+#ifdef LDAP_DEBUG
+ char accessmaskbuf[ACCESSMASK_MAXLEN];
+#endif
+ slap_mask_t mask;
+ slap_control_t control;
+ slap_access_t access_level;
+ const char *attr;
+ regmatch_t matches[MAXREMATCHES];
+ int st_same_attr = 0;
+ static AccessControlState state_init = ACL_STATE_INIT;
+
+ assert( e != NULL );
+ assert( desc != NULL );
+
+ access_level = ACL_LEVEL( access );
+
+ assert( access_level > ACL_NONE );
+ if ( maskp ) ACL_INVALIDATE( *maskp );
+
+ attr = desc->ad_cname.bv_val;
+
+ assert( attr != NULL );
+
+ if ( op ) {
+ if ( op->o_is_auth_check &&
+ ( access_level == ACL_SEARCH || access_level == ACL_READ ) )
+ {
+ access = ACL_AUTH;
+
+ } else if ( get_manageDIT( op ) && access_level == ACL_WRITE &&
+ desc == slap_schema.si_ad_entry )
+ {
+ access = ACL_MANAGE;
+ }
+ }
+
+ if ( state ) {
+ if ( state->as_vd_ad == desc ) {
+ if ( state->as_recorded ) {
+ if ( ( state->as_recorded & ACL_STATE_RECORDED_NV ) &&
+ val == NULL )
+ {
+ return state->as_result;
+
+ } else if ( ( state->as_recorded & ACL_STATE_RECORDED_VD ) &&
+ val != NULL && state->as_vd_acl == NULL )
+ {
+ return state->as_result;
+ }
+ }
+ st_same_attr = 1;
+ } else {
+ *state = state_init;
+ }
+
+ state->as_vd_ad=desc;
+ }
+
+ Debug( LDAP_DEBUG_ACL,
+ "=> access_allowed: %s access to \"%s\" \"%s\" requested\n",
+ access2str( access ), e->e_dn, attr );
+
+ if ( op == NULL ) {
+ /* no-op call */
+ goto done;
+ }
+
+ be = op->o_bd;
+ if ( be == NULL ) {
+ be = LDAP_STAILQ_FIRST(&backendDB);
+ be_null = 1;
+#ifdef LDAP_DEVEL
+ /*
+ * FIXME: experimental; use first backend rules
+ * iff there is no global_acl (ITS#3100) */
+ if ( frontendDB->be_acl == NULL )
+#endif
+ {
+ op->o_bd = be;
+ }
+ }
+ assert( be != NULL );
+
+ /* grant database root access */
+ if ( be_isroot( op ) ) {
+ Debug( LDAP_DEBUG_ACL, "<= root access granted\n", 0, 0, 0 );
+ if ( maskp ) {
+ mask = ACL_LVL_MANAGE;
+ }
+
+ goto done;
+ }
+
+ /*
+ * no-user-modification operational attributes are ignored
+ * by ACL_WRITE checking as any found here are not provided
+ * by the user
+ *
+ * NOTE: but they are not ignored for ACL_MANAGE, because
+ * if we get here it means a non-root user is trying to
+ * manage data, so we need to check its privileges.
+ */
+ if ( access_level == ACL_WRITE && is_at_no_user_mod( desc->ad_type )
+ && desc != slap_schema.si_ad_entry
+ && desc != slap_schema.si_ad_children )
+ {
+ Debug( LDAP_DEBUG_ACL, "NoUserMod Operational attribute:"
+ " %s access granted\n",
+ attr, 0, 0 );
+ goto done;
+ }
+
+ /* use backend default access if no backend acls */
+ if ( be->be_acl == NULL ) {
+ Debug( LDAP_DEBUG_ACL,
+ "=> access_allowed: backend default %s "
+ "access %s to \"%s\"\n",
+ access2str( access ),
+ be->be_dfltaccess >= access_level ? "granted" : "denied",
+ op->o_dn.bv_val ? op->o_dn.bv_val : "(anonymous)" );
+ ret = be->be_dfltaccess >= access_level;
+
+ if ( maskp ) {
+ int i;
+
+ mask = ACL_PRIV_LEVEL;
+ for ( i = ACL_NONE; i <= be->be_dfltaccess; i++ ) {
+ mask |= ACL_ACCESS2PRIV( i );
+ }
+ }
+
+ goto done;
+
+#ifdef notdef
+ /* be is always non-NULL */
+ /* use global default access if no global acls */
+ } else if ( be == NULL && frontendDB->be_acl == NULL ) {
+ Debug( LDAP_DEBUG_ACL,
+ "=> access_allowed: global default %s access %s to \"%s\"\n",
+ access2str( access ),
+ frontendDB->be_dfltaccess >= access_level ?
+ "granted" : "denied", op->o_dn.bv_val );
+ ret = frontendDB->be_dfltaccess >= access_level;
+
+ if ( maskp ) {
+ int i;
+
+ mask = ACL_PRIV_LEVEL;
+ for ( i = ACL_NONE; i <= global_default_access; i++ ) {
+ mask |= ACL_ACCESS2PRIV( i );
+ }
+ }
+
+ goto done;
+#endif
+ }
+
+ ret = 0;
+ control = ACL_BREAK;
+
+ if ( st_same_attr ) {
+ assert( state->as_vd_acl != NULL );
+
+ a = state->as_vd_acl;
+ count = state->as_vd_acl_count;
+ if ( !ACL_IS_INVALID( state->as_vd_acl_mask ) ) {
+ mask = state->as_vd_acl_mask;
+ AC_MEMCPY( matches, state->as_vd_acl_matches, sizeof(matches) );
+ goto vd_access;
+ }
+
+ } else {
+ if ( state ) state->as_vi_acl = NULL;
+ a = NULL;
+ ACL_INIT(mask);
+ count = 0;
+ memset( matches, '\0', sizeof(matches) );
+ }
+
+ while ( ( a = slap_acl_get( a, &count, op, e, desc, val,
+ MAXREMATCHES, matches, state ) ) != NULL )
+ {
+ int i;
+
+ for ( i = 0; i < MAXREMATCHES && matches[i].rm_so > 0; i++ ) {
+ Debug( LDAP_DEBUG_ACL, "=> match[%d]: %d %d ", i,
+ (int)matches[i].rm_so, (int)matches[i].rm_eo );
+ if ( matches[i].rm_so <= matches[0].rm_eo ) {
+ int n;
+ for ( n = matches[i].rm_so; n < matches[i].rm_eo; n++ ) {
+ Debug( LDAP_DEBUG_ACL, "%c", e->e_ndn[n], 0, 0 );
+ }
+ }
+ Debug( LDAP_DEBUG_ARGS, "\n", 0, 0, 0 );
+ }
+
+ if ( state ) {
+ if ( state->as_vi_acl == a &&
+ ( state->as_recorded & ACL_STATE_RECORDED_NV ) )
+ {
+ Debug( LDAP_DEBUG_ACL,
+ "access_allowed: result from state (%s)\n",
+ attr, 0, 0 );
+ ret = state->as_result;
+ goto done;
+ } else {
+ Debug( LDAP_DEBUG_ACL,
+ "access_allowed: no res from state (%s)\n",
+ attr, 0, 0 );
+ }
+ }
+
+vd_access:
+ control = slap_acl_mask( a, &mask, op,
+ e, desc, val, MAXREMATCHES, matches, count, state );
+
+ if ( control != ACL_BREAK ) {
+ break;
+ }
+
+ memset( matches, '\0', sizeof(matches) );
+ }
+
+ if ( ACL_IS_INVALID( mask ) ) {
+ Debug( LDAP_DEBUG_ACL,
+ "=> access_allowed: \"%s\" (%s) invalid!\n",
+ e->e_dn, attr, 0 );
+ ACL_INIT(mask);
+
+ } else if ( control == ACL_BREAK ) {
+ Debug( LDAP_DEBUG_ACL,
+ "=> access_allowed: no more rules\n", 0, 0, 0 );
+
+ goto done;
+ }
+
+ Debug( LDAP_DEBUG_ACL,
+ "=> access_allowed: %s access %s by %s\n",
+ access2str( access ),
+ ACL_GRANT(mask, access) ? "granted" : "denied",
+ accessmask2str( mask, accessmaskbuf, 1 ) );
+
+ ret = ACL_GRANT(mask, access);
+
+done:
+ if ( state != NULL ) {
+ /* If not value-dependent, save ACL in case of more attrs */
+ if ( !( state->as_recorded & ACL_STATE_RECORDED_VD ) ) {
+ state->as_vi_acl = a;
+ state->as_result = ret;
+ }
+ state->as_recorded |= ACL_STATE_RECORDED;
+ }
+ if ( be_null ) op->o_bd = NULL;
+ if ( maskp ) *maskp = mask;
+ return ret;
+}
+
+#endif /* SLAP_OVERLAY_ACCESS */
+
+/*
+ * slap_acl_get - return the acl applicable to entry e, attribute
+ * attr. the acl returned is suitable for use in subsequent calls to
+ * acl_access_allowed().
+ */
+
+static AccessControl *
+slap_acl_get(
+ AccessControl *a,
+ int *count,