"users",
"self",
"ip",
+ "ipv6",
"path",
NULL
};
Debug( LDAP_DEBUG_ANY, "%s: line %d: "
"only one to clause allowed in access line\n",
fname, lineno, 0 );
- return acl_usage();
+ goto fail;
}
a = (AccessControl *) ch_calloc( 1, sizeof(AccessControl) );
for ( ++i; i < argc; i++ ) {
"%s: line %d: empty level "
"in \"level{n}\"\n",
fname, lineno, 0 );
- return acl_usage();
+ goto fail;
}
p[0] = '\0';
}
} else if ( strcasecmp( style, "ip" ) == 0 ) {
sty = ACL_STYLE_IP;
+ } else if ( strcasecmp( style, "ipv6" ) == 0 ) {
+#ifndef LDAP_PF_INET6
+ Debug( LDAP_DEBUG_ANY,
+ "%s: line %d: IPv6 not supported\n",
+ fname, lineno, 0 );
+#endif /* ! LDAP_PF_INET6 */
+ sty = ACL_STYLE_IPV6;
+
} else if ( strcasecmp( style, "path" ) == 0 ) {
sty = ACL_STYLE_PATH;
#ifndef LDAP_PF_LOCAL
{
int rc;
- struct berval vals[2];
+ ObjectClass *ocs[2];
- ber_str2bv( b->a_group_oc->soc_oid, 0, 0, &vals[0] );
- BER_BVZERO( &vals[1] );
+ ocs[0] = b->a_group_oc;
+ ocs[1] = NULL;
rc = oc_check_allowed( b->a_group_at->ad_type,
- vals, NULL );
+ ocs, NULL );
if( rc != 0 ) {
char buf[ SLAP_TEXT_BUFLEN ];
case ACL_STYLE_EXPAND:
/* cheap replacement to regex for simple expansion */
case ACL_STYLE_IP:
+ case ACL_STYLE_IPV6:
case ACL_STYLE_PATH:
/* legal, peername specific */
break;
goto fail;
}
}
+
+#ifdef LDAP_PF_INET6
+ } else if ( sty == ACL_STYLE_IPV6 ) {
+ char *addr = NULL,
+ *mask = NULL,
+ *port = NULL;
+
+ split( right, '{', &addr, &port );
+ split( addr, '%', &addr, &mask );
+
+ if ( inet_pton( AF_INET6, addr, &b->a_peername_addr6 ) != 1 ) {
+ /* illegal address */
+ Debug( LDAP_DEBUG_ANY, "%s: line %d: "
+ "illegal peername address \"%s\".\n",
+ fname, lineno, addr );
+ goto fail;
+ }
+
+ if ( mask == NULL ) {
+ mask = "FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF";
+ }
+
+ if ( inet_pton( AF_INET6, mask, &b->a_peername_mask6 ) != 1 ) {
+ /* illegal mask */
+ Debug( LDAP_DEBUG_ANY, "%s: line %d: "
+ "illegal peername address mask "
+ "\"%s\".\n",
+ fname, lineno, mask );
+ goto fail;
+ }
+
+ b->a_peername_port = -1;
+ if ( port ) {
+ char *end = NULL;
+
+ b->a_peername_port = strtol( port, &end, 10 );
+ if ( end == port || end[0] != '}' ) {
+ /* illegal port */
+ Debug( LDAP_DEBUG_ANY, "%s: line %d: "
+ "illegal peername port specification "
+ "\"{%s}\".\n",
+ fname, lineno, port );
+ goto fail;
+ }
+ }
+#endif /* LDAP_PF_INET6 */
}
}
continue;
/* out of arguments or plain stop */
ACL_PRIV_ASSIGN( b->a_access_mask, ACL_PRIV_ADDITIVE );
+ ACL_PRIV_SET( b->a_access_mask, ACL_PRIV_NONE);
b->a_type = ACL_STOP;
access_append( &a->acl_access, b );
/* plain continue */
ACL_PRIV_ASSIGN( b->a_access_mask, ACL_PRIV_ADDITIVE );
+ ACL_PRIV_SET( b->a_access_mask, ACL_PRIV_NONE);
b->a_type = ACL_CONTINUE;
access_append( &a->acl_access, b );
/* plain continue */
ACL_PRIV_ASSIGN(b->a_access_mask, ACL_PRIV_ADDITIVE);
+ ACL_PRIV_SET( b->a_access_mask, ACL_PRIV_NONE);
b->a_type = ACL_BREAK;
access_append( &a->acl_access, b );
/* we've gone too far */
--i;
ACL_PRIV_ASSIGN( b->a_access_mask, ACL_PRIV_ADDITIVE );
+ ACL_PRIV_SET( b->a_access_mask, ACL_PRIV_NONE);
b->a_type = ACL_STOP;
access_append( &a->acl_access, b );
}
/* get <access> */
- if ( strncasecmp( left, "self", STRLENOF( "self" ) ) == 0 ) {
- b->a_dn_self = 1;
- ACL_PRIV_ASSIGN( b->a_access_mask, str2accessmask( &left[ STRLENOF( "self" ) ] ) );
+ {
+ char *lleft = left;
- } else if ( strncasecmp( left, "realself", STRLENOF( "realself" ) ) == 0 ) {
- b->a_realdn_self = 1;
- ACL_PRIV_ASSIGN( b->a_access_mask, str2accessmask( &left[ STRLENOF( "realself" ) ] ) );
+ if ( strncasecmp( left, "self", STRLENOF( "self" ) ) == 0 ) {
+ b->a_dn_self = 1;
+ lleft = &left[ STRLENOF( "self" ) ];
- } else {
- ACL_PRIV_ASSIGN( b->a_access_mask, str2accessmask( left ) );
+ } else if ( strncasecmp( left, "realself", STRLENOF( "realself" ) ) == 0 ) {
+ b->a_realdn_self = 1;
+ lleft = &left[ STRLENOF( "realself" ) ];
+ }
+
+ ACL_PRIV_ASSIGN( b->a_access_mask, str2accessmask( lleft ) );
}
if ( ACL_IS_INVALID( b->a_access_mask ) ) {
} else if( TOLOWER((unsigned char) str[i]) == 'd' ) {
ACL_PRIV_SET(mask, ACL_PRIV_DISCLOSE);
- } else if( str[i] != '0' ) {
+ } else if( str[i] == '0' ) {
+ ACL_PRIV_SET(mask, ACL_PRIV_NONE);
+
+ } else {
ACL_INVALIDATE(mask);
return mask;
}
{
char *access =
"<access clause> ::= access to <what> "
- "[ by <who> <access> [ <control> ] ]+ \n";
+ "[ by <who> [ <access> ] [ <control> ] ]+ \n";
char *what =
- "<what> ::= * |
[dn[.<dnstyle>]=<DN>] [filter=<filter>] [attrs=<attrspec>]\n"
+ "<what> ::= * |
dn[.<dnstyle>=<DN>] [filter=<filter>] [attrs=<attrspec>]\n"
"<attrspec> ::= <attrname> [val[/<matchingRule>][.<attrstyle>]=<value>] | <attrlist>\n"
"<attrlist> ::= <attr> [ , <attrlist> ]\n"
"<attr> ::= <attrname> | @<objectClass> | !<objectClass> | entry | children\n";
"exact | regex\n"
"<attrstyle> ::= exact | regex | base(Object) | one(level) | "
"sub(tree) | children\n"
- "<peernamestyle> ::= exact | regex | ip | path\n"
+ "<peernamestyle> ::= exact | regex | ip | ipv6 | path\n"
"<domainstyle> ::= exact | regex | base(Object) | sub(tree)\n"
"<access> ::= [[real]self]{<level>|<priv>}\n"
"<level> ::= none|disclose|auth|compare|search|read|{write|add|delete}|manage\n"
return ACL_NONE;
} else if ( strcasecmp( str, "disclose" ) == 0 ) {
-#ifndef SLAP_ACL_HONOR_DISCLOSE
- Debug( LDAP_DEBUG_ACL, "str2access: warning, "
- "\"disclose\" privilege disabled.\n",
- 0, 0, 0 );
-#endif /* SLAP_ACL_HONOR_DISCLOSE */
return ACL_DISCLOSE;
} else if ( strcasecmp( str, "auth" ) == 0 ) {
projects / openldap / blobdiff