*/
/*
* NOTE: styles "anonymous", "users" and "self"
- * have been moved to an enumeration, * whose value
- * is set in a_dn_style; however, the string
+ * have been moved to enum slap_style_t, whose
+ * value is set in a_dn_style; however, the string
* is maintaned in a_dn_pat.
*/
- if ( b->a_dn_style == ACL_STYLE_ANONYMOUS /* bvmatch( &b->a_dn_pat, &aci_bv_anonymous ) */ ) {
+ if ( b->a_dn_style == ACL_STYLE_ANONYMOUS ) {
if ( op->o_ndn.bv_len != 0 ) {
continue;
}
- } else if ( b->a_dn_style == ACL_STYLE_USERS /* bvmatch( &b->a_dn_pat, &aci_bv_users ) */ ) {
+ } else if ( b->a_dn_style == ACL_STYLE_USERS ) {
if ( op->o_ndn.bv_len == 0 ) {
continue;
}
- } else if ( b->a_dn_style == ACL_STYLE_SELF /* bvmatch( &b->a_dn_pat, &aci_bv_self ) */ ) {
+ } else if ( b->a_dn_style == ACL_STYLE_SELF ) {
if ( op->o_ndn.bv_len == 0 ) {
continue;
}
p.cookie = cookie;
+ op2.o_hdr = cp->op->o_hdr;
op2.o_tag = LDAP_REQ_SEARCH;
- op2.o_protocol = LDAP_VERSION3;
op2.o_ndn = op2.o_bd->be_rootndn;
op2.o_callback = &cb;
op2.o_time = slap_get_time();
op2.o_do_not_cache = 1;
op2.o_is_auth_check = 0;
- op2.o_threadctx = cp->op->o_threadctx;
- op2.o_tmpmemctx = cp->op->o_tmpmemctx;
- op2.o_tmpmfuncs = cp->op->o_tmpmfuncs;
-#ifdef LDAP_SLAPI
- op2.o_pb = cp->op->o_pb;
-#endif
- op2.o_conn = cp->op->o_conn;
- op2.o_connid = cp->op->o_connid;
ber_dupbv_x( &op2.o_req_dn, &op2.o_req_ndn, cp->op->o_tmpmemctx );
op2.ors_slimit = SLAP_NO_LIMIT;
op2.ors_tlimit = SLAP_NO_LIMIT;
op2.ors_attrs = anlistp;
op2.ors_attrsonly = 0;
- op2.o_sync_slog_size = -1;
cb.sc_private = &p;
oid # scope # action;rights;attr;rights;attr
$ action;rights;attr;rights;attr # type # subject
+ [NOTE: the following comment is very outdated,
+ as the draft version it refers to (Ando, 2004-11-20)].
+
See draft-ietf-ldapext-aci-model-04.txt section 9.1 for
a full description of the format for this attribute.
Differences: "this" in the draft is "self" here, and
"self" and "public" is in the position of type.
+ <scope> = {entry|children|subtree}
+ <type> = {public|users|access-id|subtree|onelevel|children|
+ self|dnattr|group|role|set|set-ref}
+
This routine now supports scope={ENTRY,CHILDREN}
with the semantics:
- ENTRY applies to "entry" and "subtree";
/* see if we have a public (i.e. anonymous) access */
if ( ber_bvstrcasecmp( &aci_bv_public, &type ) == 0 ) {
return 1;
-
}
/* otherwise require an identity */
return 0;
}
- /* note: this may fail if a DN contains a valid '#' (unescaped) */
+ /* see if we have a users access */
+ if ( ber_bvstrcasecmp( &aci_bv_users, &type ) == 0 ) {
+ return 1;
+ }
+
+ /* NOTE: this may fail if a DN contains a valid '#' (unescaped);
+ * just grab all the berval up to its end (ITS#3303).
+ * NOTE: the problem could be solved by providing the DN with
+ * the embedded '#' encoded as hexpairs: "cn=Foo#Bar" would
+ * become "cn=Foo\23Bar" and be safely used by aci_mask(). */
#if 0
if ( aci_get_part( aci, 4, '#', &sdn ) < 0 ) {
return 0;
return 0;
}
-#endif /* SLAPD_ACI_ENABLED */
-
#ifdef SLAP_DYNACL
static int
dynacl_aci_parse( const char *fname, int lineno, slap_style_t sty, const char *right, void **privp )
NULL
};
-int
-aci_init( void )
-{
- return slap_dynacl_register( &dynacl_aci );
-}
+#endif /* SLAP_DYNACL */
+
+#endif /* SLAPD_ACI_ENABLED */
+
+#ifdef SLAP_DYNACL
/*
* dynamic ACL infrastructure
int
acl_init( void )
{
+ int i, rc;
#ifdef SLAP_DYNACL
- int rc;
-
- da_list = NULL;
-
+ slap_dynacl_t *known_dynacl[] = {
#ifdef SLAPD_ACI_ENABLED
- rc = aci_init();
- if ( rc ) {
- return rc;
+ &dynacl_aci,
+#endif /* SLAPD_ACI_ENABLED */
+ NULL
+ };
+
+ for ( i = 0; known_dynacl[ i ]; i++ ) {
+ rc = slap_dynacl_register( known_dynacl[ i ] );
+ if ( rc ) {
+ return rc;
+ }
}
-#endif /* SLAPD_ACI_ENABLED */
#endif /* SLAP_DYNACL */
return 0;
}
-
static int
string_expand(
struct berval *bv,
projects / openldap / blobdiff