1 /* aclparse.c - routines to parse and check acl's */
3 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
5 * Copyright 1998-2005 The OpenLDAP Foundation.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted only as authorized by the OpenLDAP
12 * A copy of this license is available in the file LICENSE in the
13 * top-level directory of the distribution or, alternatively, at
14 * <http://www.OpenLDAP.org/license.html>.
16 /* Portions Copyright (c) 1995 Regents of the University of Michigan.
17 * All rights reserved.
19 * Redistribution and use in source and binary forms are permitted
20 * provided that this notice is preserved and that due credit is given
21 * to the University of Michigan at Ann Arbor. The name of the University
22 * may not be used to endorse or promote products derived from this
23 * software without specific prior written permission. This software
24 * is provided ``as is'' without express or implied warranty.
33 #include <ac/socket.h>
34 #include <ac/string.h>
35 #include <ac/unistd.h>
41 static char *style_strings[] = {
58 static void split(char *line, int splitchar, char **left, char **right);
59 static void access_append(Access **l, Access *a);
60 static void acl_usage(void) LDAP_GCCATTR((noreturn));
62 static void acl_regex_normalized_dn(const char *src, struct berval *pat);
65 static void print_acl(Backend *be, AccessControl *a);
66 static void print_access(Access *b);
69 static int check_scope( BackendDB *be, AccessControl *a );
73 slap_dynacl_config( const char *fname, int lineno, Access *b, const char *name, slap_style_t sty, const char *right )
75 slap_dynacl_t *da, *tmp;
78 for ( da = b->a_dynacl; da; da = da->da_next ) {
79 if ( strcasecmp( da->da_name, name ) == 0 ) {
81 "%s: line %d: dynacl \"%s\" already specified.\n",
82 fname, lineno, name );
87 da = slap_dynacl_get( name );
92 tmp = ch_malloc( sizeof( slap_dynacl_t ) );
95 if ( tmp->da_parse ) {
96 rc = ( *tmp->da_parse )( fname, lineno, sty, right, &tmp->da_private );
103 tmp->da_next = b->a_dynacl;
108 #endif /* SLAP_DYNACL */
111 regtest(const char *fname, int lineno, char *pat) {
127 for (size = 0, flag = 0; (size < sizeof(buf)) && *sp; sp++) {
129 if (*sp == '$'|| (*sp >= '0' && *sp <= '9')) {
146 if ( size >= (sizeof(buf) - 1) ) {
148 "%s: line %d: regular expression \"%s\" too large\n",
149 fname, lineno, pat );
153 if ((e = regcomp(&re, buf, REG_EXTENDED|REG_ICASE))) {
155 regerror(e, &re, error, sizeof(error));
157 "%s: line %d: regular expression \"%s\" bad because of %s\n",
158 fname, lineno, pat, error );
167 * Check if the pattern of an ACL, if any, matches the scope
168 * of the backend it is defined within.
170 #define ACL_SCOPE_UNKNOWN (-2)
171 #define ACL_SCOPE_ERR (-1)
172 #define ACL_SCOPE_OK (0)
173 #define ACL_SCOPE_PARTIAL (1)
174 #define ACL_SCOPE_WARN (2)
177 check_scope( BackendDB *be, AccessControl *a )
182 dn = be->be_nsuffix[0];
184 if ( BER_BVISEMPTY( &dn ) ) {
188 if ( !BER_BVISEMPTY( &a->acl_dn_pat ) ||
189 a->acl_dn_style != ACL_STYLE_REGEX )
191 slap_style_t style = a->acl_dn_style;
193 if ( style == ACL_STYLE_REGEX ) {
194 char dnbuf[SLAP_LDAPDN_MAXLEN + 2];
195 char rebuf[SLAP_LDAPDN_MAXLEN + 1];
200 /* add trailing '$' to database suffix to form
201 * a simple trial regex pattern "<suffix>$" */
202 AC_MEMCPY( dnbuf, be->be_nsuffix[0].bv_val,
203 be->be_nsuffix[0].bv_len );
204 dnbuf[be->be_nsuffix[0].bv_len] = '$';
205 dnbuf[be->be_nsuffix[0].bv_len + 1] = '\0';
207 if ( regcomp( &re, dnbuf, REG_EXTENDED|REG_ICASE ) ) {
208 return ACL_SCOPE_WARN;
211 /* remove trailing ')$', if any, from original
213 rebuflen = a->acl_dn_pat.bv_len;
214 AC_MEMCPY( rebuf, a->acl_dn_pat.bv_val, rebuflen + 1 );
215 if ( rebuf[rebuflen - 1] == '$' ) {
216 rebuf[--rebuflen] = '\0';
218 while ( rebuflen > be->be_nsuffix[0].bv_len && rebuf[rebuflen - 1] == ')' ) {
219 rebuf[--rebuflen] = '\0';
221 if ( rebuflen == be->be_nsuffix[0].bv_len ) {
226 /* not a clear indication of scoping error, though */
227 rc = regexec( &re, rebuf, 0, NULL, 0 )
228 ? ACL_SCOPE_WARN : ACL_SCOPE_OK;
235 patlen = a->acl_dn_pat.bv_len;
236 /* If backend suffix is longer than pattern,
237 * it is a potential mismatch (in the sense
238 * that a superior naming context could
240 if ( dn.bv_len > patlen ) {
241 /* base is blatantly wrong */
242 if ( style == ACL_STYLE_BASE ) return ACL_SCOPE_ERR;
244 /* a style of one can be wrong if there is
245 * more than one level between the suffix
247 if ( style == ACL_STYLE_ONE ) {
248 int rdnlen = -1, sep = 0;
251 if ( !DN_SEPARATOR( dn.bv_val[dn.bv_len - patlen - 1] )) {
252 return ACL_SCOPE_ERR;
257 rdnlen = dn_rdnlen( NULL, &dn );
258 if ( rdnlen != dn.bv_len - patlen - sep )
259 return ACL_SCOPE_ERR;
262 /* if the trailing part doesn't match,
263 * then it's an error */
264 if ( strcmp( a->acl_dn_pat.bv_val,
265 &dn.bv_val[dn.bv_len - patlen] ) != 0 )
267 return ACL_SCOPE_ERR;
270 return ACL_SCOPE_PARTIAL;
276 case ACL_STYLE_CHILDREN:
277 case ACL_STYLE_SUBTREE:
285 if ( dn.bv_len < patlen &&
286 !DN_SEPARATOR( a->acl_dn_pat.bv_val[patlen - dn.bv_len - 1] ))
288 return ACL_SCOPE_ERR;
291 if ( strcmp( &a->acl_dn_pat.bv_val[patlen - dn.bv_len], dn.bv_val )
294 return ACL_SCOPE_ERR;
300 return ACL_SCOPE_UNKNOWN;
312 char *left, *right, *style, *next;
320 for ( i = 1; i < argc; i++ ) {
321 /* to clause - select which entries are protected */
322 if ( strcasecmp( argv[i], "to" ) == 0 ) {
324 fprintf( stderr, "%s: line %d: "
325 "only one to clause allowed in access line\n",
329 a = (AccessControl *) ch_calloc( 1, sizeof(AccessControl) );
330 for ( ++i; i < argc; i++ ) {
331 if ( strcasecmp( argv[i], "by" ) == 0 ) {
336 if ( strcasecmp( argv[i], "*" ) == 0 ) {
337 if ( !BER_BVISEMPTY( &a->acl_dn_pat ) ||
338 a->acl_dn_style != ACL_STYLE_REGEX )
341 "%s: line %d: dn pattern"
342 " already specified in to clause.\n",
347 ber_str2bv( "*", STRLENOF( "*" ), 1, &a->acl_dn_pat );
351 split( argv[i], '=', &left, &right );
352 split( left, '.', &left, &style );
354 if ( right == NULL ) {
355 fprintf( stderr, "%s: line %d: "
356 "missing \"=\" in \"%s\" in to clause\n",
357 fname, lineno, left );
361 if ( strcasecmp( left, "dn" ) == 0 ) {
362 if ( !BER_BVISEMPTY( &a->acl_dn_pat ) ||
363 a->acl_dn_style != ACL_STYLE_REGEX )
366 "%s: line %d: dn pattern"
367 " already specified in to clause.\n",
372 if ( style == NULL || *style == '\0' ||
373 strcasecmp( style, "baseObject" ) == 0 ||
374 strcasecmp( style, "base" ) == 0 ||
375 strcasecmp( style, "exact" ) == 0 )
377 a->acl_dn_style = ACL_STYLE_BASE;
378 ber_str2bv( right, 0, 1, &a->acl_dn_pat );
380 } else if ( strcasecmp( style, "oneLevel" ) == 0 ||
381 strcasecmp( style, "one" ) == 0 )
383 a->acl_dn_style = ACL_STYLE_ONE;
384 ber_str2bv( right, 0, 1, &a->acl_dn_pat );
386 } else if ( strcasecmp( style, "subtree" ) == 0 ||
387 strcasecmp( style, "sub" ) == 0 )
389 if( *right == '\0' ) {
390 ber_str2bv( "*", STRLENOF( "*" ), 1, &a->acl_dn_pat );
393 a->acl_dn_style = ACL_STYLE_SUBTREE;
394 ber_str2bv( right, 0, 1, &a->acl_dn_pat );
397 } else if ( strcasecmp( style, "children" ) == 0 ) {
398 a->acl_dn_style = ACL_STYLE_CHILDREN;
399 ber_str2bv( right, 0, 1, &a->acl_dn_pat );
401 } else if ( strcasecmp( style, "regex" ) == 0 ) {
402 a->acl_dn_style = ACL_STYLE_REGEX;
404 if ( *right == '\0' ) {
405 /* empty regex should match empty DN */
406 a->acl_dn_style = ACL_STYLE_BASE;
407 ber_str2bv( right, 0, 1, &a->acl_dn_pat );
409 } else if ( strcmp(right, "*") == 0
410 || strcmp(right, ".*") == 0
411 || strcmp(right, ".*$") == 0
412 || strcmp(right, "^.*") == 0
413 || strcmp(right, "^.*$") == 0
414 || strcmp(right, ".*$$") == 0
415 || strcmp(right, "^.*$$") == 0 )
417 ber_str2bv( "*", STRLENOF("*"), 1, &a->acl_dn_pat );
420 acl_regex_normalized_dn( right, &a->acl_dn_pat );
424 fprintf( stderr, "%s: line %d: "
425 "unknown dn style \"%s\" in to clause\n",
426 fname, lineno, style );
433 if ( strcasecmp( left, "filter" ) == 0 ) {
434 if ( (a->acl_filter = str2filter( right )) == NULL ) {
436 "%s: line %d: bad filter \"%s\" in to clause\n",
437 fname, lineno, right );
441 } else if ( strcasecmp( left, "attr" ) == 0
442 || strcasecmp( left, "attrs" ) == 0 ) {
443 a->acl_attrs = str2anlist( a->acl_attrs,
445 if ( a->acl_attrs == NULL ) {
447 "%s: line %d: unknown attr \"%s\" in to clause\n",
448 fname, lineno, right );
452 } else if ( strncasecmp( left, "val", 3 ) == 0 ) {
453 if ( !BER_BVISEMPTY( &a->acl_attrval ) ) {
455 "%s: line %d: attr val already specified in to clause.\n",
459 if ( a->acl_attrs == NULL || !BER_BVISEMPTY( &a->acl_attrs[1].an_name ) )
462 "%s: line %d: attr val requires a single attribute.\n",
466 ber_str2bv( right, 0, 1, &a->acl_attrval );
467 if ( style && strcasecmp( style, "regex" ) == 0 ) {
468 int e = regcomp( &a->acl_attrval_re, a->acl_attrval.bv_val,
469 REG_EXTENDED | REG_ICASE | REG_NOSUB );
472 regerror( e, &a->acl_attrval_re, buf, sizeof(buf) );
473 fprintf( stderr, "%s: line %d: "
474 "regular expression \"%s\" bad because of %s\n",
475 fname, lineno, right, buf );
478 a->acl_attrval_style = ACL_STYLE_REGEX;
480 /* FIXME: if the attribute has DN syntax, we might
481 * allow one, subtree and children styles as well */
482 if ( !strcasecmp( style, "exact" ) ) {
483 a->acl_attrval_style = ACL_STYLE_BASE;
485 } else if ( a->acl_attrs[0].an_desc->ad_type->
486 sat_syntax == slap_schema.si_syn_distinguishedName )
488 if ( !strcasecmp( style, "baseObject" ) ||
489 !strcasecmp( style, "base" ) )
491 a->acl_attrval_style = ACL_STYLE_BASE;
492 } else if ( !strcasecmp( style, "onelevel" ) ||
493 !strcasecmp( style, "one" ) )
495 a->acl_attrval_style = ACL_STYLE_ONE;
496 } else if ( !strcasecmp( style, "subtree" ) ||
497 !strcasecmp( style, "sub" ) )
499 a->acl_attrval_style = ACL_STYLE_SUBTREE;
500 } else if ( !strcasecmp( style, "children" ) ) {
501 a->acl_attrval_style = ACL_STYLE_CHILDREN;
504 "%s: line %d: unknown val.<style> \"%s\" "
505 "for attributeType \"%s\" with DN syntax; "
507 fname, lineno, style,
508 a->acl_attrs[0].an_desc->ad_cname.bv_val );
509 a->acl_attrval_style = ACL_STYLE_BASE;
514 "%s: line %d: unknown val.<style> \"%s\" "
515 "for attributeType \"%s\"; using \"exact\"\n",
516 fname, lineno, style,
517 a->acl_attrs[0].an_desc->ad_cname.bv_val );
518 a->acl_attrval_style = ACL_STYLE_BASE;
524 "%s: line %d: expecting <what> got \"%s\"\n",
525 fname, lineno, left );
530 if ( !BER_BVISNULL( &a->acl_dn_pat ) &&
531 ber_bvccmp( &a->acl_dn_pat, '*' ) )
533 free( a->acl_dn_pat.bv_val );
534 BER_BVZERO( &a->acl_dn_pat );
537 if ( !BER_BVISEMPTY( &a->acl_dn_pat ) ||
538 a->acl_dn_style != ACL_STYLE_REGEX )
540 if ( a->acl_dn_style != ACL_STYLE_REGEX ) {
542 rc = dnNormalize( 0, NULL, NULL, &a->acl_dn_pat, &bv, NULL);
543 if ( rc != LDAP_SUCCESS ) {
545 "%s: line %d: bad DN \"%s\" in to DN clause\n",
546 fname, lineno, a->acl_dn_pat.bv_val );
549 free( a->acl_dn_pat.bv_val );
553 int e = regcomp( &a->acl_dn_re, a->acl_dn_pat.bv_val,
554 REG_EXTENDED | REG_ICASE );
557 regerror( e, &a->acl_dn_re, buf, sizeof(buf) );
558 fprintf( stderr, "%s: line %d: "
559 "regular expression \"%s\" bad because of %s\n",
560 fname, lineno, right, buf );
566 /* by clause - select who has what access to entries */
567 } else if ( strcasecmp( argv[i], "by" ) == 0 ) {
569 fprintf( stderr, "%s: line %d: "
570 "to clause required before by clause in access line\n",
576 * by clause consists of <who> and <access>
579 b = (Access *) ch_calloc( 1, sizeof(Access) );
581 ACL_INVALIDATE( b->a_access_mask );
585 "%s: line %d: premature eol: expecting <who>\n",
591 for ( ; i < argc; i++ ) {
592 slap_style_t sty = ACL_STYLE_REGEX;
593 char *style_modifier = NULL;
594 char *style_level = NULL;
597 slap_dn_access *bdn = &b->a_dn;
600 split( argv[i], '=', &left, &right );
601 split( left, '.', &left, &style );
603 split( style, ',', &style, &style_modifier );
605 if ( strncasecmp( style, "level", STRLENOF( "level" ) ) == 0 ) {
606 split( style, '{', &style, &style_level );
607 if ( style_level != NULL ) {
608 char *p = strchr( style_level, '}' );
611 "%s: line %d: premature eol: "
612 "expecting closing '}' in \"level{n}\"\n",
615 } else if ( p == style_level ) {
617 "%s: line %d: empty level "
627 if ( style == NULL || *style == '\0' ||
628 strcasecmp( style, "exact" ) == 0 ||
629 strcasecmp( style, "baseObject" ) == 0 ||
630 strcasecmp( style, "base" ) == 0 )
632 sty = ACL_STYLE_BASE;
634 } else if ( strcasecmp( style, "onelevel" ) == 0 ||
635 strcasecmp( style, "one" ) == 0 )
639 } else if ( strcasecmp( style, "subtree" ) == 0 ||
640 strcasecmp( style, "sub" ) == 0 )
642 sty = ACL_STYLE_SUBTREE;
644 } else if ( strcasecmp( style, "children" ) == 0 ) {
645 sty = ACL_STYLE_CHILDREN;
647 } else if ( strcasecmp( style, "level" ) == 0 )
651 level = strtol( style_level, &next, 10 );
652 if ( next[0] != '\0' ) {
654 "%s: line %d: unable to parse level "
660 sty = ACL_STYLE_LEVEL;
662 } else if ( strcasecmp( style, "regex" ) == 0 ) {
663 sty = ACL_STYLE_REGEX;
665 } else if ( strcasecmp( style, "expand" ) == 0 ) {
666 sty = ACL_STYLE_EXPAND;
668 } else if ( strcasecmp( style, "ip" ) == 0 ) {
671 } else if ( strcasecmp( style, "path" ) == 0 ) {
672 sty = ACL_STYLE_PATH;
673 #ifndef LDAP_PF_LOCAL
674 fprintf( stderr, "%s: line %d: "
675 "path style modifier is useless without local\n",
677 #endif /* LDAP_PF_LOCAL */
681 "%s: line %d: unknown style \"%s\" in by clause\n",
682 fname, lineno, style );
686 if ( style_modifier &&
687 strcasecmp( style_modifier, "expand" ) == 0 )
690 case ACL_STYLE_REGEX:
691 fprintf( stderr, "%s: line %d: "
692 "\"regex\" style implies "
693 "\"expand\" modifier (ignored)\n",
697 case ACL_STYLE_EXPAND:
699 /* FIXME: now it's legal... */
700 fprintf( stderr, "%s: line %d: "
701 "\"expand\" style used "
702 "in conjunction with "
703 "\"expand\" modifier (ignored)\n",
709 /* we'll see later if it's pertinent */
715 /* expand in <who> needs regex in <what> */
716 if ( ( sty == ACL_STYLE_EXPAND || expand )
717 && a->acl_dn_style != ACL_STYLE_REGEX )
719 fprintf( stderr, "%s: line %d: "
720 "\"expand\" style or modifier used "
721 "in conjunction with "
722 "a non-regex <what> clause\n",
726 if ( strncasecmp( left, "real", STRLENOF( "real" ) ) == 0 ) {
729 left += STRLENOF( "real" );
732 if ( strcasecmp( left, "*" ) == 0 ) {
737 ber_str2bv( "*", STRLENOF( "*" ), 1, &bv );
738 sty = ACL_STYLE_REGEX;
740 } else if ( strcasecmp( left, "anonymous" ) == 0 ) {
741 ber_str2bv("anonymous", STRLENOF( "anonymous" ), 1, &bv);
742 sty = ACL_STYLE_ANONYMOUS;
744 } else if ( strcasecmp( left, "users" ) == 0 ) {
745 ber_str2bv("users", STRLENOF( "users" ), 1, &bv);
746 sty = ACL_STYLE_USERS;
748 } else if ( strcasecmp( left, "self" ) == 0 ) {
749 ber_str2bv("self", STRLENOF( "self" ), 1, &bv);
750 sty = ACL_STYLE_SELF;
752 } else if ( strcasecmp( left, "dn" ) == 0 ) {
753 if ( sty == ACL_STYLE_REGEX ) {
754 bdn->a_style = ACL_STYLE_REGEX;
755 if ( right == NULL ) {
760 bdn->a_style = ACL_STYLE_USERS;
762 } else if (*right == '\0' ) {
764 ber_str2bv("anonymous",
765 STRLENOF( "anonymous" ),
767 bdn->a_style = ACL_STYLE_ANONYMOUS;
769 } else if ( strcmp( right, "*" ) == 0 ) {
771 /* any or users? users for now */
775 bdn->a_style = ACL_STYLE_USERS;
777 } else if ( strcmp( right, ".+" ) == 0
778 || strcmp( right, "^.+" ) == 0
779 || strcmp( right, ".+$" ) == 0
780 || strcmp( right, "^.+$" ) == 0
781 || strcmp( right, ".+$$" ) == 0
782 || strcmp( right, "^.+$$" ) == 0 )
787 bdn->a_style = ACL_STYLE_USERS;
789 } else if ( strcmp( right, ".*" ) == 0
790 || strcmp( right, "^.*" ) == 0
791 || strcmp( right, ".*$" ) == 0
792 || strcmp( right, "^.*$" ) == 0
793 || strcmp( right, ".*$$" ) == 0
794 || strcmp( right, "^.*$$" ) == 0 )
801 acl_regex_normalized_dn( right, &bv );
802 if ( !ber_bvccmp( &bv, '*' ) ) {
803 regtest( fname, lineno, bv.bv_val );
807 } else if ( right == NULL || *right == '\0' ) {
808 fprintf( stderr, "%s: line %d: "
809 "missing \"=\" in (or value after) \"%s\" "
811 fname, lineno, left );
815 ber_str2bv( right, 0, 1, &bv );
822 if ( !BER_BVISNULL( &bv ) ) {
823 if ( !BER_BVISEMPTY( &bdn->a_pat ) ) {
825 "%s: line %d: dn pattern already specified.\n",
830 if ( sty != ACL_STYLE_REGEX &&
831 sty != ACL_STYLE_ANONYMOUS &&
832 sty != ACL_STYLE_USERS &&
833 sty != ACL_STYLE_SELF &&
836 rc = dnNormalize(0, NULL, NULL,
837 &bv, &bdn->a_pat, NULL);
838 if ( rc != LDAP_SUCCESS ) {
840 "%s: line %d: bad DN \"%s\" in by DN clause\n",
841 fname, lineno, bv.bv_val );
850 bdn->a_expand = expand;
851 if ( sty == ACL_STYLE_SELF ) {
852 bdn->a_self_level = level;
857 "%s: line %d: bad negative level \"%d\" "
859 fname, lineno, level );
861 } else if ( level == 1 ) {
863 "%s: line %d: \"onelevel\" should be used "
864 "instead of \"level{1}\" in by DN clause\n",
866 } else if ( level == 0 && sty == ACL_STYLE_LEVEL ) {
868 "%s: line %d: \"base\" should be used "
869 "instead of \"level{0}\" in by DN clause\n",
873 bdn->a_level = level;
878 if ( strcasecmp( left, "dnattr" ) == 0 ) {
879 if ( right == NULL || right[0] == '\0' ) {
880 fprintf( stderr, "%s: line %d: "
881 "missing \"=\" in (or value after) \"%s\" "
883 fname, lineno, left );
887 if( bdn->a_at != NULL ) {
889 "%s: line %d: dnattr already specified.\n",
894 rc = slap_str2ad( right, &bdn->a_at, &text );
896 if( rc != LDAP_SUCCESS ) {
898 "%s: line %d: dnattr \"%s\": %s\n",
899 fname, lineno, right, text );
904 if( !is_at_syntax( bdn->a_at->ad_type,
906 !is_at_syntax( bdn->a_at->ad_type,
907 SLAPD_NAMEUID_SYNTAX ))
910 "%s: line %d: dnattr \"%s\": "
911 "inappropriate syntax: %s\n",
912 fname, lineno, right,
913 bdn->a_at->ad_type->sat_syntax_oid );
917 if( bdn->a_at->ad_type->sat_equality == NULL ) {
919 "%s: line %d: dnattr \"%s\": "
920 "inappropriate matching (no EQUALITY)\n",
921 fname, lineno, right );
928 if ( strncasecmp( left, "group", STRLENOF( "group" ) ) == 0 ) {
933 case ACL_STYLE_REGEX:
934 /* legacy, tolerated */
935 fprintf( stderr, "%s: line %d: "
936 "deprecated group style \"regex\"; "
937 "use \"expand\" instead\n",
938 fname, lineno, style );
939 sty = ACL_STYLE_EXPAND;
943 /* legal, traditional */
944 case ACL_STYLE_EXPAND:
945 /* legal, substring expansion; supersedes regex */
950 fprintf( stderr, "%s: line %d: "
951 "inappropriate style \"%s\" in by clause\n",
952 fname, lineno, style );
956 if ( right == NULL || right[0] == '\0' ) {
957 fprintf( stderr, "%s: line %d: "
958 "missing \"=\" in (or value after) \"%s\" "
960 fname, lineno, left );
964 if ( !BER_BVISEMPTY( &b->a_group_pat ) ) {
966 "%s: line %d: group pattern already specified.\n",
971 /* format of string is
972 "group/objectClassValue/groupAttrName" */
973 if ( ( value = strchr(left, '/') ) != NULL ) {
975 if ( *value && ( name = strchr( value, '/' ) ) != NULL ) {
980 b->a_group_style = sty;
981 if ( sty == ACL_STYLE_EXPAND ) {
982 acl_regex_normalized_dn( right, &bv );
983 if ( !ber_bvccmp( &bv, '*' ) ) {
984 regtest( fname, lineno, bv.bv_val );
989 ber_str2bv( right, 0, 0, &bv );
990 rc = dnNormalize( 0, NULL, NULL, &bv,
991 &b->a_group_pat, NULL );
992 if ( rc != LDAP_SUCCESS ) {
994 "%s: line %d: bad DN \"%s\"\n",
995 fname, lineno, right );
1000 if ( value && *value ) {
1001 b->a_group_oc = oc_find( value );
1004 if ( b->a_group_oc == NULL ) {
1006 "%s: line %d: group objectclass "
1008 fname, lineno, value );
1013 b->a_group_oc = oc_find(SLAPD_GROUP_CLASS);
1015 if( b->a_group_oc == NULL ) {
1017 "%s: line %d: group default objectclass "
1019 fname, lineno, SLAPD_GROUP_CLASS );
1024 if ( is_object_subclass( slap_schema.si_oc_referral,
1028 "%s: line %d: group objectclass \"%s\" "
1029 "is subclass of referral\n",
1030 fname, lineno, value );
1034 if ( is_object_subclass( slap_schema.si_oc_alias,
1038 "%s: line %d: group objectclass \"%s\" "
1039 "is subclass of alias\n",
1040 fname, lineno, value );
1044 if ( name && *name ) {
1045 rc = slap_str2ad( name, &b->a_group_at, &text );
1047 if( rc != LDAP_SUCCESS ) {
1049 "%s: line %d: group \"%s\": %s\n",
1050 fname, lineno, right, text );
1056 rc = slap_str2ad( SLAPD_GROUP_ATTR, &b->a_group_at, &text );
1058 if ( rc != LDAP_SUCCESS ) {
1060 "%s: line %d: group \"%s\": %s\n",
1061 fname, lineno, SLAPD_GROUP_ATTR, text );
1066 if ( !is_at_syntax( b->a_group_at->ad_type,
1067 SLAPD_DN_SYNTAX ) &&
1068 !is_at_syntax( b->a_group_at->ad_type,
1069 SLAPD_NAMEUID_SYNTAX ) &&
1070 !is_at_subtype( b->a_group_at->ad_type, slap_schema.si_ad_labeledURI->ad_type ) )
1073 "%s: line %d: group \"%s\": inappropriate syntax: %s\n",
1074 fname, lineno, right,
1075 b->a_group_at->ad_type->sat_syntax_oid );
1082 struct berval vals[2];
1084 ber_str2bv( b->a_group_oc->soc_oid, 0, 0, &vals[0] );
1085 BER_BVZERO( &vals[1] );
1087 rc = oc_check_allowed( b->a_group_at->ad_type,
1091 fprintf( stderr, "%s: line %d: "
1092 "group: \"%s\" not allowed by \"%s\"\n",
1094 b->a_group_at->ad_cname.bv_val,
1095 b->a_group_oc->soc_oid );
1102 if ( strcasecmp( left, "peername" ) == 0 ) {
1104 case ACL_STYLE_REGEX:
1105 case ACL_STYLE_BASE:
1106 /* legal, traditional */
1107 case ACL_STYLE_EXPAND:
1108 /* cheap replacement to regex for simple expansion */
1110 case ACL_STYLE_PATH:
1111 /* legal, peername specific */
1115 fprintf( stderr, "%s: line %d: "
1116 "inappropriate style \"%s\" in by clause\n",
1117 fname, lineno, style );
1121 if ( right == NULL || right[0] == '\0' ) {
1122 fprintf( stderr, "%s: line %d: "
1123 "missing \"=\" in (or value after) \"%s\" "
1125 fname, lineno, left );
1129 if ( !BER_BVISEMPTY( &b->a_peername_pat ) ) {
1130 fprintf( stderr, "%s: line %d: "
1131 "peername pattern already specified.\n",
1136 b->a_peername_style = sty;
1137 if ( sty == ACL_STYLE_REGEX ) {
1138 acl_regex_normalized_dn( right, &bv );
1139 if ( !ber_bvccmp( &bv, '*' ) ) {
1140 regtest( fname, lineno, bv.bv_val );
1142 b->a_peername_pat = bv;
1145 ber_str2bv( right, 0, 1, &b->a_peername_pat );
1147 if ( sty == ACL_STYLE_IP ) {
1152 split( right, '{', &addr, &port );
1153 split( addr, '%', &addr, &mask );
1155 b->a_peername_addr = inet_addr( addr );
1156 if ( b->a_peername_addr == (unsigned long)(-1) ) {
1157 /* illegal address */
1158 fprintf( stderr, "%s: line %d: "
1159 "illegal peername address \"%s\".\n",
1160 fname, lineno, addr );
1164 b->a_peername_mask = (unsigned long)(-1);
1165 if ( mask != NULL ) {
1166 b->a_peername_mask = inet_addr( mask );
1167 if ( b->a_peername_mask ==
1168 (unsigned long)(-1) )
1171 fprintf( stderr, "%s: line %d: "
1172 "illegal peername address mask "
1174 fname, lineno, mask );
1179 b->a_peername_port = -1;
1183 b->a_peername_port = strtol( port, &end, 10 );
1184 if ( end[0] != '}' ) {
1186 fprintf( stderr, "%s: line %d: "
1187 "illegal peername port specification "
1189 fname, lineno, port );
1198 if ( strcasecmp( left, "sockname" ) == 0 ) {
1200 case ACL_STYLE_REGEX:
1201 case ACL_STYLE_BASE:
1202 /* legal, traditional */
1203 case ACL_STYLE_EXPAND:
1204 /* cheap replacement to regex for simple expansion */
1209 fprintf( stderr, "%s: line %d: "
1210 "inappropriate style \"%s\" in by clause\n",
1211 fname, lineno, style );
1215 if ( right == NULL || right[0] == '\0' ) {
1216 fprintf( stderr, "%s: line %d: "
1217 "missing \"=\" in (or value after) \"%s\" "
1219 fname, lineno, left );
1223 if ( !BER_BVISNULL( &b->a_sockname_pat ) ) {
1224 fprintf( stderr, "%s: line %d: "
1225 "sockname pattern already specified.\n",
1230 b->a_sockname_style = sty;
1231 if ( sty == ACL_STYLE_REGEX ) {
1232 acl_regex_normalized_dn( right, &bv );
1233 if ( !ber_bvccmp( &bv, '*' ) ) {
1234 regtest( fname, lineno, bv.bv_val );
1236 b->a_sockname_pat = bv;
1239 ber_str2bv( right, 0, 1, &b->a_sockname_pat );
1244 if ( strcasecmp( left, "domain" ) == 0 ) {
1246 case ACL_STYLE_REGEX:
1247 case ACL_STYLE_BASE:
1248 case ACL_STYLE_SUBTREE:
1249 /* legal, traditional */
1252 case ACL_STYLE_EXPAND:
1253 /* tolerated: means exact,expand */
1257 "\"expand\" modifier "
1258 "with \"expand\" style\n",
1261 sty = ACL_STYLE_BASE;
1267 fprintf( stderr, "%s: line %d: "
1268 "inappropriate style \"%s\" in by clause\n",
1269 fname, lineno, style );
1273 if ( right == NULL || right[0] == '\0' ) {
1274 fprintf( stderr, "%s: line %d: "
1275 "missing \"=\" in (or value after) \"%s\" "
1277 fname, lineno, left );
1281 if ( !BER_BVISEMPTY( &b->a_domain_pat ) ) {
1283 "%s: line %d: domain pattern already specified.\n",
1288 b->a_domain_style = sty;
1289 b->a_domain_expand = expand;
1290 if ( sty == ACL_STYLE_REGEX ) {
1291 acl_regex_normalized_dn( right, &bv );
1292 if ( !ber_bvccmp( &bv, '*' ) ) {
1293 regtest( fname, lineno, bv.bv_val );
1295 b->a_domain_pat = bv;
1298 ber_str2bv( right, 0, 1, &b->a_domain_pat );
1303 if ( strcasecmp( left, "sockurl" ) == 0 ) {
1305 case ACL_STYLE_REGEX:
1306 case ACL_STYLE_BASE:
1307 /* legal, traditional */
1308 case ACL_STYLE_EXPAND:
1309 /* cheap replacement to regex for simple expansion */
1314 fprintf( stderr, "%s: line %d: "
1315 "inappropriate style \"%s\" in by clause\n",
1316 fname, lineno, style );
1320 if ( right == NULL || right[0] == '\0' ) {
1321 fprintf( stderr, "%s: line %d: "
1322 "missing \"=\" in (or value after) \"%s\" "
1324 fname, lineno, left );
1328 if ( !BER_BVISEMPTY( &b->a_sockurl_pat ) ) {
1330 "%s: line %d: sockurl pattern already specified.\n",
1335 b->a_sockurl_style = sty;
1336 if ( sty == ACL_STYLE_REGEX ) {
1337 acl_regex_normalized_dn( right, &bv );
1338 if ( !ber_bvccmp( &bv, '*' ) ) {
1339 regtest( fname, lineno, bv.bv_val );
1341 b->a_sockurl_pat = bv;
1344 ber_str2bv( right, 0, 1, &b->a_sockurl_pat );
1349 if ( strcasecmp( left, "set" ) == 0 ) {
1352 case ACL_STYLE_REGEX:
1353 fprintf( stderr, "%s: line %d: "
1354 "deprecated set style "
1355 "\"regex\" in <by> clause; "
1356 "use \"expand\" instead\n",
1358 sty = ACL_STYLE_EXPAND;
1361 case ACL_STYLE_BASE:
1362 case ACL_STYLE_EXPAND:
1366 fprintf( stderr, "%s: line %d: "
1367 "inappropriate style \"%s\" in by clause\n",
1368 fname, lineno, style );
1372 if ( !BER_BVISEMPTY( &b->a_set_pat ) ) {
1374 "%s: line %d: set attribute already specified.\n",
1379 if ( right == NULL || *right == '\0' ) {
1381 "%s: line %d: no set is defined\n",
1386 b->a_set_style = sty;
1387 ber_str2bv( right, 0, 1, &b->a_set_pat );
1396 if ( strcasecmp( left, "aci" ) == 0 ) {
1399 } else if ( strncasecmp( left, "dynacl/", STRLENOF( "dynacl/" ) ) == 0 ) {
1400 name = &left[ STRLENOF( "dynacl/" ) ];
1404 if ( slap_dynacl_config( fname, lineno, b, name, sty, right ) ) {
1405 fprintf( stderr, "%s: line %d: "
1406 "unable to configure dynacl \"%s\"\n",
1407 fname, lineno, name );
1414 #else /* ! SLAP_DYNACL */
1416 #ifdef SLAPD_ACI_ENABLED
1417 if ( strcasecmp( left, "aci" ) == 0 ) {
1418 if (sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE) {
1419 fprintf( stderr, "%s: line %d: "
1420 "inappropriate style \"%s\" in by clause\n",
1421 fname, lineno, style );
1425 if( b->a_aci_at != NULL ) {
1427 "%s: line %d: aci attribute already specified.\n",
1432 if ( right != NULL && *right != '\0' ) {
1433 rc = slap_str2ad( right, &b->a_aci_at, &text );
1435 if( rc != LDAP_SUCCESS ) {
1437 "%s: line %d: aci \"%s\": %s\n",
1438 fname, lineno, right, text );
1443 b->a_aci_at = slap_schema.si_ad_aci;
1446 if( !is_at_syntax( b->a_aci_at->ad_type,
1449 fprintf( stderr, "%s: line %d: "
1450 "aci \"%s\": inappropriate syntax: %s\n",
1451 fname, lineno, right,
1452 b->a_aci_at->ad_type->sat_syntax_oid );
1458 #endif /* SLAPD_ACI_ENABLED */
1459 #endif /* ! SLAP_DYNACL */
1461 if ( strcasecmp( left, "ssf" ) == 0 ) {
1462 if ( sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE ) {
1463 fprintf( stderr, "%s: line %d: "
1464 "inappropriate style \"%s\" in by clause\n",
1465 fname, lineno, style );
1469 if ( b->a_authz.sai_ssf ) {
1471 "%s: line %d: ssf attribute already specified.\n",
1476 if ( right == NULL || *right == '\0' ) {
1478 "%s: line %d: no ssf is defined\n",
1483 b->a_authz.sai_ssf = strtol( right, &next, 10 );
1484 if ( next == NULL || next[0] != '\0' ) {
1486 "%s: line %d: unable to parse ssf value (%s)\n",
1487 fname, lineno, right );
1491 if ( !b->a_authz.sai_ssf ) {
1493 "%s: line %d: invalid ssf value (%s)\n",
1494 fname, lineno, right );
1500 if ( strcasecmp( left, "transport_ssf" ) == 0 ) {
1501 if ( sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE ) {
1502 fprintf( stderr, "%s: line %d: "
1503 "inappropriate style \"%s\" in by clause\n",
1504 fname, lineno, style );
1508 if ( b->a_authz.sai_transport_ssf ) {
1509 fprintf( stderr, "%s: line %d: "
1510 "transport_ssf attribute already specified.\n",
1515 if ( right == NULL || *right == '\0' ) {
1517 "%s: line %d: no transport_ssf is defined\n",
1522 b->a_authz.sai_transport_ssf = strtol( right, &next, 10 );
1523 if ( next == NULL || next[0] != '\0' ) {
1524 fprintf( stderr, "%s: line %d: "
1525 "unable to parse transport_ssf value (%s)\n",
1526 fname, lineno, right );
1530 if ( !b->a_authz.sai_transport_ssf ) {
1532 "%s: line %d: invalid transport_ssf value (%s)\n",
1533 fname, lineno, right );
1539 if ( strcasecmp( left, "tls_ssf" ) == 0 ) {
1540 if ( sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE ) {
1541 fprintf( stderr, "%s: line %d: "
1542 "inappropriate style \"%s\" in by clause\n",
1543 fname, lineno, style );
1547 if ( b->a_authz.sai_tls_ssf ) {
1548 fprintf( stderr, "%s: line %d: "
1549 "tls_ssf attribute already specified.\n",
1554 if ( right == NULL || *right == '\0' ) {
1556 "%s: line %d: no tls_ssf is defined\n",
1561 b->a_authz.sai_tls_ssf = strtol( right, &next, 10 );
1562 if ( next == NULL || next[0] != '\0' ) {
1563 fprintf( stderr, "%s: line %d: "
1564 "unable to parse tls_ssf value (%s)\n",
1565 fname, lineno, right );
1569 if ( !b->a_authz.sai_tls_ssf ) {
1571 "%s: line %d: invalid tls_ssf value (%s)\n",
1572 fname, lineno, right );
1578 if ( strcasecmp( left, "sasl_ssf" ) == 0 ) {
1579 if ( sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE ) {
1580 fprintf( stderr, "%s: line %d: "
1581 "inappropriate style \"%s\" in by clause\n",
1582 fname, lineno, style );
1586 if ( b->a_authz.sai_sasl_ssf ) {
1587 fprintf( stderr, "%s: line %d: "
1588 "sasl_ssf attribute already specified.\n",
1593 if ( right == NULL || *right == '\0' ) {
1595 "%s: line %d: no sasl_ssf is defined\n",
1600 b->a_authz.sai_sasl_ssf = strtol( right, &next, 10 );
1601 if ( next == NULL || next[0] != '\0' ) {
1602 fprintf( stderr, "%s: line %d: "
1603 "unable to parse sasl_ssf value (%s)\n",
1604 fname, lineno, right );
1608 if ( !b->a_authz.sai_sasl_ssf ) {
1610 "%s: line %d: invalid sasl_ssf value (%s)\n",
1611 fname, lineno, right );
1617 if ( right != NULL ) {
1624 if ( i == argc || ( strcasecmp( left, "stop" ) == 0 ) ) {
1625 /* out of arguments or plain stop */
1627 ACL_PRIV_ASSIGN( b->a_access_mask, ACL_PRIV_ADDITIVE );
1628 b->a_type = ACL_STOP;
1630 access_append( &a->acl_access, b );
1634 if ( strcasecmp( left, "continue" ) == 0 ) {
1635 /* plain continue */
1637 ACL_PRIV_ASSIGN( b->a_access_mask, ACL_PRIV_ADDITIVE );
1638 b->a_type = ACL_CONTINUE;
1640 access_append( &a->acl_access, b );
1644 if ( strcasecmp( left, "break" ) == 0 ) {
1645 /* plain continue */
1647 ACL_PRIV_ASSIGN(b->a_access_mask, ACL_PRIV_ADDITIVE);
1648 b->a_type = ACL_BREAK;
1650 access_append( &a->acl_access, b );
1654 if ( strcasecmp( left, "by" ) == 0 ) {
1655 /* we've gone too far */
1657 ACL_PRIV_ASSIGN( b->a_access_mask, ACL_PRIV_ADDITIVE );
1658 b->a_type = ACL_STOP;
1660 access_append( &a->acl_access, b );
1665 if ( strncasecmp( left, "self", STRLENOF( "self" ) ) == 0 ) {
1667 ACL_PRIV_ASSIGN( b->a_access_mask, str2accessmask( &left[ STRLENOF( "self" ) ] ) );
1669 } else if ( strncasecmp( left, "realself", STRLENOF( "realself" ) ) == 0 ) {
1670 b->a_realdn_self = 1;
1671 ACL_PRIV_ASSIGN( b->a_access_mask, str2accessmask( &left[ STRLENOF( "realself" ) ] ) );
1674 ACL_PRIV_ASSIGN( b->a_access_mask, str2accessmask( left ) );
1677 if ( ACL_IS_INVALID( b->a_access_mask ) ) {
1679 "%s: line %d: expecting <access> got \"%s\"\n",
1680 fname, lineno, left );
1684 b->a_type = ACL_STOP;
1686 if ( ++i == argc ) {
1687 /* out of arguments or plain stop */
1688 access_append( &a->acl_access, b );
1692 if ( strcasecmp( argv[i], "continue" ) == 0 ) {
1693 /* plain continue */
1694 b->a_type = ACL_CONTINUE;
1696 } else if ( strcasecmp( argv[i], "break" ) == 0 ) {
1697 /* plain continue */
1698 b->a_type = ACL_BREAK;
1700 } else if ( strcasecmp( argv[i], "stop" ) != 0 ) {
1705 access_append( &a->acl_access, b );
1709 "%s: line %d: expecting \"to\" "
1710 "or \"by\" got \"%s\"\n",
1711 fname, lineno, argv[i] );
1716 /* if we have no real access clause, complain and do nothing */
1718 fprintf( stderr, "%s: line %d: "
1719 "warning: no access clause(s) specified in access line\n",
1724 if ( ldap_debug & LDAP_DEBUG_ACL ) {
1729 if ( a->acl_access == NULL ) {
1730 fprintf( stderr, "%s: line %d: "
1731 "warning: no by clause(s) specified in access line\n",
1736 if ( !BER_BVISNULL( &be->be_nsuffix[ 1 ] ) ) {
1737 fprintf( stderr, "%s: line %d: warning: "
1738 "scope checking only applies to single-valued "
1739 "suffix databases\n",
1741 /* go ahead, since checking is not authoritative */
1744 switch ( check_scope( be, a ) ) {
1745 case ACL_SCOPE_UNKNOWN:
1746 fprintf( stderr, "%s: line %d: warning: "
1747 "cannot assess the validity of the ACL scope within "
1748 "backend naming context\n",
1752 case ACL_SCOPE_WARN:
1753 fprintf( stderr, "%s: line %d: warning: "
1754 "ACL could be out of scope within backend naming context\n",
1758 case ACL_SCOPE_PARTIAL:
1759 fprintf( stderr, "%s: line %d: warning: "
1760 "ACL appears to be partially out of scope within "
1761 "backend naming context\n",
1766 fprintf( stderr, "%s: line %d: warning: "
1767 "ACL appears to be out of scope within "
1768 "backend naming context\n",
1775 acl_append( &be->be_acl, a );
1778 acl_append( &frontendDB->be_acl, a );
1784 accessmask2str( slap_mask_t mask, char *buf, int debug )
1789 assert( buf != NULL );
1791 if ( ACL_IS_INVALID( mask ) ) {
1797 if ( ACL_IS_LEVEL( mask ) ) {
1798 if ( ACL_LVL_IS_NONE(mask) ) {
1799 ptr = lutil_strcopy( ptr, "none" );
1801 } else if ( ACL_LVL_IS_DISCLOSE(mask) ) {
1802 ptr = lutil_strcopy( ptr, "disclose" );
1804 } else if ( ACL_LVL_IS_AUTH(mask) ) {
1805 ptr = lutil_strcopy( ptr, "auth" );
1807 } else if ( ACL_LVL_IS_COMPARE(mask) ) {
1808 ptr = lutil_strcopy( ptr, "compare" );
1810 } else if ( ACL_LVL_IS_SEARCH(mask) ) {
1811 ptr = lutil_strcopy( ptr, "search" );
1813 } else if ( ACL_LVL_IS_READ(mask) ) {
1814 ptr = lutil_strcopy( ptr, "read" );
1816 } else if ( ACL_LVL_IS_WRITE(mask) ) {
1817 ptr = lutil_strcopy( ptr, "write" );
1819 } else if ( ACL_LVL_IS_MANAGE(mask) ) {
1820 ptr = lutil_strcopy( ptr, "manage" );
1823 ptr = lutil_strcopy( ptr, "unknown" );
1833 if( ACL_IS_ADDITIVE( mask ) ) {
1836 } else if( ACL_IS_SUBTRACTIVE( mask ) ) {
1843 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_MANAGE) ) {
1848 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_WRITE) ) {
1853 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_READ) ) {
1858 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_SEARCH) ) {
1863 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_COMPARE) ) {
1868 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_AUTH) ) {
1873 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_DISCLOSE) ) {
1878 if ( none && ACL_PRIV_ISSET(mask, ACL_PRIV_NONE) ) {
1887 if ( ACL_IS_LEVEL( mask ) ) {
1897 str2accessmask( const char *str )
1901 if( !ASCII_ALPHA(str[0]) ) {
1904 if ( str[0] == '=' ) {
1907 } else if( str[0] == '+' ) {
1908 ACL_PRIV_ASSIGN(mask, ACL_PRIV_ADDITIVE);
1910 } else if( str[0] == '-' ) {
1911 ACL_PRIV_ASSIGN(mask, ACL_PRIV_SUBSTRACTIVE);
1914 ACL_INVALIDATE(mask);
1918 for( i=1; str[i] != '\0'; i++ ) {
1919 if( TOLOWER((unsigned char) str[i]) == 'm' ) {
1920 ACL_PRIV_SET(mask, ACL_PRIV_MANAGE);
1922 } else if( TOLOWER((unsigned char) str[i]) == 'w' ) {
1923 ACL_PRIV_SET(mask, ACL_PRIV_WRITE);
1925 } else if( TOLOWER((unsigned char) str[i]) == 'r' ) {
1926 ACL_PRIV_SET(mask, ACL_PRIV_READ);
1928 } else if( TOLOWER((unsigned char) str[i]) == 's' ) {
1929 ACL_PRIV_SET(mask, ACL_PRIV_SEARCH);
1931 } else if( TOLOWER((unsigned char) str[i]) == 'c' ) {
1932 ACL_PRIV_SET(mask, ACL_PRIV_COMPARE);
1934 } else if( TOLOWER((unsigned char) str[i]) == 'x' ) {
1935 ACL_PRIV_SET(mask, ACL_PRIV_AUTH);
1937 } else if( TOLOWER((unsigned char) str[i]) == 'd' ) {
1938 ACL_PRIV_SET(mask, ACL_PRIV_DISCLOSE);
1940 } else if( str[i] != '0' ) {
1941 ACL_INVALIDATE(mask);
1949 if ( strcasecmp( str, "none" ) == 0 ) {
1950 ACL_LVL_ASSIGN_NONE(mask);
1952 } else if ( strcasecmp( str, "disclose" ) == 0 ) {
1953 ACL_LVL_ASSIGN_DISCLOSE(mask);
1955 } else if ( strcasecmp( str, "auth" ) == 0 ) {
1956 ACL_LVL_ASSIGN_AUTH(mask);
1958 } else if ( strcasecmp( str, "compare" ) == 0 ) {
1959 ACL_LVL_ASSIGN_COMPARE(mask);
1961 } else if ( strcasecmp( str, "search" ) == 0 ) {
1962 ACL_LVL_ASSIGN_SEARCH(mask);
1964 } else if ( strcasecmp( str, "read" ) == 0 ) {
1965 ACL_LVL_ASSIGN_READ(mask);
1967 } else if ( strcasecmp( str, "write" ) == 0 ) {
1968 ACL_LVL_ASSIGN_WRITE(mask);
1970 } else if ( strcasecmp( str, "manage" ) == 0 ) {
1971 ACL_LVL_ASSIGN_MANAGE(mask);
1974 ACL_INVALIDATE( mask );
1983 fprintf( stderr, "%s%s%s\n",
1984 "<access clause> ::= access to <what> "
1985 "[ by <who> <access> [ <control> ] ]+ \n"
1986 "<what> ::= * | [dn[.<dnstyle>]=<DN>] [filter=<filter>] [attrs=<attrlist>]\n"
1987 "<attrlist> ::= <attr> [val[.<attrstyle>]=<value>] | <attr> , <attrlist>\n"
1988 "<attr> ::= <attrname> | entry | children\n",
1989 "<who> ::= [ * | anonymous | users | self | dn[.<dnstyle>]=<DN> ]\n"
1990 "\t[ realanonymous | realusers | realself | realdn[.<dnstyle>]=<DN> ]\n"
1991 "\t[dnattr=<attrname>]\n"
1992 "\t[realdnattr=<attrname>]\n"
1993 "\t[group[/<objectclass>[/<attrname>]][.<style>]=<group>]\n"
1994 "\t[peername[.<peernamestyle>]=<peer>] [sockname[.<style>]=<name>]\n"
1995 "\t[domain[.<domainstyle>]=<domain>] [sockurl[.<style>]=<url>]\n"
1996 #ifdef SLAPD_ACI_ENABLED
1997 "\t[aci=[<attrname>]]\n"
2000 "\t[dynacl/<name>[.<dynstyle>][=<pattern>]]\n"
2001 #endif /* SLAP_DYNACL */
2002 "\t[ssf=<n>] [transport_ssf=<n>] [tls_ssf=<n>] [sasl_ssf=<n>]\n",
2003 "<style> ::= exact | regex | base(Object)\n"
2004 "<dnstyle> ::= base(Object) | one(level) | sub(tree) | children | "
2006 "<attrstyle> ::= exact | regex | base(Object) | one(level) | "
2007 "sub(tree) | children\n"
2008 "<peernamestyle> ::= exact | regex | ip | path\n"
2009 "<domainstyle> ::= exact | regex | base(Object) | sub(tree)\n"
2010 "<access> ::= [[real]self]{<level>|<priv>}\n"
2011 "<level> ::= none|disclose|auth|compare|search|read|write|manage\n"
2012 "<priv> ::= {=|+|-}{0|d|x|c|s|r|w|m}+\n"
2013 "<control> ::= [ stop | continue | break ]\n"
2015 exit( EXIT_FAILURE );
2019 * Set pattern to a "normalized" DN from src.
2020 * At present it simply eats the (optional) space after
2021 * a RDN separator (,)
2022 * Eventually will evolve in a more complete normalization
2025 acl_regex_normalized_dn(
2027 struct berval *pattern )
2032 str = ch_strdup( src );
2033 len = strlen( src );
2035 for ( p = str; p && p[0]; p++ ) {
2037 if ( p[0] == '\\' && p[1] ) {
2039 * if escaping a hex pair we should
2040 * increment p twice; however, in that
2041 * case the second hex number does
2047 if ( p[0] == ',' && p[1] == ' ' ) {
2051 * too much space should be an error if we are pedantic
2053 for ( q = &p[2]; q[0] == ' '; q++ ) {
2056 AC_MEMCPY( p+1, q, len-(q-str)+1);
2059 pattern->bv_val = str;
2060 pattern->bv_len = p - str;
2073 if ( (*right = strchr( line, splitchar )) != NULL ) {
2074 *((*right)++) = '\0';
2079 access_append( Access **l, Access *a )
2081 for ( ; *l != NULL; l = &(*l)->a_next ) {
2089 acl_append( AccessControl **l, AccessControl *a )
2091 for ( ; *l != NULL; l = &(*l)->acl_next ) {
2099 access_free( Access *a )
2101 if ( !BER_BVISNULL( &a->a_dn_pat ) ) {
2102 free( a->a_dn_pat.bv_val );
2104 if ( !BER_BVISNULL( &a->a_realdn_pat ) ) {
2105 free( a->a_realdn_pat.bv_val );
2107 if ( !BER_BVISNULL( &a->a_peername_pat ) ) {
2108 free( a->a_peername_pat.bv_val );
2110 if ( !BER_BVISNULL( &a->a_sockname_pat ) ) {
2111 free( a->a_sockname_pat.bv_val );
2113 if ( !BER_BVISNULL( &a->a_domain_pat ) ) {
2114 free( a->a_domain_pat.bv_val );
2116 if ( !BER_BVISNULL( &a->a_sockurl_pat ) ) {
2117 free( a->a_sockurl_pat.bv_val );
2119 if ( !BER_BVISNULL( &a->a_set_pat ) ) {
2120 free( a->a_set_pat.bv_val );
2122 if ( !BER_BVISNULL( &a->a_group_pat ) ) {
2123 free( a->a_group_pat.bv_val );
2129 acl_free( AccessControl *a )
2134 if ( a->acl_filter ) {
2135 filter_free( a->acl_filter );
2137 if ( !BER_BVISNULL( &a->acl_dn_pat ) ) {
2138 free ( a->acl_dn_pat.bv_val );
2140 if ( a->acl_attrs ) {
2141 for ( an = a->acl_attrs; !BER_BVISNULL( &an->an_name ); an++ ) {
2142 free( an->an_name.bv_val );
2144 free( a->acl_attrs );
2146 for ( ; a->acl_access; a->acl_access = n ) {
2147 n = a->acl_access->a_next;
2148 access_free( a->acl_access );
2153 /* Because backend_startup uses acl_append to tack on the global_acl to
2154 * the end of each backend's acl, we cannot just take one argument and
2155 * merrily free our way to the end of the list. backend_destroy calls us
2156 * with the be_acl in arg1, and global_acl in arg2 to give us a stopping
2157 * point. config_destroy calls us with global_acl in arg1 and NULL in
2158 * arg2, so we then proceed to polish off the global_acl.
2161 acl_destroy( AccessControl *a, AccessControl *end )
2165 for (; a && a!= end; a=n) {
2172 access2str( slap_access_t access )
2174 if ( access == ACL_NONE ) {
2177 } else if ( access == ACL_DISCLOSE ) {
2180 } else if ( access == ACL_AUTH ) {
2183 } else if ( access == ACL_COMPARE ) {
2186 } else if ( access == ACL_SEARCH ) {
2189 } else if ( access == ACL_READ ) {
2192 } else if ( access == ACL_WRITE ) {
2195 } else if ( access == ACL_MANAGE ) {
2204 str2access( const char *str )
2206 if ( strcasecmp( str, "none" ) == 0 ) {
2209 } else if ( strcasecmp( str, "disclose" ) == 0 ) {
2210 return ACL_DISCLOSE;
2212 } else if ( strcasecmp( str, "auth" ) == 0 ) {
2215 } else if ( strcasecmp( str, "compare" ) == 0 ) {
2218 } else if ( strcasecmp( str, "search" ) == 0 ) {
2221 } else if ( strcasecmp( str, "read" ) == 0 ) {
2224 } else if ( strcasecmp( str, "write" ) == 0 ) {
2227 } else if ( strcasecmp( str, "manage" ) == 0 ) {
2231 return( ACL_INVALID_ACCESS );
2234 #define ACLBUF_MAXLEN 8192
2236 static char aclbuf[ACLBUF_MAXLEN];
2239 dnaccess2text( slap_dn_access *bdn, char *ptr, int is_realdn )
2244 ptr = lutil_strcopy( ptr, "real" );
2247 if ( ber_bvccmp( &bdn->a_pat, '*' ) ||
2248 bdn->a_style == ACL_STYLE_ANONYMOUS ||
2249 bdn->a_style == ACL_STYLE_USERS ||
2250 bdn->a_style == ACL_STYLE_SELF )
2253 assert( ! ber_bvccmp( &bdn->a_pat, '*' ) );
2256 ptr = lutil_strcopy( ptr, bdn->a_pat.bv_val );
2257 if ( bdn->a_style == ACL_STYLE_SELF && bdn->a_self_level != 0 ) {
2258 int n = sprintf( ptr, ".level{%d}", bdn->a_self_level );
2265 ptr = lutil_strcopy( ptr, "dn." );
2266 ptr = lutil_strcopy( ptr, style_strings[bdn->a_style] );
2267 if ( bdn->a_style == ACL_STYLE_LEVEL ) {
2268 int n = sprintf( ptr, "{%d}", bdn->a_level );
2273 if ( bdn->a_expand ) {
2274 ptr = lutil_strcopy( ptr, ",expand" );
2278 ptr = lutil_strcopy( ptr, bdn->a_pat.bv_val );
2282 if ( bdn->a_at != NULL ) {
2285 ptr = lutil_strcopy( ptr, "real" );
2287 ptr = lutil_strcopy( ptr, "dnattr=" );
2288 ptr = lutil_strcopy( ptr, bdn->a_at->ad_cname.bv_val );
2295 access2text( Access *b, char *ptr )
2297 char maskbuf[ACCESSMASK_MAXLEN];
2299 ptr = lutil_strcopy( ptr, "\tby" );
2301 if ( !BER_BVISEMPTY( &b->a_dn_pat ) ) {
2302 ptr = dnaccess2text( &b->a_dn, ptr, 0 );
2305 if ( !BER_BVISEMPTY( &b->a_realdn_pat ) ) {
2306 ptr = dnaccess2text( &b->a_realdn, ptr, 1 );
2309 if ( !BER_BVISEMPTY( &b->a_group_pat ) ) {
2310 ptr = lutil_strcopy( ptr, " group/" );
2311 ptr = lutil_strcopy( ptr, b->a_group_oc ?
2312 b->a_group_oc->soc_cname.bv_val : "groupOfNames" );
2314 ptr = lutil_strcopy( ptr, b->a_group_at ?
2315 b->a_group_at->ad_cname.bv_val : "member" );
2317 ptr = lutil_strcopy( ptr, style_strings[b->a_group_style] );
2320 ptr = lutil_strcopy( ptr, b->a_group_pat.bv_val );
2324 if ( !BER_BVISEMPTY( &b->a_peername_pat ) ) {
2325 ptr = lutil_strcopy( ptr, " peername=\"" );
2326 ptr = lutil_strcopy( ptr, b->a_peername_pat.bv_val );
2330 if ( !BER_BVISEMPTY( &b->a_sockname_pat ) ) {
2331 ptr = lutil_strcopy( ptr, " sockname=\"" );
2332 ptr = lutil_strcopy( ptr, b->a_sockname_pat.bv_val );
2336 if ( !BER_BVISEMPTY( &b->a_domain_pat ) ) {
2337 ptr = lutil_strcopy( ptr, " domain=" );
2338 ptr = lutil_strcopy( ptr, b->a_domain_pat.bv_val );
2341 if ( !BER_BVISEMPTY( &b->a_sockurl_pat ) ) {
2342 ptr = lutil_strcopy( ptr, " sockurl=\"" );
2343 ptr = lutil_strcopy( ptr, b->a_sockurl_pat.bv_val );
2347 if ( !BER_BVISEMPTY( &b->a_set_pat ) ) {
2348 ptr = lutil_strcopy( ptr, " set=\"" );
2349 ptr = lutil_strcopy( ptr, b->a_set_pat.bv_val );
2354 if ( b->a_dynacl ) {
2357 for ( da = b->a_dynacl; da; da = da->da_next ) {
2358 if ( da->da_unparse ) {
2360 (void)( *da->da_unparse )( da->da_private, &bv );
2361 ptr = lutil_strcopy( ptr, bv.bv_val );
2362 ch_free( bv.bv_val );
2366 #else /* ! SLAP_DYNACL */
2367 #ifdef SLAPD_ACI_ENABLED
2368 if ( b->a_aci_at != NULL ) {
2369 ptr = lutil_strcopy( ptr, " aci=" );
2370 ptr = lutil_strcopy( ptr, b->a_aci_at->ad_cname.bv_val );
2373 #endif /* SLAP_DYNACL */
2375 /* Security Strength Factors */
2376 if ( b->a_authz.sai_ssf ) {
2377 ptr += sprintf( ptr, " ssf=%u",
2378 b->a_authz.sai_ssf );
2380 if ( b->a_authz.sai_transport_ssf ) {
2381 ptr += sprintf( ptr, " transport_ssf=%u",
2382 b->a_authz.sai_transport_ssf );
2384 if ( b->a_authz.sai_tls_ssf ) {
2385 ptr += sprintf( ptr, " tls_ssf=%u",
2386 b->a_authz.sai_tls_ssf );
2388 if ( b->a_authz.sai_sasl_ssf ) {
2389 ptr += sprintf( ptr, " sasl_ssf=%u",
2390 b->a_authz.sai_sasl_ssf );
2394 if ( b->a_dn_self ) {
2395 ptr = lutil_strcopy( ptr, "self" );
2396 } else if ( b->a_realdn_self ) {
2397 ptr = lutil_strcopy( ptr, "realself" );
2399 ptr = lutil_strcopy( ptr, accessmask2str( b->a_access_mask, maskbuf, 0 ));
2400 if ( !maskbuf[0] ) ptr--;
2402 if( b->a_type == ACL_BREAK ) {
2403 ptr = lutil_strcopy( ptr, " break" );
2405 } else if( b->a_type == ACL_CONTINUE ) {
2406 ptr = lutil_strcopy( ptr, " continue" );
2408 } else if( b->a_type != ACL_STOP ) {
2409 ptr = lutil_strcopy( ptr, " unknown-control" );
2411 if ( !maskbuf[0] ) ptr = lutil_strcopy( ptr, " stop" );
2419 acl_unparse( AccessControl *a, struct berval *bv )
2426 bv->bv_val = aclbuf;
2431 ptr = lutil_strcopy( ptr, "to" );
2432 if ( !BER_BVISNULL( &a->acl_dn_pat ) ) {
2434 ptr = lutil_strcopy( ptr, " dn." );
2435 ptr = lutil_strcopy( ptr, style_strings[a->acl_dn_style] );
2438 ptr = lutil_strcopy( ptr, a->acl_dn_pat.bv_val );
2439 ptr = lutil_strcopy( ptr, "\"\n" );
2442 if ( a->acl_filter != NULL ) {
2443 struct berval bv = BER_BVNULL;
2446 filter2bv( a->acl_filter, &bv );
2447 ptr = lutil_strcopy( ptr, " filter=\"" );
2448 ptr = lutil_strcopy( ptr, bv.bv_val );
2451 ch_free( bv.bv_val );
2454 if ( a->acl_attrs != NULL ) {
2459 ptr = lutil_strcopy( ptr, " attrs=" );
2460 for ( an = a->acl_attrs; an && !BER_BVISNULL( &an->an_name ); an++ ) {
2461 if ( ! first ) *ptr++ = ',';
2463 *ptr++ = an->an_oc_exclude ? '!' : '@';
2464 ptr = lutil_strcopy( ptr, an->an_oc->soc_cname.bv_val );
2467 ptr = lutil_strcopy( ptr, an->an_name.bv_val );
2474 if ( !BER_BVISEMPTY( &a->acl_attrval ) ) {
2476 ptr = lutil_strcopy( ptr, " val." );
2477 ptr = lutil_strcopy( ptr, style_strings[a->acl_attrval_style] );
2480 ptr = lutil_strcopy( ptr, a->acl_attrval.bv_val );
2486 ptr = lutil_strcopy( ptr, " *\n" );
2489 for ( b = a->acl_access; b != NULL; b = b->a_next ) {
2490 ptr = access2text( b, ptr );
2493 bv->bv_len = ptr - bv->bv_val;
2499 print_acl( Backend *be, AccessControl *a )
2505 acl_unparse( a, &bv );
2506 fprintf( stderr, "%s ACL: access %s\n",
2507 be == NULL ? "Global" : "Backend", bv.bv_val );
2509 #endif /* LDAP_DEBUG */