)
{
int rc;
- struct acl *a;
+ AccessControl *a;
char *edn;
regmatch_t matches[MAXREMATCHES];
e->e_dn, attr, 0 );
/* the lastmod attributes are ignored by ACL checking */
- if ( strcasecmp( attr, "modifiersname" ) == 0 ||
- strcasecmp( attr, "modifytimestamp" ) == 0 ||
- strcasecmp( attr, "creatorsname" ) == 0 ||
- strcasecmp( attr, "createtimestamp" ) == 0 )
- {
- Debug( LDAP_DEBUG_ACL, "LASTMOD attribute: %s access allowed\n",
+ if ( oc_check_no_usermod_attr( attr ) ) {
+ Debug( LDAP_DEBUG_ACL, "Operational attribute: %s access allowed\n",
attr, 0, 0 );
return(1);
}
* acl_access_allowed().
*/
-struct acl *
+AccessControl *
acl_get_applicable(
Backend *be,
Operation *op,
regmatch_t *matches
)
{
- int i, j;
- struct acl *a;
+ int i;
+ AccessControl *a;
char *edn;
Debug( LDAP_DEBUG_ACL, "\n=> acl_get: entry (%s) attr (%s)\n",
int
acl_access_allowed(
- struct acl *a,
+ AccessControl *a,
Backend *be,
Connection *conn,
Entry *e,
)
{
int i;
- char *odn;
- struct access *b;
+ Access *b;
Attribute *at;
struct berval bv;
int default_access;
return( default_access >= access );
}
- odn = op->o_ndn;
-
- if ( odn != NULL ) {
- bv.bv_val = odn;
- bv.bv_len = strlen( odn );
+ if ( op->o_ndn != NULL ) {
+ bv.bv_val = op->o_ndn;
+ bv.bv_len = strlen( bv.bv_val );
}
for ( i = 1, b = a->acl_access; b != NULL; b = b->a_next, i++ ) {
* user is bound as somebody in the same namespace as
* the entry, OR the given dn matches the dn pattern
*/
- if ( strcasecmp( b->a_dnpat, "self" ) == 0 &&
+ if ( strcasecmp( b->a_dnpat, "anonymous" ) == 0 &&
+ (op->o_ndn == NULL || *(op->o_ndn) == '\0' ) )
+ {
+ Debug( LDAP_DEBUG_ACL,
+ "<= acl_access_allowed: matched by clause #%d access %s\n",
+ i, ACL_GRANT(b->a_access, access)
+ ? "granted" : "denied", 0 );
+
+ return ACL_GRANT(b->a_access, access );
+
+ } else if ( strcasecmp( b->a_dnpat, "self" ) == 0 &&
op->o_ndn != NULL && *(op->o_ndn) && e->e_dn != NULL )
{
if ( strcmp( edn, op->o_ndn ) == 0 ) {
Debug( LDAP_DEBUG_ACL,
"<= acl_access_allowed: matched by clause #%d access %s\n",
- i, (b->a_access & ~ACL_SELF) >=
- access ? "granted" : "denied", 0 );
+ i, ACL_GRANT(b->a_access, access)
+ ? "granted" : "denied", 0 );
- return( (b->a_access & ~ACL_SELF) >= access );
+ return ACL_GRANT(b->a_access, access );
}
} else {
- if ( regex_matches( b->a_dnpat, odn, edn, matches ) ) {
+ if ( regex_matches( b->a_dnpat, op->o_ndn, edn, matches ) ) {
Debug( LDAP_DEBUG_ACL,
"<= acl_access_allowed: matched by clause #%d access %s\n",
- i, (b->a_access & ~ACL_SELF) >= access ?
- "granted" : "denied", 0 );
+ i, ACL_GRANT(b->a_access, access)
+ ? "granted" : "denied", 0 );
- return( (b->a_access & ~ACL_SELF) >= access );
+ return ACL_GRANT(b->a_access, access );
}
}
}
if ( b->a_addrpat != NULL ) {
- if ( regex_matches( b->a_addrpat, conn->c_addr, edn, matches ) ) {
+ if ( regex_matches( b->a_addrpat, conn->c_client_addr,
+ edn, matches ) )
+ {
Debug( LDAP_DEBUG_ACL,
"<= acl_access_allowed: matched by clause #%d access %s\n",
- i, (b->a_access & ~ACL_SELF) >= access ?
- "granted" : "denied", 0 );
+ i, ACL_GRANT(b->a_access, access)
+ ? "granted" : "denied", 0 );
- return( (b->a_access & ~ACL_SELF) >= access );
+ return ACL_GRANT(b->a_access, access );
}
}
if ( b->a_domainpat != NULL ) {
Debug( LDAP_DEBUG_ARGS, "<= check a_domainpath: %s\n",
b->a_domainpat, 0, 0 );
- if ( regex_matches( b->a_domainpat, conn->c_domain, edn, matches ) )
+ if ( regex_matches( b->a_domainpat, conn->c_client_name,
+ edn, matches ) )
{
Debug( LDAP_DEBUG_ACL,
"<= acl_access_allowed: matched by clause #%d access %s\n",
- i, (b->a_access & ~ACL_SELF) >= access ?
- "granted" : "denied", 0 );
+ i, ACL_GRANT(b->a_access, access)
+ ? "granted" : "denied", 0 );
- return( (b->a_access & ~ACL_SELF) >= access );
+ return ACL_GRANT(b->a_access, access );
}
}
if ( b->a_dnattr != NULL && op->o_ndn != NULL ) {
if ( (at = attr_find( e->e_attrs, b->a_dnattr )) != NULL &&
value_find( at->a_vals, &bv, at->a_syntax, 3 ) == 0 )
{
- if ( (b->a_access & ACL_SELF) &&
+ if ( ACL_IS_SELF(b->a_access) &&
(val == NULL || value_cmp( &bv, val, at->a_syntax, 2 )) )
{
continue;
Debug( LDAP_DEBUG_ACL,
"<= acl_acces_allowed: matched by clause #%d access %s\n",
- i, (b->a_access & ~ACL_SELF) >= access ?
- "granted" : "denied", 0 );
+ i, ACL_GRANT(b->a_access, access)
+ ? "granted" : "denied", 0 );
- return( (b->a_access & ~ACL_SELF) >= access );
+ return ACL_GRANT(b->a_access, access );
}
/* asker not listed in dnattr - check for self access */
- if ( ! (b->a_access & ACL_SELF) || val == NULL ||
+ if ( ! ACL_IS_SELF(b->a_access) || val == NULL ||
value_cmp( &bv, val, at->a_syntax, 2 ) != 0 )
{
continue;
Debug( LDAP_DEBUG_ACL,
"<= acl_access_allowed: matched by clause #%d (self) access %s\n",
- i, (b->a_access & ~ACL_SELF) >= access ? "granted"
- : "denied", 0 );
+ i, ACL_GRANT(b->a_access, access)
+ ? "granted" : "denied", 0 );
- return( (b->a_access & ~ACL_SELF) >= access );
+ return ACL_GRANT(b->a_access, access );
}
-#ifdef SLAPD_ACLGROUPS
+
if ( b->a_group != NULL && op->o_ndn != NULL ) {
char buf[1024];
string_expand(buf, sizeof(buf), b->a_group, edn, matches);
(void) dn_normalize_case(buf);
- if (backend_group(be, e, buf, odn,
- b->a_objectclassvalue, b->a_groupattrname) == 0)
+ if (backend_group(be, e, buf, op->o_ndn,
+ b->a_group_oc, b->a_group_at) == 0)
{
Debug( LDAP_DEBUG_ACL,
"<= acl_access_allowed: matched by clause #%d (group) access granted\n",
i, 0, 0 );
- return( (b->a_access & ~ACL_SELF) >= access );
+ return ACL_GRANT(b->a_access, access );
}
}
-#endif /* SLAPD_ACLGROUPS */
}
Debug( LDAP_DEBUG_ACL,
)
{
int i;
- struct acl *a;
+ AccessControl *a;
char *edn = e->e_ndn;
for ( ; mlist != NULL; mlist = mlist->ml_next ) {
regmatch_t matches[MAXREMATCHES];
/* the lastmod attributes are ignored by ACL checking */
- if ( strcasecmp( mlist->ml_type, "modifiersname" ) == 0 ||
- strcasecmp( mlist->ml_type, "modifytimestamp" ) == 0 ||
- strcasecmp( mlist->ml_type, "creatorsname" ) == 0 ||
- strcasecmp( mlist->ml_type, "createtimestamp" ) == 0 )
- {
- Debug( LDAP_DEBUG_ACL, "LASTMOD attribute: %s access allowed\n",
+ if ( oc_check_no_usermod_attr( mlist->ml_type ) ) {
+ Debug( LDAP_DEBUG_ACL, "Operational attribute: %s access allowed\n",
mlist->ml_type, 0, 0 );
continue;
}
} else if (*sp >= '0' && *sp <= '9' ) {
int n;
int i;
- char *ep;
int l;
n = *sp - '0';
char newbuf[512];
int rc;
+ if(str == NULL) str = "";
+
string_expand(newbuf, sizeof(newbuf), pat, buf, matches);
if (( rc = regcomp(&re, newbuf, REG_EXTENDED|REG_ICASE))) {
char error[512];
projects / openldap / blobdiff