DirectoryString syntaxes must have one or more octets to be valid.

[openldap] / servers / slapd / acl.c

diff --git a/servers/slapd/acl.c b/servers/slapd/acl.c
index d93d1c3ef48353a795c210b6118ce83ec9ebd293..fd40a97687db31fbd97d856b4ca4c7d642607ac3 100644 (file)
--- a/servers/slapd/acl.c
+++ b/servers/slapd/acl.c
@@ -532,7 +532,7 @@ acl_mask(
                if ( b->a_dn_at != NULL && op->o_ndn != NULL ) {
                        Attribute       *at;
                        struct berval   bv;
-                       int match;
+                       int rc, match = 0;
                        const char *text;
                        const char *desc = b->a_dn_at->ad_cname->bv_val;
 
@@ -544,8 +544,8 @@ acl_mask(
 
                        /* see if asker is listed in dnattr */
                        for( at = attrs_find( e->e_attrs, b->a_dn_at );
-                               at == NULL;
-                               at = attrs_find( e->e_attrs->a_next, b->a_dn_at ) )
+                               at != NULL;
+                               at = attrs_find( at->a_next, b->a_dn_at ) )
                        {
                                if( value_find( b->a_dn_at, at->a_vals, &bv ) == 0 ) {
                                        /* found it */
@@ -555,21 +555,41 @@ acl_mask(
                        }
 
                        if( match ) {
-                               if ( b->a_dn_self && (val == NULL
-                                       || value_match( &match, b->a_dn_at,
-                                               b->a_dn_at->ad_type->sat_equality, val, &bv, &text ) )
-                                               != LDAP_SUCCESS
-                                       || match )
-                               {
-                                       continue;
+                               /* have a dnattr match. if this is a self clause then
+                                * the target must also match the op dn.
+                                */
+                               if ( b->a_dn_self ) {
+                                       /* check if the target is an attribute. */
+                                       if ( val == NULL )
+                                               continue;
+                                       /* target is attribute, check if the attribute value
+                                        * is the op dn.
+                                        */
+                                       rc = value_match(       &match, b->a_dn_at,
+                                                                               b->a_dn_at->ad_type->sat_equality,
+                                                                               val, &bv, &text );
+                                       /* on match error or no match, fail the ACL clause */
+                                       if (rc != LDAP_SUCCESS || match != 0 )
+                                               continue;
                                }
-                       } else if ( ! b->a_dn_self || val == NULL
-                               || value_match( &match, b->a_dn_at,
-                                       b->a_dn_at->ad_type->sat_equality, val, &bv, &text )
-                                       != LDAP_SUCCESS
-                               || match )
-                       {
-                               continue;
+                       } else {
+                               /* no dnattr match, check if this is a self clause */
+                               if ( ! b->a_dn_self )
+                                       continue;
+                               /* this is a self clause, check if the target is an
+                                * attribute.
+                                */
+                               if ( val == NULL )
+                                       continue;
+                               /* target is attribute, check if the attribute value
+                                * is the op dn.
+                                */
+                               rc = value_match(       &match, b->a_dn_at,
+                                                                       b->a_dn_at->ad_type->sat_equality,
+                                                                       val, &bv, &text );
+                               /* on match error or no match, fail the ACL clause */
+                               if (rc != LDAP_SUCCESS || match != 0 )
+                                       continue;
                        }
                }
 
@@ -581,7 +601,7 @@ acl_mask(
                         * the values in the attribute group
                         */
                        /* see if asker is listed in dnattr */
-                       if ( b->a_group_style != ACL_STYLE_REGEX ) {
+                       if ( b->a_group_style == ACL_STYLE_REGEX ) {
                                string_expand(buf, sizeof(buf), b->a_group_pat, e->e_ndn, matches);
                                if ( dn_normalize(buf) == NULL ) {
                                        /* did not expand to a valid dn */
@@ -1109,6 +1129,7 @@ aci_group_member (
        }
        rc = 0;
 
+       grp_oc = oc_find( grpoc );
        grpdn = (char *)ch_malloc(1024);
 
        if (grp_oc != NULL && grp_ad != NULL && grpdn != NULL) {
@@ -1240,6 +1261,7 @@ aci_mask(
        } else if (aci_strbvcmp( "role", &bv ) == 0) {
                if (aci_group_member(&sdn, SLAPD_ROLE_CLASS, SLAPD_ROLE_ATTR, be, e, op, matches))
                        return(1);
+
        }
 
        return(0);