/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
- * Copyright 1998-2007 The OpenLDAP Foundation.
+ * Copyright 1998-2011 The OpenLDAP Foundation.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
ACL_INIT(mask);
for ( i = 1; acl_get_part( list, i + 1, ';', &bv ) >= 0; i += 2 ) {
if ( aci_list_has_attr( &bv, attr, val ) == 0 ) {
- Debug( LDAP_DEBUG_ACL, " <= aci_list_get_attr_rights test %s for %s -> failed\n", bv.bv_val, attr->bv_val, 0 );
+ Debug( LDAP_DEBUG_ACL,
+ " <= aci_list_get_attr_rights "
+ "test %s for %s -> failed\n",
+ bv.bv_val, attr->bv_val, 0 );
continue;
}
- Debug( LDAP_DEBUG_ACL, " <= aci_list_get_attr_rights test %s for %s -> ok\n", bv.bv_val, attr->bv_val, 0 );
+
+ Debug( LDAP_DEBUG_ACL,
+ " <= aci_list_get_attr_rights "
+ "test %s for %s -> ok\n",
+ bv.bv_val, attr->bv_val, 0 );
if ( acl_get_part( list, i, ';', &bv ) < 0 ) {
- Debug( LDAP_DEBUG_ACL, " <= aci_list_get_attr_rights test no rightsk\n", 0, 0, 0 );
+ Debug( LDAP_DEBUG_ACL,
+ " <= aci_list_get_attr_rights "
+ "test no rights\n",
+ 0, 0, 0 );
continue;
}
mask |= aci_list_map_rights( &bv );
- Debug( LDAP_DEBUG_ACL, " <= aci_list_get_attr_rights rights %s to mask 0x%x\n", bv.bv_val, mask, 0 );
+ Debug( LDAP_DEBUG_ACL,
+ " <= aci_list_get_attr_rights "
+ "rights %s to mask 0x%x\n",
+ bv.bv_val, mask, 0 );
}
return mask;
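Review bot: The reflowed Debug call ending at L38 still pairs `0x%x` with `mask`, and since `mask` is initialised with ACL_INIT it is presumably a slap_mask_t; if that type is wider than unsigned int on the target platform, the conversion does not match the argument and the printed value is not reliable. A cast keeps it portable regardless of the typedef: `"rights %s to mask 0x%lx\n", bv.bv_val, (unsigned long)mask, 0 );`. The enclosing function begins before this hunk and its closing brace lies after `return mask;`.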
continue;
}
- found = 1;
*mask |= aci_list_get_attr_rights( &perm, attr, val );
*mask |= aci_list_get_attr_rights( &perm, &aci_bv[ ACI_BV_BR_ALL ], NULL );
+
+ if ( *mask != ACL_PRIV_NONE ) {
+ found = 1;
+ }
}
return found;
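Review bot: The new guard at L47 tests the accumulated `*mask`, not what the current iteration contributed, so once any earlier clause granted a right every later matching clause also sets `found`; because `*mask` only grows through `|=` this collapses to the single flag "some right was granted", which looks intended but is not stated anywhere. A comment above the `if`, `/* report a match only if some right was actually granted; mask accumulates across clauses */`, would record that, and also make explicit that a matching clause with an empty rights list no longer counts as found. The enclosing function's head and closing brace are outside the hunk.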
if ( grp_oc != NULL && grp_ad != NULL ) {
char buf[ ACI_BUF_SIZE ];
struct berval bv, ndn;
+ AclRegexMatches amatches = { 0 };
+
+ amatches.dn_count = nmatch;
+ AC_MEMCPY( amatches.dn_data, matches, sizeof( amatches.dn_data ) );
bv.bv_len = sizeof( buf ) - 1;
bv.bv_val = (char *)&buf;
if ( acl_string_expand( &bv, &subjdn,
- e->e_ndn, nmatch, matches ) )
+ &e->e_nname, NULL, &amatches ) )
{
rc = LDAP_OTHER;
goto done;
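Review bot: `AC_MEMCPY( amatches.dn_data, matches, sizeof( amatches.dn_data ) )` at L58 reads the full capacity of `dn_data` from the caller's `matches` array irrespective of `nmatch`, so it is only safe if every caller passes an array at least that large, which this hunk cannot show. Tying the copy to the count that is actually passed removes the assumption: `assert( nmatch <= sizeof( amatches.dn_data ) / sizeof( amatches.dn_data[ 0 ] ) );` followed by `AC_MEMCPY( amatches.dn_data, matches, nmatch * sizeof( matches[ 0 ] ) );`. The function containing this block starts before the hunk and the `done:` label it jumps to is outside it.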
opts,
sdn;
int rc;
-
+
+ ACL_INIT( *grant );
+ ACL_INIT( *deny );
assert( !BER_BVISNULL( &desc->ad_cname ) );
This routine now supports scope={ENTRY,CHILDREN}
with the semantics:
- ENTRY applies to "entry" and "subtree";
- - CHILDREN aplies to "children" and "subtree"
+ - CHILDREN applies to "children" and "subtree"
*/
/* check that the aci has all 5 components */
at != NULL;
at = attrs_find( at->a_next, ad ) )
{
- if ( value_find_ex( ad,
+ if ( attr_valfind( at,
SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH |
SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH,
- at->a_nvals,
- &op->o_ndn, op->o_tmpmemctx ) == 0 )
+ &op->o_ndn, NULL, op->o_tmpmemctx ) == 0 )
{
rc = 1;
break;
static slap_syntax_defs_rec aci_syntax_def = {
"( 1.3.6.1.4.1.4203.666.2.1 DESC 'OpenLDAP Experimental ACI' )",
SLAP_SYNTAX_HIDE,
+ NULL,
OpenLDAPaciValidate,
OpenLDAPaciPretty
};
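Review bot: The `NULL` inserted at L98 into the positional initialiser of `aci_syntax_def` only makes sense to a reader who knows the member order of slap_syntax_defs_rec, and a future field insertion would silently shift every entry below it. A trailing comment naming the member being zeroed, `NULL, /* <member name> */`, or a designated initialiser (`.<member name> = NULL`) if the file's C dialect permits it, makes the record self-describing.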
* action := perms;attrs[[;perms;attrs]...]
* perms := perm[[,perm]...]
* perm := c|s|r|w|x
- * attrs := attribute[[,attribute]..]|[all]
+ * attrs := attribute[[,attribute]..]|"[all]"
* attribute := attributeType|attributeType=attributeValue|attributeType=attributeValuePrefix*
* type := public|users|self|dnattr|group|role|set|set-ref|
* access_id|subtree|onelevel|children
OpenLDAPaciValidatePerms(
struct berval *perms )
{
- int i;
+ ber_len_t i;
for ( i = 0; i < perms->bv_len; ) {
switch ( perms->bv_val[ i ] ) {
freetype = 0;
char *ptr;
+ BER_BVZERO( out );
+
if ( BER_BVISEMPTY( val ) ) {
Debug( LDAP_DEBUG_ACL, "aciPrettyNormal: value is empty\n", 0, 0, 0 );
return LDAP_INVALID_SYNTAX;
}
nsubject = ad->ad_cname;
+
+ } else if ( OpenLDAPacitypes[ idx ] == &aci_bv[ ACI_BV_SET ]
+ || OpenLDAPacitypes[ idx ] == &aci_bv[ ACI_BV_SET_REF ] )
+ {
+ /* NOTE: dunno how to normalize it... */
+ nsubject = subject;
}