)
{
int rc;
- struct acl *a;
+ AccessControl *a;
char *edn;
regmatch_t matches[MAXREMATCHES];
e->e_dn, attr, 0 );
/* the lastmod attributes are ignored by ACL checking */
- if ( oc_check_operational( attr ) ) {
+ if ( oc_check_no_usermod_attr( attr ) ) {
Debug( LDAP_DEBUG_ACL, "Operational attribute: %s access allowed\n",
attr, 0, 0 );
return(1);
* acl_access_allowed().
*/
-struct acl *
+AccessControl *
acl_get_applicable(
Backend *be,
Operation *op,
)
{
int i;
- struct acl *a;
+ AccessControl *a;
char *edn;
Debug( LDAP_DEBUG_ACL, "\n=> acl_get: entry (%s) attr (%s)\n",
/* check for a backend-specific acl that matches the entry */
for ( i = 1, a = be->be_acl; a != NULL; a = a->acl_next, i++ ) {
- if (a->acl_dnpat != NULL) {
+ if (a->acl_dn_pat != NULL) {
Debug( LDAP_DEBUG_TRACE, "=> dnpat: [%d] %s nsub: %d\n",
- i, a->acl_dnpat, (int) a->acl_dnre.re_nsub);
+ i, a->acl_dn_pat, (int) a->acl_dn_re.re_nsub);
- if (regexec(&a->acl_dnre, edn, nmatch, matches, 0))
+ if (regexec(&a->acl_dn_re, edn, nmatch, matches, 0)) {
continue;
- else
+
+ } else {
Debug( LDAP_DEBUG_TRACE, "=> acl_get:[%d] backend ACL match\n",
i, 0, 0);
+ }
}
if ( a->acl_filter != NULL ) {
/* check for a global acl that matches the entry */
for ( i = 1, a = global_acl; a != NULL; a = a->acl_next, i++ ) {
- if (a->acl_dnpat != NULL) {
- Debug( LDAP_DEBUG_TRACE, "=> dnpat: [%d] %s nsub: %d\n",
- i, a->acl_dnpat, (int) a->acl_dnre.re_nsub);
+ if (a->acl_dn_pat != NULL) {
+ Debug( LDAP_DEBUG_TRACE, "=> dn pat: [%d] %s nsub: %d\n",
+ i, a->acl_dn_pat, (int) a->acl_dn_re.re_nsub);
- if (regexec(&a->acl_dnre, edn, nmatch, matches, 0)) {
+ if (regexec(&a->acl_dn_re, edn, nmatch, matches, 0)) {
continue;
+
} else {
Debug( LDAP_DEBUG_TRACE, "=> acl_get: [%d] global ACL match\n",
i, 0, 0);
int
acl_access_allowed(
- struct acl *a,
+ AccessControl *a,
Backend *be,
Connection *conn,
Entry *e,
)
{
int i;
- char *odn;
- struct access *b;
- Attribute *at;
- struct berval bv;
+ Access *b;
int default_access;
Debug( LDAP_DEBUG_ACL,
return( default_access >= access );
}
- odn = op->o_ndn;
-
- if ( odn != NULL ) {
- bv.bv_val = odn;
- bv.bv_len = strlen( odn );
- }
-
for ( i = 1, b = a->acl_access; b != NULL; b = b->a_next, i++ ) {
- if ( b->a_dnpat != NULL ) {
- Debug( LDAP_DEBUG_TRACE, "<= check a_dnpat: %s\n",
- b->a_dnpat, 0, 0);
+ /* AND <who> clauses */
+ if ( b->a_dn_pat != NULL ) {
+ Debug( LDAP_DEBUG_TRACE, "<= check a_dn_pat: %s\n",
+ b->a_dn_pat, 0, 0);
/*
* if access applies to the entry itself, and the
* user is bound as somebody in the same namespace as
* the entry, OR the given dn matches the dn pattern
*/
- if ( strcasecmp( b->a_dnpat, "anonymous" ) == 0 &&
- (op->o_ndn == NULL || *(op->o_ndn) == '\0' ) )
+ if ( strcasecmp( b->a_dn_pat, "anonymous" ) == 0 ) {
+ if (op->o_ndn != NULL && op->o_ndn[0] != '\0' ) {
+ continue;
+ }
+
+ } else if ( strcasecmp( b->a_dn_pat, "self" ) == 0 ) {
+ if( op->o_ndn == NULL || op->o_ndn[0] == '\0' ) {
+ continue;
+ }
+
+ if ( e->e_dn == NULL || strcmp( edn, op->o_ndn ) != 0 ) {
+ continue;
+ }
+
+ } else if ( strcmp( b->a_dn_pat, ".*" ) != 0 &&
+ !regex_matches( b->a_dn_pat, op->o_ndn, edn, matches ) )
{
- Debug( LDAP_DEBUG_ACL,
- "<= acl_access_allowed: matched by clause #%d access %s\n",
- i, ACL_GRANT(b->a_access, access)
- ? "granted" : "denied", 0 );
+ continue;
+ }
+ }
- return ACL_GRANT(b->a_access, access );
+ if ( b->a_sockurl_pat != NULL ) {
+ Debug( LDAP_DEBUG_ARGS, "<= check a_sockurl_pat: %s\n",
+ b->a_sockurl_pat, 0, 0 );
- } else if ( strcasecmp( b->a_dnpat, "self" ) == 0 &&
- op->o_ndn != NULL && *(op->o_ndn) && e->e_dn != NULL )
+ if ( strcmp( b->a_sockurl_pat, ".*" ) != 0 &&
+ !regex_matches( b->a_sockurl_pat, conn->c_listener_url,
+ edn, matches ) )
{
- if ( strcmp( edn, op->o_ndn ) == 0 ) {
- Debug( LDAP_DEBUG_ACL,
- "<= acl_access_allowed: matched by clause #%d access %s\n",
- i, ACL_GRANT(b->a_access, access)
- ? "granted" : "denied", 0 );
+ continue;
+ }
+ }
- return ACL_GRANT(b->a_access, access );
- }
- } else {
- if ( regex_matches( b->a_dnpat, odn, edn, matches ) ) {
- Debug( LDAP_DEBUG_ACL,
- "<= acl_access_allowed: matched by clause #%d access %s\n",
- i, ACL_GRANT(b->a_access, access)
- ? "granted" : "denied", 0 );
+ if ( b->a_domain_pat != NULL ) {
+ Debug( LDAP_DEBUG_ARGS, "<= check a_domain_pat: %s\n",
+ b->a_domain_pat, 0, 0 );
- return ACL_GRANT(b->a_access, access );
- }
+ if ( strcmp( b->a_domain_pat, ".*" ) != 0 &&
+ !regex_matches( b->a_domain_pat, conn->c_peer_domain,
+ edn, matches ) )
+ {
+ continue;
}
}
- if ( b->a_addrpat != NULL ) {
- if ( regex_matches( b->a_addrpat, conn->c_client_addr,
+
+ if ( b->a_peername_pat != NULL ) {
+ Debug( LDAP_DEBUG_ARGS, "<= check a_peername_path: %s\n",
+ b->a_peername_pat, 0, 0 );
+
+ if ( strcmp( b->a_peername_pat, ".*" ) != 0 &&
+ !regex_matches( b->a_peername_pat, conn->c_peer_name,
edn, matches ) )
{
- Debug( LDAP_DEBUG_ACL,
- "<= acl_access_allowed: matched by clause #%d access %s\n",
- i, ACL_GRANT(b->a_access, access)
- ? "granted" : "denied", 0 );
-
- return ACL_GRANT(b->a_access, access );
+ continue;
}
}
- if ( b->a_domainpat != NULL ) {
- Debug( LDAP_DEBUG_ARGS, "<= check a_domainpath: %s\n",
- b->a_domainpat, 0, 0 );
- if ( regex_matches( b->a_domainpat, conn->c_client_name,
- edn, matches ) )
- {
- Debug( LDAP_DEBUG_ACL,
- "<= acl_access_allowed: matched by clause #%d access %s\n",
- i, ACL_GRANT(b->a_access, access)
- ? "granted" : "denied", 0 );
- return ACL_GRANT(b->a_access, access );
+ if ( b->a_sockname_pat != NULL ) {
+ Debug( LDAP_DEBUG_ARGS, "<= check a_sockname_path: %s\n",
+ b->a_sockname_pat, 0, 0 );
+
+ if ( strcmp( b->a_sockname_pat, ".*" ) != 0 &&
+ !regex_matches( b->a_sockname_pat, conn->c_sock_name,
+ edn, matches ) )
+ {
+ continue;
}
}
- if ( b->a_dnattr != NULL && op->o_ndn != NULL ) {
- Debug( LDAP_DEBUG_ARGS, "<= check a_dnattr: %s\n",
- b->a_dnattr, 0, 0);
- /* see if asker is listed in dnattr */
- if ( (at = attr_find( e->e_attrs, b->a_dnattr )) != NULL &&
+
+ if ( b->a_dn_at != NULL && op->o_ndn != NULL ) {
+ Attribute *at;
+ struct berval bv;
+
+ Debug( LDAP_DEBUG_ARGS, "<= check a_dn_at: %s\n",
+ b->a_dn_at, 0, 0);
+
+ bv.bv_val = op->o_ndn;
+ bv.bv_len = strlen( bv.bv_val );
+
+ /* see if asker is listed in dnattr */
+ if ( (at = attr_find( e->e_attrs, b->a_dn_at )) != NULL &&
value_find( at->a_vals, &bv, at->a_syntax, 3 ) == 0 )
{
if ( ACL_IS_SELF(b->a_access) &&
continue;
}
- Debug( LDAP_DEBUG_ACL,
- "<= acl_acces_allowed: matched by clause #%d access %s\n",
- i, ACL_GRANT(b->a_access, access)
- ? "granted" : "denied", 0 );
-
- return ACL_GRANT(b->a_access, access );
- }
-
/* asker not listed in dnattr - check for self access */
- if ( ! ACL_IS_SELF(b->a_access) || val == NULL ||
+ } else if ( ! ACL_IS_SELF(b->a_access) || val == NULL ||
value_cmp( &bv, val, at->a_syntax, 2 ) != 0 )
{
continue;
}
-
- Debug( LDAP_DEBUG_ACL,
- "<= acl_access_allowed: matched by clause #%d (self) access %s\n",
- i, ACL_GRANT(b->a_access, access)
- ? "granted" : "denied", 0 );
-
- return ACL_GRANT(b->a_access, access );
}
- if ( b->a_group != NULL && op->o_ndn != NULL ) {
+ if ( b->a_group_pat != NULL && op->o_ndn != NULL ) {
char buf[1024];
/* b->a_group is an unexpanded entry name, expanded it should be an
* the values in the attribute group
*/
/* see if asker is listed in dnattr */
- string_expand(buf, sizeof(buf), b->a_group, edn, matches);
- (void) dn_normalize_case(buf);
+ string_expand(buf, sizeof(buf), b->a_group_pat, edn, matches);
+ if ( dn_normalize_case(buf) == NULL ) {
+ /* did not expand to a valid dn */
+ continue;
+ }
- if (backend_group(be, e, buf, odn,
- b->a_group_oc, b->a_group_at) == 0)
+ if (backend_group(be, e, buf, op->o_ndn,
+ b->a_group_oc, b->a_group_at) != 0)
{
- Debug( LDAP_DEBUG_ACL,
- "<= acl_access_allowed: matched by clause #%d (group) access granted\n",
- i, 0, 0 );
- return ACL_GRANT(b->a_access, access );
+ continue;
}
}
+
+ Debug( LDAP_DEBUG_ACL,
+ "<= acl_access_allowed: matched by clause #%d access %s\n",
+ i,
+ ACL_GRANT(b->a_access, access) ? "granted" : "denied",
+ 0 );
+
+ return ACL_GRANT(b->a_access, access );
}
Debug( LDAP_DEBUG_ACL,
)
{
int i;
- struct acl *a;
+ AccessControl *a;
char *edn = e->e_ndn;
for ( ; mlist != NULL; mlist = mlist->ml_next ) {
regmatch_t matches[MAXREMATCHES];
/* the lastmod attributes are ignored by ACL checking */
- if ( oc_check_operational( mlist->ml_type ) ) {
+ if ( oc_check_no_usermod_attr( mlist->ml_type ) ) {
Debug( LDAP_DEBUG_ACL, "Operational attribute: %s access allowed\n",
mlist->ml_type, 0, 0 );
continue;