/* aclparse.c - routines to parse and check acl's */
/* $OpenLDAP$ */
/*
- * Copyright 1998-2002 The OpenLDAP Foundation, All Rights Reserved.
+ * Copyright 1998-2003 The OpenLDAP Foundation, All Rights Reserved.
* COPYING RESTRICTIONS APPLY, see COPYRIGHT file
*/
#include "slap.h"
#include "lber_pvt.h"
+#include "lutil.h"
static void split(char *line, int splitchar, char **left, char **right);
static void access_append(Access **l, Access *a);
} else if ( strcasecmp( style, "one" ) == 0 ) {
a->acl_dn_style = ACL_STYLE_ONE;
ber_str2bv( right, 0, 1, &a->acl_dn_pat );
- } else if ( strcasecmp( style, "subtree" ) == 0 ) {
+ } else if ( strcasecmp( style, "subtree" ) == 0 || strcasecmp( style, "sub" ) == 0 ) {
a->acl_dn_style = ACL_STYLE_SUBTREE;
ber_str2bv( right, 0, 1, &a->acl_dn_pat );
} else if ( strcasecmp( style, "children" ) == 0 ) {
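Review bot: The `"sub"` alias accepted here, and again in the by-clause chain a few hunks further down, is not mentioned in the usage text, which after this commit lists only `subtree` for `<dnstyle>`. Since that text already documents `exact (alias of base)`, the same treatment would keep the parser and the help in step: `"<dnstyle> ::= regex | base | exact (alias of base) | one | subtree | sub (alias of subtree) | children\n"`. The keyword-to-style chain is also written out twice (once setting `a->acl_dn_style`, once setting `sty`), so a shared static helper that maps the keyword to an `ACL_STYLE_*` value would stop the two access-control parsers from drifting apart. Both enclosing functions start and end outside the visible hunks.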
{
if ( a->acl_dn_style != ACL_STYLE_REGEX ) {
struct berval bv;
- rc = dnNormalize2( NULL, &a->acl_dn_pat, &bv);
+ rc = dnNormalize2( NULL, &a->acl_dn_pat, &bv, NULL);
if ( rc != LDAP_SUCCESS ) {
fprintf( stderr,
"%s: line %d: bad DN \"%s\"\n",
sty = ACL_STYLE_BASE;
} else if ( strcasecmp( style, "one" ) == 0 ) {
sty = ACL_STYLE_ONE;
- } else if ( strcasecmp( style, "subtree" ) == 0 ) {
+ } else if ( strcasecmp( style, "subtree" ) == 0 || strcasecmp( style, "sub" ) == 0 ) {
sty = ACL_STYLE_SUBTREE;
} else if ( strcasecmp( style, "children" ) == 0 ) {
sty = ACL_STYLE_CHILDREN;
}
if ( sty != ACL_STYLE_REGEX && expand == 0 ) {
- rc = dnNormalize2(NULL, &bv, &b->a_dn_pat);
+ rc = dnNormalize2(NULL, &bv, &b->a_dn_pat, NULL);
if ( rc != LDAP_SUCCESS ) {
fprintf( stderr,
"%s: line %d: bad DN \"%s\"\n",
acl_usage();
}
+ if( b->a_dn_at->ad_type->sat_equality == NULL )
+ {
+ fprintf( stderr,
+ "%s: line %d: dnattr \"%s\": "
+ "inappropriate matching (no EQUALITY)\n",
+ fname, lineno, right );
+ acl_usage();
+ }
+
continue;
}
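Review bot: The new `sat_equality == NULL` test dereferences `b->a_dn_at->ad_type` right after the `acl_usage()` call that closes the preceding error branch, so it is only safe if `acl_usage()` never returns; that function is outside the hunk, so this is inferred and worth confirming. The check also has no comment saying why a dnattr attribute without an EQUALITY rule is rejected at parse time; something like `/* dnattr values are matched against the requester's DN when the ACL is evaluated, which needs the attribute's EQUALITY rule */` would help, if that is indeed the reason. The brace style (`if( ... )` with `{` on its own line) differs from the `if ( ... ) {` form used in the surrounding lines. The enclosing by-clause loop starts and ends outside the hunk.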
b->a_group_pat = bv;
} else {
ber_str2bv( right, 0, 0, &bv );
- rc = dnNormalize2( NULL, &bv, &b->a_group_pat );
+ rc = dnNormalize2( NULL, &bv, &b->a_group_pat, NULL );
if ( rc != LDAP_SUCCESS ) {
fprintf( stderr,
"%s: line %d: bad DN \"%s\"\n",
if ( ACL_IS_LEVEL( mask ) ) {
if ( ACL_LVL_IS_NONE(mask) ) {
- ptr = slap_strcopy( ptr, "none" );
+ ptr = lutil_strcopy( ptr, "none" );
} else if ( ACL_LVL_IS_AUTH(mask) ) {
- ptr = slap_strcopy( ptr, "auth" );
+ ptr = lutil_strcopy( ptr, "auth" );
} else if ( ACL_LVL_IS_COMPARE(mask) ) {
- ptr = slap_strcopy( ptr, "compare" );
+ ptr = lutil_strcopy( ptr, "compare" );
} else if ( ACL_LVL_IS_SEARCH(mask) ) {
- ptr = slap_strcopy( ptr, "search" );
+ ptr = lutil_strcopy( ptr, "search" );
} else if ( ACL_LVL_IS_READ(mask) ) {
- ptr = slap_strcopy( ptr, "read" );
+ ptr = lutil_strcopy( ptr, "read" );
} else if ( ACL_LVL_IS_WRITE(mask) ) {
- ptr = slap_strcopy( ptr, "write" );
+ ptr = lutil_strcopy( ptr, "write" );
} else {
- ptr = slap_strcopy( ptr, "unknown" );
+ ptr = lutil_strcopy( ptr, "unknown" );
}
*ptr++ = '(';
"\t[aci=<attrname>]\n"
#endif
"\t[ssf=<n>] [transport_ssf=<n>] [tls_ssf=<n>] [sasl_ssf=<n>]\n"
- "<dnstyle> ::= regex | base | exact (alias of base) | one | sub | children\n"
+ "<dnstyle> ::= regex | base | exact (alias of base) | one | subtree | children\n"
"<style> ::= regex | base | exact (alias of base)\n"
"<groupflags> ::= R\n"
"<access> ::= [self]{<level>|<priv>}\n"