static void split(char *line, int splitchar, char **left, char **right);
static void access_append(Access **l, Access *a);
+static void access_free( Access *a );
static int acl_usage(void);
static void acl_regex_normalized_dn(const char *src, struct berval *pat);
int i;
char *left, *right, *style;
struct berval bv;
- AccessControl *a;
- Access *b;
+ AccessControl *a = NULL;
+ Access *b = NULL;
int rc;
const char *text;
- a = NULL;
for ( i = 1; i < argc; i++ ) {
/* to clause - select which entries are protected */
if ( strcasecmp( argv[i], "to" ) == 0 ) {
Debug( LDAP_DEBUG_ANY, "%s: line %d: "
"only one to clause allowed in access line\n",
fname, lineno, 0 );
- return acl_usage();
+ goto fail;
}
a = (AccessControl *) ch_calloc( 1, sizeof(AccessControl) );
for ( ++i; i < argc; i++ ) {
"%s: line %d: dn pattern"
" already specified in to clause.\n",
fname, lineno, 0 );
- return acl_usage();
+ goto fail;
}
ber_str2bv( "*", STRLENOF( "*" ), 1, &a->acl_dn_pat );
Debug( LDAP_DEBUG_ANY, "%s: line %d: "
"missing \"=\" in \"%s\" in to clause\n",
fname, lineno, left );
- return acl_usage();
+ goto fail;
}
if ( strcasecmp( left, "dn" ) == 0 ) {
"%s: line %d: dn pattern"
" already specified in to clause.\n",
fname, lineno, 0 );
- return acl_usage();
+ goto fail;
}
if ( style == NULL || *style == '\0' ||
Debug( LDAP_DEBUG_ANY, "%s: line %d: "
"unknown dn style \"%s\" in to clause\n",
fname, lineno, style );
- return acl_usage();
+ goto fail;
}
continue;
Debug( LDAP_DEBUG_ANY,
"%s: line %d: bad filter \"%s\" in to clause\n",
fname, lineno, right );
- return acl_usage();
+ goto fail;
}
} else if ( strcasecmp( left, "attr" ) == 0 /* TOLERATED */
Debug( LDAP_DEBUG_ANY,
"%s: line %d: unknown attr \"%s\" in to clause\n",
fname, lineno, right );
- return acl_usage();
+ goto fail;
}
} else if ( strncasecmp( left, "val", 3 ) == 0 ) {
Debug( LDAP_DEBUG_ANY,
"%s: line %d: attr val already specified in to clause.\n",
fname, lineno, 0 );
- return acl_usage();
+ goto fail;
}
if ( a->acl_attrs == NULL || !BER_BVISEMPTY( &a->acl_attrs[1].an_name ) )
{
Debug( LDAP_DEBUG_ANY,
"%s: line %d: attr val requires a single attribute.\n",
fname, lineno, 0 );
- return acl_usage();
+ goto fail;
}
ber_str2bv( right, 0, 0, &bv );
Debug( LDAP_DEBUG_ANY, "%s: line %d: "
"invalid matching rule \"%s\".\n",
fname, lineno, mr );
- return acl_usage();
+ goto fail;
}
if( !mr_usable_with_at( a->acl_attrval_mr, a->acl_attrs[ 0 ].an_desc->ad_type ) )
Debug( LDAP_DEBUG_ANY, "%s: line %d: %s\n",
fname, lineno, buf );
- return acl_usage();
+ goto fail;
}
}
Debug( LDAP_DEBUG_ANY, "%s: line %d: %s\n",
fname, lineno, buf );
- return acl_usage();
+ goto fail;
}
a->acl_attrval_style = ACL_STYLE_REGEX;
} else {
char buf[ SLAP_TEXT_BUFLEN ];
- /* FIXME: should be an error */
-
snprintf( buf, sizeof( buf ),
- "unknown val.<style> \"%s\" "
- "for attributeType \"%s\" with DN syntax"
-#ifndef SLAPD_CONF_UNKNOWN_BAILOUT
- "; using \"base\""
-#endif /* ! SLAPD_CONF_UNKNOWN_BAILOUT */
- SLAPD_CONF_UNKNOWN_IGNORED ".",
+ "unknown val.<style> \"%s\" for attributeType \"%s\" "
+ "with DN syntax.",
style,
a->acl_attrs[0].an_desc->ad_cname.bv_val );
Debug( LDAP_DEBUG_CONFIG | LDAP_DEBUG_ACL,
"%s: line %d: %s\n",
fname, lineno, buf );
-#ifdef SLAPD_CONF_UNKNOWN_BAILOUT
- return acl_usage();
-#endif /* SLAPD_CONF_UNKNOWN_BAILOUT */
- a->acl_attrval_style = ACL_STYLE_BASE;
+ goto fail;
}
rc = dnNormalize( 0, NULL, NULL, &bv, &a->acl_attrval, NULL );
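Review bot: This `unknown val.<style>` branch now ends in `goto fail` but still logs at `LDAP_DEBUG_CONFIG | LDAP_DEBUG_ACL`, while the other fatal paths shown in this function log at `LDAP_DEBUG_ANY`. A server running without those debug levels would presumably reject the configuration and print only the usage text, with no reason given. Since the condition is now an error, log it as one with `Debug( LDAP_DEBUG_ANY,`. The same applies to the second `unknown val.<style>` branch below and to the `"path" style modifier` and `"expand" style or modifier` messages, which became fatal in the same way.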
Debug( LDAP_DEBUG_ANY,
"%s: line %d: %s\n",
fname, lineno, buf );
- return acl_usage();
+ goto fail;
}
} else {
char buf[ SLAP_TEXT_BUFLEN ];
- /* FIXME: should be an error */
-
snprintf( buf, sizeof( buf ),
- "unknown val.<style> \"%s\" "
- "for attributeType \"%s\""
-#ifndef SLAPD_CONF_UNKNOWN_BAILOUT
- "; using \"exact\""
-#endif /* ! SLAPD_CONF_UNKNOWN_BAILOUT */
- SLAPD_CONF_UNKNOWN_IGNORED ".",
+ "unknown val.<style> \"%s\" for attributeType \"%s\".",
style, a->acl_attrs[0].an_desc->ad_cname.bv_val );
Debug( LDAP_DEBUG_CONFIG | LDAP_DEBUG_ACL,
"%s: line %d: %s\n",
fname, lineno, buf );
-#ifdef SLAPD_CONF_UNKNOWN_BAILOUT
- return acl_usage();
-#endif /* SLAPD_CONF_UNKNOWN_BAILOUT */
- a->acl_attrval_style = ACL_STYLE_BASE;
+ goto fail;
}
}
}
Debug( LDAP_DEBUG_ANY, "%s: line %d: "
"attr \"%s\" does not have an EQUALITY matching rule.\n",
fname, lineno, a->acl_attrs[ 0 ].an_name.bv_val );
- return acl_usage();
+ goto fail;
}
rc = asserted_value_validate_normalize(
snprintf( buf, sizeof( buf ), "%s: line %d: "
" attr \"%s\" normalization failed (%d: %s)",
+ fname, lineno,
a->acl_attrs[ 0 ].an_name.bv_val, rc, text );
Debug( LDAP_DEBUG_ANY, "%s: line %d: %s.\n",
fname, lineno, buf );
- return acl_usage();
+ goto fail;
}
}
Debug( LDAP_DEBUG_ANY,
"%s: line %d: expecting <what> got \"%s\"\n",
fname, lineno, left );
- return acl_usage();
+ goto fail;
}
}
Debug( LDAP_DEBUG_ANY,
"%s: line %d: bad DN \"%s\" in to DN clause\n",
fname, lineno, a->acl_dn_pat.bv_val );
- return acl_usage();
+ goto fail;
}
free( a->acl_dn_pat.bv_val );
a->acl_dn_pat = bv;
right, err );
Debug( LDAP_DEBUG_ANY, "%s: line %d: %s\n",
fname, lineno, buf );
- return acl_usage();
+ goto fail;
}
}
}
Debug( LDAP_DEBUG_ANY, "%s: line %d: "
"to clause required before by clause in access line\n",
fname, lineno, 0 );
- return acl_usage();
+ goto fail;
}
/*
* by clause consists of <who> and <access>
*/
- b = (Access *) ch_calloc( 1, sizeof(Access) );
-
- ACL_INVALIDATE( b->a_access_mask );
-
if ( ++i == argc ) {
Debug( LDAP_DEBUG_ANY,
"%s: line %d: premature EOL: expecting <who>\n",
fname, lineno, 0 );
- return acl_usage();
+ goto fail;
}
+ b = (Access *) ch_calloc( 1, sizeof(Access) );
+
+ ACL_INVALIDATE( b->a_access_mask );
+
/* get <who> */
for ( ; i < argc; i++ ) {
slap_style_t sty = ACL_STYLE_REGEX;
"%s: line %d: premature eol: "
"expecting closing '}' in \"level{n}\"\n",
fname, lineno, 0 );
- return acl_usage();
+ goto fail;
} else if ( p == style_level ) {
Debug( LDAP_DEBUG_ANY,
"%s: line %d: empty level "
"in \"level{n}\"\n",
fname, lineno, 0 );
- return acl_usage();
+ goto fail;
}
p[0] = '\0';
}
"%s: line %d: unable to parse level "
"in \"level{n}\"\n",
fname, lineno, 0 );
- return acl_usage();
+ goto fail;
}
sty = ACL_STYLE_LEVEL;
#ifndef LDAP_PF_LOCAL
Debug( LDAP_DEBUG_CONFIG | LDAP_DEBUG_ACL,
"%s: line %d: "
- "\"path\" style modifier is useless without local"
- SLAPD_CONF_UNKNOWN_IGNORED ".\n",
+ "\"path\" style modifier is useless without local.\n",
fname, lineno, 0 );
-#ifdef SLAPD_CONF_UNKNOWN_BAILOUT
- return acl_usage();
-#endif /* SLAPD_CONF_UNKNOWN_BAILOUT */
+ goto fail;
#endif /* LDAP_PF_LOCAL */
} else {
Debug( LDAP_DEBUG_ANY,
"%s: line %d: unknown style \"%s\" in by clause\n",
fname, lineno, style );
- return acl_usage();
+ goto fail;
}
if ( style_modifier &&
switch ( sty ) {
case ACL_STYLE_REGEX:
Debug( LDAP_DEBUG_ANY, "%s: line %d: "
- "\"regex\" style implies "
- "\"expand\" modifier"
- SLAPD_CONF_UNKNOWN_IGNORED ".\n",
+ "\"regex\" style implies \"expand\" modifier.\n",
fname, lineno, 0 );
-#ifdef SLAPD_CONF_UNKNOWN_BAILOUT
- return acl_usage();
-#endif /* SLAPD_CONF_UNKNOWN_BAILOUT */
+ goto fail;
break;
case ACL_STYLE_EXPAND:
if ( ( sty == ACL_STYLE_EXPAND || expand )
&& a->acl_dn_style != ACL_STYLE_REGEX )
{
- Debug( LDAP_DEBUG_CONFIG | LDAP_DEBUG_ACL, "%s: line %d: "
- "\"expand\" style or modifier used "
- "in conjunction with "
- "a non-regex <what> clause"
- SLAPD_CONF_UNKNOWN_IGNORED ".\n",
+ Debug( LDAP_DEBUG_CONFIG | LDAP_DEBUG_ACL, "%s: line %d: \"expand\" style "
+ "or modifier used in conjunction with a non-regex <what> clause.\n",
fname, lineno, 0 );
-#ifdef SLAPD_CONF_UNKNOWN_BAILOUT
- return acl_usage();
-#endif /* SLAPD_CONF_UNKNOWN_BAILOUT */
+ goto fail;
}
if ( strncasecmp( left, "real", STRLENOF( "real" ) ) == 0 ) {
if ( strcasecmp( left, "*" ) == 0 ) {
if ( is_realdn ) {
- return acl_usage();
+ goto fail;
}
ber_str2bv( "*", STRLENOF( "*" ), 1, &bv );
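Review bot: The `is_realdn` branch jumps to `fail` without logging anything, so a line rejected here produces only the generic usage output. The other rejections shown in this diff all emit a `Debug` message with `fname` and `lineno` before bailing out. Add one ahead of the jump, for example `Debug( LDAP_DEBUG_ANY, "%s: line %d: \"real\" prefix used with \"*\" in by clause\n", fname, lineno, 0 );`. The wording is only a suggestion and should be checked against the rule this branch enforces.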
"missing \"=\" in (or value after) \"%s\" "
"in by clause\n",
fname, lineno, left );
- return acl_usage();
+ goto fail;
} else {
ber_str2bv( right, 0, 1, &bv );
Debug( LDAP_DEBUG_ANY,
"%s: line %d: dn pattern already specified.\n",
fname, lineno, 0 );
- return acl_usage();
+ goto fail;
}
if ( sty != ACL_STYLE_REGEX &&
Debug( LDAP_DEBUG_ANY,
"%s: line %d: bad DN \"%s\" in by DN clause\n",
fname, lineno, bv.bv_val );
- return acl_usage();
+ goto fail;
}
free( bv.bv_val );
if ( sty == ACL_STYLE_BASE
int gotit = 0;
for ( exp = strchr( bdn->a_pat.bv_val, '$' );
- exp && (ber_len_t)(exp - bdn->a_pat.bv_val)
- < bdn->a_pat.bv_len;
- exp = strchr( exp, '$' ) )
+ exp && (ber_len_t)(exp - bdn->a_pat.bv_val)
+ < bdn->a_pat.bv_len;
+ exp = strchr( exp, '$' ) )
{
- if ( isdigit( exp[ 1 ] ) ) {
+ if ( isdigit( (unsigned char) exp[ 1 ] ) ) {
gotit = 1;
break;
}
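Review bot: The loop's step expression `exp = strchr( exp, '$' )` searches from the current `$`, so it returns the same position again whenever `exp[ 1 ]` is not a digit. Unless the part of the loop body below this hunk advances `exp`, such a pattern would keep the config parser spinning here. The cast added to `isdigit` is right, but the step should move past the character just examined: `exp = strchr( exp + 1, '$' ) )`. `exp + 1` stays inside the string because `exp` points at a `$`, not at the terminator.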
bdn->a_expand = expand;
} else {
- Debug( LDAP_DEBUG_ANY,
- "%s: line %d: \"expand\" used "
- "with no expansions in \"pattern\""
- SLAPD_CONF_UNKNOWN_IGNORED ".\n",
+ Debug( LDAP_DEBUG_ANY, "%s: line %d: "
+ "\"expand\" used with no expansions in \"pattern\".\n",
fname, lineno, 0 );
-#ifdef SLAPD_CONF_UNKNOWN_BAILOUT
- return acl_usage();
-#endif /* SLAPD_CONF_UNKNOWN_BAILOUT */
+ goto fail;
}
}
if ( sty == ACL_STYLE_SELF ) {
"%s: line %d: bad negative level \"%d\" "
"in by DN clause\n",
fname, lineno, level );
- return acl_usage();
+ goto fail;
} else if ( level == 1 ) {
Debug( LDAP_DEBUG_ANY,
"%s: line %d: \"onelevel\" should be used "
"missing \"=\" in (or value after) \"%s\" "
"in by clause\n",
fname, lineno, left );
- return acl_usage();
+ goto fail;
}
if( bdn->a_at != NULL ) {
Debug( LDAP_DEBUG_ANY,
"%s: line %d: dnattr already specified.\n",
fname, lineno, 0 );
- return acl_usage();
+ goto fail;
}
rc = slap_str2ad( right, &bdn->a_at, &text );
Debug( LDAP_DEBUG_ANY,
"%s: line %d: %s\n",
fname, lineno, buf );
- return acl_usage();
+ goto fail;
}
Debug( LDAP_DEBUG_ANY,
"%s: line %d: %s\n",
fname, lineno, buf );
- return acl_usage();
+ goto fail;
}
if( bdn->a_at->ad_type->sat_equality == NULL ) {
"%s: line %d: dnattr \"%s\": "
"inappropriate matching (no EQUALITY)\n",
fname, lineno, right );
- return acl_usage();
+ goto fail;
}
continue;
"%s: line %d: "
"inappropriate style \"%s\" in by clause.\n",
fname, lineno, style );
- return acl_usage();
+ goto fail;
}
if ( right == NULL || right[0] == '\0' ) {
"missing \"=\" in (or value after) \"%s\" "
"in by clause.\n",
fname, lineno, left );
- return acl_usage();
+ goto fail;
}
if ( !BER_BVISEMPTY( &b->a_group_pat ) ) {
Debug( LDAP_DEBUG_ANY,
"%s: line %d: group pattern already specified.\n",
fname, lineno, 0 );
- return acl_usage();
+ goto fail;
}
/* format of string is
Debug( LDAP_DEBUG_ANY,
"%s: line %d: bad DN \"%s\".\n",
fname, lineno, right );
- return acl_usage();
+ goto fail;
}
}
"%s: line %d: group objectclass "
"\"%s\" unknown.\n",
fname, lineno, value );
- return acl_usage();
+ goto fail;
}
} else {
"%s: line %d: group default objectclass "
"\"%s\" unknown.\n",
fname, lineno, SLAPD_GROUP_CLASS );
- return acl_usage();
+ goto fail;
}
}
"%s: line %d: group objectclass \"%s\" "
"is subclass of referral.\n",
fname, lineno, value );
- return acl_usage();
+ goto fail;
}
if ( is_object_subclass( slap_schema.si_oc_alias,
"%s: line %d: group objectclass \"%s\" "
"is subclass of alias.\n",
fname, lineno, value );
- return acl_usage();
+ goto fail;
}
if ( name && *name ) {
Debug( LDAP_DEBUG_ANY,
"%s: line %d: %s\n",
fname, lineno, buf );
- return acl_usage();
+ goto fail;
}
*--name = '/';
Debug( LDAP_DEBUG_ANY,
"%s: line %d: %s\n",
fname, lineno, buf );
- return acl_usage();
+ goto fail;
}
}
Debug( LDAP_DEBUG_ANY,
"%s: line %d: %s\n",
fname, lineno, buf );
- return acl_usage();
+ goto fail;
}
b->a_group_oc->soc_oid );
Debug( LDAP_DEBUG_ANY, "%s: line %d: %s\n",
fname, lineno, buf );
- return acl_usage();
+ goto fail;
}
}
continue;
Debug( LDAP_DEBUG_ANY, "%s: line %d: "
"inappropriate style \"%s\" in by clause.\n",
fname, lineno, style );
- return acl_usage();
+ goto fail;
}
if ( right == NULL || right[0] == '\0' ) {
"missing \"=\" in (or value after) \"%s\" "
"in by clause.\n",
fname, lineno, left );
- return acl_usage();
+ goto fail;
}
if ( !BER_BVISEMPTY( &b->a_peername_pat ) ) {
Debug( LDAP_DEBUG_ANY, "%s: line %d: "
"peername pattern already specified.\n",
fname, lineno, 0 );
- return acl_usage();
+ goto fail;
}
b->a_peername_style = sty;
Debug( LDAP_DEBUG_ANY, "%s: line %d: "
"illegal peername address \"%s\".\n",
fname, lineno, addr );
- return acl_usage();
+ goto fail;
}
b->a_peername_mask = (unsigned long)(-1);
"illegal peername address mask "
"\"%s\".\n",
fname, lineno, mask );
- return acl_usage();
+ goto fail;
}
}
"illegal peername port specification "
"\"{%s}\".\n",
fname, lineno, port );
- return acl_usage();
+ goto fail;
}
}
}
Debug( LDAP_DEBUG_ANY, "%s: line %d: "
"inappropriate style \"%s\" in by clause\n",
fname, lineno, style );
- return acl_usage();
+ goto fail;
}
if ( right == NULL || right[0] == '\0' ) {
"missing \"=\" in (or value after) \"%s\" "
"in by clause\n",
fname, lineno, left );
- return acl_usage();
+ goto fail;
}
if ( !BER_BVISNULL( &b->a_sockname_pat ) ) {
Debug( LDAP_DEBUG_ANY, "%s: line %d: "
"sockname pattern already specified.\n",
fname, lineno, 0 );
- return acl_usage();
+ goto fail;
}
b->a_sockname_style = sty;
Debug( LDAP_DEBUG_ANY, "%s: line %d: "
"inappropriate style \"%s\" in by clause.\n",
fname, lineno, style );
- return acl_usage();
+ goto fail;
}
if ( right == NULL || right[0] == '\0' ) {
"missing \"=\" in (or value after) \"%s\" "
"in by clause.\n",
fname, lineno, left );
- return acl_usage();
+ goto fail;
}
if ( !BER_BVISEMPTY( &b->a_domain_pat ) ) {
Debug( LDAP_DEBUG_ANY,
"%s: line %d: domain pattern already specified.\n",
fname, lineno, 0 );
- return acl_usage();
+ goto fail;
}
b->a_domain_style = sty;
Debug( LDAP_DEBUG_ANY, "%s: line %d: "
"inappropriate style \"%s\" in by clause.\n",
fname, lineno, style );
- return acl_usage();
+ goto fail;
}
if ( right == NULL || right[0] == '\0' ) {
"missing \"=\" in (or value after) \"%s\" "
"in by clause.\n",
fname, lineno, left );
- return acl_usage();
+ goto fail;
}
if ( !BER_BVISEMPTY( &b->a_sockurl_pat ) ) {
Debug( LDAP_DEBUG_ANY,
"%s: line %d: sockurl pattern already specified.\n",
fname, lineno, 0 );
- return acl_usage();
+ goto fail;
}
b->a_sockurl_style = sty;
Debug( LDAP_DEBUG_ANY, "%s: line %d: "
"inappropriate style \"%s\" in by clause.\n",
fname, lineno, style );
- return acl_usage();
+ goto fail;
}
if ( !BER_BVISEMPTY( &b->a_set_pat ) ) {
Debug( LDAP_DEBUG_ANY,
"%s: line %d: set attribute already specified.\n",
fname, lineno, 0 );
- return acl_usage();
+ goto fail;
}
if ( right == NULL || *right == '\0' ) {
Debug( LDAP_DEBUG_ANY,
"%s: line %d: no set is defined.\n",
fname, lineno, 0 );
- return acl_usage();
+ goto fail;
}
b->a_set_style = sty;
Debug( LDAP_DEBUG_ANY, "%s: line %d: "
"unable to configure dynacl \"%s\".\n",
fname, lineno, name );
- return acl_usage();
+ goto fail;
}
continue;
Debug( LDAP_DEBUG_ANY, "%s: line %d: "
"inappropriate style \"%s\" in by clause.\n",
fname, lineno, style );
- return acl_usage();
+ goto fail;
}
if ( b->a_authz.sai_ssf ) {
Debug( LDAP_DEBUG_ANY,
"%s: line %d: ssf attribute already specified.\n",
fname, lineno, 0 );
- return acl_usage();
+ goto fail;
}
if ( right == NULL || *right == '\0' ) {
Debug( LDAP_DEBUG_ANY,
"%s: line %d: no ssf is defined.\n",
fname, lineno, 0 );
- return acl_usage();
+ goto fail;
}
if ( lutil_atou( &b->a_authz.sai_ssf, right ) != 0 ) {
Debug( LDAP_DEBUG_ANY,
"%s: line %d: unable to parse ssf value (%s).\n",
fname, lineno, right );
- return acl_usage();
+ goto fail;
}
if ( !b->a_authz.sai_ssf ) {
Debug( LDAP_DEBUG_ANY,
"%s: line %d: invalid ssf value (%s).\n",
fname, lineno, right );
- return acl_usage();
+ goto fail;
}
continue;
}
Debug( LDAP_DEBUG_ANY, "%s: line %d: "
"inappropriate style \"%s\" in by clause.\n",
fname, lineno, style );
- return acl_usage();
+ goto fail;
}
if ( b->a_authz.sai_transport_ssf ) {
Debug( LDAP_DEBUG_ANY, "%s: line %d: "
"transport_ssf attribute already specified.\n",
fname, lineno, 0 );
- return acl_usage();
+ goto fail;
}
if ( right == NULL || *right == '\0' ) {
Debug( LDAP_DEBUG_ANY,
"%s: line %d: no transport_ssf is defined.\n",
fname, lineno, 0 );
- return acl_usage();
+ goto fail;
}
if ( lutil_atou( &b->a_authz.sai_transport_ssf, right ) != 0 ) {
Debug( LDAP_DEBUG_ANY, "%s: line %d: "
"unable to parse transport_ssf value (%s).\n",
fname, lineno, right );
- return acl_usage();
+ goto fail;
}
if ( !b->a_authz.sai_transport_ssf ) {
Debug( LDAP_DEBUG_ANY,
"%s: line %d: invalid transport_ssf value (%s).\n",
fname, lineno, right );
- return acl_usage();
+ goto fail;
}
continue;
}
Debug( LDAP_DEBUG_ANY, "%s: line %d: "
"inappropriate style \"%s\" in by clause.\n",
fname, lineno, style );
- return acl_usage();
+ goto fail;
}
if ( b->a_authz.sai_tls_ssf ) {
Debug( LDAP_DEBUG_ANY, "%s: line %d: "
"tls_ssf attribute already specified.\n",
fname, lineno, 0 );
- return acl_usage();
+ goto fail;
}
if ( right == NULL || *right == '\0' ) {
Debug( LDAP_DEBUG_ANY,
"%s: line %d: no tls_ssf is defined\n",
fname, lineno, 0 );
- return acl_usage();
+ goto fail;
}
if ( lutil_atou( &b->a_authz.sai_tls_ssf, right ) != 0 ) {
Debug( LDAP_DEBUG_ANY, "%s: line %d: "
"unable to parse tls_ssf value (%s).\n",
fname, lineno, right );
- return acl_usage();
+ goto fail;
}
if ( !b->a_authz.sai_tls_ssf ) {
Debug( LDAP_DEBUG_ANY,
"%s: line %d: invalid tls_ssf value (%s).\n",
fname, lineno, right );
- return acl_usage();
+ goto fail;
}
continue;
}
Debug( LDAP_DEBUG_ANY, "%s: line %d: "
"inappropriate style \"%s\" in by clause.\n",
fname, lineno, style );
- return acl_usage();
+ goto fail;
}
if ( b->a_authz.sai_sasl_ssf ) {
Debug( LDAP_DEBUG_ANY, "%s: line %d: "
"sasl_ssf attribute already specified.\n",
fname, lineno, 0 );
- return acl_usage();
+ goto fail;
}
if ( right == NULL || *right == '\0' ) {
Debug( LDAP_DEBUG_ANY,
"%s: line %d: no sasl_ssf is defined.\n",
fname, lineno, 0 );
- return acl_usage();
+ goto fail;
}
if ( lutil_atou( &b->a_authz.sai_sasl_ssf, right ) != 0 ) {
Debug( LDAP_DEBUG_ANY, "%s: line %d: "
"unable to parse sasl_ssf value (%s).\n",
fname, lineno, right );
- return acl_usage();
+ goto fail;
}
if ( !b->a_authz.sai_sasl_ssf ) {
Debug( LDAP_DEBUG_ANY,
"%s: line %d: invalid sasl_ssf value (%s).\n",
fname, lineno, right );
- return acl_usage();
+ goto fail;
}
continue;
}
/* out of arguments or plain stop */
ACL_PRIV_ASSIGN( b->a_access_mask, ACL_PRIV_ADDITIVE );
+ ACL_PRIV_SET( b->a_access_mask, ACL_PRIV_NONE);
b->a_type = ACL_STOP;
access_append( &a->acl_access, b );
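Review bot: `b` still points at the entry after `access_append( &a->acl_access, b )` here, while the new `fail:` label frees `b` and then `a`. If a later clause on the same line reaches `goto fail` before `b` is reassigned, the same `Access` would be released twice: once directly and once through `a`'s list, assuming `acl_free` walks `acl_access`. The `premature EOL` check qualifies, because the allocation was moved below it. The final append already does `b = NULL;`, so add the same line after the append in this branch and in the `plain continue`, `break` and `we've gone too far` branches below. The statements following each append are outside the hunks, so confirm none of them already clears `b`.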
/* plain continue */
ACL_PRIV_ASSIGN( b->a_access_mask, ACL_PRIV_ADDITIVE );
+ ACL_PRIV_SET( b->a_access_mask, ACL_PRIV_NONE);
b->a_type = ACL_CONTINUE;
access_append( &a->acl_access, b );
/* plain continue */
ACL_PRIV_ASSIGN(b->a_access_mask, ACL_PRIV_ADDITIVE);
+ ACL_PRIV_SET( b->a_access_mask, ACL_PRIV_NONE);
b->a_type = ACL_BREAK;
access_append( &a->acl_access, b );
/* we've gone too far */
--i;
ACL_PRIV_ASSIGN( b->a_access_mask, ACL_PRIV_ADDITIVE );
+ ACL_PRIV_SET( b->a_access_mask, ACL_PRIV_NONE);
b->a_type = ACL_STOP;
access_append( &a->acl_access, b );
}
/* get <access> */
- if ( strncasecmp( left, "self", STRLENOF( "self" ) ) == 0 ) {
- b->a_dn_self = 1;
- ACL_PRIV_ASSIGN( b->a_access_mask, str2accessmask( &left[ STRLENOF( "self" ) ] ) );
+ {
+ char *lleft = left;
- } else if ( strncasecmp( left, "realself", STRLENOF( "realself" ) ) == 0 ) {
- b->a_realdn_self = 1;
- ACL_PRIV_ASSIGN( b->a_access_mask, str2accessmask( &left[ STRLENOF( "realself" ) ] ) );
+ if ( strncasecmp( left, "self", STRLENOF( "self" ) ) == 0 ) {
+ b->a_dn_self = 1;
+ lleft = &left[ STRLENOF( "self" ) ];
- } else {
- ACL_PRIV_ASSIGN( b->a_access_mask, str2accessmask( left ) );
+ } else if ( strncasecmp( left, "realself", STRLENOF( "realself" ) ) == 0 ) {
+ b->a_realdn_self = 1;
+ lleft = &left[ STRLENOF( "realself" ) ];
+ }
+
+ ACL_PRIV_ASSIGN( b->a_access_mask, str2accessmask( lleft ) );
}
if ( ACL_IS_INVALID( b->a_access_mask ) ) {
Debug( LDAP_DEBUG_ANY,
"%s: line %d: expecting <access> got \"%s\".\n",
fname, lineno, left );
- return acl_usage();
+ goto fail;
}
b->a_type = ACL_STOP;
}
access_append( &a->acl_access, b );
+ b = NULL;
} else {
Debug( LDAP_DEBUG_ANY,
"%s: line %d: expecting \"to\" "
"or \"by\" got \"%s\"\n",
fname, lineno, argv[i] );
- return acl_usage();
+ goto fail;
}
}
/* if we have no real access clause, complain and do nothing */
if ( a == NULL ) {
Debug( LDAP_DEBUG_ANY, "%s: line %d: "
- "warning: no access clause(s) "
- "specified in access line"
- SLAPD_CONF_UNKNOWN_IGNORED ".\n",
+ "warning: no access clause(s) specified in access line.\n",
fname, lineno, 0 );
-#ifdef SLAPD_CONF_UNKNOWN_BAILOUT
- return acl_usage();
-#endif /* SLAPD_CONF_UNKNOWN_BAILOUT */
+ goto fail;
} else {
#ifdef LDAP_DEBUG
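Review bot: The message still begins with `warning:` although the branch now ends in `goto fail`, so the log reports a warning for an access line that is in fact rejected. Drop the prefix, e.g. `"no access clause(s) specified in access line.\n"`, and do the same for the `no by clause(s)` message in the following hunk. Anyone triaging a failed start-up from the log would otherwise be inclined to read past these lines.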
if ( a->acl_access == NULL ) {
Debug( LDAP_DEBUG_ANY, "%s: line %d: "
- "warning: no by clause(s) "
- "specified in access line"
- SLAPD_CONF_UNKNOWN_IGNORED ".\n",
+ "warning: no by clause(s) specified in access line.\n",
fname, lineno, 0 );
-#ifdef SLAPD_CONF_UNKNOWN_BAILOUT
- return acl_usage();
-#endif /* SLAPD_CONF_UNKNOWN_BAILOUT */
+ goto fail;
}
if ( be != NULL ) {
}
return 0;
+
+fail:
+ if ( b ) access_free( b );
+ if ( a ) acl_free( a );
+ return acl_usage();
}
char *
} else if( TOLOWER((unsigned char) str[i]) == 'd' ) {
ACL_PRIV_SET(mask, ACL_PRIV_DISCLOSE);
- } else if( str[i] != '0' ) {
+ } else if( str[i] == '0' ) {
+ ACL_PRIV_SET(mask, ACL_PRIV_NONE);
+
+ } else {
ACL_INVALIDATE(mask);
return mask;
}
{
char *access =
"<access clause> ::= access to <what> "
- "[ by <who> <access> [ <control> ] ]+ \n";
+ "[ by <who> [ <access> ] [ <control> ] ]+ \n";
char *what =
- "<what> ::= * | [dn[.<dnstyle>]=<DN>] [filter=<filter>] [attrs=<attrspec>]\n"
+ "<what> ::= * | dn[.<dnstyle>=<DN>] [filter=<filter>] [attrs=<attrspec>]\n"
"<attrspec> ::= <attrname> [val[/<matchingRule>][.<attrstyle>]=<value>] | <attrlist>\n"
"<attrlist> ::= <attr> [ , <attrlist> ]\n"
"<attr> ::= <attrname> | @<objectClass> | !<objectClass> | entry | children\n";
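Review bot: In the new `<what>` production the closing bracket moved behind `<DN>`. `dn[.<dnstyle>=<DN>]` reads as `dn` followed by an optional `.<dnstyle>=<DN>`, so the plain `dn=<DN>` form can no longer be derived from the usage text. If the intent was only to drop the outer optional brackets, the line should be `"<what> ::= * | dn[.<dnstyle>]=<DN> [filter=<filter>] [attrs=<attrspec>]\n"`. Whether `dn` should stay optional, as the removed line had it, is worth confirming against the parser, since the `to` clause code shown earlier handles `filter` and `attr` as separate keywords.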
return ACL_NONE;
} else if ( strcasecmp( str, "disclose" ) == 0 ) {
-#ifndef SLAP_ACL_HONOR_DISCLOSE
- Debug( LDAP_DEBUG_ACL, "str2access: warning, "
- "\"disclose\" privilege disabled.\n",
- 0, 0, 0 );
-#endif /* SLAP_ACL_HONOR_DISCLOSE */
return ACL_DISCLOSE;
} else if ( strcasecmp( str, "auth" ) == 0 ) {