+
+ if ( strcasecmp( argv[i], "*" ) == 0 ) {
+ pat = ch_strdup( "*" );
+
+ } else if ( strcasecmp( argv[i], "anonymous" ) == 0 ) {
+ pat = ch_strdup( "anonymous" );
+
+ } else if ( strcasecmp( argv[i], "self" ) == 0 ) {
+ pat = ch_strdup( "self" );
+
+ } else if ( strcasecmp( argv[i], "users" ) == 0 ) {
+ pat = ch_strdup( "users" );
+
+ } else if ( strcasecmp( left, "dn" ) == 0 ) {
+ if ( sty == ACL_STYLE_REGEX ) {
+ b->a_dn_style = ACL_STYLE_REGEX;
+ if( right == NULL ) {
+ /* no '=' */
+ pat = ch_strdup( "users" );
+
+ } else if (*right == '\0' ) {
+ /* dn="" */
+ pat = ch_strdup( "anonymous" );
+
+ } else if ( strcmp( right, "*" ) == 0 ) {
+ /* dn=* */
+ /* any or users? users for now */
+ pat = ch_strdup( "users" );
+
+ } else if ( strcmp( right, ".+" ) == 0
+ || strcmp( right, "^.+" ) == 0
+ || strcmp( right, ".+$" ) == 0
+ || strcmp( right, "^.+$" ) == 0
+ || strcmp( right, ".+$$" ) == 0
+ || strcmp( right, "^.+$$" ) == 0 )
+ {
+ pat = ch_strdup( "users" );
+
+ } else if ( strcmp( right, ".*" ) == 0
+ || strcmp( right, "^.*" ) == 0
+ || strcmp( right, ".*$" ) == 0
+ || strcmp( right, "^.*$" ) == 0
+ || strcmp( right, ".*$$" ) == 0
+ || strcmp( right, "^.*$$" ) == 0 )
+ {
+ pat = ch_strdup( "*" );
+
+ } else {
+ pat = acl_regex_normalized_dn( right );
+ regtest(fname, lineno, pat);
+ }
+ } else if ( right == NULL || *right == '\0' ) {
+ fprintf( stderr,
+ "%s: line %d: missing \"=\" in (or value after) \"%s\" in by clause\n",
+ fname, lineno, left );
+ acl_usage();
+
+ } else {
+ pat = ch_strdup( right );
+ }
+
+ } else {
+ pat = NULL;
+ }
+
+ if( pat != NULL ) {
+ if( b->a_dn_pat != NULL ) {
+ fprintf( stderr,
+ "%s: line %d: dn pattern already specified.\n",
+ fname, lineno );
+ acl_usage();
+ }
+
+ b->a_dn_pat = pat;
+ b->a_dn_style = sty;
+ if ( sty != ACL_STYLE_REGEX )
+ dn_normalize(pat);
+ continue;
+ }
+
+ if ( strcasecmp( left, "dnattr" ) == 0 ) {
+ if ( right == NULL || right[ 0 ] == '\0' ) {
+ fprintf( stderr,
+ "%s: line %d: missing \"=\" in (or value after) \"%s\" in by clause\n",
+ fname, lineno, left );
+ acl_usage();
+ }
+
+ if( b->a_dn_at != NULL ) {
+ fprintf( stderr,
+ "%s: line %d: dnattr already specified.\n",
+ fname, lineno );
+ acl_usage();
+ }
+
+ rc = slap_str2ad( right, &b->a_dn_at, &text );
+
+ if( rc != LDAP_SUCCESS ) {
+ fprintf( stderr,
+ "%s: line %d: dnattr \"%s\": %s\n",
+ fname, lineno, right, text );
+ acl_usage();
+ }
+
+
+ if( !is_at_syntax( b->a_dn_at->ad_type,
+ SLAPD_DN_SYNTAX ) &&
+ !is_at_syntax( b->a_dn_at->ad_type,
+ SLAPD_NAMEUID_SYNTAX ))
+ {
+ fprintf( stderr,
+ "%s: line %d: dnattr \"%s\": "
+ "inappropriate syntax: %s\n",
+ fname, lineno, right,
+ b->a_dn_at->ad_type->sat_syntax_oid );
+ acl_usage();
+ }
+
+ continue;
+ }
+
+ if (sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE) {
+ fprintf( stderr,
+ "%s: line %d: inappropriate style \"%s\" in by clause\n",
+ fname, lineno, style );
+ acl_usage();
+ }
+
+ if ( strncasecmp( left, "group", sizeof("group")-1 ) == 0 ) {
+ char *name = NULL;
+ char *value = NULL;
+
+ if ( right == NULL || right[ 0 ] == '\0' ) {
+ fprintf( stderr,
+ "%s: line %d: missing \"=\" in (or value after) \"%s\" in by clause\n",
+ fname, lineno, left );
+ acl_usage();
+ }
+
+ if( b->a_group_pat != NULL ) {
+ fprintf( stderr,
+ "%s: line %d: group pattern already specified.\n",
+ fname, lineno );
+ acl_usage();
+ }
+
+ /* format of string is "group/objectClassValue/groupAttrName" */
+ if ((value = strchr(left, '/')) != NULL) {
+ *value++ = '\0';
+ if (*value
+ && (name = strchr(value, '/')) != NULL)
+ {
+ *name++ = '\0';
+ }
+ }
+
+ b->a_group_style = sty;
+ if (sty == ACL_STYLE_REGEX) {
+ char *tmp = acl_regex_normalized_dn( right );
+ regtest(fname, lineno, tmp);
+ b->a_group_pat = tmp;
+ } else {
+ b->a_group_pat = ch_strdup( right );
+ dn_normalize(b->a_group_pat);
+ }
+
+ if (value && *value) {
+ b->a_group_oc = oc_find( value );
+ *--value = '/';
+
+ if( b->a_group_oc == NULL ) {
+ fprintf( stderr,
+ "%s: line %d: group objectclass "
+ "\"%s\" unknown\n",
+ fname, lineno, value );
+ acl_usage();
+ }
+ } else {
+ b->a_group_oc = oc_find(SLAPD_GROUP_CLASS);
+
+ if( b->a_group_oc == NULL ) {
+ fprintf( stderr,
+ "%s: line %d: group default objectclass "
+ "\"%s\" unknown\n",
+ fname, lineno, SLAPD_GROUP_CLASS );
+ acl_usage();
+ }
+ }
+
+ if( is_object_subclass( b->a_group_oc,
+ slap_schema.si_oc_referral ) )
+ {
+ fprintf( stderr,
+ "%s: line %d: group objectclass \"%s\" "
+ "is subclass of referral\n",
+ fname, lineno, value );
+ acl_usage();
+ }
+
+ if( is_object_subclass( b->a_group_oc,
+ slap_schema.si_oc_alias ) )
+ {
+ fprintf( stderr,
+ "%s: line %d: group objectclass \"%s\" "
+ "is subclass of alias\n",
+ fname, lineno, value );
+ acl_usage();
+ }
+
+ if (name && *name) {
+ rc = slap_str2ad( name, &b->a_group_at, &text );
+
+ if( rc != LDAP_SUCCESS ) {
+ fprintf( stderr,
+ "%s: line %d: group \"%s\": %s\n",
+ fname, lineno, right, text );
+ acl_usage();
+ }
+ *--name = '/';
+ } else {
+ rc = slap_str2ad( SLAPD_GROUP_ATTR, &b->a_group_at, &text );
+
+ if( rc != LDAP_SUCCESS ) {
+ fprintf( stderr,
+ "%s: line %d: group \"%s\": %s\n",
+ fname, lineno, SLAPD_GROUP_ATTR, text );
+ acl_usage();
+ }
+ }
+
+ if( !is_at_syntax( b->a_group_at->ad_type,
+ SLAPD_DN_SYNTAX ) &&
+ !is_at_syntax( b->a_group_at->ad_type,
+ SLAPD_NAMEUID_SYNTAX ) )
+ {
+ fprintf( stderr,
+ "%s: line %d: group \"%s\": inappropriate syntax: %s\n",
+ fname, lineno, right,
+ b->a_group_at->ad_type->sat_syntax_oid );
+ acl_usage();
+ }
+
+
+ {
+ int rc;
+ struct berval val;
+ struct berval *vals[2];
+
+ val.bv_val = b->a_group_oc->soc_oid;
+ val.bv_len = strlen(val.bv_val);
+ vals[0] = &val;
+ vals[1] = NULL;
+
+
+ rc = oc_check_allowed( b->a_group_at->ad_type, vals );
+
+ if( rc != 0 ) {
+ fprintf( stderr,
+ "%s: line %d: group: \"%s\" not allowed by \"%s\"\n",
+ fname, lineno,
+ b->a_group_at->ad_cname.bv_val,
+ b->a_group_oc->soc_oid );
+ acl_usage();
+ }
+ }
+ continue;
+ }
+
+ if ( strcasecmp( left, "peername" ) == 0 ) {
+ if ( right == NULL || right[ 0 ] == '\0' ) {
+ fprintf( stderr,
+ "%s: line %d: missing \"=\" in (or value after) \"%s\" in by clause\n",
+ fname, lineno, left );
+ acl_usage();
+ }
+
+ if( b->a_peername_pat != NULL ) {
+ fprintf( stderr,
+ "%s: line %d: peername pattern already specified.\n",
+ fname, lineno );
+ acl_usage();
+ }
+
+ b->a_peername_style = sty;
+ if (sty == ACL_STYLE_REGEX) {
+ char *tmp = acl_regex_normalized_dn( right );
+ regtest(fname, lineno, tmp);
+ b->a_peername_pat = tmp;
+ } else {
+ b->a_peername_pat = ch_strdup( right );
+ }
+ continue;
+ }
+
+ if ( strcasecmp( left, "sockname" ) == 0 ) {
+ if ( right == NULL || right[ 0 ] == '\0' ) {
+ fprintf( stderr,
+ "%s: line %d: missing \"=\" in (or value after) \"%s\" in by clause\n",
+ fname, lineno, left );
+ acl_usage();
+ }
+
+ if( b->a_sockname_pat != NULL ) {
+ fprintf( stderr,
+ "%s: line %d: sockname pattern already specified.\n",
+ fname, lineno );
+ acl_usage();
+ }
+
+ b->a_sockname_style = sty;
+ if (sty == ACL_STYLE_REGEX) {
+ char *tmp = acl_regex_normalized_dn( right );
+ regtest(fname, lineno, tmp);
+ b->a_sockname_pat = tmp;
+ } else {
+ b->a_sockname_pat = ch_strdup( right );
+ }
+ continue;
+ }
+
+ if ( strcasecmp( left, "domain" ) == 0 ) {
+ if ( right == NULL || right[ 0 ] == '\0' ) {
+ fprintf( stderr,
+ "%s: line %d: missing \"=\" in (or value after) \"%s\" in by clause\n",
+ fname, lineno, left );
+ acl_usage();
+ }
+
+ if( b->a_domain_pat != NULL ) {
+ fprintf( stderr,
+ "%s: line %d: domain pattern already specified.\n",
+ fname, lineno );
+ acl_usage();
+ }
+
+ b->a_domain_style = sty;
+ if (sty == ACL_STYLE_REGEX) {
+ char *tmp = acl_regex_normalized_dn( right );
+ regtest(fname, lineno, tmp);
+ b->a_domain_pat = tmp;
+ } else {
+ b->a_domain_pat = ch_strdup( right );
+ }
+ continue;
+ }
+
+ if ( strcasecmp( left, "sockurl" ) == 0 ) {
+ if ( right == NULL || right[ 0 ] == '\0' ) {
+ fprintf( stderr,
+ "%s: line %d: missing \"=\" in (or value after) \"%s\" in by clause\n",
+ fname, lineno, left );
+ acl_usage();
+ }
+
+ if( b->a_sockurl_pat != NULL ) {
+ fprintf( stderr,
+ "%s: line %d: sockurl pattern already specified.\n",
+ fname, lineno );
+ acl_usage();
+ }
+
+ b->a_sockurl_style = sty;
+ if (sty == ACL_STYLE_REGEX) {
+ char *tmp = acl_regex_normalized_dn( right );
+ regtest(fname, lineno, tmp);
+ b->a_sockurl_pat = tmp;
+ } else {
+ b->a_sockurl_pat = ch_strdup( right );
+ }
+ continue;
+ }
+
+ if ( strcasecmp( left, "set" ) == 0 ) {
+ if( b->a_set_pat != NULL ) {
+ fprintf( stderr,
+ "%s: line %d: set attribute already specified.\n",
+ fname, lineno );
+ acl_usage();
+ }
+
+ if ( right == NULL || *right == '\0' ) {
+ fprintf( stderr,
+ "%s: line %d: no set is defined\n",
+ fname, lineno );
+ acl_usage();
+ }
+
+ b->a_set_style = sty;
+ b->a_set_pat = ch_strdup(right);
+
+ continue;
+ }
+
+#ifdef SLAPD_ACI_ENABLED
+ if ( strcasecmp( left, "aci" ) == 0 ) {
+ if( b->a_aci_at != NULL ) {
+ fprintf( stderr,
+ "%s: line %d: aci attribute already specified.\n",
+ fname, lineno );
+ acl_usage();
+ }
+
+ if ( right != NULL && *right != '\0' ) {
+ rc = slap_str2ad( right, &b->a_aci_at, &text );
+
+ if( rc != LDAP_SUCCESS ) {
+ fprintf( stderr,
+ "%s: line %d: aci \"%s\": %s\n",
+ fname, lineno, right, text );
+ acl_usage();
+ }
+
+ } else {
+ rc = slap_str2ad( SLAPD_ACI_ATTR, &b->a_aci_at, &text );
+
+ if( rc != LDAP_SUCCESS ) {
+ fprintf( stderr,
+ "%s: line %d: aci \"%s\": %s\n",
+ fname, lineno, SLAPD_ACI_ATTR, text );
+ acl_usage();
+ }
+ }
+
+ if( !is_at_syntax( b->a_aci_at->ad_type,
+ SLAPD_ACI_SYNTAX) )
+ {
+ fprintf( stderr,
+ "%s: line %d: aci \"%s\": inappropriate syntax: %s\n",
+ fname, lineno, right,
+ b->a_aci_at->ad_type->sat_syntax_oid );
+ acl_usage();
+ }
+
+ continue;
+ }
+#endif /* SLAPD_ACI_ENABLED */
+
+ if ( strcasecmp( left, "ssf" ) == 0 ) {
+ if( b->a_authz.sai_ssf ) {
+ fprintf( stderr,
+ "%s: line %d: ssf attribute already specified.\n",
+ fname, lineno );
+ acl_usage();
+ }
+
+ if ( right == NULL || *right == '\0' ) {
+ fprintf( stderr,
+ "%s: line %d: no ssf is defined\n",
+ fname, lineno );
+ acl_usage();
+ }
+
+ b->a_authz.sai_ssf = atoi( right );
+
+ if( !b->a_authz.sai_ssf ) {
+ fprintf( stderr,
+ "%s: line %d: invalid ssf value (%s)\n",
+ fname, lineno, right );
+ acl_usage();
+ }
+ continue;
+ }
+
+ if ( strcasecmp( left, "transport_ssf" ) == 0 ) {
+ if( b->a_authz.sai_transport_ssf ) {
+ fprintf( stderr,
+ "%s: line %d: transport_ssf attribute already specified.\n",
+ fname, lineno );
+ acl_usage();
+ }
+
+ if ( right == NULL || *right == '\0' ) {
+ fprintf( stderr,
+ "%s: line %d: no transport_ssf is defined\n",
+ fname, lineno );
+ acl_usage();
+ }
+
+ b->a_authz.sai_transport_ssf = atoi( right );
+
+ if( !b->a_authz.sai_transport_ssf ) {
+ fprintf( stderr,
+ "%s: line %d: invalid transport_ssf value (%s)\n",
+ fname, lineno, right );
+ acl_usage();
+ }
+ continue;
+ }
+
+ if ( strcasecmp( left, "tls_ssf" ) == 0 ) {
+ if( b->a_authz.sai_tls_ssf ) {
+ fprintf( stderr,
+ "%s: line %d: tls_ssf attribute already specified.\n",
+ fname, lineno );
+ acl_usage();
+ }
+
+ if ( right == NULL || *right == '\0' ) {
+ fprintf( stderr,
+ "%s: line %d: no tls_ssf is defined\n",
+ fname, lineno );
+ acl_usage();
+ }
+
+ b->a_authz.sai_tls_ssf = atoi( right );
+
+ if( !b->a_authz.sai_tls_ssf ) {
+ fprintf( stderr,
+ "%s: line %d: invalid tls_ssf value (%s)\n",
+ fname, lineno, right );
+ acl_usage();
+ }
+ continue;
+ }
+
+ if ( strcasecmp( left, "sasl_ssf" ) == 0 ) {
+ if( b->a_authz.sai_sasl_ssf ) {
+ fprintf( stderr,
+ "%s: line %d: sasl_ssf attribute already specified.\n",
+ fname, lineno );
+ acl_usage();
+ }
+
+ if ( right == NULL || *right == '\0' ) {
+ fprintf( stderr,
+ "%s: line %d: no sasl_ssf is defined\n",
+ fname, lineno );
+ acl_usage();
+ }
+
+ b->a_authz.sai_sasl_ssf = atoi( right );
+
+ if( !b->a_authz.sai_sasl_ssf ) {
+ fprintf( stderr,
+ "%s: line %d: invalid sasl_ssf value (%s)\n",
+ fname, lineno, right );
+ acl_usage();
+ }
+ continue;
+ }
+
+ if( right != NULL ) {
+ /* unsplit */
+ right[-1] = '=';
+ }
+ break;