1 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
3 * Copyright 2004-2005 The OpenLDAP Foundation.
4 * Portions Copyright 2004 Pierangelo Masarati.
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted only as authorized by the OpenLDAP
11 * A copy of this license is available in file LICENSE in the
12 * top-level directory of the distribution or, alternatively, at
13 * <http://www.OpenLDAP.org/license.html>.
16 * This work was initially developed by Pierangelo Masarati for inclusion
17 * in OpenLDAP Software.
24 #include <ac/stdlib.h>
27 #include <ac/string.h>
28 #include <ac/socket.h>
29 #include <ac/unistd.h>
35 #include "slapcommon.h"
38 slapacl( int argc, char **argv )
40 int rc = EXIT_SUCCESS;
41 const char *progname = "slapacl";
42 Connection conn = { 0 };
44 char opbuf[OPERATION_BUFFER_SIZE];
46 Entry e = { 0 }, *ep = &e;
49 slap_tool_init( progname, SLAPACL, argc, argv );
51 argv = &argv[ optind ];
54 op = (Operation *)opbuf;
55 connection_fake_init( &conn, op, &conn );
57 conn.c_listener = &listener;
58 conn.c_listener_url = listener_url;
59 conn.c_peer_domain = peer_domain;
60 conn.c_peer_name = peer_name;
61 conn.c_sock_name = sock_name;
63 op->o_transport_ssf = transport_ssf;
64 op->o_tls_ssf = tls_ssf;
65 op->o_sasl_ssf = sasl_ssf;
67 if ( !BER_BVISNULL( &authcID ) ) {
68 rc = slap_sasl_getdn( &conn, op, &authcID, NULL,
69 &authcDN, SLAP_GETDN_AUTHCID );
70 if ( rc != LDAP_SUCCESS ) {
71 fprintf( stderr, "ID: <%s> check failed %d (%s)\n",
73 ldap_err2string( rc ) );
78 } else if ( !BER_BVISNULL( &authcDN ) ) {
81 rc = dnNormalize( 0, NULL, NULL, &authcDN, &ndn, NULL );
82 if ( rc != LDAP_SUCCESS ) {
83 fprintf( stderr, "autchDN=\"%s\" normalization failed %d (%s)\n",
85 ldap_err2string( rc ) );
89 ch_free( authcDN.bv_val );
94 if ( !BER_BVISNULL( &authcDN ) ) {
95 fprintf( stderr, "DN: \"%s\"\n", authcDN.bv_val );
98 assert( !BER_BVISNULL( &baseDN ) );
99 rc = dnPrettyNormal( NULL, &baseDN, &e.e_name, &e.e_nname, NULL );
100 if ( rc != LDAP_SUCCESS ) {
101 fprintf( stderr, "base=\"%s\" normalization failed %d (%s)\n",
103 ldap_err2string( rc ) );
109 if ( !BER_BVISNULL( &authcDN ) ) {
116 attr = slap_schema.si_ad_entry->ad_cname.bv_val;
122 if ( !be->be_entry_open ||
123 !be->be_entry_close ||
127 fprintf( stderr, "%s: target database "
128 "doesn't support necessary operations; "
129 "you may try with \"-u\" (dry run).\n",
135 if ( be->be_entry_open( be, 0 ) != 0 ) {
136 fprintf( stderr, "%s: could not open database.\n",
142 id = be->be_dn2id_get( be, &e.e_nname );
144 fprintf( stderr, "%s: unable to fetch ID of DN \"%s\"\n",
145 progname, e.e_nname.bv_val );
149 if ( be->be_id2entry_get( be, id, &ep ) != 0 ) {
150 fprintf( stderr, "%s: unable to fetch entry \"%s\" (%lu)\n",
151 progname, e.e_nname.bv_val, id );
158 for ( ; argc--; argv++ ) {
160 AttributeDescription *desc = NULL;
162 struct berval val = BER_BVNULL,
165 char accessmaskbuf[ACCESSMASK_MAXLEN];
167 slap_access_t access = ACL_AUTH;
169 if ( attr == NULL ) {
173 val.bv_val = strchr( attr, ':' );
174 if ( val.bv_val != NULL ) {
175 val.bv_val[0] = '\0';
177 val.bv_len = strlen( val.bv_val );
181 accessstr = strchr( attr, '/' );
182 if ( accessstr != NULL ) {
185 access = str2access( accessstr );
186 if ( access == ACL_INVALID_ACCESS ) {
187 fprintf( stderr, "unknown access \"%s\" for attribute \"%s\"\n",
189 if ( continuemode ) {
196 rc = slap_str2ad( attr, &desc, &text );
197 if ( rc != LDAP_SUCCESS ) {
198 fprintf( stderr, "slap_str2ad(%s) failed %d (%s)\n",
199 attr, rc, ldap_err2string( rc ) );
200 if ( continuemode ) {
206 rc = access_allowed_mask( op, ep, desc, valp, access,
210 fprintf( stderr, "%s access to %s%s%s: %s\n",
212 desc->ad_cname.bv_val,
213 val.bv_val ? "=" : "",
214 val.bv_val ? val.bv_val : "",
215 rc ? "ALLOWED" : "DENIED" );
218 fprintf( stderr, "%s%s%s: %s\n",
219 desc->ad_cname.bv_val,
220 val.bv_val ? "=" : "",
221 val.bv_val ? val.bv_val : "",
222 accessmask2str( mask, accessmaskbuf, 1 ) );
229 ber_memfree( e.e_name.bv_val );
230 ber_memfree( e.e_nname.bv_val );
233 be_entry_release_r( op, ep );
235 be->be_entry_close( be );