]> git.sur5r.net Git - openldap/blobdiff - servers/slapd/acl.c
projects / openldap / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
switch to openldap-data directory
[openldap] / servers / slapd / acl.c
diff --git a/servers/slapd/acl.c b/servers/slapd/acl.c
index 5895ad1b75422766356e6a195cb4c125a2096bbc..5f62a291296e6472e514f23b0b9b5204c888ced6 100644 (file)
--- a/servers/slapd/acl.c
+++ b/servers/slapd/acl.c
@@ -15,6 +15,27 @@
 
 #include "slap.h"
 #include "sets.h"
+#include "lber_pvt.h"
+
+
+/*
+ * speed up compares
+ */
+static struct berval 
+       aci_bv_entry            = { sizeof("entry") - 1,        "entry" },
+       aci_bv_br_entry         = { sizeof("[entry]") - 1,      "[entry]" },
+       aci_bv_br_all           = { sizeof("[all]") - 1,        "[all]" },
+       aci_bv_access_id        = { sizeof("access-id") - 1,    "access-id" },
+       aci_bv_anonymous        = { sizeof("anonymous") - 1,    "anonymous" },
+       aci_bv_users            = { sizeof("users") - 1,        "users" },
+       aci_bv_self             = { sizeof("self") - 1,         "self" },
+       aci_bv_dnattr           = { sizeof("dnattr") - 1,       "dnattr" },
+       aci_bv_group            = { sizeof("group") - 1,        "group" },
+       aci_bv_role             = { sizeof("role") - 1,         "role" },
+       aci_bv_set              = { sizeof("set") - 1,          "set" },
+       aci_bv_set_ref          = { sizeof("set-ref") - 1,      "set-ref"},
+       aci_bv_grant            = { sizeof("grant") - 1,        "grant" },
+       aci_bv_deny             = { sizeof("deny") - 1,         "deny" };
 
 static AccessControl * acl_get(
        AccessControl *ac, int *count,
@@ -46,9 +67,9 @@ static int aci_mask(
 #endif
 
 static int     regex_matches(
-       char *pat, char *str, char *buf, regmatch_t *matches);
+       struct berval *pat, char *str, char *buf, regmatch_t *matches);
 static void    string_expand(
-       struct berval *newbuf, char *pattern,
+       struct berval *newbuf, struct berval *pattern,
        char *match, regmatch_t *matches);
 
 typedef        struct AciSetCookie {
@@ -58,7 +79,7 @@ typedef       struct AciSetCookie {
        Operation *op;
 } AciSetCookie;
 
-BerVarray aci_set_gather (void *cookie, char *name, struct berval *attr);
+SLAP_SET_GATHER aci_set_gather;
 static int aci_match_set ( struct berval *subj, Backend *be,
     Entry *e, Connection *conn, Operation *op, int setref );
 
@@ -358,7 +379,7 @@ acl_get(
                                        if ( dnlen <= patlen )
                                                continue;
 
-                                       if ( !DN_SEPARATOR( e->e_ndn[dnlen - patlen - 1] ) || DN_ESCAPE( e->e_ndn[dnlen - patlen - 2] ) )
+                                       if ( !DN_SEPARATOR( e->e_ndn[dnlen - patlen - 1] ) )
                                                continue;
 
                                        rdnlen = dn_rdnlen( NULL, &e->e_nname );
@@ -366,13 +387,13 @@ acl_get(
                                                continue;
 
                                } else if ( a->acl_dn_style == ACL_STYLE_SUBTREE ) {
-                                       if ( dnlen > patlen && ( !DN_SEPARATOR( e->e_ndn[dnlen - patlen - 1] ) || DN_ESCAPE( e->e_ndn[dnlen - patlen - 2] ) ) )
+                                       if ( dnlen > patlen && !DN_SEPARATOR( e->e_ndn[dnlen - patlen - 1] ) )
                                                continue;
 
                                } else if ( a->acl_dn_style == ACL_STYLE_CHILDREN ) {
                                        if ( dnlen <= patlen )
                                                continue;
-                                       if ( !DN_SEPARATOR( e->e_ndn[dnlen - patlen - 1] ) || DN_ESCAPE( e->e_ndn[dnlen - patlen - 2] ) )
+                                       if ( !DN_SEPARATOR( e->e_ndn[dnlen - patlen - 1] ) )
                                                continue;
                                }
 
@@ -511,32 +532,28 @@ acl_mask(
                         * user is bound as somebody in the same namespace as
                         * the entry, OR the given dn matches the dn pattern
                         */
-                       if ( b->a_dn_pat.bv_len == sizeof("anonymous") -1 &&
-                           strcmp( b->a_dn_pat.bv_val, "anonymous" ) == 0 ) {
-                               if (op->o_ndn.bv_len != 0 ) {
+                       if ( ber_bvcmp( &b->a_dn_pat, &aci_bv_anonymous ) == 0 ) {
+                               if ( op->o_ndn.bv_len != 0 ) {
                                        continue;
                                }
 
-                       } else if ( b->a_dn_pat.bv_len == sizeof("users") - 1 &&
-                           strcmp( b->a_dn_pat.bv_val, "users" ) == 0 ) {
-                               if (op->o_ndn.bv_len == 0 ) {
+                       } else if ( ber_bvcmp( &b->a_dn_pat, &aci_bv_users ) == 0 ) {
+                               if ( op->o_ndn.bv_len == 0 ) {
                                        continue;
                                }
 
-                       } else if ( b->a_dn_pat.bv_len == sizeof("self") - 1 &&
-                           strcmp( b->a_dn_pat.bv_val, "self" ) == 0 ) {
-                               if( op->o_ndn.bv_len == 0 ) {
+                       } else if ( ber_bvcmp( &b->a_dn_pat, &aci_bv_self ) == 0 ) {
+                               if ( op->o_ndn.bv_len == 0 ) {
                                        continue;
                                }
                                
-                               if ( e->e_dn == NULL || strcmp( e->e_ndn, op->o_ndn.bv_val ) != 0 ) {
+                               if ( e->e_dn == NULL || !dn_match( &e->e_nname, &op->o_ndn ) ) {
                                        continue;
                                }
 
                        } else if ( b->a_dn_style == ACL_STYLE_REGEX ) {
-                               if ( b->a_dn_pat.bv_len != 1 || 
-                                   strcmp( b->a_dn_pat.bv_val, "*" ) != 0 ) {
-                                       int ret = regex_matches( b->a_dn_pat.bv_val,
+                               if ( ber_bvccmp( &b->a_dn_pat, '*' ) == 0 ) {
+                                       int ret = regex_matches( &b->a_dn_pat,
                                                op->o_ndn.bv_val, e->e_ndn, matches );
 
                                        if( ret == 0 ) {
@@ -564,7 +581,7 @@ acl_mask(
                                        if ( odnlen <= patlen )
                                                continue;
 
-                                       if ( !DN_SEPARATOR( op->o_ndn.bv_val[odnlen - patlen - 1] ) || DN_ESCAPE( op->o_ndn.bv_val[odnlen - patlen - 2] ) )
+                                       if ( !DN_SEPARATOR( op->o_ndn.bv_val[odnlen - patlen - 1] ) )
                                                continue;
 
                                        rdnlen = dn_rdnlen( NULL, &op->o_ndn );
@@ -572,110 +589,109 @@ acl_mask(
                                                continue;
 
                                } else if ( b->a_dn_style == ACL_STYLE_SUBTREE ) {
-                                       if ( odnlen > patlen && ( !DN_SEPARATOR( op->o_ndn.bv_val[odnlen - patlen - 1] ) || DN_ESCAPE( op->o_ndn.bv_val[odnlen - patlen - 2] ) ) )
+                                       if ( odnlen > patlen && !DN_SEPARATOR( op->o_ndn.bv_val[odnlen - patlen - 1] ) )
                                                continue;
 
                                } else if ( b->a_dn_style == ACL_STYLE_CHILDREN ) {
                                        if ( odnlen <= patlen )
                                                continue;
-                                       if ( !DN_SEPARATOR( op->o_ndn.bv_val[odnlen - patlen - 1] ) || DN_ESCAPE( op->o_ndn.bv_val[odnlen - patlen - 2] ) )
+                                       if ( !DN_SEPARATOR( op->o_ndn.bv_val[odnlen - patlen - 1] ) )
                                                continue;
                                }
 
                                if ( strcmp( b->a_dn_pat.bv_val, op->o_ndn.bv_val + odnlen - patlen ) != 0 )
                                        continue;
-
                        }
                }
 
-               if ( b->a_sockurl_pat != NULL ) {
+               if ( b->a_sockurl_pat.bv_len ) {
 #ifdef NEW_LOGGING
                        LDAP_LOG(( "acl", LDAP_LEVEL_DETAIL1,
                                   "acl_mask: conn %d  check a_sockurl_pat: %s\n",
-                                  conn->c_connid, b->a_sockurl_pat ));
+                                  conn->c_connid, b->a_sockurl_pat.bv_val ));
 #else
                        Debug( LDAP_DEBUG_ACL, "<= check a_sockurl_pat: %s\n",
-                               b->a_sockurl_pat, 0, 0 );
+                               b->a_sockurl_pat.bv_val, 0, 0 );
 #endif
 
-                       if ( strcmp( b->a_sockurl_pat, "*" ) != 0) {
+                       if ( ber_bvccmp( &b->a_sockurl_pat, '*' ) != 0) {
                                if ( b->a_sockurl_style == ACL_STYLE_REGEX) {
-                                       if (!regex_matches( b->a_sockurl_pat, conn->c_listener_url,
+                                       if (!regex_matches( &b->a_sockurl_pat, conn->c_listener_url.bv_val,
                                                        e->e_ndn, matches ) ) 
                                        {
                                                continue;
                                        }
                                } else {
-                                       if ( strcasecmp( b->a_sockurl_pat, conn->c_listener_url ) != 0 )
+                                       if ( ber_bvstrcasecmp( &b->a_sockurl_pat, &conn->c_listener_url ) != 0 )
                                                continue;
                                }
                        }
                }
 
-               if ( b->a_domain_pat != NULL ) {
+               if ( b->a_domain_pat.bv_len ) {
 #ifdef NEW_LOGGING
                        LDAP_LOG(( "acl", LDAP_LEVEL_DETAIL1,
                                   "acl_mask: conn %d  check a_domain_pat: %s\n",
-                                  conn->c_connid, b->a_domain_pat ));
+                                  conn->c_connid, b->a_domain_pat.bv_val ));
 #else
                        Debug( LDAP_DEBUG_ACL, "<= check a_domain_pat: %s\n",
-                               b->a_domain_pat, 0, 0 );
+                               b->a_domain_pat.bv_val, 0, 0 );
 #endif
-                       if ( strcmp( b->a_domain_pat, "*" ) != 0) {
+                       if ( ber_bvccmp( &b->a_domain_pat, '*' ) != 0) {
                                if ( b->a_domain_style == ACL_STYLE_REGEX) {
-                                       if (!regex_matches( b->a_domain_pat, conn->c_peer_domain,
+                                       if (!regex_matches( &b->a_domain_pat, conn->c_peer_domain.bv_val,
                                                        e->e_ndn, matches ) ) 
                                        {
                                                continue;
                                        }
                                } else {
-                                       if ( strcasecmp( b->a_domain_pat, conn->c_peer_domain ) != 0 )
+                                       if ( ber_bvstrcasecmp( &b->a_domain_pat, &conn->c_peer_domain ) != 0 )
                                                continue;
                                }
                        }
                }
 
-               if ( b->a_peername_pat != NULL ) {
+               if ( b->a_peername_pat.bv_len ) {
 #ifdef NEW_LOGGING
                        LDAP_LOG(( "acl", LDAP_LEVEL_DETAIL1,
                                   "acl_mask: conn %d  check a_perrname_path: %s\n",
-                                  conn->c_connid, b->a_peername_pat ));
+                                  conn->c_connid, b->a_peername_pat.bv_val ));
 #else
                        Debug( LDAP_DEBUG_ACL, "<= check a_peername_path: %s\n",
-                               b->a_peername_pat, 0, 0 );
+                               b->a_peername_pat.bv_val, 0, 0 );
 #endif
-                       if ( strcmp( b->a_peername_pat, "*" ) != 0) {
+                       if ( ber_bvccmp( &b->a_peername_pat, '*' ) != 0) {
                                if ( b->a_peername_style == ACL_STYLE_REGEX) {
-                                       if (!regex_matches( b->a_peername_pat, conn->c_peer_name,
+                                       if (!regex_matches( &b->a_peername_pat, conn->c_peer_name.bv_val,
                                                        e->e_ndn, matches ) ) 
                                        {
                                                continue;
                                        }
                                } else {
-                                       if ( strcasecmp( b->a_peername_pat, conn->c_peer_name ) != 0 )
+                                       if ( ber_bvstrcasecmp( &b->a_peername_pat, &conn->c_peer_name ) != 0 )
                                                continue;
                                }
                        }
                }
 
-               if ( b->a_sockname_pat != NULL ) {
+               if ( b->a_sockname_pat.bv_len ) {
 #ifdef NEW_LOGGING
                        LDAP_LOG(( "acl", LDAP_LEVEL_DETAIL1,
                                   "acl_mask: conn %d  check a_sockname_path: %s\n",
-                                  conn->c_connid, b->a_sockname_pat ));
+                                  conn->c_connid, b->a_sockname_pat.bv_val ));
 #else
                        Debug( LDAP_DEBUG_ACL, "<= check a_sockname_path: %s\n",
-                               b->a_sockname_pat, 0, 0 );
+                               b->a_sockname_pat.bv_val, 0, 0 );
 #endif
-                       if ( strcmp( b->a_sockname_pat, "*" ) != 0) {
+                       if ( ber_bvccmp( &b->a_sockname_pat, '*' ) != 0) {
                                if ( b->a_sockname_style == ACL_STYLE_REGEX) {
-                                       if (!regex_matches( b->a_sockname_pat, conn->c_sock_name,
+                                       if (!regex_matches( &b->a_sockname_pat, conn->c_sock_name.bv_val,
                                                        e->e_ndn, matches ) ) 
                                        {
                                                continue;
                                        }
                                } else {
-                                       if ( strcasecmp( b->a_sockname_pat, conn->c_sock_name ) != 0 )
+                                       if ( ber_bvstrcasecmp( &b->a_sockname_pat, &conn->c_sock_name ) != 0 )
                                                continue;
                                }
                        }
@@ -764,7 +780,7 @@ acl_mask(
                         */
                        /* see if asker is listed in dnattr */
                        if ( b->a_group_style == ACL_STYLE_REGEX ) {
-                               string_expand(&bv, b->a_group_pat.bv_val, e->e_ndn, matches);
+                               string_expand(&bv, &b->a_group_pat, e->e_ndn, matches);
                                if ( dnNormalize2(NULL, &bv, &ndn) != LDAP_SUCCESS ) {
                                        /* did not expand to a valid dn */
                                        continue;
@@ -778,8 +794,7 @@ acl_mask(
                                b->a_group_oc, b->a_group_at);
                        if ( ndn.bv_val )
                                free( ndn.bv_val );
-                       if ( rc != 0 )
-                       {
+                       if ( rc != 0 ) {
                                continue;
                        }
                }
@@ -1158,26 +1173,6 @@ aci_bvstrdup( struct berval *bv )
        return(s);
 }
 
-#ifdef SLAPD_ACI_ENABLED
-static int
-aci_strbvcmp(
-       const char *s,
-       struct berval *bv )
-{
-       int res, len;
-
-       res = strncasecmp( s, bv->bv_val, bv->bv_len );
-       if (res)
-               return(res);
-       len = strlen(s);
-       if (len > (int)bv->bv_len)
-               return(1);
-       if (len < (int)bv->bv_len)
-               return(-1);
-       return(0);
-}
-#endif
-
 static int
 aci_get_part(
        struct berval *list,
@@ -1218,20 +1213,18 @@ aci_get_part(
 }
 
 BerVarray
-aci_set_gather (void *cookie, char *name, struct berval *attr)
+aci_set_gather (void *cookie, struct berval *name, struct berval *attr)
 {
        AciSetCookie *cp = cookie;
        BerVarray bvals = NULL;
-       struct berval bv, ndn;
+       struct berval ndn;
 
        /* this routine needs to return the bervals instead of
         * plain strings, since syntax is not known.  It should
         * also return the syntax or some "comparison cookie".
         */
 
-       bv.bv_val = name;
-       bv.bv_len = strlen( name );
-       if (dnNormalize2(NULL, &bv, &ndn) == LDAP_SUCCESS) {
+       if (dnNormalize2(NULL, name, &ndn) == LDAP_SUCCESS) {
                const char *text;
                AttributeDescription *desc = NULL;
                if (slap_bv2ad(attr, &desc, &text) == LDAP_SUCCESS) {
@@ -1314,7 +1307,7 @@ aci_match_set (
                cookie.conn = conn;
                cookie.op = op;
                rc = (slap_set_filter(aci_set_gather, &cookie, &set,
-                       op->o_ndn.bv_val, e->e_ndn, NULL) > 0);
+                       &op->o_ndn, &e->e_nname, NULL) > 0);
                ch_free(set.bv_val);
        }
        return(rc);
@@ -1369,7 +1362,7 @@ aci_list_map_rights(
 static int
 aci_list_has_attr(
        struct berval *list,
-       const char *attr,
+       const struct berval *attr,
        struct berval *val )
 {
        struct berval bv, left, right;
@@ -1379,13 +1372,13 @@ aci_list_has_attr(
                if (aci_get_part(&bv, 0, '=', &left) < 0
                        || aci_get_part(&bv, 1, '=', &right) < 0)
                {
-                       if (aci_strbvcmp(attr, &bv) == 0)
+                       if (ber_bvstrcasecmp(attr, &bv) == 0)
                                return(1);
                } else if (val == NULL) {
-                       if (aci_strbvcmp(attr, &left) == 0)
+                       if (ber_bvstrcasecmp(attr, &left) == 0)
                                return(1);
                } else {
-                       if (aci_strbvcmp(attr, &left) == 0) {
+                       if (ber_bvstrcasecmp(attr, &left) == 0) {
                                /* this is experimental code that implements a
                                 * simple (prefix) match of the attribute value.
                                 * the ACI draft does not provide for aci's that
@@ -1403,7 +1396,7 @@ aci_list_has_attr(
                                if (aci_get_part(&right, 0, '*', &left) < 0
                                        || right.bv_len <= left.bv_len)
                                {
-                                       if (aci_strbvcmp(val->bv_val, &right) == 0)
+                                       if (ber_bvstrcasecmp(val, &right) == 0)
                                                return(1);
                                } else if (val->bv_len >= left.bv_len) {
                                        if (strncasecmp( val->bv_val, left.bv_val, left.bv_len ) == 0)
@@ -1418,7 +1411,7 @@ aci_list_has_attr(
 static slap_access_t
 aci_list_get_attr_rights(
        struct berval *list,
-       const char *attr,
+       const struct berval *attr,
        struct berval *val )
 {
     struct berval bv;
@@ -1440,7 +1433,7 @@ aci_list_get_attr_rights(
 static int
 aci_list_get_rights(
        struct berval *list,
-       const char *attr,
+       const struct berval *attr,
        struct berval *val,
        slap_access_t *grant,
        slap_access_t *deny )
@@ -1449,8 +1442,9 @@ aci_list_get_rights(
     slap_access_t *mask;
     int i, found;
 
-       if (attr == NULL || *attr == 0 || strcasecmp(attr, "entry") == 0) {
-               attr = "[entry]";
+       if (attr == NULL || attr->bv_len == 0 
+                       || ber_bvstrcasecmp( attr, &aci_bv_entry ) == 0) {
+               attr = &aci_bv_br_entry;
        }
 
        found = 0;
@@ -1460,9 +1454,9 @@ aci_list_get_rights(
        for (i = 0; aci_get_part(list, i, '$', &perm) >= 0; i++) {
                if (aci_get_part(&perm, 0, ';', &actn) < 0)
                        continue;
-               if (aci_strbvcmp( "grant", &actn ) == 0) {
+               if (ber_bvstrcasecmp( &aci_bv_grant, &actn ) == 0) {
                        mask = grant;
-               } else if (aci_strbvcmp( "deny", &actn ) == 0) {
+               } else if (ber_bvstrcasecmp( &aci_bv_deny, &actn ) == 0) {
                        mask = deny;
                } else {
                        continue;
@@ -1470,7 +1464,7 @@ aci_list_get_rights(
 
                found = 1;
                *mask |= aci_list_get_attr_rights(&perm, attr, val);
-               *mask |= aci_list_get_attr_rights(&perm, "[all]", NULL);
+               *mask |= aci_list_get_attr_rights(&perm, &aci_bv_br_all, NULL);
        }
        return(found);
 }
@@ -1488,7 +1482,7 @@ aci_group_member (
 )
 {
        struct berval bv;
-       char *subjdn;
+       struct berval subjdn;
        struct berval grpoc;
        struct berval grpat;
        ObjectClass *grp_oc = NULL;
@@ -1497,12 +1491,7 @@ aci_group_member (
        int rc;
 
        /* format of string is "group/objectClassValue/groupAttrName" */
-       if (aci_get_part(subj, 0, '/', &bv) < 0) {
-               return(0);
-       }
-
-       subjdn = aci_bvstrdup(&bv);
-       if (subjdn == NULL) {
+       if (aci_get_part(subj, 0, '/', &subjdn) < 0) {
                return(0);
        }
 
@@ -1527,7 +1516,7 @@ aci_group_member (
                struct berval ndn;
                bv.bv_val = (char *)ch_malloc(1024);
                bv.bv_len = 1024;
-               string_expand(&bv, subjdn, e->e_ndn, matches);
+               string_expand(&bv, &subjdn, e->e_ndn, matches);
                if ( dnNormalize2(NULL, &bv, &ndn) == LDAP_SUCCESS ) {
                        rc = (backend_group(be, conn, op, e, &ndn, &op->o_ndn, grp_oc, grp_ad) == 0);
                        free( ndn.bv_val );
@@ -1536,7 +1525,6 @@ aci_group_member (
        }
 
 done:
-       ch_free(subjdn);
        return(rc);
 }
 
@@ -1565,9 +1553,9 @@ aci_mask(
 {
     struct berval bv, perms, sdn;
        int rc;
-       char *attr = desc->ad_cname.bv_val;
+               
 
-       assert( attr != NULL );
+       assert( desc->ad_cname.bv_val != NULL );
 
        /* parse an aci of the form:
                oid#scope#action;rights;attr;rights;attr$action;rights;attr;rights;attr#dnType#subjectDN
@@ -1588,7 +1576,7 @@ aci_mask(
 
        /* check that the scope is "entry" */
        if (aci_get_part(aci, 1, '#', &bv) < 0
-               || aci_strbvcmp( "entry", &bv ) != 0)
+               || ber_bvstrcasecmp( &aci_bv_entry, &bv ) != 0)
        {
                return(0);
        }
@@ -1598,7 +1586,7 @@ aci_mask(
                return(0);
 
        /* check if any permissions allow desired access */
-       if (aci_list_get_rights(&perms, attr, val, grant, deny) == 0)
+       if (aci_list_get_rights(&perms, &desc->ad_cname, val, grant, deny) == 0)
                return(0);
 
        /* see if we have a DN match */
@@ -1608,29 +1596,27 @@ aci_mask(
        if (aci_get_part(aci, 4, '#', &sdn) < 0)
                return(0);
 
-       if (aci_strbvcmp( "access-id", &bv ) == 0) {
+       if (ber_bvstrcasecmp( &aci_bv_access_id, &bv ) == 0) {
                struct berval ndn;
                rc = 1;
                if ( dnNormalize2(NULL, &sdn, &ndn) == LDAP_SUCCESS ) {
-                       if (strcasecmp(op->o_ndn.bv_val, ndn.bv_val) != 0)
+                       if (!dn_match( &op->o_ndn, &ndn))
                                rc = 0;
                        free(ndn.bv_val);
                }
                return(rc);
        }
 
-       if (aci_strbvcmp( "self", &bv ) == 0) {
+       if (ber_bvstrcasecmp( &aci_bv_self, &bv ) == 0) {
                if (dn_match(&op->o_ndn, &e->e_nname))
                        return(1);
 
-       } else if (aci_strbvcmp( "dnattr", &bv ) == 0) {
-               char *dnattr = aci_bvstrdup(&sdn);
+       } else if (ber_bvstrcasecmp( &aci_bv_dnattr, &bv ) == 0) {
                Attribute *at;
                AttributeDescription *ad = NULL;
                const char *text;
 
-               rc = slap_str2ad( dnattr, &ad, &text );
-               ch_free( dnattr );
+               rc = slap_bv2ad( &sdn, &ad, &text );
 
                if( rc != LDAP_SUCCESS ) {
                        return 0;
@@ -1653,19 +1639,19 @@ aci_mask(
                return rc;
 
 
-       } else if (aci_strbvcmp( "group", &bv ) == 0) {
+       } else if (ber_bvstrcasecmp( &aci_bv_group, &bv ) == 0) {
                if (aci_group_member(&sdn, &GroupClass, &GroupAttr, be, e, conn, op, matches))
                        return(1);
 
-       } else if (aci_strbvcmp( "role", &bv ) == 0) {
+       } else if (ber_bvstrcasecmp( &aci_bv_role, &bv ) == 0) {
                if (aci_group_member(&sdn, &RoleClass, &RoleAttr, be, e, conn, op, matches))
                        return(1);
 
-       } else if (aci_strbvcmp( "set", &bv ) == 0) {
+       } else if (ber_bvstrcasecmp( &aci_bv_set, &bv ) == 0) {
                if (aci_match_set(&sdn, be, e, conn, op, 0))
                        return(1);
 
-       } else if (aci_strbvcmp( "set-ref", &bv ) == 0) {
+       } else if (ber_bvstrcasecmp( &aci_bv_set_ref, &bv ) == 0) {
                if (aci_match_set(&sdn, be, e, conn, op, 1))
                        return(1);
 
@@ -1679,7 +1665,7 @@ aci_mask(
 static void
 string_expand(
        struct berval *bv,
-       char *pat,
+       struct berval *pat,
        char *match,
        regmatch_t *matches)
 {
@@ -1693,7 +1679,8 @@ string_expand(
        bv->bv_len--; /* leave space for lone $ */
 
        flag = 0;
-       for ( dp = bv->bv_val, sp = pat; size < bv->bv_len && *sp ; sp++) {
+       for ( dp = bv->bv_val, sp = pat->bv_val; size < bv->bv_len &&
+               sp < pat->bv_val + pat->bv_len ; sp++) {
                /* did we previously see a $ */
                if (flag) {
                        if (*sp == '$') {
@@ -1736,18 +1723,18 @@ string_expand(
 
 #ifdef NEW_LOGGING
        LDAP_LOG(( "aci", LDAP_LEVEL_DETAIL1,
-                  "string_expand:  pattern = %s\n", pat ));
+                  "string_expand:  pattern = %.*s\n", pat->bv_len, pat->bv_val ));
        LDAP_LOG(( "aci", LDAP_LEVEL_DETAIL1,
                   "string_expand:  expanded = %s\n", bv->bv_val ));
 #else
-       Debug( LDAP_DEBUG_TRACE, "=> string_expand: pattern:  %s\n", pat, 0, 0 );
+       Debug( LDAP_DEBUG_TRACE, "=> string_expand: pattern:  %.*s\n", pat->bv_len, pat->bv_val, 0 );
        Debug( LDAP_DEBUG_TRACE, "=> string_expand: expanded: %s\n", bv->bv_val, 0, 0 );
 #endif
 }
 
 static int
 regex_matches(
-       char *pat,                              /* pattern to expand and match against */
+       struct berval *pat,                     /* pattern to expand and match against */
        char *str,                              /* string to match against pattern */
        char *buf,                              /* buffer with $N expansion variables */
        regmatch_t *matches             /* offsets in buffer for $N expansion variables */
@@ -1768,11 +1755,11 @@ regex_matches(
 #ifdef NEW_LOGGING
                LDAP_LOG(( "aci", LDAP_LEVEL_ERR,
                           "regex_matches: compile( \"%s\", \"%s\") failed %s\n",
-                          pat, str, error ));
+                          pat->bv_val, str, error ));
 #else
                Debug( LDAP_DEBUG_TRACE,
                    "compile( \"%s\", \"%s\") failed %s\n",
-                       pat, str, error );
+                       pat->bv_val, str, error );
 #endif
                return( 0 );
        }
Cloned from git://git.openldap.org/openldap.git