/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
- * Copyright 1998-2004 The OpenLDAP Foundation.
+ * Copyright 1998-2005 The OpenLDAP Foundation.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
"<= root access granted\n",
0, 0, 0 );
if ( maskp ) {
- mask = ACL_LVL_WRITE;
+ mask = ACL_LVL_MANAGE;
}
goto done;
Debug( LDAP_DEBUG_ACL,
"acl_get: valpat %s\n",
a->acl_attrval.bv_val, 0, 0 );
- if (regexec(&a->acl_attrval_re, val->bv_val, 0, NULL, 0))
+ if ( regexec( &a->acl_attrval_re, val->bv_val, 0, NULL, 0 ) )
+ {
continue;
+ }
+
} else {
int match = 0;
const char *text;
*/
/*
* NOTE: styles "anonymous", "users" and "self"
- * have been moved to an enumeration, * whose value
- * is set in a_dn_style; however, the string
+ * have been moved to enum slap_style_t, whose
+ * value is set in a_dn_style; however, the string
* is maintaned in a_dn_pat.
*/
- if ( b->a_dn_style == ACL_STYLE_ANONYMOUS /* bvmatch( &b->a_dn_pat, &aci_bv_anonymous ) */ ) {
+ if ( b->a_dn_style == ACL_STYLE_ANONYMOUS ) {
if ( op->o_ndn.bv_len != 0 ) {
continue;
}
- } else if ( b->a_dn_style == ACL_STYLE_USERS /* bvmatch( &b->a_dn_pat, &aci_bv_users ) */ ) {
+ } else if ( b->a_dn_style == ACL_STYLE_USERS ) {
if ( op->o_ndn.bv_len == 0 ) {
continue;
}
- } else if ( b->a_dn_style == ACL_STYLE_SELF /* bvmatch( &b->a_dn_pat, &aci_bv_self ) */ ) {
+ } else if ( b->a_dn_style == ACL_STYLE_SELF ) {
if ( op->o_ndn.bv_len == 0 ) {
continue;
}
Debug( LDAP_DEBUG_ACL,
"=> access_allowed: backend default %s access %s to \"%s\"\n",
access2str( ACL_WRITE ),
- op->o_bd->be_dfltaccess >= ACL_WRITE ? "granted" : "denied", op->o_dn.bv_val );
+ op->o_bd->be_dfltaccess >= ACL_WRITE
+ ? "granted" : "denied",
+ op->o_dn.bv_val );
ret = (op->o_bd->be_dfltaccess >= ACL_WRITE);
goto done;
}
p.cookie = cookie;
+ op2.o_hdr = cp->op->o_hdr;
op2.o_tag = LDAP_REQ_SEARCH;
- op2.o_protocol = LDAP_VERSION3;
op2.o_ndn = op2.o_bd->be_rootndn;
op2.o_callback = &cb;
op2.o_time = slap_get_time();
op2.o_do_not_cache = 1;
op2.o_is_auth_check = 0;
- op2.o_threadctx = cp->op->o_threadctx;
- op2.o_tmpmemctx = cp->op->o_tmpmemctx;
- op2.o_tmpmfuncs = cp->op->o_tmpmfuncs;
-#ifdef LDAP_SLAPI
- op2.o_pb = cp->op->o_pb;
-#endif
- op2.o_conn = cp->op->o_conn;
- op2.o_connid = cp->op->o_connid;
ber_dupbv_x( &op2.o_req_dn, &op2.o_req_ndn, cp->op->o_tmpmemctx );
op2.ors_slimit = SLAP_NO_LIMIT;
op2.ors_tlimit = SLAP_NO_LIMIT;
op2.ors_attrs = anlistp;
op2.ors_attrsonly = 0;
- op2.o_sync_slog_size = -1;
cb.sc_private = &p;
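Review bot: `op2.o_ndn` is set to the backend rootndn but `op2.o_dn` is not assigned anywhere in this hunk, so unless it is set outside the hunk the pretty and normalized identities of the internal search disagree; consider `op2.o_dn = op2.o_bd->be_rootdn;` beside it. The seven per-field copies are replaced by `op2.o_hdr = cp->op->o_hdr;`, which is only equivalent if every dropped field — including `o_protocol`, whose LDAP_VERSION3 assignment is removed rather than moved — lives in the shared header; that is worth confirming against slap.h, since otherwise the internal search runs with an unset protocol version. Sharing the header also appears to mean the internal search logs under the parent's connection and operation ids, which a one-line comment should state. Because this search runs with root identity and SLAP_NO_LIMIT on data named by an ACI value, a comment explaining why root is required (the set must be evaluated regardless of the bound user's rights) and why `o_do_not_cache = 1` is needed would help the next maintainer. The enclosing function starts and ends outside the hunk.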
int rc = 0;
AciSetCookie cookie;
- if (setref == 0) {
+ if ( setref == 0 ) {
ber_dupbv_x( &set, subj, op->o_tmpmemctx );
+
} else {
struct berval subjdn, ndn = BER_BVNULL;
struct berval setat;
/* format of string is "entry/setAttrName" */
if ( aci_get_part( subj, 0, '/', &subjdn ) < 0 ) {
- return(0);
+ return 0;
}
if ( aci_get_part( subj, 1, '/', &setat ) < 0 ) {
oid # scope # action;rights;attr;rights;attr
$ action;rights;attr;rights;attr # type # subject
+ [NOTE: the following comment is very outdated,
+ as the draft version it refers to (Ando, 2004-11-20)].
+
See draft-ietf-ldapext-aci-model-04.txt section 9.1 for
a full description of the format for this attribute.
Differences: "this" in the draft is "self" here, and
"self" and "public" is in the position of type.
+ <scope> = {entry|children|subtree}
+ <type> = {public|users|access-id|subtree|onelevel|children|
+ self|dnattr|group|role|set|set-ref}
+
This routine now supports scope={ENTRY,CHILDREN}
with the semantics:
- ENTRY applies to "entry" and "subtree";
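Review bot: The inserted NOTE is an incomplete sentence: `as the draft version it refers to (Ando, 2004-11-20)]` never says what happened to the draft, presumably that it has expired; suggest `[NOTE: the following comment is very outdated, as the draft version it refers to has expired (Ando, 2004-11-20)]`. The new `<type>` list includes `users`, which the prose that follows does not describe ("self" and "public" are); a sentence such as `"users" matches any authenticated (non-anonymous) identity`, as aci_mask() below appears to implement it, would keep the list and the text in step. The comment block continues outside the hunk.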
/* see if we have a public (i.e. anonymous) access */
if ( ber_bvstrcasecmp( &aci_bv_public, &type ) == 0 ) {
return 1;
-
}
/* otherwise require an identity */
return 0;
}
- /* note: this may fail if a DN contains a valid '#' (unescaped) */
+ /* see if we have a users access */
+ if ( ber_bvstrcasecmp( &aci_bv_users, &type ) == 0 ) {
+ return 1;
+ }
+
+ /* NOTE: this may fail if a DN contains a valid '#' (unescaped);
+ * just grab all the berval up to its end (ITS#3303).
+ * NOTE: the problem could be solved by providing the DN with
+ * the embedded '#' encoded as hexpairs: "cn=Foo#Bar" would
+ * become "cn=Foo\23Bar" and be safely used by aci_mask(). */
#if 0
if ( aci_get_part( aci, 4, '#', &sdn ) < 0 ) {
return 0;
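Review bot: The `#if 0` block at the end of the hunk is dead code kept under a preprocessor guard; since the NOTE above it already records why the aci_get_part() call was replaced (ITS#3303), the disabled call should be deleted rather than left in place. The new `users` branch returns 1 for any identity that got past the anonymous check, i.e. an ACI of type `users` grants to every authenticated DN regardless of who it is; a comment such as `/* "users" matches any authenticated (non-anonymous) identity */` would make that explicit for whoever writes ACI values. The enclosing aci_mask() function starts and ends outside the hunk.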
return 0;
}
-#endif /* SLAPD_ACI_ENABLED */
-
#ifdef SLAP_DYNACL
static int
dynacl_aci_parse( const char *fname, int lineno, slap_style_t sty, const char *right, void **privp )
NULL
};
-int
-aci_init( void )
-{
- return slap_dynacl_register( &dynacl_aci );
-}
+#endif /* SLAP_DYNACL */
+
+#endif /* SLAPD_ACI_ENABLED */
+
+#ifdef SLAP_DYNACL
/*
* dynamic ACL infrastructure
int
acl_init( void )
{
+ int i, rc;
#ifdef SLAP_DYNACL
- int rc;
-
- da_list = NULL;
-
+ slap_dynacl_t *known_dynacl[] = {
#ifdef SLAPD_ACI_ENABLED
- rc = aci_init();
- if ( rc ) {
- return rc;
+ &dynacl_aci,
+#endif /* SLAPD_ACI_ENABLED */
+ NULL
+ };
+
+ for ( i = 0; known_dynacl[ i ]; i++ ) {
+ rc = slap_dynacl_register( known_dynacl[ i ] );
+ if ( rc ) {
+ return rc;
+ }
}
-#endif /* SLAPD_ACI_ENABLED */
#endif /* SLAP_DYNACL */
return 0;
}
-
static int
string_expand(
struct berval *bv,
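Review bot: `int i, rc;` in acl_init() is now declared outside the `#ifdef SLAP_DYNACL` block but both variables are used only inside it, so a build without SLAP_DYNACL gets unused-variable warnings; move the declaration under the guard. The `known_dynacl[]` table is never modified and could be `static slap_dynacl_t *const known_dynacl[]`, and the early `return rc;` leaves earlier entries registered on a mid-table failure, which matches the old aci_init() path but deserves a one-line comment. The removal of `aci_init()` as an external symbol leaves any prototype for it in the slapd headers (proto-slap.h, if one is declared there) untouched by this diff; it should be dropped alongside. The string_expand() definition at the end of the hunk continues outside it.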