil_strcopy( ptr, a->acl_attrval.bv_val );
2806 ptr = lutil_strcopy( ptr, " *\n" );
2809 for ( b = a->acl_access; b != NULL; b = b->a_next ) {
2810 ptr = access2text( b, ptr );
2813 bv->bv_len = ptr - bv->bv_val;
2818 print_acl( Backend *be, AccessControl *a )
2822 acl_unparse( a, &bv );
2823 fprintf( stderr, "%s ACL: access %s\n",
2824 be == NULL ? "Global" : "Backend", bv.bv_val );
2826 #endif /* LDAP_DEBUG */