+ } else if ( strncasecmp( left, "val", 3 ) == 0 ) {
+ char *mr;
+
+ if ( !BER_BVISEMPTY( &a->acl_attrval ) ) {
+ Debug( LDAP_DEBUG_ANY,
+ "%s: line %d: attr val already specified in to clause.\n",
+ fname, lineno, 0 );
+ acl_usage();
+ }
+ if ( a->acl_attrs == NULL || !BER_BVISEMPTY( &a->acl_attrs[1].an_name ) )
+ {
+ Debug( LDAP_DEBUG_ANY,
+ "%s: line %d: attr val requires a single attribute.\n",
+ fname, lineno, 0 );
+ acl_usage();
+ }
+
+ ber_str2bv( right, 0, 1, &a->acl_attrval );
+ a->acl_attrval_style = ACL_STYLE_BASE;
+
+ mr = strchr( left, '/' );
+ if ( mr != NULL ) {
+ mr[ 0 ] = '\0';
+ mr++;
+
+ a->acl_attrval_mr = mr_find( mr );
+ if ( a->acl_attrval_mr == NULL ) {
+ Debug( LDAP_DEBUG_ANY, "%s: line %d: "
+ "invalid matching rule \"%s\".\n",
+ fname, lineno, mr );
+ acl_usage();
+ }
+
+ if( !mr_usable_with_at( a->acl_attrval_mr, a->acl_attrs[ 0 ].an_desc->ad_type ) )
+ {
+ char buf[ SLAP_TEXT_BUFLEN ];
+
+ snprintf( buf, sizeof( buf ),
+ "matching rule \"%s\" use "
+ "with attr \"%s\" not appropriate.",
+ mr, a->acl_attrs[ 0 ].an_name.bv_val );
+
+
+ Debug( LDAP_DEBUG_ANY, "%s: line %d: %s\n",
+ fname, lineno, buf );
+ acl_usage();
+ }
+ }
+
+ if ( style != NULL ) {
+ if ( strcasecmp( style, "regex" ) == 0 ) {
+ int e = regcomp( &a->acl_attrval_re, a->acl_attrval.bv_val,
+ REG_EXTENDED | REG_ICASE | REG_NOSUB );
+ if ( e ) {
+ char err[SLAP_TEXT_BUFLEN],
+ buf[ SLAP_TEXT_BUFLEN ];
+
+ regerror( e, &a->acl_attrval_re, err, sizeof( err ) );
+
+ snprintf( buf, sizeof( buf ),
+ "regular expression \"%s\" bad because of %s",
+ right, err );
+
+ Debug( LDAP_DEBUG_ANY, "%s: line %d: %s\n",
+ fname, lineno, buf );
+ acl_usage();
+ }
+ a->acl_attrval_style = ACL_STYLE_REGEX;
+
+ } else {
+ /* FIXME: if the attribute has DN syntax, we might
+ * allow one, subtree and children styles as well */
+ if ( !strcasecmp( style, "base" ) ||
+ !strcasecmp( style, "exact" ) ) {
+ a->acl_attrval_style = ACL_STYLE_BASE;
+
+ } else if ( a->acl_attrs[0].an_desc->ad_type->
+ sat_syntax == slap_schema.si_syn_distinguishedName )
+ {
+ struct berval bv;
+
+ if ( !strcasecmp( style, "baseObject" ) ||
+ !strcasecmp( style, "base" ) )
+ {
+ a->acl_attrval_style = ACL_STYLE_BASE;
+ } else if ( !strcasecmp( style, "onelevel" ) ||
+ !strcasecmp( style, "one" ) )
+ {
+ a->acl_attrval_style = ACL_STYLE_ONE;
+ } else if ( !strcasecmp( style, "subtree" ) ||
+ !strcasecmp( style, "sub" ) )
+ {
+ a->acl_attrval_style = ACL_STYLE_SUBTREE;
+ } else if ( !strcasecmp( style, "children" ) ) {
+ a->acl_attrval_style = ACL_STYLE_CHILDREN;
+ } else {
+ char buf[ SLAP_TEXT_BUFLEN ];
+
+ /* FIXME: should be an error */
+
+ snprintf( buf, sizeof( buf ),
+ "unknown val.<style> \"%s\" "
+ "for attributeType \"%s\" with DN syntax; "
+ "using \"base\""
+ SLAPD_CONF_UNKNOWN_IGNORED ".",
+ style,
+ a->acl_attrs[0].an_desc->ad_cname.bv_val );
+
+ Debug( LDAP_DEBUG_CONFIG | LDAP_DEBUG_ACL,
+ "%s: line %d: %s\n",
+ fname, lineno, buf );
+#ifdef SLAPD_CONF_UNKNOWN_BAILOUT
+ acl_usage();
+#endif /* SLAPD_CONF_UNKNOWN_BAILOUT */
+ a->acl_attrval_style = ACL_STYLE_BASE;
+ }
+
+ bv = a->acl_attrval;
+ rc = dnNormalize( 0, NULL, NULL, &bv, &a->acl_attrval, NULL );
+ if ( rc != LDAP_SUCCESS ) {
+ char buf[ SLAP_TEXT_BUFLEN ];
+
+ snprintf( buf, sizeof( buf ),
+ "unable to normalize DN \"%s\" "
+ "for attributeType \"%s\" (%d).",
+ bv.bv_val,
+ a->acl_attrs[0].an_desc->ad_cname.bv_val,
+ rc );
+ Debug( LDAP_DEBUG_ANY,
+ "%s: line %d: %s\n",
+ fname, lineno, buf );
+ acl_usage();
+ }
+ ber_memfree( bv.bv_val );
+
+ } else {
+ char buf[ SLAP_TEXT_BUFLEN ];
+
+ /* FIXME: should be an error */
+
+ snprintf( buf, sizeof( buf ),
+ "unknown val.<style> \"%s\" "
+ "for attributeType \"%s\"; using \"exact\""
+ SLAPD_CONF_UNKNOWN_IGNORED ".",
+ style, a->acl_attrs[0].an_desc->ad_cname.bv_val );
+ Debug( LDAP_DEBUG_CONFIG | LDAP_DEBUG_ACL,
+ "%s: line %d: %s\n",
+ fname, lineno, buf );
+#ifdef SLAPD_CONF_UNKNOWN_BAILOUT
+ acl_usage();
+#endif /* SLAPD_CONF_UNKNOWN_BAILOUT */
+ a->acl_attrval_style = ACL_STYLE_BASE;
+ }
+ }
+ }
+
+ /* Check for appropriate matching rule */
+ if ( a->acl_attrval_style != ACL_STYLE_REGEX ) {
+ if ( a->acl_attrval_mr == NULL ) {
+ a->acl_attrval_mr = a->acl_attrs[ 0 ].an_desc->ad_type->sat_equality;
+ }
+
+ if ( a->acl_attrval_mr == NULL ) {
+ Debug( LDAP_DEBUG_ANY, "%s: line %d: "
+ "attr \"%s\" must have an EQUALITY matching rule.\n",
+ fname, lineno, a->acl_attrs[ 0 ].an_name.bv_val );
+ acl_usage();
+ }
+ }
+