1 /* aclparse.c - routines to parse and check acl's */
3 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
5 * Copyright 1998-2005 The OpenLDAP Foundation.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted only as authorized by the OpenLDAP
12 * A copy of this license is available in the file LICENSE in the
13 * top-level directory of the distribution or, alternatively, at
14 * <http://www.OpenLDAP.org/license.html>.
16 /* Portions Copyright (c) 1995 Regents of the University of Michigan.
17 * All rights reserved.
19 * Redistribution and use in source and binary forms are permitted
20 * provided that this notice is preserved and that due credit is given
21 * to the University of Michigan at Ann Arbor. The name of the University
22 * may not be used to endorse or promote products derived from this
23 * software without specific prior written permission. This software
24 * is provided ``as is'' without express or implied warranty.
33 #include <ac/socket.h>
34 #include <ac/string.h>
35 #include <ac/unistd.h>
41 static const char style_base[] = "base";
42 char *style_strings[] = {
59 static void split(char *line, int splitchar, char **left, char **right);
60 static void access_append(Access **l, Access *a);
61 static void acl_usage(void) LDAP_GCCATTR((noreturn));
63 static void acl_regex_normalized_dn(const char *src, struct berval *pat);
66 static void print_acl(Backend *be, AccessControl *a);
69 static int check_scope( BackendDB *be, AccessControl *a );
82 slap_dynacl_t *da, *tmp;
85 for ( da = b->a_dynacl; da; da = da->da_next ) {
86 if ( strcasecmp( da->da_name, name ) == 0 ) {
87 Debug( LDAP_DEBUG_ANY,
88 "%s: line %d: dynacl \"%s\" already specified.\n",
89 fname, lineno, name );
94 da = slap_dynacl_get( name );
99 tmp = ch_malloc( sizeof( slap_dynacl_t ) );
102 if ( tmp->da_parse ) {
103 rc = ( *tmp->da_parse )( fname, lineno, opts, sty, right, &tmp->da_private );
110 tmp->da_next = b->a_dynacl;
115 #endif /* SLAP_DYNACL */
118 regtest(const char *fname, int lineno, char *pat) {
122 char buf[ SLAP_TEXT_BUFLEN ];
134 for (size = 0, flag = 0; (size < sizeof(buf)) && *sp; sp++) {
136 if (*sp == '$'|| (*sp >= '0' && *sp <= '9')) {
153 if ( size >= (sizeof(buf) - 1) ) {
154 Debug( LDAP_DEBUG_ANY,
155 "%s: line %d: regular expression \"%s\" too large\n",
156 fname, lineno, pat );
160 if ((e = regcomp(&re, buf, REG_EXTENDED|REG_ICASE))) {
161 char error[ SLAP_TEXT_BUFLEN ];
163 regerror(e, &re, error, sizeof(error));
165 snprintf( buf, sizeof( buf ),
166 "regular expression \"%s\" bad because of %s",
168 Debug( LDAP_DEBUG_ANY,
170 fname, lineno, buf );
179 * Check if the pattern of an ACL, if any, matches the scope
180 * of the backend it is defined within.
182 #define ACL_SCOPE_UNKNOWN (-2)
183 #define ACL_SCOPE_ERR (-1)
184 #define ACL_SCOPE_OK (0)
185 #define ACL_SCOPE_PARTIAL (1)
186 #define ACL_SCOPE_WARN (2)
189 check_scope( BackendDB *be, AccessControl *a )
194 dn = be->be_nsuffix[0];
196 if ( BER_BVISEMPTY( &dn ) ) {
200 if ( !BER_BVISEMPTY( &a->acl_dn_pat ) ||
201 a->acl_dn_style != ACL_STYLE_REGEX )
203 slap_style_t style = a->acl_dn_style;
205 if ( style == ACL_STYLE_REGEX ) {
206 char dnbuf[SLAP_LDAPDN_MAXLEN + 2];
207 char rebuf[SLAP_LDAPDN_MAXLEN + 1];
212 /* add trailing '$' to database suffix to form
213 * a simple trial regex pattern "<suffix>$" */
214 AC_MEMCPY( dnbuf, be->be_nsuffix[0].bv_val,
215 be->be_nsuffix[0].bv_len );
216 dnbuf[be->be_nsuffix[0].bv_len] = '$';
217 dnbuf[be->be_nsuffix[0].bv_len + 1] = '\0';
219 if ( regcomp( &re, dnbuf, REG_EXTENDED|REG_ICASE ) ) {
220 return ACL_SCOPE_WARN;
223 /* remove trailing ')$', if any, from original
225 rebuflen = a->acl_dn_pat.bv_len;
226 AC_MEMCPY( rebuf, a->acl_dn_pat.bv_val, rebuflen + 1 );
227 if ( rebuf[rebuflen - 1] == '$' ) {
228 rebuf[--rebuflen] = '\0';
230 while ( rebuflen > be->be_nsuffix[0].bv_len && rebuf[rebuflen - 1] == ')' ) {
231 rebuf[--rebuflen] = '\0';
233 if ( rebuflen == be->be_nsuffix[0].bv_len ) {
238 /* not a clear indication of scoping error, though */
239 rc = regexec( &re, rebuf, 0, NULL, 0 )
240 ? ACL_SCOPE_WARN : ACL_SCOPE_OK;
247 patlen = a->acl_dn_pat.bv_len;
248 /* If backend suffix is longer than pattern,
249 * it is a potential mismatch (in the sense
250 * that a superior naming context could
252 if ( dn.bv_len > patlen ) {
253 /* base is blatantly wrong */
254 if ( style == ACL_STYLE_BASE ) return ACL_SCOPE_ERR;
256 /* a style of one can be wrong if there is
257 * more than one level between the suffix
259 if ( style == ACL_STYLE_ONE ) {
260 ber_len_t rdnlen = 0;
264 if ( !DN_SEPARATOR( dn.bv_val[dn.bv_len - patlen - 1] )) {
265 return ACL_SCOPE_ERR;
270 rdnlen = dn_rdnlen( NULL, &dn );
271 if ( rdnlen != dn.bv_len - patlen - sep )
272 return ACL_SCOPE_ERR;
275 /* if the trailing part doesn't match,
276 * then it's an error */
277 if ( strcmp( a->acl_dn_pat.bv_val,
278 &dn.bv_val[dn.bv_len - patlen] ) != 0 )
280 return ACL_SCOPE_ERR;
283 return ACL_SCOPE_PARTIAL;
289 case ACL_STYLE_CHILDREN:
290 case ACL_STYLE_SUBTREE:
298 if ( dn.bv_len < patlen &&
299 !DN_SEPARATOR( a->acl_dn_pat.bv_val[patlen - dn.bv_len - 1] ))
301 return ACL_SCOPE_ERR;
304 if ( strcmp( &a->acl_dn_pat.bv_val[patlen - dn.bv_len], dn.bv_val )
307 return ACL_SCOPE_ERR;
313 return ACL_SCOPE_UNKNOWN;
326 char *left, *right, *style, *next;
334 for ( i = 1; i < argc; i++ ) {
335 /* to clause - select which entries are protected */
336 if ( strcasecmp( argv[i], "to" ) == 0 ) {
338 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
339 "only one to clause allowed in access line\n",
343 a = (AccessControl *) ch_calloc( 1, sizeof(AccessControl) );
344 for ( ++i; i < argc; i++ ) {
345 if ( strcasecmp( argv[i], "by" ) == 0 ) {
350 if ( strcasecmp( argv[i], "*" ) == 0 ) {
351 if ( !BER_BVISEMPTY( &a->acl_dn_pat ) ||
352 a->acl_dn_style != ACL_STYLE_REGEX )
354 Debug( LDAP_DEBUG_ANY,
355 "%s: line %d: dn pattern"
356 " already specified in to clause.\n",
361 ber_str2bv( "*", STRLENOF( "*" ), 1, &a->acl_dn_pat );
365 split( argv[i], '=', &left, &right );
366 split( left, '.', &left, &style );
368 if ( right == NULL ) {
369 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
370 "missing \"=\" in \"%s\" in to clause\n",
371 fname, lineno, left );
375 if ( strcasecmp( left, "dn" ) == 0 ) {
376 if ( !BER_BVISEMPTY( &a->acl_dn_pat ) ||
377 a->acl_dn_style != ACL_STYLE_REGEX )
379 Debug( LDAP_DEBUG_ANY,
380 "%s: line %d: dn pattern"
381 " already specified in to clause.\n",
386 if ( style == NULL || *style == '\0' ||
387 strcasecmp( style, "baseObject" ) == 0 ||
388 strcasecmp( style, "base" ) == 0 ||
389 strcasecmp( style, "exact" ) == 0 )
391 a->acl_dn_style = ACL_STYLE_BASE;
392 ber_str2bv( right, 0, 1, &a->acl_dn_pat );
394 } else if ( strcasecmp( style, "oneLevel" ) == 0 ||
395 strcasecmp( style, "one" ) == 0 )
397 a->acl_dn_style = ACL_STYLE_ONE;
398 ber_str2bv( right, 0, 1, &a->acl_dn_pat );
400 } else if ( strcasecmp( style, "subtree" ) == 0 ||
401 strcasecmp( style, "sub" ) == 0 )
403 if( *right == '\0' ) {
404 ber_str2bv( "*", STRLENOF( "*" ), 1, &a->acl_dn_pat );
407 a->acl_dn_style = ACL_STYLE_SUBTREE;
408 ber_str2bv( right, 0, 1, &a->acl_dn_pat );
411 } else if ( strcasecmp( style, "children" ) == 0 ) {
412 a->acl_dn_style = ACL_STYLE_CHILDREN;
413 ber_str2bv( right, 0, 1, &a->acl_dn_pat );
415 } else if ( strcasecmp( style, "regex" ) == 0 ) {
416 a->acl_dn_style = ACL_STYLE_REGEX;
418 if ( *right == '\0' ) {
419 /* empty regex should match empty DN */
420 a->acl_dn_style = ACL_STYLE_BASE;
421 ber_str2bv( right, 0, 1, &a->acl_dn_pat );
423 } else if ( strcmp(right, "*") == 0
424 || strcmp(right, ".*") == 0
425 || strcmp(right, ".*$") == 0
426 || strcmp(right, "^.*") == 0
427 || strcmp(right, "^.*$") == 0
428 || strcmp(right, ".*$$") == 0
429 || strcmp(right, "^.*$$") == 0 )
431 ber_str2bv( "*", STRLENOF("*"), 1, &a->acl_dn_pat );
434 acl_regex_normalized_dn( right, &a->acl_dn_pat );
438 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
439 "unknown dn style \"%s\" in to clause\n",
440 fname, lineno, style );
447 if ( strcasecmp( left, "filter" ) == 0 ) {
448 if ( (a->acl_filter = str2filter( right )) == NULL ) {
449 Debug( LDAP_DEBUG_ANY,
450 "%s: line %d: bad filter \"%s\" in to clause\n",
451 fname, lineno, right );
455 } else if ( strcasecmp( left, "attr" ) == 0 /* TOLERATED */
456 || strcasecmp( left, "attrs" ) == 0 ) /* DOCUMENTED */
458 a->acl_attrs = str2anlist( a->acl_attrs,
460 if ( a->acl_attrs == NULL ) {
461 Debug( LDAP_DEBUG_ANY,
462 "%s: line %d: unknown attr \"%s\" in to clause\n",
463 fname, lineno, right );
467 } else if ( strncasecmp( left, "val", 3 ) == 0 ) {
470 if ( !BER_BVISEMPTY( &a->acl_attrval ) ) {
471 Debug( LDAP_DEBUG_ANY,
472 "%s: line %d: attr val already specified in to clause.\n",
476 if ( a->acl_attrs == NULL || !BER_BVISEMPTY( &a->acl_attrs[1].an_name ) )
478 Debug( LDAP_DEBUG_ANY,
479 "%s: line %d: attr val requires a single attribute.\n",
484 ber_str2bv( right, 0, 1, &a->acl_attrval );
485 a->acl_attrval_style = ACL_STYLE_BASE;
487 mr = strchr( left, '/' );
492 a->acl_attrval_mr = mr_find( mr );
493 if ( a->acl_attrval_mr == NULL ) {
494 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
495 "invalid matching rule \"%s\".\n",
500 if( !mr_usable_with_at( a->acl_attrval_mr, a->acl_attrs[ 0 ].an_desc->ad_type ) )
502 char buf[ SLAP_TEXT_BUFLEN ];
504 snprintf( buf, sizeof( buf ),
505 "matching rule \"%s\" use "
506 "with attr \"%s\" not appropriate.",
507 mr, a->acl_attrs[ 0 ].an_name.bv_val );
510 Debug( LDAP_DEBUG_ANY, "%s: line %d: %s\n",
511 fname, lineno, buf );
516 if ( style != NULL ) {
517 if ( strcasecmp( style, "regex" ) == 0 ) {
518 int e = regcomp( &a->acl_attrval_re, a->acl_attrval.bv_val,
519 REG_EXTENDED | REG_ICASE | REG_NOSUB );
521 char err[SLAP_TEXT_BUFLEN],
522 buf[ SLAP_TEXT_BUFLEN ];
524 regerror( e, &a->acl_attrval_re, err, sizeof( err ) );
526 snprintf( buf, sizeof( buf ),
527 "regular expression \"%s\" bad because of %s",
530 Debug( LDAP_DEBUG_ANY, "%s: line %d: %s\n",
531 fname, lineno, buf );
534 a->acl_attrval_style = ACL_STYLE_REGEX;
537 /* FIXME: if the attribute has DN syntax, we might
538 * allow one, subtree and children styles as well */
539 if ( !strcasecmp( style, "base" ) ||
540 !strcasecmp( style, "exact" ) ) {
541 a->acl_attrval_style = ACL_STYLE_BASE;
543 } else if ( a->acl_attrs[0].an_desc->ad_type->
544 sat_syntax == slap_schema.si_syn_distinguishedName )
548 if ( !strcasecmp( style, "baseObject" ) ||
549 !strcasecmp( style, "base" ) )
551 a->acl_attrval_style = ACL_STYLE_BASE;
552 } else if ( !strcasecmp( style, "onelevel" ) ||
553 !strcasecmp( style, "one" ) )
555 a->acl_attrval_style = ACL_STYLE_ONE;
556 } else if ( !strcasecmp( style, "subtree" ) ||
557 !strcasecmp( style, "sub" ) )
559 a->acl_attrval_style = ACL_STYLE_SUBTREE;
560 } else if ( !strcasecmp( style, "children" ) ) {
561 a->acl_attrval_style = ACL_STYLE_CHILDREN;
563 char buf[ SLAP_TEXT_BUFLEN ];
565 /* FIXME: should be an error */
567 snprintf( buf, sizeof( buf ),
568 "unknown val.<style> \"%s\" "
569 "for attributeType \"%s\" with DN syntax; "
571 SLAPD_CONF_UNKNOWN_IGNORED ".",
573 a->acl_attrs[0].an_desc->ad_cname.bv_val );
575 Debug( LDAP_DEBUG_CONFIG | LDAP_DEBUG_ACL,
577 fname, lineno, buf );
578 #ifdef SLAPD_CONF_UNKNOWN_BAILOUT
580 #endif /* SLAPD_CONF_UNKNOWN_BAILOUT */
581 a->acl_attrval_style = ACL_STYLE_BASE;
585 rc = dnNormalize( 0, NULL, NULL, &bv, &a->acl_attrval, NULL );
586 if ( rc != LDAP_SUCCESS ) {
587 char buf[ SLAP_TEXT_BUFLEN ];
589 snprintf( buf, sizeof( buf ),
590 "unable to normalize DN \"%s\" "
591 "for attributeType \"%s\" (%d).",
593 a->acl_attrs[0].an_desc->ad_cname.bv_val,
595 Debug( LDAP_DEBUG_ANY,
597 fname, lineno, buf );
600 ber_memfree( bv.bv_val );
603 char buf[ SLAP_TEXT_BUFLEN ];
605 /* FIXME: should be an error */
607 snprintf( buf, sizeof( buf ),
608 "unknown val.<style> \"%s\" "
609 "for attributeType \"%s\"; using \"exact\""
610 SLAPD_CONF_UNKNOWN_IGNORED ".",
611 style, a->acl_attrs[0].an_desc->ad_cname.bv_val );
612 Debug( LDAP_DEBUG_CONFIG | LDAP_DEBUG_ACL,
614 fname, lineno, buf );
615 #ifdef SLAPD_CONF_UNKNOWN_BAILOUT
617 #endif /* SLAPD_CONF_UNKNOWN_BAILOUT */
618 a->acl_attrval_style = ACL_STYLE_BASE;
623 /* Check for appropriate matching rule */
624 if ( a->acl_attrval_style != ACL_STYLE_REGEX ) {
625 if ( a->acl_attrval_mr == NULL ) {
626 a->acl_attrval_mr = a->acl_attrs[ 0 ].an_desc->ad_type->sat_equality;
629 if ( a->acl_attrval_mr == NULL ) {
630 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
631 "attr \"%s\" must have an EQUALITY matching rule.\n",
632 fname, lineno, a->acl_attrs[ 0 ].an_name.bv_val );
638 Debug( LDAP_DEBUG_ANY,
639 "%s: line %d: expecting <what> got \"%s\"\n",
640 fname, lineno, left );
645 if ( !BER_BVISNULL( &a->acl_dn_pat ) &&
646 ber_bvccmp( &a->acl_dn_pat, '*' ) )
648 free( a->acl_dn_pat.bv_val );
649 BER_BVZERO( &a->acl_dn_pat );
650 a->acl_dn_style = ACL_STYLE_REGEX;
653 if ( !BER_BVISEMPTY( &a->acl_dn_pat ) ||
654 a->acl_dn_style != ACL_STYLE_REGEX )
656 if ( a->acl_dn_style != ACL_STYLE_REGEX ) {
658 rc = dnNormalize( 0, NULL, NULL, &a->acl_dn_pat, &bv, NULL);
659 if ( rc != LDAP_SUCCESS ) {
660 Debug( LDAP_DEBUG_ANY,
661 "%s: line %d: bad DN \"%s\" in to DN clause\n",
662 fname, lineno, a->acl_dn_pat.bv_val );
665 free( a->acl_dn_pat.bv_val );
669 int e = regcomp( &a->acl_dn_re, a->acl_dn_pat.bv_val,
670 REG_EXTENDED | REG_ICASE );
672 char err[ SLAP_TEXT_BUFLEN ],
673 buf[ SLAP_TEXT_BUFLEN ];
675 regerror( e, &a->acl_dn_re, err, sizeof( err ) );
676 snprintf( buf, sizeof( buf ),
677 "regular expression \"%s\" bad because of %s",
679 Debug( LDAP_DEBUG_ANY, "%s: line %d: %s\n",
680 fname, lineno, buf );
686 /* by clause - select who has what access to entries */
687 } else if ( strcasecmp( argv[i], "by" ) == 0 ) {
689 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
690 "to clause required before by clause in access line\n",
696 * by clause consists of <who> and <access>
699 b = (Access *) ch_calloc( 1, sizeof(Access) );
701 ACL_INVALIDATE( b->a_access_mask );
704 Debug( LDAP_DEBUG_ANY,
705 "%s: line %d: premature EOL: expecting <who>\n",
711 for ( ; i < argc; i++ ) {
712 slap_style_t sty = ACL_STYLE_REGEX;
713 char *style_modifier = NULL;
714 char *style_level = NULL;
717 slap_dn_access *bdn = &b->a_dn;
720 split( argv[i], '=', &left, &right );
721 split( left, '.', &left, &style );
723 split( style, ',', &style, &style_modifier );
725 if ( strncasecmp( style, "level", STRLENOF( "level" ) ) == 0 ) {
726 split( style, '{', &style, &style_level );
727 if ( style_level != NULL ) {
728 char *p = strchr( style_level, '}' );
730 Debug( LDAP_DEBUG_ANY,
731 "%s: line %d: premature eol: "
732 "expecting closing '}' in \"level{n}\"\n",
735 } else if ( p == style_level ) {
736 Debug( LDAP_DEBUG_ANY,
737 "%s: line %d: empty level "
747 if ( style == NULL || *style == '\0' ||
748 strcasecmp( style, "exact" ) == 0 ||
749 strcasecmp( style, "baseObject" ) == 0 ||
750 strcasecmp( style, "base" ) == 0 )
752 sty = ACL_STYLE_BASE;
754 } else if ( strcasecmp( style, "onelevel" ) == 0 ||
755 strcasecmp( style, "one" ) == 0 )
759 } else if ( strcasecmp( style, "subtree" ) == 0 ||
760 strcasecmp( style, "sub" ) == 0 )
762 sty = ACL_STYLE_SUBTREE;
764 } else if ( strcasecmp( style, "children" ) == 0 ) {
765 sty = ACL_STYLE_CHILDREN;
767 } else if ( strcasecmp( style, "level" ) == 0 )
771 level = strtol( style_level, &next, 10 );
772 if ( next[0] != '\0' ) {
773 Debug( LDAP_DEBUG_ANY,
774 "%s: line %d: unable to parse level "
780 sty = ACL_STYLE_LEVEL;
782 } else if ( strcasecmp( style, "regex" ) == 0 ) {
783 sty = ACL_STYLE_REGEX;
785 } else if ( strcasecmp( style, "expand" ) == 0 ) {
786 sty = ACL_STYLE_EXPAND;
788 } else if ( strcasecmp( style, "ip" ) == 0 ) {
791 } else if ( strcasecmp( style, "path" ) == 0 ) {
792 sty = ACL_STYLE_PATH;
793 #ifndef LDAP_PF_LOCAL
794 Debug( LDAP_DEBUG_CONFIG | LDAP_DEBUG_ACL,
796 "\"path\" style modifier is useless without local"
797 SLAPD_CONF_UNKNOWN_IGNORED ".\n",
799 #ifdef SLAPD_CONF_UNKNOWN_BAILOUT
801 #endif /* SLAPD_CONF_UNKNOWN_BAILOUT */
802 #endif /* LDAP_PF_LOCAL */
805 Debug( LDAP_DEBUG_ANY,
806 "%s: line %d: unknown style \"%s\" in by clause\n",
807 fname, lineno, style );
811 if ( style_modifier &&
812 strcasecmp( style_modifier, "expand" ) == 0 )
815 case ACL_STYLE_REGEX:
816 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
817 "\"regex\" style implies "
818 "\"expand\" modifier"
819 SLAPD_CONF_UNKNOWN_IGNORED ".\n",
821 #ifdef SLAPD_CONF_UNKNOWN_BAILOUT
823 #endif /* SLAPD_CONF_UNKNOWN_BAILOUT */
826 case ACL_STYLE_EXPAND:
830 /* we'll see later if it's pertinent */
836 /* expand in <who> needs regex in <what> */
837 if ( ( sty == ACL_STYLE_EXPAND || expand )
838 && a->acl_dn_style != ACL_STYLE_REGEX )
840 Debug( LDAP_DEBUG_CONFIG | LDAP_DEBUG_ACL, "%s: line %d: "
841 "\"expand\" style or modifier used "
842 "in conjunction with "
843 "a non-regex <what> clause"
844 SLAPD_CONF_UNKNOWN_IGNORED ".\n",
846 #ifdef SLAPD_CONF_UNKNOWN_BAILOUT
848 #endif /* SLAPD_CONF_UNKNOWN_BAILOUT */
851 if ( strncasecmp( left, "real", STRLENOF( "real" ) ) == 0 ) {
854 left += STRLENOF( "real" );
857 if ( strcasecmp( left, "*" ) == 0 ) {
862 ber_str2bv( "*", STRLENOF( "*" ), 1, &bv );
863 sty = ACL_STYLE_REGEX;
865 } else if ( strcasecmp( left, "anonymous" ) == 0 ) {
866 ber_str2bv("anonymous", STRLENOF( "anonymous" ), 1, &bv);
867 sty = ACL_STYLE_ANONYMOUS;
869 } else if ( strcasecmp( left, "users" ) == 0 ) {
870 ber_str2bv("users", STRLENOF( "users" ), 1, &bv);
871 sty = ACL_STYLE_USERS;
873 } else if ( strcasecmp( left, "self" ) == 0 ) {
874 ber_str2bv("self", STRLENOF( "self" ), 1, &bv);
875 sty = ACL_STYLE_SELF;
877 } else if ( strcasecmp( left, "dn" ) == 0 ) {
878 if ( sty == ACL_STYLE_REGEX ) {
879 bdn->a_style = ACL_STYLE_REGEX;
880 if ( right == NULL ) {
885 bdn->a_style = ACL_STYLE_USERS;
887 } else if (*right == '\0' ) {
889 ber_str2bv("anonymous",
890 STRLENOF( "anonymous" ),
892 bdn->a_style = ACL_STYLE_ANONYMOUS;
894 } else if ( strcmp( right, "*" ) == 0 ) {
896 /* any or users? users for now */
900 bdn->a_style = ACL_STYLE_USERS;
902 } else if ( strcmp( right, ".+" ) == 0
903 || strcmp( right, "^.+" ) == 0
904 || strcmp( right, ".+$" ) == 0
905 || strcmp( right, "^.+$" ) == 0
906 || strcmp( right, ".+$$" ) == 0
907 || strcmp( right, "^.+$$" ) == 0 )
912 bdn->a_style = ACL_STYLE_USERS;
914 } else if ( strcmp( right, ".*" ) == 0
915 || strcmp( right, "^.*" ) == 0
916 || strcmp( right, ".*$" ) == 0
917 || strcmp( right, "^.*$" ) == 0
918 || strcmp( right, ".*$$" ) == 0
919 || strcmp( right, "^.*$$" ) == 0 )
926 acl_regex_normalized_dn( right, &bv );
927 if ( !ber_bvccmp( &bv, '*' ) ) {
928 regtest( fname, lineno, bv.bv_val );
932 } else if ( right == NULL || *right == '\0' ) {
933 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
934 "missing \"=\" in (or value after) \"%s\" "
936 fname, lineno, left );
940 ber_str2bv( right, 0, 1, &bv );
947 if ( !BER_BVISNULL( &bv ) ) {
948 if ( !BER_BVISEMPTY( &bdn->a_pat ) ) {
949 Debug( LDAP_DEBUG_ANY,
950 "%s: line %d: dn pattern already specified.\n",
955 if ( sty != ACL_STYLE_REGEX &&
956 sty != ACL_STYLE_ANONYMOUS &&
957 sty != ACL_STYLE_USERS &&
958 sty != ACL_STYLE_SELF &&
961 rc = dnNormalize(0, NULL, NULL,
962 &bv, &bdn->a_pat, NULL);
963 if ( rc != LDAP_SUCCESS ) {
964 Debug( LDAP_DEBUG_ANY,
965 "%s: line %d: bad DN \"%s\" in by DN clause\n",
966 fname, lineno, bv.bv_val );
979 for ( exp = strchr( bdn->a_pat.bv_val, '$' );
980 exp && (ber_len_t)(exp - bdn->a_pat.bv_val)
982 exp = strchr( exp, '$' ) )
984 if ( isdigit( exp[ 1 ] ) ) {
991 bdn->a_expand = expand;
994 Debug( LDAP_DEBUG_ANY,
995 "%s: line %d: \"expand\" used "
996 "with no expansions in \"pattern\""
997 SLAPD_CONF_UNKNOWN_IGNORED ".\n",
999 #ifdef SLAPD_CONF_UNKNOWN_BAILOUT
1001 #endif /* SLAPD_CONF_UNKNOWN_BAILOUT */
1004 if ( sty == ACL_STYLE_SELF ) {
1005 bdn->a_self_level = level;
1009 Debug( LDAP_DEBUG_ANY,
1010 "%s: line %d: bad negative level \"%d\" "
1011 "in by DN clause\n",
1012 fname, lineno, level );
1014 } else if ( level == 1 ) {
1015 Debug( LDAP_DEBUG_ANY,
1016 "%s: line %d: \"onelevel\" should be used "
1017 "instead of \"level{1}\" in by DN clause\n",
1019 } else if ( level == 0 && sty == ACL_STYLE_LEVEL ) {
1020 Debug( LDAP_DEBUG_ANY,
1021 "%s: line %d: \"base\" should be used "
1022 "instead of \"level{0}\" in by DN clause\n",
1026 bdn->a_level = level;
1031 if ( strcasecmp( left, "dnattr" ) == 0 ) {
1032 if ( right == NULL || right[0] == '\0' ) {
1033 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1034 "missing \"=\" in (or value after) \"%s\" "
1036 fname, lineno, left );
1040 if( bdn->a_at != NULL ) {
1041 Debug( LDAP_DEBUG_ANY,
1042 "%s: line %d: dnattr already specified.\n",
1047 rc = slap_str2ad( right, &bdn->a_at, &text );
1049 if( rc != LDAP_SUCCESS ) {
1050 char buf[ SLAP_TEXT_BUFLEN ];
1052 snprintf( buf, sizeof( buf ),
1053 "dnattr \"%s\": %s",
1055 Debug( LDAP_DEBUG_ANY,
1056 "%s: line %d: %s\n",
1057 fname, lineno, buf );
1062 if( !is_at_syntax( bdn->a_at->ad_type,
1063 SLAPD_DN_SYNTAX ) &&
1064 !is_at_syntax( bdn->a_at->ad_type,
1065 SLAPD_NAMEUID_SYNTAX ))
1067 char buf[ SLAP_TEXT_BUFLEN ];
1069 snprintf( buf, sizeof( buf ),
1071 "inappropriate syntax: %s\n",
1073 bdn->a_at->ad_type->sat_syntax_oid );
1074 Debug( LDAP_DEBUG_ANY,
1075 "%s: line %d: %s\n",
1076 fname, lineno, buf );
1080 if( bdn->a_at->ad_type->sat_equality == NULL ) {
1081 Debug( LDAP_DEBUG_ANY,
1082 "%s: line %d: dnattr \"%s\": "
1083 "inappropriate matching (no EQUALITY)\n",
1084 fname, lineno, right );
1091 if ( strncasecmp( left, "group", STRLENOF( "group" ) ) == 0 ) {
1096 case ACL_STYLE_REGEX:
1097 /* legacy, tolerated */
1098 Debug( LDAP_DEBUG_CONFIG | LDAP_DEBUG_ACL,
1100 "deprecated group style \"regex\"; "
1101 "use \"expand\" instead.\n",
1103 sty = ACL_STYLE_EXPAND;
1106 case ACL_STYLE_BASE:
1107 /* legal, traditional */
1108 case ACL_STYLE_EXPAND:
1109 /* legal, substring expansion; supersedes regex */
1114 Debug( LDAP_DEBUG_ANY,
1116 "inappropriate style \"%s\" in by clause.\n",
1117 fname, lineno, style );
1121 if ( right == NULL || right[0] == '\0' ) {
1122 Debug( LDAP_DEBUG_ANY,
1124 "missing \"=\" in (or value after) \"%s\" "
1126 fname, lineno, left );
1130 if ( !BER_BVISEMPTY( &b->a_group_pat ) ) {
1131 Debug( LDAP_DEBUG_ANY,
1132 "%s: line %d: group pattern already specified.\n",
1137 /* format of string is
1138 "group/objectClassValue/groupAttrName" */
1139 if ( ( value = strchr(left, '/') ) != NULL ) {
1141 if ( *value && ( name = strchr( value, '/' ) ) != NULL ) {
1146 b->a_group_style = sty;
1147 if ( sty == ACL_STYLE_EXPAND ) {
1148 acl_regex_normalized_dn( right, &bv );
1149 if ( !ber_bvccmp( &bv, '*' ) ) {
1150 regtest( fname, lineno, bv.bv_val );
1152 b->a_group_pat = bv;
1155 ber_str2bv( right, 0, 0, &bv );
1156 rc = dnNormalize( 0, NULL, NULL, &bv,
1157 &b->a_group_pat, NULL );
1158 if ( rc != LDAP_SUCCESS ) {
1159 Debug( LDAP_DEBUG_ANY,
1160 "%s: line %d: bad DN \"%s\".\n",
1161 fname, lineno, right );
1166 if ( value && *value ) {
1167 b->a_group_oc = oc_find( value );
1170 if ( b->a_group_oc == NULL ) {
1171 Debug( LDAP_DEBUG_ANY,
1172 "%s: line %d: group objectclass "
1173 "\"%s\" unknown.\n",
1174 fname, lineno, value );
1179 b->a_group_oc = oc_find( SLAPD_GROUP_CLASS );
1181 if( b->a_group_oc == NULL ) {
1182 Debug( LDAP_DEBUG_ANY,
1183 "%s: line %d: group default objectclass "
1184 "\"%s\" unknown.\n",
1185 fname, lineno, SLAPD_GROUP_CLASS );
1190 if ( is_object_subclass( slap_schema.si_oc_referral,
1193 Debug( LDAP_DEBUG_ANY,
1194 "%s: line %d: group objectclass \"%s\" "
1195 "is subclass of referral.\n",
1196 fname, lineno, value );
1200 if ( is_object_subclass( slap_schema.si_oc_alias,
1203 Debug( LDAP_DEBUG_ANY,
1204 "%s: line %d: group objectclass \"%s\" "
1205 "is subclass of alias.\n",
1206 fname, lineno, value );
1210 if ( name && *name ) {
1211 rc = slap_str2ad( name, &b->a_group_at, &text );
1213 if( rc != LDAP_SUCCESS ) {
1214 char buf[ SLAP_TEXT_BUFLEN ];
1216 snprintf( buf, sizeof( buf ),
1217 "group \"%s\": %s.",
1219 Debug( LDAP_DEBUG_ANY,
1220 "%s: line %d: %s\n",
1221 fname, lineno, buf );
1227 rc = slap_str2ad( SLAPD_GROUP_ATTR, &b->a_group_at, &text );
1229 if ( rc != LDAP_SUCCESS ) {
1230 char buf[ SLAP_TEXT_BUFLEN ];
1232 snprintf( buf, sizeof( buf ),
1233 "group \"%s\": %s.",
1234 SLAPD_GROUP_ATTR, text );
1235 Debug( LDAP_DEBUG_ANY,
1236 "%s: line %d: %s\n",
1237 fname, lineno, buf );
1242 if ( !is_at_syntax( b->a_group_at->ad_type,
1243 SLAPD_DN_SYNTAX ) &&
1244 !is_at_syntax( b->a_group_at->ad_type,
1245 SLAPD_NAMEUID_SYNTAX ) &&
1246 !is_at_subtype( b->a_group_at->ad_type, slap_schema.si_ad_labeledURI->ad_type ) )
1248 char buf[ SLAP_TEXT_BUFLEN ];
1250 snprintf( buf, sizeof( buf ),
1251 "group \"%s\": inappropriate syntax: %s.",
1253 b->a_group_at->ad_type->sat_syntax_oid );
1254 Debug( LDAP_DEBUG_ANY,
1255 "%s: line %d: %s\n",
1256 fname, lineno, buf );
1263 struct berval vals[2];
1265 ber_str2bv( b->a_group_oc->soc_oid, 0, 0, &vals[0] );
1266 BER_BVZERO( &vals[1] );
1268 rc = oc_check_allowed( b->a_group_at->ad_type,
1272 char buf[ SLAP_TEXT_BUFLEN ];
1274 snprintf( buf, sizeof( buf ),
1275 "group: \"%s\" not allowed by \"%s\".",
1276 b->a_group_at->ad_cname.bv_val,
1277 b->a_group_oc->soc_oid );
1278 Debug( LDAP_DEBUG_ANY, "%s: line %d: %s\n",
1279 fname, lineno, buf );
1286 if ( strcasecmp( left, "peername" ) == 0 ) {
1288 case ACL_STYLE_REGEX:
1289 case ACL_STYLE_BASE:
1290 /* legal, traditional */
1291 case ACL_STYLE_EXPAND:
1292 /* cheap replacement to regex for simple expansion */
1294 case ACL_STYLE_PATH:
1295 /* legal, peername specific */
1299 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1300 "inappropriate style \"%s\" in by clause.\n",
1301 fname, lineno, style );
1305 if ( right == NULL || right[0] == '\0' ) {
1306 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1307 "missing \"=\" in (or value after) \"%s\" "
1309 fname, lineno, left );
1313 if ( !BER_BVISEMPTY( &b->a_peername_pat ) ) {
1314 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1315 "peername pattern already specified.\n",
1320 b->a_peername_style = sty;
1321 if ( sty == ACL_STYLE_REGEX ) {
1322 acl_regex_normalized_dn( right, &bv );
1323 if ( !ber_bvccmp( &bv, '*' ) ) {
1324 regtest( fname, lineno, bv.bv_val );
1326 b->a_peername_pat = bv;
1329 ber_str2bv( right, 0, 1, &b->a_peername_pat );
1331 if ( sty == ACL_STYLE_IP ) {
1336 split( right, '{', &addr, &port );
1337 split( addr, '%', &addr, &mask );
1339 b->a_peername_addr = inet_addr( addr );
1340 if ( b->a_peername_addr == (unsigned long)(-1) ) {
1341 /* illegal address */
1342 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1343 "illegal peername address \"%s\".\n",
1344 fname, lineno, addr );
1348 b->a_peername_mask = (unsigned long)(-1);
1349 if ( mask != NULL ) {
1350 b->a_peername_mask = inet_addr( mask );
1351 if ( b->a_peername_mask ==
1352 (unsigned long)(-1) )
1355 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1356 "illegal peername address mask "
1358 fname, lineno, mask );
1363 b->a_peername_port = -1;
1367 b->a_peername_port = strtol( port, &end, 10 );
1368 if ( end[0] != '}' ) {
1370 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1371 "illegal peername port specification "
1373 fname, lineno, port );
1382 if ( strcasecmp( left, "sockname" ) == 0 ) {
1384 case ACL_STYLE_REGEX:
1385 case ACL_STYLE_BASE:
1386 /* legal, traditional */
1387 case ACL_STYLE_EXPAND:
1388 /* cheap replacement to regex for simple expansion */
1393 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1394 "inappropriate style \"%s\" in by clause\n",
1395 fname, lineno, style );
1399 if ( right == NULL || right[0] == '\0' ) {
1400 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1401 "missing \"=\" in (or value after) \"%s\" "
1403 fname, lineno, left );
1407 if ( !BER_BVISNULL( &b->a_sockname_pat ) ) {
1408 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1409 "sockname pattern already specified.\n",
1414 b->a_sockname_style = sty;
1415 if ( sty == ACL_STYLE_REGEX ) {
1416 acl_regex_normalized_dn( right, &bv );
1417 if ( !ber_bvccmp( &bv, '*' ) ) {
1418 regtest( fname, lineno, bv.bv_val );
1420 b->a_sockname_pat = bv;
1423 ber_str2bv( right, 0, 1, &b->a_sockname_pat );
1428 if ( strcasecmp( left, "domain" ) == 0 ) {
1430 case ACL_STYLE_REGEX:
1431 case ACL_STYLE_BASE:
1432 case ACL_STYLE_SUBTREE:
1433 /* legal, traditional */
1436 case ACL_STYLE_EXPAND:
1437 /* tolerated: means exact,expand */
1439 Debug( LDAP_DEBUG_ANY,
1441 "\"expand\" modifier "
1442 "with \"expand\" style.\n",
1445 sty = ACL_STYLE_BASE;
1451 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1452 "inappropriate style \"%s\" in by clause.\n",
1453 fname, lineno, style );
1457 if ( right == NULL || right[0] == '\0' ) {
1458 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1459 "missing \"=\" in (or value after) \"%s\" "
1461 fname, lineno, left );
1465 if ( !BER_BVISEMPTY( &b->a_domain_pat ) ) {
1466 Debug( LDAP_DEBUG_ANY,
1467 "%s: line %d: domain pattern already specified.\n",
1472 b->a_domain_style = sty;
1473 b->a_domain_expand = expand;
1474 if ( sty == ACL_STYLE_REGEX ) {
1475 acl_regex_normalized_dn( right, &bv );
1476 if ( !ber_bvccmp( &bv, '*' ) ) {
1477 regtest( fname, lineno, bv.bv_val );
1479 b->a_domain_pat = bv;
1482 ber_str2bv( right, 0, 1, &b->a_domain_pat );
1487 if ( strcasecmp( left, "sockurl" ) == 0 ) {
1489 case ACL_STYLE_REGEX:
1490 case ACL_STYLE_BASE:
1491 /* legal, traditional */
1492 case ACL_STYLE_EXPAND:
1493 /* cheap replacement to regex for simple expansion */
1498 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1499 "inappropriate style \"%s\" in by clause.\n",
1500 fname, lineno, style );
1504 if ( right == NULL || right[0] == '\0' ) {
1505 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1506 "missing \"=\" in (or value after) \"%s\" "
1508 fname, lineno, left );
1512 if ( !BER_BVISEMPTY( &b->a_sockurl_pat ) ) {
1513 Debug( LDAP_DEBUG_ANY,
1514 "%s: line %d: sockurl pattern already specified.\n",
1519 b->a_sockurl_style = sty;
1520 if ( sty == ACL_STYLE_REGEX ) {
1521 acl_regex_normalized_dn( right, &bv );
1522 if ( !ber_bvccmp( &bv, '*' ) ) {
1523 regtest( fname, lineno, bv.bv_val );
1525 b->a_sockurl_pat = bv;
1528 ber_str2bv( right, 0, 1, &b->a_sockurl_pat );
1533 if ( strcasecmp( left, "set" ) == 0 ) {
1536 case ACL_STYLE_REGEX:
1537 Debug( LDAP_DEBUG_CONFIG | LDAP_DEBUG_ACL,
1539 "deprecated set style "
1540 "\"regex\" in <by> clause; "
1541 "use \"expand\" instead.\n",
1543 sty = ACL_STYLE_EXPAND;
1546 case ACL_STYLE_BASE:
1547 case ACL_STYLE_EXPAND:
1551 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1552 "inappropriate style \"%s\" in by clause.\n",
1553 fname, lineno, style );
1557 if ( !BER_BVISEMPTY( &b->a_set_pat ) ) {
1558 Debug( LDAP_DEBUG_ANY,
1559 "%s: line %d: set attribute already specified.\n",
1564 if ( right == NULL || *right == '\0' ) {
1565 Debug( LDAP_DEBUG_ANY,
1566 "%s: line %d: no set is defined.\n",
1571 b->a_set_style = sty;
1572 ber_str2bv( right, 0, 1, &b->a_set_pat );
1582 if ( strcasecmp( left, "aci" ) == 0 ) {
1585 } else if ( strncasecmp( left, "dynacl/", STRLENOF( "dynacl/" ) ) == 0 ) {
1586 name = &left[ STRLENOF( "dynacl/" ) ];
1587 opts = strchr( name, '/' );
1595 if ( slap_dynacl_config( fname, lineno, b, name, opts, sty, right ) ) {
1596 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1597 "unable to configure dynacl \"%s\".\n",
1598 fname, lineno, name );
1605 #else /* ! SLAP_DYNACL */
1607 #ifdef SLAPD_ACI_ENABLED
1608 if ( strcasecmp( left, "aci" ) == 0 ) {
1609 if (sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE) {
1610 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1611 "inappropriate style \"%s\" in by clause.\n",
1612 fname, lineno, style );
1616 if( b->a_aci_at != NULL ) {
1617 Debug( LDAP_DEBUG_ANY,
1618 "%s: line %d: ACI attribute already specified.\n",
1623 if ( right != NULL && *right != '\0' ) {
1624 rc = slap_str2ad( right, &b->a_aci_at, &text );
1626 if( rc != LDAP_SUCCESS ) {
1627 char buf[ SLAP_TEXT_BUFLEN ];
1629 snprintf( buf, sizeof( buf ),
1632 Debug( LDAP_DEBUG_ANY,
1633 "%s: line %d: %s\n",
1634 fname, lineno, buf );
1639 b->a_aci_at = slap_ad_aci;
1642 if( !is_at_syntax( b->a_aci_at->ad_type,
1645 char buf[ SLAP_TEXT_BUFLEN ];
1647 snprintf( buf, sizeof( buf ),
1648 "ACI \"%s\": inappropriate syntax: %s.",
1650 b->a_aci_at->ad_type->sat_syntax_oid );
1651 Debug( LDAP_DEBUG_ANY, "%s: line %d: %s\n",
1652 fname, lineno, buf );
1658 #endif /* SLAPD_ACI_ENABLED */
1659 #endif /* ! SLAP_DYNACL */
1661 if ( strcasecmp( left, "ssf" ) == 0 ) {
1662 if ( sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE ) {
1663 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1664 "inappropriate style \"%s\" in by clause.\n",
1665 fname, lineno, style );
1669 if ( b->a_authz.sai_ssf ) {
1670 Debug( LDAP_DEBUG_ANY,
1671 "%s: line %d: ssf attribute already specified.\n",
1676 if ( right == NULL || *right == '\0' ) {
1677 Debug( LDAP_DEBUG_ANY,
1678 "%s: line %d: no ssf is defined.\n",
1683 b->a_authz.sai_ssf = strtol( right, &next, 10 );
1684 if ( next == NULL || next[0] != '\0' ) {
1685 Debug( LDAP_DEBUG_ANY,
1686 "%s: line %d: unable to parse ssf value (%s).\n",
1687 fname, lineno, right );
1691 if ( !b->a_authz.sai_ssf ) {
1692 Debug( LDAP_DEBUG_ANY,
1693 "%s: line %d: invalid ssf value (%s).\n",
1694 fname, lineno, right );
1700 if ( strcasecmp( left, "transport_ssf" ) == 0 ) {
1701 if ( sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE ) {
1702 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1703 "inappropriate style \"%s\" in by clause.\n",
1704 fname, lineno, style );
1708 if ( b->a_authz.sai_transport_ssf ) {
1709 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1710 "transport_ssf attribute already specified.\n",
1715 if ( right == NULL || *right == '\0' ) {
1716 Debug( LDAP_DEBUG_ANY,
1717 "%s: line %d: no transport_ssf is defined.\n",
1722 b->a_authz.sai_transport_ssf = strtol( right, &next, 10 );
1723 if ( next == NULL || next[0] != '\0' ) {
1724 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1725 "unable to parse transport_ssf value (%s).\n",
1726 fname, lineno, right );
1730 if ( !b->a_authz.sai_transport_ssf ) {
1731 Debug( LDAP_DEBUG_ANY,
1732 "%s: line %d: invalid transport_ssf value (%s).\n",
1733 fname, lineno, right );
1739 if ( strcasecmp( left, "tls_ssf" ) == 0 ) {
1740 if ( sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE ) {
1741 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1742 "inappropriate style \"%s\" in by clause.\n",
1743 fname, lineno, style );
1747 if ( b->a_authz.sai_tls_ssf ) {
1748 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1749 "tls_ssf attribute already specified.\n",
1754 if ( right == NULL || *right == '\0' ) {
1755 Debug( LDAP_DEBUG_ANY,
1756 "%s: line %d: no tls_ssf is defined\n",
1761 b->a_authz.sai_tls_ssf = strtol( right, &next, 10 );
1762 if ( next == NULL || next[0] != '\0' ) {
1763 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1764 "unable to parse tls_ssf value (%s).\n",
1765 fname, lineno, right );
1769 if ( !b->a_authz.sai_tls_ssf ) {
1770 Debug( LDAP_DEBUG_ANY,
1771 "%s: line %d: invalid tls_ssf value (%s).\n",
1772 fname, lineno, right );
1778 if ( strcasecmp( left, "sasl_ssf" ) == 0 ) {
1779 if ( sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE ) {
1780 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1781 "inappropriate style \"%s\" in by clause.\n",
1782 fname, lineno, style );
1786 if ( b->a_authz.sai_sasl_ssf ) {
1787 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1788 "sasl_ssf attribute already specified.\n",
1793 if ( right == NULL || *right == '\0' ) {
1794 Debug( LDAP_DEBUG_ANY,
1795 "%s: line %d: no sasl_ssf is defined.\n",
1800 b->a_authz.sai_sasl_ssf = strtol( right, &next, 10 );
1801 if ( next == NULL || next[0] != '\0' ) {
1802 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1803 "unable to parse sasl_ssf value (%s).\n",
1804 fname, lineno, right );
1808 if ( !b->a_authz.sai_sasl_ssf ) {
1809 Debug( LDAP_DEBUG_ANY,
1810 "%s: line %d: invalid sasl_ssf value (%s).\n",
1811 fname, lineno, right );
1817 if ( right != NULL ) {
1824 if ( i == argc || ( strcasecmp( left, "stop" ) == 0 ) ) {
1825 /* out of arguments or plain stop */
1827 ACL_PRIV_ASSIGN( b->a_access_mask, ACL_PRIV_ADDITIVE );
1828 b->a_type = ACL_STOP;
1830 access_append( &a->acl_access, b );
1834 if ( strcasecmp( left, "continue" ) == 0 ) {
1835 /* plain continue */
1837 ACL_PRIV_ASSIGN( b->a_access_mask, ACL_PRIV_ADDITIVE );
1838 b->a_type = ACL_CONTINUE;
1840 access_append( &a->acl_access, b );
1844 if ( strcasecmp( left, "break" ) == 0 ) {
1845 /* plain continue */
1847 ACL_PRIV_ASSIGN(b->a_access_mask, ACL_PRIV_ADDITIVE);
1848 b->a_type = ACL_BREAK;
1850 access_append( &a->acl_access, b );
1854 if ( strcasecmp( left, "by" ) == 0 ) {
1855 /* we've gone too far */
1857 ACL_PRIV_ASSIGN( b->a_access_mask, ACL_PRIV_ADDITIVE );
1858 b->a_type = ACL_STOP;
1860 access_append( &a->acl_access, b );
1865 if ( strncasecmp( left, "self", STRLENOF( "self" ) ) == 0 ) {
1867 ACL_PRIV_ASSIGN( b->a_access_mask, str2accessmask( &left[ STRLENOF( "self" ) ] ) );
1869 } else if ( strncasecmp( left, "realself", STRLENOF( "realself" ) ) == 0 ) {
1870 b->a_realdn_self = 1;
1871 ACL_PRIV_ASSIGN( b->a_access_mask, str2accessmask( &left[ STRLENOF( "realself" ) ] ) );
1874 ACL_PRIV_ASSIGN( b->a_access_mask, str2accessmask( left ) );
1877 if ( ACL_IS_INVALID( b->a_access_mask ) ) {
1878 Debug( LDAP_DEBUG_ANY,
1879 "%s: line %d: expecting <access> got \"%s\".\n",
1880 fname, lineno, left );
1884 b->a_type = ACL_STOP;
1886 if ( ++i == argc ) {
1887 /* out of arguments or plain stop */
1888 access_append( &a->acl_access, b );
1892 if ( strcasecmp( argv[i], "continue" ) == 0 ) {
1893 /* plain continue */
1894 b->a_type = ACL_CONTINUE;
1896 } else if ( strcasecmp( argv[i], "break" ) == 0 ) {
1897 /* plain continue */
1898 b->a_type = ACL_BREAK;
1900 } else if ( strcasecmp( argv[i], "stop" ) != 0 ) {
1905 access_append( &a->acl_access, b );
1908 Debug( LDAP_DEBUG_ANY,
1909 "%s: line %d: expecting \"to\" "
1910 "or \"by\" got \"%s\"\n",
1911 fname, lineno, argv[i] );
1916 /* if we have no real access clause, complain and do nothing */
1918 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1919 "warning: no access clause(s) "
1920 "specified in access line"
1921 SLAPD_CONF_UNKNOWN_IGNORED ".\n",
1923 #ifdef SLAPD_CONF_UNKNOWN_BAILOUT
1925 #endif /* SLAPD_CONF_UNKNOWN_BAILOUT */
1929 if ( ldap_debug & LDAP_DEBUG_ACL ) {
1934 if ( a->acl_access == NULL ) {
1935 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
1936 "warning: no by clause(s) "
1937 "specified in access line"
1938 SLAPD_CONF_UNKNOWN_IGNORED ".\n",
1940 #ifdef SLAPD_CONF_UNKNOWN_BAILOUT
1942 #endif /* SLAPD_CONF_UNKNOWN_BAILOUT */
1946 if ( !BER_BVISNULL( &be->be_nsuffix[ 1 ] ) ) {
1947 Debug( LDAP_DEBUG_ACL, "%s: line %d: warning: "
1948 "scope checking only applies to single-valued "
1949 "suffix databases\n",
1951 /* go ahead, since checking is not authoritative */
1954 switch ( check_scope( be, a ) ) {
1955 case ACL_SCOPE_UNKNOWN:
1956 Debug( LDAP_DEBUG_ACL, "%s: line %d: warning: "
1957 "cannot assess the validity of the ACL scope within "
1958 "backend naming context\n",
1962 case ACL_SCOPE_WARN:
1963 Debug( LDAP_DEBUG_ACL, "%s: line %d: warning: "
1964 "ACL could be out of scope within backend naming context\n",
1968 case ACL_SCOPE_PARTIAL:
1969 Debug( LDAP_DEBUG_ACL, "%s: line %d: warning: "
1970 "ACL appears to be partially out of scope within "
1971 "backend naming context\n",
1976 Debug( LDAP_DEBUG_ACL, "%s: line %d: warning: "
1977 "ACL appears to be out of scope within "
1978 "backend naming context\n",
1985 acl_append( &be->be_acl, a, pos );
1988 acl_append( &frontendDB->be_acl, a, pos );
1994 accessmask2str( slap_mask_t mask, char *buf, int debug )
1999 assert( buf != NULL );
2001 if ( ACL_IS_INVALID( mask ) ) {
2007 if ( ACL_IS_LEVEL( mask ) ) {
2008 if ( ACL_LVL_IS_NONE(mask) ) {
2009 ptr = lutil_strcopy( ptr, "none" );
2011 } else if ( ACL_LVL_IS_DISCLOSE(mask) ) {
2012 ptr = lutil_strcopy( ptr, "disclose" );
2014 } else if ( ACL_LVL_IS_AUTH(mask) ) {
2015 ptr = lutil_strcopy( ptr, "auth" );
2017 } else if ( ACL_LVL_IS_COMPARE(mask) ) {
2018 ptr = lutil_strcopy( ptr, "compare" );
2020 } else if ( ACL_LVL_IS_SEARCH(mask) ) {
2021 ptr = lutil_strcopy( ptr, "search" );
2023 } else if ( ACL_LVL_IS_READ(mask) ) {
2024 ptr = lutil_strcopy( ptr, "read" );
2026 } else if ( ACL_LVL_IS_WRITE(mask) ) {
2027 ptr = lutil_strcopy( ptr, "write" );
2029 } else if ( ACL_LVL_IS_WADD(mask) ) {
2030 ptr = lutil_strcopy( ptr, "add" );
2032 } else if ( ACL_LVL_IS_WDEL(mask) ) {
2033 ptr = lutil_strcopy( ptr, "delete" );
2035 } else if ( ACL_LVL_IS_MANAGE(mask) ) {
2036 ptr = lutil_strcopy( ptr, "manage" );
2039 ptr = lutil_strcopy( ptr, "unknown" );
2049 if( ACL_IS_ADDITIVE( mask ) ) {
2052 } else if( ACL_IS_SUBTRACTIVE( mask ) ) {
2059 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_MANAGE) ) {
2064 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_WRITE) ) {
2068 } else if ( ACL_PRIV_ISSET(mask, ACL_PRIV_WADD) ) {
2072 } else if ( ACL_PRIV_ISSET(mask, ACL_PRIV_WDEL) ) {
2077 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_READ) ) {
2082 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_SEARCH) ) {
2087 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_COMPARE) ) {
2092 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_AUTH) ) {
2097 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_DISCLOSE) ) {
2102 if ( none && ACL_PRIV_ISSET(mask, ACL_PRIV_NONE) ) {
2111 if ( ACL_IS_LEVEL( mask ) ) {
2121 str2accessmask( const char *str )
2125 if( !ASCII_ALPHA(str[0]) ) {
2128 if ( str[0] == '=' ) {
2131 } else if( str[0] == '+' ) {
2132 ACL_PRIV_ASSIGN(mask, ACL_PRIV_ADDITIVE);
2134 } else if( str[0] == '-' ) {
2135 ACL_PRIV_ASSIGN(mask, ACL_PRIV_SUBSTRACTIVE);
2138 ACL_INVALIDATE(mask);
2142 for( i=1; str[i] != '\0'; i++ ) {
2143 if( TOLOWER((unsigned char) str[i]) == 'm' ) {
2144 ACL_PRIV_SET(mask, ACL_PRIV_MANAGE);
2146 } else if( TOLOWER((unsigned char) str[i]) == 'w' ) {
2147 ACL_PRIV_SET(mask, ACL_PRIV_WRITE);
2149 } else if( TOLOWER((unsigned char) str[i]) == 'a' ) {
2150 ACL_PRIV_SET(mask, ACL_PRIV_WADD);
2152 } else if( TOLOWER((unsigned char) str[i]) == 'z' ) {
2153 ACL_PRIV_SET(mask, ACL_PRIV_WDEL);
2155 } else if( TOLOWER((unsigned char) str[i]) == 'r' ) {
2156 ACL_PRIV_SET(mask, ACL_PRIV_READ);
2158 } else if( TOLOWER((unsigned char) str[i]) == 's' ) {
2159 ACL_PRIV_SET(mask, ACL_PRIV_SEARCH);
2161 } else if( TOLOWER((unsigned char) str[i]) == 'c' ) {
2162 ACL_PRIV_SET(mask, ACL_PRIV_COMPARE);
2164 } else if( TOLOWER((unsigned char) str[i]) == 'x' ) {
2165 ACL_PRIV_SET(mask, ACL_PRIV_AUTH);
2167 } else if( TOLOWER((unsigned char) str[i]) == 'd' ) {
2168 ACL_PRIV_SET(mask, ACL_PRIV_DISCLOSE);
2170 } else if( str[i] != '0' ) {
2171 ACL_INVALIDATE(mask);
2179 if ( strcasecmp( str, "none" ) == 0 ) {
2180 ACL_LVL_ASSIGN_NONE(mask);
2182 } else if ( strcasecmp( str, "disclose" ) == 0 ) {
2183 ACL_LVL_ASSIGN_DISCLOSE(mask);
2185 } else if ( strcasecmp( str, "auth" ) == 0 ) {
2186 ACL_LVL_ASSIGN_AUTH(mask);
2188 } else if ( strcasecmp( str, "compare" ) == 0 ) {
2189 ACL_LVL_ASSIGN_COMPARE(mask);
2191 } else if ( strcasecmp( str, "search" ) == 0 ) {
2192 ACL_LVL_ASSIGN_SEARCH(mask);
2194 } else if ( strcasecmp( str, "read" ) == 0 ) {
2195 ACL_LVL_ASSIGN_READ(mask);
2197 } else if ( strcasecmp( str, "add" ) == 0 ) {
2198 ACL_LVL_ASSIGN_WADD(mask);
2200 } else if ( strcasecmp( str, "delete" ) == 0 ) {
2201 ACL_LVL_ASSIGN_WDEL(mask);
2203 } else if ( strcasecmp( str, "write" ) == 0 ) {
2204 ACL_LVL_ASSIGN_WRITE(mask);
2206 } else if ( strcasecmp( str, "manage" ) == 0 ) {
2207 ACL_LVL_ASSIGN_MANAGE(mask);
2210 ACL_INVALIDATE( mask );
2219 Debug( LDAP_DEBUG_ANY, "%s%s%s\n",
2220 "<access clause> ::= access to <what> "
2221 "[ by <who> <access> [ <control> ] ]+ \n"
2222 "<what> ::= * | [dn[.<dnstyle>]=<DN>] [filter=<filter>] [attrs=<attrlist>]\n"
2223 "<attrlist> ::= <attr> [val[/matchingRule][.<attrstyle>]=<value>] | <attr> , <attrlist>\n"
2224 "<attr> ::= <attrname> | entry | children\n",
2225 "<who> ::= [ * | anonymous | users | self | dn[.<dnstyle>]=<DN> ]\n"
2226 "\t[ realanonymous | realusers | realself | realdn[.<dnstyle>]=<DN> ]\n"
2227 "\t[dnattr=<attrname>]\n"
2228 "\t[realdnattr=<attrname>]\n"
2229 "\t[group[/<objectclass>[/<attrname>]][.<style>]=<group>]\n"
2230 "\t[peername[.<peernamestyle>]=<peer>] [sockname[.<style>]=<name>]\n"
2231 "\t[domain[.<domainstyle>]=<domain>] [sockurl[.<style>]=<url>]\n"
2233 "\t[dynacl/<name>[/<options>][.<dynstyle>][=<pattern>]]\n"
2234 #else /* ! SLAP_DYNACL */
2235 #ifdef SLAPD_ACI_ENABLED
2236 "\t[aci[=<attrname>]]\n"
2237 #endif /* SLAPD_ACI_ENABLED */
2238 #endif /* ! SLAP_DYNACL */
2239 "\t[ssf=<n>] [transport_ssf=<n>] [tls_ssf=<n>] [sasl_ssf=<n>]\n",
2240 "<style> ::= exact | regex | base(Object)\n"
2241 "<dnstyle> ::= base(Object) | one(level) | sub(tree) | children | "
2243 "<attrstyle> ::= exact | regex | base(Object) | one(level) | "
2244 "sub(tree) | children\n"
2245 "<peernamestyle> ::= exact | regex | ip | path\n"
2246 "<domainstyle> ::= exact | regex | base(Object) | sub(tree)\n"
2247 "<access> ::= [[real]self]{<level>|<priv>}\n"
2248 "<level> ::= none|disclose|auth|compare|search|read|{write|add|delete}|manage\n"
2249 "<priv> ::= {=|+|-}{0|d|x|c|s|r|{w|a|z}|m}+\n"
2250 "<control> ::= [ stop | continue | break ]\n"
2252 #ifdef SLAPD_ACI_ENABLED
2254 "\t<name>=ACI\t<pattern>=<attrname>\n"
2255 #endif /* SLAPD_ACI_ENABLED */
2256 #endif /* ! SLAP_DYNACL */
2258 exit( EXIT_FAILURE );
2262 * Set pattern to a "normalized" DN from src.
2263 * At present it simply eats the (optional) space after
2264 * a RDN separator (,)
2265 * Eventually will evolve in a more complete normalization
2268 acl_regex_normalized_dn(
2270 struct berval *pattern )
2275 str = ch_strdup( src );
2276 len = strlen( src );
2278 for ( p = str; p && p[0]; p++ ) {
2280 if ( p[0] == '\\' && p[1] ) {
2282 * if escaping a hex pair we should
2283 * increment p twice; however, in that
2284 * case the second hex number does
2290 if ( p[0] == ',' && p[1] == ' ' ) {
2294 * too much space should be an error if we are pedantic
2296 for ( q = &p[2]; q[0] == ' '; q++ ) {
2299 AC_MEMCPY( p+1, q, len-(q-str)+1);
2302 pattern->bv_val = str;
2303 pattern->bv_len = p - str;
2316 if ( (*right = strchr( line, splitchar )) != NULL ) {
2317 *((*right)++) = '\0';
2322 access_append( Access **l, Access *a )
2324 for ( ; *l != NULL; l = &(*l)->a_next ) {
2332 acl_append( AccessControl **l, AccessControl *a, int pos )
2336 for (i=0 ; i != pos && *l != NULL; l = &(*l)->acl_next, i++ ) {
2345 access_free( Access *a )
2347 if ( !BER_BVISNULL( &a->a_dn_pat ) ) {
2348 free( a->a_dn_pat.bv_val );
2350 if ( !BER_BVISNULL( &a->a_realdn_pat ) ) {
2351 free( a->a_realdn_pat.bv_val );
2353 if ( !BER_BVISNULL( &a->a_peername_pat ) ) {
2354 free( a->a_peername_pat.bv_val );
2356 if ( !BER_BVISNULL( &a->a_sockname_pat ) ) {
2357 free( a->a_sockname_pat.bv_val );
2359 if ( !BER_BVISNULL( &a->a_domain_pat ) ) {
2360 free( a->a_domain_pat.bv_val );
2362 if ( !BER_BVISNULL( &a->a_sockurl_pat ) ) {
2363 free( a->a_sockurl_pat.bv_val );
2365 if ( !BER_BVISNULL( &a->a_set_pat ) ) {
2366 free( a->a_set_pat.bv_val );
2368 if ( !BER_BVISNULL( &a->a_group_pat ) ) {
2369 free( a->a_group_pat.bv_val );
2372 if ( a->a_dynacl != NULL ) {
2374 for ( da = a->a_dynacl; da; ) {
2375 slap_dynacl_t *tmp = da;
2379 if ( tmp->da_destroy ) {
2380 tmp->da_destroy( tmp->da_private );
2386 #endif /* SLAP_DYNACL */
2391 acl_free( AccessControl *a )
2396 if ( a->acl_filter ) {
2397 filter_free( a->acl_filter );
2399 if ( !BER_BVISNULL( &a->acl_dn_pat ) ) {
2400 if ( a->acl_dn_style == ACL_STYLE_REGEX ) {
2401 regfree( &a->acl_dn_re );
2403 free ( a->acl_dn_pat.bv_val );
2405 if ( a->acl_attrs ) {
2406 for ( an = a->acl_attrs; !BER_BVISNULL( &an->an_name ); an++ ) {
2407 free( an->an_name.bv_val );
2409 free( a->acl_attrs );
2411 for ( ; a->acl_access; a->acl_access = n ) {
2412 n = a->acl_access->a_next;
2413 access_free( a->acl_access );
2418 /* Because backend_startup uses acl_append to tack on the global_acl to
2419 * the end of each backend's acl, we cannot just take one argument and
2420 * merrily free our way to the end of the list. backend_destroy calls us
2421 * with the be_acl in arg1, and global_acl in arg2 to give us a stopping
2422 * point. config_destroy calls us with global_acl in arg1 and NULL in
2423 * arg2, so we then proceed to polish off the global_acl.
2426 acl_destroy( AccessControl *a, AccessControl *end )
2430 for ( ; a && a != end; a = n ) {
2437 access2str( slap_access_t access )
2439 if ( access == ACL_NONE ) {
2442 } else if ( access == ACL_DISCLOSE ) {
2445 } else if ( access == ACL_AUTH ) {
2448 } else if ( access == ACL_COMPARE ) {
2451 } else if ( access == ACL_SEARCH ) {
2454 } else if ( access == ACL_READ ) {
2457 } else if ( access == ACL_WRITE ) {
2460 } else if ( access == ACL_WADD ) {
2463 } else if ( access == ACL_WDEL ) {
2466 } else if ( access == ACL_MANAGE ) {
2475 str2access( const char *str )
2477 if ( strcasecmp( str, "none" ) == 0 ) {
2480 } else if ( strcasecmp( str, "disclose" ) == 0 ) {
2481 #ifndef SLAP_ACL_HONOR_DISCLOSE
2482 Debug( LDAP_DEBUG_ACL, "str2access: warning, "
2483 "\"disclose\" privilege disabled.\n",
2485 #endif /* SLAP_ACL_HONOR_DISCLOSE */
2486 return ACL_DISCLOSE;
2488 } else if ( strcasecmp( str, "auth" ) == 0 ) {
2491 } else if ( strcasecmp( str, "compare" ) == 0 ) {
2494 } else if ( strcasecmp( str, "search" ) == 0 ) {
2497 } else if ( strcasecmp( str, "read" ) == 0 ) {
2500 } else if ( strcasecmp( str, "write" ) == 0 ) {
2503 } else if ( strcasecmp( str, "add" ) == 0 ) {
2506 } else if ( strcasecmp( str, "delete" ) == 0 ) {
2509 } else if ( strcasecmp( str, "manage" ) == 0 ) {
2513 return( ACL_INVALID_ACCESS );
2516 #define ACLBUF_MAXLEN 8192
2518 static char aclbuf[ACLBUF_MAXLEN];
2521 dnaccess2text( slap_dn_access *bdn, char *ptr, int is_realdn )
2526 ptr = lutil_strcopy( ptr, "real" );
2529 if ( ber_bvccmp( &bdn->a_pat, '*' ) ||
2530 bdn->a_style == ACL_STYLE_ANONYMOUS ||
2531 bdn->a_style == ACL_STYLE_USERS ||
2532 bdn->a_style == ACL_STYLE_SELF )
2535 assert( ! ber_bvccmp( &bdn->a_pat, '*' ) );
2538 ptr = lutil_strcopy( ptr, bdn->a_pat.bv_val );
2539 if ( bdn->a_style == ACL_STYLE_SELF && bdn->a_self_level != 0 ) {
2540 int n = sprintf( ptr, ".level{%d}", bdn->a_self_level );
2547 ptr = lutil_strcopy( ptr, "dn." );
2548 if ( bdn->a_style == ACL_STYLE_BASE )
2549 ptr = lutil_strcopy( ptr, style_base );
2551 ptr = lutil_strcopy( ptr, style_strings[bdn->a_style] );
2552 if ( bdn->a_style == ACL_STYLE_LEVEL ) {
2553 int n = sprintf( ptr, "{%d}", bdn->a_level );
2558 if ( bdn->a_expand ) {
2559 ptr = lutil_strcopy( ptr, ",expand" );
2563 ptr = lutil_strcopy( ptr, bdn->a_pat.bv_val );
2570 access2text( Access *b, char *ptr )
2572 char maskbuf[ACCESSMASK_MAXLEN];
2574 ptr = lutil_strcopy( ptr, "\tby" );
2576 if ( !BER_BVISEMPTY( &b->a_dn_pat ) ) {
2577 ptr = dnaccess2text( &b->a_dn, ptr, 0 );
2580 ptr = lutil_strcopy( ptr, " dnattr=" );
2581 ptr = lutil_strcopy( ptr, b->a_dn_at->ad_cname.bv_val );
2584 if ( !BER_BVISEMPTY( &b->a_realdn_pat ) ) {
2585 ptr = dnaccess2text( &b->a_realdn, ptr, 1 );
2587 if ( b->a_realdn_at ) {
2588 ptr = lutil_strcopy( ptr, " realdnattr=" );
2589 ptr = lutil_strcopy( ptr, b->a_realdn_at->ad_cname.bv_val );
2592 if ( !BER_BVISEMPTY( &b->a_group_pat ) ) {
2593 ptr = lutil_strcopy( ptr, " group/" );
2594 ptr = lutil_strcopy( ptr, b->a_group_oc ?
2595 b->a_group_oc->soc_cname.bv_val : SLAPD_GROUP_CLASS );
2597 ptr = lutil_strcopy( ptr, b->a_group_at ?
2598 b->a_group_at->ad_cname.bv_val : SLAPD_GROUP_ATTR );
2600 ptr = lutil_strcopy( ptr, style_strings[b->a_group_style] );
2603 ptr = lutil_strcopy( ptr, b->a_group_pat.bv_val );
2607 if ( !BER_BVISEMPTY( &b->a_peername_pat ) ) {
2608 ptr = lutil_strcopy( ptr, " peername" );
2610 ptr = lutil_strcopy( ptr, style_strings[b->a_peername_style] );
2613 ptr = lutil_strcopy( ptr, b->a_peername_pat.bv_val );
2617 if ( !BER_BVISEMPTY( &b->a_sockname_pat ) ) {
2618 ptr = lutil_strcopy( ptr, " sockname" );
2620 ptr = lutil_strcopy( ptr, style_strings[b->a_sockname_style] );
2623 ptr = lutil_strcopy( ptr, b->a_sockname_pat.bv_val );
2627 if ( !BER_BVISEMPTY( &b->a_domain_pat ) ) {
2628 ptr = lutil_strcopy( ptr, " domain" );
2630 ptr = lutil_strcopy( ptr, style_strings[b->a_domain_style] );
2631 if ( b->a_domain_expand ) {
2632 ptr = lutil_strcopy( ptr, ",expand" );
2635 ptr = lutil_strcopy( ptr, b->a_domain_pat.bv_val );
2638 if ( !BER_BVISEMPTY( &b->a_sockurl_pat ) ) {
2639 ptr = lutil_strcopy( ptr, " sockurl" );
2641 ptr = lutil_strcopy( ptr, style_strings[b->a_sockurl_style] );
2644 ptr = lutil_strcopy( ptr, b->a_sockurl_pat.bv_val );
2648 if ( !BER_BVISEMPTY( &b->a_set_pat ) ) {
2649 ptr = lutil_strcopy( ptr, " set" );
2651 ptr = lutil_strcopy( ptr, style_strings[b->a_set_style] );
2654 ptr = lutil_strcopy( ptr, b->a_set_pat.bv_val );
2659 if ( b->a_dynacl ) {
2662 for ( da = b->a_dynacl; da; da = da->da_next ) {
2663 if ( da->da_unparse ) {
2664 struct berval bv = BER_BVNULL;
2665 (void)( *da->da_unparse )( da->da_private, &bv );
2666 assert( !BER_BVISNULL( &bv ) );
2667 ptr = lutil_strcopy( ptr, bv.bv_val );
2668 ch_free( bv.bv_val );
2672 #else /* ! SLAP_DYNACL */
2673 #ifdef SLAPD_ACI_ENABLED
2674 if ( b->a_aci_at != NULL ) {
2675 ptr = lutil_strcopy( ptr, " aci=" );
2676 ptr = lutil_strcopy( ptr, b->a_aci_at->ad_cname.bv_val );
2679 #endif /* SLAP_DYNACL */
2681 /* Security Strength Factors */
2682 if ( b->a_authz.sai_ssf ) {
2683 ptr += sprintf( ptr, " ssf=%u",
2684 b->a_authz.sai_ssf );
2686 if ( b->a_authz.sai_transport_ssf ) {
2687 ptr += sprintf( ptr, " transport_ssf=%u",
2688 b->a_authz.sai_transport_ssf );
2690 if ( b->a_authz.sai_tls_ssf ) {
2691 ptr += sprintf( ptr, " tls_ssf=%u",
2692 b->a_authz.sai_tls_ssf );
2694 if ( b->a_authz.sai_sasl_ssf ) {
2695 ptr += sprintf( ptr, " sasl_ssf=%u",
2696 b->a_authz.sai_sasl_ssf );
2700 if ( b->a_dn_self ) {
2701 ptr = lutil_strcopy( ptr, "self" );
2702 } else if ( b->a_realdn_self ) {
2703 ptr = lutil_strcopy( ptr, "realself" );
2705 ptr = lutil_strcopy( ptr, accessmask2str( b->a_access_mask, maskbuf, 0 ));
2706 if ( !maskbuf[0] ) ptr--;
2708 if( b->a_type == ACL_BREAK ) {
2709 ptr = lutil_strcopy( ptr, " break" );
2711 } else if( b->a_type == ACL_CONTINUE ) {
2712 ptr = lutil_strcopy( ptr, " continue" );
2714 } else if( b->a_type != ACL_STOP ) {
2715 ptr = lutil_strcopy( ptr, " unknown-control" );
2717 if ( !maskbuf[0] ) ptr = lutil_strcopy( ptr, " stop" );
2725 acl_unparse( AccessControl *a, struct berval *bv )
2731 bv->bv_val = aclbuf;
2736 ptr = lutil_strcopy( ptr, "to" );
2737 if ( !BER_BVISNULL( &a->acl_dn_pat ) ) {
2739 ptr = lutil_strcopy( ptr, " dn." );
2740 if ( a->acl_dn_style == ACL_STYLE_BASE )
2741 ptr = lutil_strcopy( ptr, style_base );
2743 ptr = lutil_strcopy( ptr, style_strings[a->acl_dn_style] );
2746 ptr = lutil_strcopy( ptr, a->acl_dn_pat.bv_val );
2747 ptr = lutil_strcopy( ptr, "\"\n" );
2750 if ( a->acl_filter != NULL ) {
2751 struct berval bv = BER_BVNULL;
2754 filter2bv( a->acl_filter, &bv );
2755 ptr = lutil_strcopy( ptr, " filter=\"" );
2756 ptr = lutil_strcopy( ptr, bv.bv_val );
2759 ch_free( bv.bv_val );
2762 if ( a->acl_attrs != NULL ) {
2767 ptr = lutil_strcopy( ptr, " attrs=" );
2768 for ( an = a->acl_attrs; an && !BER_BVISNULL( &an->an_name ); an++ ) {
2769 if ( ! first ) *ptr++ = ',';
2771 *ptr++ = an->an_oc_exclude ? '!' : '@';
2772 ptr = lutil_strcopy( ptr, an->an_oc->soc_cname.bv_val );
2775 ptr = lutil_strcopy( ptr, an->an_name.bv_val );
2782 if ( !BER_BVISEMPTY( &a->acl_attrval ) ) {
2784 ptr = lutil_strcopy( ptr, " val." );
2785 if ( a->acl_attrval_style == ACL_STYLE_BASE &&
2786 a->acl_attrs[0].an_desc->ad_type->sat_syntax ==
2787 slap_schema.si_syn_distinguishedName )
2788 ptr = lutil_strcopy( ptr, style_base );
2790 ptr = lutil_strcopy( ptr, style_strings[a->acl_attrval_style] );
2793 ptr = lutil_strcopy( ptr, a->acl_attrval.bv_val );
2799 ptr = lutil_strcopy( ptr, " *\n" );
2802 for ( b = a->acl_access; b != NULL; b = b->a_next ) {
2803 ptr = access2text( b, ptr );
2806 bv->bv_len = ptr - bv->bv_val;
2811 print_acl( Backend *be, AccessControl *a )
2815 acl_unparse( a, &bv );
2816 fprintf( stderr, "%s ACL: access %s\n",
2817 be == NULL ? "Global" : "Backend", bv.bv_val );
2819 #endif /* LDAP_DEBUG */