/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
- * Copyright 1998-2004 The OpenLDAP Foundation.
+ * Copyright 1998-2005 The OpenLDAP Foundation.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
"one",
"subtree",
"children",
+ "level",
"attrof",
+ "anonymous",
+ "users",
+ "self",
"ip",
"path",
NULL
static void print_access(Access *b);
#endif
-#ifdef LDAP_DEVEL
-static int
-check_scope( BackendDB *be, AccessControl *a );
-#endif /* LDAP_DEVEL */
+static int check_scope( BackendDB *be, AccessControl *a );
#ifdef SLAP_DYNACL
static int
regfree(&re);
}
-#ifdef LDAP_DEVEL
/*
* Experimental
*
dn = be->be_nsuffix[0];
+ if ( BER_BVISEMPTY( &dn ) ) {
+ return ACL_SCOPE_OK;
+ }
+
if ( !BER_BVISEMPTY( &a->acl_dn_pat ) ||
a->acl_dn_style != ACL_STYLE_REGEX )
{
return ACL_SCOPE_UNKNOWN;
}
-#endif /* LDAP_DEVEL */
void
parse_acl(
const char *fname,
int lineno,
int argc,
- char **argv
-)
+ char **argv )
{
int i;
char *left, *right, *style, *next;
a->acl_attrs[0].an_desc->ad_cname.bv_val );
a->acl_attrval_style = ACL_STYLE_BASE;
}
-
+
} else {
fprintf( stderr,
"%s: line %d: unknown val.<style> \"%s\" "
/* get <who> */
for ( ; i < argc; i++ ) {
- slap_style_t sty = ACL_STYLE_REGEX;
- char *style_modifier = NULL;
- int expand = 0;
+ slap_style_t sty = ACL_STYLE_REGEX;
+ char *style_modifier = NULL;
+ char *style_level = NULL;
+ int level = 0;
+ int expand = 0;
+ slap_dn_access *bdn = &b->a_dn;
+ int is_realdn = 0;
split( argv[i], '=', &left, &right );
split( left, '.', &left, &style );
if ( style ) {
- split( style, ',', &style, &style_modifier);
+ split( style, ',', &style, &style_modifier );
+
+ if ( strncasecmp( style, "level", STRLENOF( "level" ) ) == 0 ) {
+ split( style, '{', &style, &style_level );
+ if ( style_level != NULL ) {
+ char *p = strchr( style_level, '}' );
+ if ( p == NULL ) {
+ fprintf( stderr,
+ "%s: line %d: premature eol: "
+ "expecting closing '}' in \"level{n}\"\n",
+ fname, lineno );
+ acl_usage();
+ } else if ( p == style_level ) {
+ fprintf( stderr,
+ "%s: line %d: empty level "
+ "in \"level{n}\"\n",
+ fname, lineno );
+ acl_usage();
+ }
+ p[0] = '\0';
+ }
+ }
}
if ( style == NULL || *style == '\0' ||
} else if ( strcasecmp( style, "children" ) == 0 ) {
sty = ACL_STYLE_CHILDREN;
+ } else if ( strcasecmp( style, "level" ) == 0 )
+ {
+ char *next;
+
+ level = strtol( style_level, &next, 10 );
+ if ( next[0] != '\0' ) {
+ fprintf( stderr,
+ "%s: line %d: unable to parse level "
+ "in \"level{n}\"\n",
+ fname, lineno );
+ acl_usage();
+ }
+
+ sty = ACL_STYLE_LEVEL;
+
} else if ( strcasecmp( style, "regex" ) == 0 ) {
sty = ACL_STYLE_REGEX;
fname, lineno );
}
- if ( strcasecmp( argv[i], "*" ) == 0 ) {
+ if ( strncasecmp( left, "real", STRLENOF( "real" ) ) == 0 ) {
+ is_realdn = 1;
+ bdn = &b->a_realdn;
+ left += STRLENOF( "real" );
+ }
+
+ if ( strcasecmp( left, "*" ) == 0 ) {
+ if ( is_realdn ) {
+ acl_usage();
+ }
+
ber_str2bv( "*", STRLENOF( "*" ), 1, &bv );
sty = ACL_STYLE_REGEX;
- } else if ( strcasecmp( argv[i], "anonymous" ) == 0 ) {
+ } else if ( strcasecmp( left, "anonymous" ) == 0 ) {
ber_str2bv("anonymous", STRLENOF( "anonymous" ), 1, &bv);
sty = ACL_STYLE_ANONYMOUS;
- } else if ( strcasecmp( argv[i], "users" ) == 0 ) {
+ } else if ( strcasecmp( left, "users" ) == 0 ) {
ber_str2bv("users", STRLENOF( "users" ), 1, &bv);
sty = ACL_STYLE_USERS;
- } else if ( strcasecmp( argv[i], "self" ) == 0 ) {
+ } else if ( strcasecmp( left, "self" ) == 0 ) {
ber_str2bv("self", STRLENOF( "self" ), 1, &bv);
sty = ACL_STYLE_SELF;
} else if ( strcasecmp( left, "dn" ) == 0 ) {
if ( sty == ACL_STYLE_REGEX ) {
- b->a_dn_style = ACL_STYLE_REGEX;
+ bdn->a_style = ACL_STYLE_REGEX;
if ( right == NULL ) {
/* no '=' */
ber_str2bv("users",
STRLENOF( "users" ),
1, &bv);
- b->a_dn_style = ACL_STYLE_USERS;
+ bdn->a_style = ACL_STYLE_USERS;
} else if (*right == '\0' ) {
/* dn="" */
ber_str2bv("anonymous",
STRLENOF( "anonymous" ),
1, &bv);
- b->a_dn_style = ACL_STYLE_ANONYMOUS;
+ bdn->a_style = ACL_STYLE_ANONYMOUS;
} else if ( strcmp( right, "*" ) == 0 ) {
/* dn=* */
ber_str2bv("users",
STRLENOF( "users" ),
1, &bv);
- b->a_dn_style = ACL_STYLE_USERS;
+ bdn->a_style = ACL_STYLE_USERS;
} else if ( strcmp( right, ".+" ) == 0
|| strcmp( right, "^.+" ) == 0
ber_str2bv("users",
STRLENOF( "users" ),
1, &bv);
- b->a_dn_style = ACL_STYLE_USERS;
+ bdn->a_style = ACL_STYLE_USERS;
} else if ( strcmp( right, ".*" ) == 0
|| strcmp( right, "^.*" ) == 0
}
if ( !BER_BVISNULL( &bv ) ) {
- if ( !BER_BVISEMPTY( &b->a_dn_pat ) ) {
+ if ( !BER_BVISEMPTY( &bdn->a_pat ) ) {
fprintf( stderr,
"%s: line %d: dn pattern already specified.\n",
fname, lineno );
expand == 0 )
{
rc = dnNormalize(0, NULL, NULL,
- &bv, &b->a_dn_pat, NULL);
+ &bv, &bdn->a_pat, NULL);
if ( rc != LDAP_SUCCESS ) {
fprintf( stderr,
"%s: line %d: bad DN \"%s\" in by DN clause\n",
free( bv.bv_val );
} else {
- b->a_dn_pat = bv;
+ bdn->a_pat = bv;
+ }
+ bdn->a_style = sty;
+ bdn->a_expand = expand;
+ if ( sty == ACL_STYLE_SELF ) {
+ bdn->a_self_level = level;
+
+ } else {
+ if ( level < 0 ) {
+ fprintf( stderr,
+ "%s: line %d: bad negative level \"%d\" "
+ "in by DN clause\n",
+ fname, lineno, level );
+ acl_usage();
+ } else if ( level == 1 ) {
+ fprintf( stderr,
+ "%s: line %d: \"onelevel\" should be used "
+ "instead of \"level{1}\" in by DN clause\n",
+ fname, lineno, 0 );
+ } else if ( level == 0 && sty == ACL_STYLE_LEVEL ) {
+ fprintf( stderr,
+ "%s: line %d: \"base\" should be used "
+ "instead of \"level{0}\" in by DN clause\n",
+ fname, lineno, 0 );
+ }
+
+ bdn->a_level = level;
}
- b->a_dn_style = sty;
- b->a_dn_expand = expand;
continue;
}
acl_usage();
}
- if( b->a_dn_at != NULL ) {
+ if( bdn->a_at != NULL ) {
fprintf( stderr,
"%s: line %d: dnattr already specified.\n",
fname, lineno );
acl_usage();
}
- rc = slap_str2ad( right, &b->a_dn_at, &text );
+ rc = slap_str2ad( right, &bdn->a_at, &text );
if( rc != LDAP_SUCCESS ) {
fprintf( stderr,
}
- if( !is_at_syntax( b->a_dn_at->ad_type,
+ if( !is_at_syntax( bdn->a_at->ad_type,
SLAPD_DN_SYNTAX ) &&
- !is_at_syntax( b->a_dn_at->ad_type,
+ !is_at_syntax( bdn->a_at->ad_type,
SLAPD_NAMEUID_SYNTAX ))
{
fprintf( stderr,
"%s: line %d: dnattr \"%s\": "
"inappropriate syntax: %s\n",
fname, lineno, right,
- b->a_dn_at->ad_type->sat_syntax_oid );
+ bdn->a_at->ad_type->sat_syntax_oid );
acl_usage();
}
- if( b->a_dn_at->ad_type->sat_equality == NULL ) {
+ if( bdn->a_at->ad_type->sat_equality == NULL ) {
fprintf( stderr,
"%s: line %d: dnattr \"%s\": "
"inappropriate matching (no EQUALITY)\n",
acl_usage();
}
- if ( BER_BVISEMPTY( &b->a_peername_pat ) ) {
+ if ( !BER_BVISEMPTY( &b->a_peername_pat ) ) {
fprintf( stderr, "%s: line %d: "
"peername pattern already specified.\n",
fname, lineno );
}
/* get <access> */
- if ( strncasecmp( left, "self", 4 ) == 0 ) {
+ if ( strncasecmp( left, "self", STRLENOF( "self" ) ) == 0 ) {
b->a_dn_self = 1;
- ACL_PRIV_ASSIGN( b->a_access_mask, str2accessmask( &left[4] ) );
+ ACL_PRIV_ASSIGN( b->a_access_mask, str2accessmask( &left[ STRLENOF( "self" ) ] ) );
+
+ } else if ( strncasecmp( left, "realself", STRLENOF( "realself" ) ) == 0 ) {
+ b->a_realdn_self = 1;
+ ACL_PRIV_ASSIGN( b->a_access_mask, str2accessmask( &left[ STRLENOF( "realself" ) ] ) );
} else {
ACL_PRIV_ASSIGN( b->a_access_mask, str2accessmask( left ) );
}
if ( be != NULL ) {
-#ifdef LDAP_DEVEL
if ( !BER_BVISNULL( &be->be_nsuffix[ 1 ] ) ) {
fprintf( stderr, "%s: line %d: warning: "
"scope checking only applies to single-valued "
default:
break;
}
-#endif /* LDAP_DEVEL */
acl_append( &be->be_acl, a );
} else {
}
char *
-accessmask2str( slap_mask_t mask, char *buf )
+accessmask2str( slap_mask_t mask, char *buf, int debug )
{
int none = 1;
char *ptr = buf;
if ( ACL_LVL_IS_NONE(mask) ) {
ptr = lutil_strcopy( ptr, "none" );
+ } else if ( ACL_LVL_IS_DISCLOSE(mask) ) {
+ ptr = lutil_strcopy( ptr, "disclose" );
+
} else if ( ACL_LVL_IS_AUTH(mask) ) {
ptr = lutil_strcopy( ptr, "auth" );
} else if ( ACL_LVL_IS_WRITE(mask) ) {
ptr = lutil_strcopy( ptr, "write" );
+
+ } else if ( ACL_LVL_IS_WADD(mask) ) {
+ ptr = lutil_strcopy( ptr, "add" );
+
+ } else if ( ACL_LVL_IS_WDEL(mask) ) {
+ ptr = lutil_strcopy( ptr, "delete" );
+
+ } else if ( ACL_LVL_IS_MANAGE(mask) ) {
+ ptr = lutil_strcopy( ptr, "manage" );
+
} else {
ptr = lutil_strcopy( ptr, "unknown" );
}
+ if ( !debug ) {
+ *ptr = '\0';
+ return buf;
+ }
*ptr++ = '(';
}
*ptr++ = '=';
}
+ if ( ACL_PRIV_ISSET(mask, ACL_PRIV_MANAGE) ) {
+ none = 0;
+ *ptr++ = 'm';
+ }
+
if ( ACL_PRIV_ISSET(mask, ACL_PRIV_WRITE) ) {
none = 0;
*ptr++ = 'w';
}
+ if ( ACL_PRIV_ISSET(mask, ACL_PRIV_WADD) ) {
+ none = 0;
+ *ptr++ = 'a';
+ }
+
+ if ( ACL_PRIV_ISSET(mask, ACL_PRIV_WDEL) ) {
+ none = 0;
+ *ptr++ = 'z';
+ }
+
if ( ACL_PRIV_ISSET(mask, ACL_PRIV_READ) ) {
none = 0;
*ptr++ = 'r';
*ptr++ = 'x';
}
+ if ( ACL_PRIV_ISSET(mask, ACL_PRIV_DISCLOSE) ) {
+ none = 0;
+ *ptr++ = 'd';
+ }
+
if ( none && ACL_PRIV_ISSET(mask, ACL_PRIV_NONE) ) {
none = 0;
- *ptr++ = 'n';
+ *ptr++ = '0';
}
if ( none ) {
- *ptr++ = '0';
+ ptr = buf;
}
if ( ACL_IS_LEVEL( mask ) ) {
}
for( i=1; str[i] != '\0'; i++ ) {
- if( TOLOWER((unsigned char) str[i]) == 'w' ) {
+ if( TOLOWER((unsigned char) str[i]) == 'm' ) {
+ ACL_PRIV_SET(mask, ACL_PRIV_MANAGE);
+
+ } else if( TOLOWER((unsigned char) str[i]) == 'w' ) {
ACL_PRIV_SET(mask, ACL_PRIV_WRITE);
+ } else if( TOLOWER((unsigned char) str[i]) == 'a' ) {
+ ACL_PRIV_SET(mask, ACL_PRIV_WADD);
+
+ } else if( TOLOWER((unsigned char) str[i]) == 'z' ) {
+ ACL_PRIV_SET(mask, ACL_PRIV_WDEL);
+
} else if( TOLOWER((unsigned char) str[i]) == 'r' ) {
ACL_PRIV_SET(mask, ACL_PRIV_READ);
} else if( TOLOWER((unsigned char) str[i]) == 'x' ) {
ACL_PRIV_SET(mask, ACL_PRIV_AUTH);
+ } else if( TOLOWER((unsigned char) str[i]) == 'd' ) {
+ ACL_PRIV_SET(mask, ACL_PRIV_DISCLOSE);
+
} else if( str[i] != '0' ) {
ACL_INVALIDATE(mask);
return mask;
if ( strcasecmp( str, "none" ) == 0 ) {
ACL_LVL_ASSIGN_NONE(mask);
+ } else if ( strcasecmp( str, "disclose" ) == 0 ) {
+ ACL_LVL_ASSIGN_DISCLOSE(mask);
+
} else if ( strcasecmp( str, "auth" ) == 0 ) {
ACL_LVL_ASSIGN_AUTH(mask);
} else if ( strcasecmp( str, "read" ) == 0 ) {
ACL_LVL_ASSIGN_READ(mask);
+ } else if ( strcasecmp( str, "add" ) == 0 ) {
+ ACL_LVL_ASSIGN_WADD(mask);
+
+ } else if ( strcasecmp( str, "delete" ) == 0 ) {
+ ACL_LVL_ASSIGN_WDEL(mask);
+
} else if ( strcasecmp( str, "write" ) == 0 ) {
ACL_LVL_ASSIGN_WRITE(mask);
+ } else if ( strcasecmp( str, "manage" ) == 0 ) {
+ ACL_LVL_ASSIGN_MANAGE(mask);
+
} else {
ACL_INVALIDATE( mask );
}
"<access clause> ::= access to <what> "
"[ by <who> <access> [ <control> ] ]+ \n"
"<what> ::= * | [dn[.<dnstyle>]=<DN>] [filter=<filter>] [attrs=<attrlist>]\n"
- "<attrlist> ::= <attr> [val[.<style>]=<value>] | <attr> , <attrlist>\n"
+ "<attrlist> ::= <attr> [val[.<attrstyle>]=<value>] | <attr> , <attrlist>\n"
"<attr> ::= <attrname> | entry | children\n",
"<who> ::= [ * | anonymous | users | self | dn[.<dnstyle>]=<DN> ]\n"
+ "\t[ realanonymous | realusers | realself | realdn[.<dnstyle>]=<DN> ]\n"
"\t[dnattr=<attrname>]\n"
+ "\t[realdnattr=<attrname>]\n"
"\t[group[/<objectclass>[/<attrname>]][.<style>]=<group>]\n"
"\t[peername[.<peernamestyle>]=<peer>] [sockname[.<style>]=<name>]\n"
"\t[domain[.<domainstyle>]=<domain>] [sockurl[.<style>]=<url>]\n"
#ifdef SLAPD_ACI_ENABLED
- "\t[aci=<attrname>]\n"
+ "\t[aci=[<attrname>]]\n"
#endif
+#ifdef SLAP_DYNACL
+ "\t[dynacl/<name>[.<dynstyle>][=<pattern>]]\n"
+#endif /* SLAP_DYNACL */
"\t[ssf=<n>] [transport_ssf=<n>] [tls_ssf=<n>] [sasl_ssf=<n>]\n",
+ "<style> ::= exact | regex | base(Object)\n"
"<dnstyle> ::= base(Object) | one(level) | sub(tree) | children | "
"exact | regex\n"
- "<style> ::= exact | regex | base(Object)\n"
+ "<attrstyle> ::= exact | regex | base(Object) | one(level) | "
+ "sub(tree) | children\n"
"<peernamestyle> ::= exact | regex | ip | path\n"
"<domainstyle> ::= exact | regex | base(Object) | sub(tree)\n"
- "<access> ::= [self]{<level>|<priv>}\n"
- "<level> ::= none | auth | compare | search | read | write\n"
- "<priv> ::= {=|+|-}{w|r|s|c|x|0}+\n"
+ "<access> ::= [[real]self]{<level>|<priv>}\n"
+ "<level> ::= none|disclose|auth|compare|search|read|{write|add|delete}|manage\n"
+ "<priv> ::= {=|+|-}{0|d|x|c|s|r|{w|a|z}|m}+\n"
"<control> ::= [ stop | continue | break ]\n"
);
exit( EXIT_FAILURE );
if ( !BER_BVISNULL( &a->a_dn_pat ) ) {
free( a->a_dn_pat.bv_val );
}
+ if ( !BER_BVISNULL( &a->a_realdn_pat ) ) {
+ free( a->a_realdn_pat.bv_val );
+ }
if ( !BER_BVISNULL( &a->a_peername_pat ) ) {
free( a->a_peername_pat.bv_val );
}
if ( access == ACL_NONE ) {
return "none";
+ } else if ( access == ACL_DISCLOSE ) {
+ return "disclose";
+
} else if ( access == ACL_AUTH ) {
return "auth";
} else if ( access == ACL_WRITE ) {
return "write";
+
+ } else if ( access == ACL_WADD ) {
+ return "add";
+
+ } else if ( access == ACL_WDEL ) {
+ return "delete";
+
+ } else if ( access == ACL_MANAGE ) {
+ return "manage";
+
}
return "unknown";
if ( strcasecmp( str, "none" ) == 0 ) {
return ACL_NONE;
+ } else if ( strcasecmp( str, "disclose" ) == 0 ) {
+ return ACL_DISCLOSE;
+
} else if ( strcasecmp( str, "auth" ) == 0 ) {
return ACL_AUTH;
} else if ( strcasecmp( str, "write" ) == 0 ) {
return ACL_WRITE;
+
+ } else if ( strcasecmp( str, "add" ) == 0 ) {
+ return ACL_WADD;
+
+ } else if ( strcasecmp( str, "delete" ) == 0 ) {
+ return ACL_WDEL;
+
+ } else if ( strcasecmp( str, "manage" ) == 0 ) {
+ return ACL_MANAGE;
}
return( ACL_INVALID_ACCESS );
}
-#ifdef LDAP_DEBUG
+#define ACLBUF_MAXLEN 8192
-static void
-print_access( Access *b )
+static char aclbuf[ACLBUF_MAXLEN];
+
+static char *
+dnaccess2text( slap_dn_access *bdn, char *ptr, int is_realdn )
{
- char maskbuf[ACCESSMASK_MAXLEN];
+ *ptr++ = ' ';
+
+ if ( is_realdn ) {
+ ptr = lutil_strcopy( ptr, "real" );
+ }
- fprintf( stderr, "\tby" );
+ if ( ber_bvccmp( &bdn->a_pat, '*' ) ||
+ bdn->a_style == ACL_STYLE_ANONYMOUS ||
+ bdn->a_style == ACL_STYLE_USERS ||
+ bdn->a_style == ACL_STYLE_SELF )
+ {
+ if ( is_realdn ) {
+ assert( ! ber_bvccmp( &bdn->a_pat, '*' ) );
+ }
+
+ ptr = lutil_strcopy( ptr, bdn->a_pat.bv_val );
+ if ( bdn->a_style == ACL_STYLE_SELF && bdn->a_self_level != 0 ) {
+ int n = sprintf( ptr, ".level{%d}", bdn->a_self_level );
+ if ( n > 0 ) {
+ ptr += n;
+ } /* else ? */
+ }
- if ( !BER_BVISEMPTY( &b->a_dn_pat ) ) {
- if ( ber_bvccmp( &b->a_dn_pat, '*' ) ||
- b->a_dn_style == ACL_STYLE_ANONYMOUS /* strcmp( b->a_dn_pat.bv_val, "anonymous" ) == 0 */ ||
- b->a_dn_style == ACL_STYLE_USERS /* strcmp( b->a_dn_pat.bv_val, "users" ) == 0 */ ||
- b->a_dn_style == ACL_STYLE_SELF /* strcmp( b->a_dn_pat.bv_val, "self" ) == 0 */ )
- {
- fprintf( stderr, " %s", b->a_dn_pat.bv_val );
+ } else {
+ ptr = lutil_strcopy( ptr, "dn." );
+ ptr = lutil_strcopy( ptr, style_strings[bdn->a_style] );
+ if ( bdn->a_style == ACL_STYLE_LEVEL ) {
+ int n = sprintf( ptr, "{%d}", bdn->a_level );
+ if ( n > 0 ) {
+ ptr += n;
+ } /* else ? */
+ }
+ if ( bdn->a_expand ) {
+ ptr = lutil_strcopy( ptr, ",expand" );
+ }
+ *ptr++ = '=';
+ *ptr++ = '"';
+ ptr = lutil_strcopy( ptr, bdn->a_pat.bv_val );
+ *ptr++ = '"';
+ }
- } else {
- fprintf( stderr, " dn.%s=\"%s\"",
- style_strings[b->a_dn_style], b->a_dn_pat.bv_val );
+ if ( bdn->a_at != NULL ) {
+ *ptr++ = ' ';
+ if ( is_realdn ) {
+ ptr = lutil_strcopy( ptr, "real" );
}
+ ptr = lutil_strcopy( ptr, "dnattr=" );
+ ptr = lutil_strcopy( ptr, bdn->a_at->ad_cname.bv_val );
+ }
+
+ return ptr;
+}
+
+static char *
+access2text( Access *b, char *ptr )
+{
+ char maskbuf[ACCESSMASK_MAXLEN];
+
+ ptr = lutil_strcopy( ptr, "\tby" );
+
+ if ( !BER_BVISEMPTY( &b->a_dn_pat ) ) {
+ ptr = dnaccess2text( &b->a_dn, ptr, 0 );
}
- if ( b->a_dn_at != NULL ) {
- fprintf( stderr, " dnattr=%s", b->a_dn_at->ad_cname.bv_val );
+ if ( !BER_BVISEMPTY( &b->a_realdn_pat ) ) {
+ ptr = dnaccess2text( &b->a_realdn, ptr, 1 );
}
if ( !BER_BVISEMPTY( &b->a_group_pat ) ) {
- fprintf( stderr, " group/%s/%s.%s=\"%s\"",
- b->a_group_oc ? b->a_group_oc->soc_cname.bv_val : "groupOfNames",
- b->a_group_at ? b->a_group_at->ad_cname.bv_val : "member",
- style_strings[b->a_group_style],
- b->a_group_pat.bv_val );
+ ptr = lutil_strcopy( ptr, " group/" );
+ ptr = lutil_strcopy( ptr, b->a_group_oc ?
+ b->a_group_oc->soc_cname.bv_val : "groupOfNames" );
+ *ptr++ = '/';
+ ptr = lutil_strcopy( ptr, b->a_group_at ?
+ b->a_group_at->ad_cname.bv_val : "member" );
+ *ptr++ = '.';
+ ptr = lutil_strcopy( ptr, style_strings[b->a_group_style] );
+ *ptr++ = '=';
+ *ptr++ = '"';
+ ptr = lutil_strcopy( ptr, b->a_group_pat.bv_val );
+ *ptr++ = '"';
}
if ( !BER_BVISEMPTY( &b->a_peername_pat ) ) {
- fprintf( stderr, " peername=\"%s\"", b->a_peername_pat.bv_val );
+ ptr = lutil_strcopy( ptr, " peername=\"" );
+ ptr = lutil_strcopy( ptr, b->a_peername_pat.bv_val );
+ *ptr++ = '"';
}
if ( !BER_BVISEMPTY( &b->a_sockname_pat ) ) {
- fprintf( stderr, " sockname=\"%s\"", b->a_sockname_pat.bv_val );
+ ptr = lutil_strcopy( ptr, " sockname=\"" );
+ ptr = lutil_strcopy( ptr, b->a_sockname_pat.bv_val );
+ *ptr++ = '"';
}
if ( !BER_BVISEMPTY( &b->a_domain_pat ) ) {
- fprintf( stderr, " domain=%s", b->a_domain_pat.bv_val );
+ ptr = lutil_strcopy( ptr, " domain=" );
+ ptr = lutil_strcopy( ptr, b->a_domain_pat.bv_val );
}
if ( !BER_BVISEMPTY( &b->a_sockurl_pat ) ) {
- fprintf( stderr, " sockurl=\"%s\"", b->a_sockurl_pat.bv_val );
+ ptr = lutil_strcopy( ptr, " sockurl=\"" );
+ ptr = lutil_strcopy( ptr, b->a_sockurl_pat.bv_val );
+ *ptr++ = '"';
}
if ( !BER_BVISEMPTY( &b->a_set_pat ) ) {
- fprintf( stderr, " set=\"%s\"", b->a_set_pat.bv_val );
+ ptr = lutil_strcopy( ptr, " set=\"" );
+ ptr = lutil_strcopy( ptr, b->a_set_pat.bv_val );
+ *ptr++ = '"';
}
#ifdef SLAP_DYNACL
slap_dynacl_t *da;
for ( da = b->a_dynacl; da; da = da->da_next ) {
- if ( da->da_print ) {
- (void)( *da->da_print )( da->da_private );
+ if ( da->da_unparse ) {
+ struct berval bv;
+ (void)( *da->da_unparse )( da->da_private, &bv );
+ ptr = lutil_strcopy( ptr, bv.bv_val );
+ ch_free( bv.bv_val );
}
}
}
#else /* ! SLAP_DYNACL */
#ifdef SLAPD_ACI_ENABLED
if ( b->a_aci_at != NULL ) {
- fprintf( stderr, " aci=%s", b->a_aci_at->ad_cname.bv_val );
+ ptr = lutil_strcopy( ptr, " aci=" );
+ ptr = lutil_strcopy( ptr, b->a_aci_at->ad_cname.bv_val );
}
#endif
#endif /* SLAP_DYNACL */
/* Security Strength Factors */
if ( b->a_authz.sai_ssf ) {
- fprintf( stderr, " ssf=%u",
+ ptr += sprintf( ptr, " ssf=%u",
b->a_authz.sai_ssf );
}
if ( b->a_authz.sai_transport_ssf ) {
- fprintf( stderr, " transport_ssf=%u",
+ ptr += sprintf( ptr, " transport_ssf=%u",
b->a_authz.sai_transport_ssf );
}
if ( b->a_authz.sai_tls_ssf ) {
- fprintf( stderr, " tls_ssf=%u",
+ ptr += sprintf( ptr, " tls_ssf=%u",
b->a_authz.sai_tls_ssf );
}
if ( b->a_authz.sai_sasl_ssf ) {
- fprintf( stderr, " sasl_ssf=%u",
+ ptr += sprintf( ptr, " sasl_ssf=%u",
b->a_authz.sai_sasl_ssf );
}
- fprintf( stderr, " %s%s",
- b->a_dn_self ? "self" : "",
- accessmask2str( b->a_access_mask, maskbuf ) );
+ *ptr++ = ' ';
+ if ( b->a_dn_self ) {
+ ptr = lutil_strcopy( ptr, "self" );
+ } else if ( b->a_realdn_self ) {
+ ptr = lutil_strcopy( ptr, "realself" );
+ }
+ ptr = lutil_strcopy( ptr, accessmask2str( b->a_access_mask, maskbuf, 0 ));
+ if ( !maskbuf[0] ) ptr--;
if( b->a_type == ACL_BREAK ) {
- fprintf( stderr, " break" );
+ ptr = lutil_strcopy( ptr, " break" );
} else if( b->a_type == ACL_CONTINUE ) {
- fprintf( stderr, " continue" );
+ ptr = lutil_strcopy( ptr, " continue" );
} else if( b->a_type != ACL_STOP ) {
- fprintf( stderr, " unknown-control" );
+ ptr = lutil_strcopy( ptr, " unknown-control" );
+ } else {
+ if ( !maskbuf[0] ) ptr = lutil_strcopy( ptr, " stop" );
}
+ *ptr++ = '\n';
- fprintf( stderr, "\n" );
+ return ptr;
}
-
-static void
-print_acl( Backend *be, AccessControl *a )
+void
+acl_unparse( AccessControl *a, struct berval *bv )
{
+ Access *b;
+ char *ptr;
int to = 0;
- Access *b;
+ struct berval abv;
- fprintf( stderr, "%s ACL: access to",
- be == NULL ? "Global" : "Backend" );
+ bv->bv_val = aclbuf;
+ bv->bv_len = 0;
- if ( !BER_BVISEMPTY( &a->acl_dn_pat ) ) {
+ ptr = bv->bv_val;
+
+ ptr = lutil_strcopy( ptr, "to" );
+ if ( !BER_BVISNULL( &a->acl_dn_pat ) ) {
to++;
- fprintf( stderr, " dn.%s=\"%s\"\n",
- style_strings[a->acl_dn_style], a->acl_dn_pat.bv_val );
+ ptr = lutil_strcopy( ptr, " dn." );
+ ptr = lutil_strcopy( ptr, style_strings[a->acl_dn_style] );
+ *ptr++ = '=';
+ *ptr++ = '"';
+ ptr = lutil_strcopy( ptr, a->acl_dn_pat.bv_val );
+ ptr = lutil_strcopy( ptr, "\"\n" );
}
if ( a->acl_filter != NULL ) {
to++;
filter2bv( a->acl_filter, &bv );
- fprintf( stderr, " filter=%s\n", bv.bv_val );
+ ptr = lutil_strcopy( ptr, " filter=\"" );
+ ptr = lutil_strcopy( ptr, bv.bv_val );
+ *ptr++ = '"';
+ *ptr++ = '\n';
ch_free( bv.bv_val );
}
AttributeName *an;
to++;
- fprintf( stderr, " attrs=" );
+ ptr = lutil_strcopy( ptr, " attrs=" );
for ( an = a->acl_attrs; an && !BER_BVISNULL( &an->an_name ); an++ ) {
- if ( ! first ) fprintf( stderr, "," );
+ if ( ! first ) *ptr++ = ',';
if (an->an_oc) {
- fputc( an->an_oc_exclude ? '!' : '@', stderr);
+ *ptr++ = an->an_oc_exclude ? '!' : '@';
+ ptr = lutil_strcopy( ptr, an->an_oc->soc_cname.bv_val );
+
+ } else {
+ ptr = lutil_strcopy( ptr, an->an_name.bv_val );
}
- fputs( an->an_name.bv_val, stderr );
first = 0;
}
- fprintf( stderr, "\n" );
+ *ptr++ = '\n';
}
if ( !BER_BVISEMPTY( &a->acl_attrval ) ) {
to++;
- fprintf( stderr, " val.%s=\"%s\"\n",
- style_strings[a->acl_attrval_style], a->acl_attrval.bv_val );
-
+ ptr = lutil_strcopy( ptr, " val." );
+ ptr = lutil_strcopy( ptr, style_strings[a->acl_attrval_style] );
+ *ptr++ = '=';
+ *ptr++ = '"';
+ ptr = lutil_strcopy( ptr, a->acl_attrval.bv_val );
+ *ptr++ = '"';
+ *ptr++ = '\n';
}
- if( !to ) fprintf( stderr, " *\n" );
+ if( !to ) {
+ ptr = lutil_strcopy( ptr, " *\n" );
+ }
for ( b = a->acl_access; b != NULL; b = b->a_next ) {
- print_access( b );
+ ptr = access2text( b, ptr );
}
+ *ptr = '\0';
+ bv->bv_len = ptr - bv->bv_val;
+}
+
+#ifdef LDAP_DEBUG
+
+static void
+print_acl( Backend *be, AccessControl *a )
+{
+ int to = 0;
+ Access *b;
+ struct berval bv;
- fprintf( stderr, "\n" );
+ acl_unparse( a, &bv );
+ fprintf( stderr, "%s ACL: access %s\n",
+ be == NULL ? "Global" : "Backend", bv.bv_val );
}
#endif /* LDAP_DEBUG */