if ( b->a_dn_at != NULL && op->o_ndn != NULL ) {
Attribute *at;
struct berval bv;
- int match;
+ int rc, match = 0;
const char *text;
const char *desc = b->a_dn_at->ad_cname->bv_val;
/* see if asker is listed in dnattr */
for( at = attrs_find( e->e_attrs, b->a_dn_at );
- at == NULL;
- at = attrs_find( e->e_attrs->a_next, b->a_dn_at ) )
+ at != NULL;
+ at = attrs_find( at->a_next, b->a_dn_at ) )
{
if( value_find( b->a_dn_at, at->a_vals, &bv ) == 0 ) {
/* found it */
}
if( match ) {
- if ( b->a_dn_self && (val == NULL
- || value_match( &match, b->a_dn_at,
- b->a_dn_at->ad_type->sat_equality, val, &bv, &text ) )
- != LDAP_SUCCESS
- || match )
- {
- continue;
+ /* have a dnattr match. if this is a self clause then
+ * the target must also match the op dn.
+ */
+ if ( b->a_dn_self ) {
+ /* check if the target is an attribute. */
+ if ( val == NULL )
+ continue;
+ /* target is attribute, check if the attribute value
+ * is the op dn.
+ */
+ rc = value_match( &match, b->a_dn_at,
+ b->a_dn_at->ad_type->sat_equality,
+ val, &bv, &text );
+ /* on match error or no match, fail the ACL clause */
+ if (rc != LDAP_SUCCESS || match != 0 )
+ continue;
}
- } else if ( ! b->a_dn_self || val == NULL
- || value_match( &match, b->a_dn_at,
- b->a_dn_at->ad_type->sat_equality, val, &bv, &text )
- != LDAP_SUCCESS
- || match )
- {
- continue;
+ } else {
+ /* no dnattr match, check if this is a self clause */
+ if ( ! b->a_dn_self )
+ continue;
+ /* this is a self clause, check if the target is an
+ * attribute.
+ */
+ if ( val == NULL )
+ continue;
+ /* target is attribute, check if the attribute value
+ * is the op dn.
+ */
+ rc = value_match( &match, b->a_dn_at,
+ b->a_dn_at->ad_type->sat_equality,
+ val, &bv, &text );
+ /* on match error or no match, fail the ACL clause */
+ if (rc != LDAP_SUCCESS || match != 0 )
+ continue;
}
}
* the values in the attribute group
*/
/* see if asker is listed in dnattr */
- if ( b->a_group_style != ACL_STYLE_REGEX ) {
+ if ( b->a_group_style == ACL_STYLE_REGEX ) {
string_expand(buf, sizeof(buf), b->a_group_pat, e->e_ndn, matches);
if ( dn_normalize(buf) == NULL ) {
/* did not expand to a valid dn */
}
rc = 0;
+ grp_oc = oc_find( grpoc );
grpdn = (char *)ch_malloc(1024);
if (grp_oc != NULL && grp_ad != NULL && grpdn != NULL) {
} else if (aci_strbvcmp( "role", &bv ) == 0) {
if (aci_group_member(&sdn, SLAPD_ROLE_CLASS, SLAPD_ROLE_ATTR, be, e, op, matches))
return(1);
+
}
return(0);