/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
- * Copyright 1998-2005 The OpenLDAP Foundation.
+ * Copyright 1998-2006 The OpenLDAP Foundation.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
}
} else if ( strncasecmp( left, "val", 3 ) == 0 ) {
- char *mr;
+ struct berval bv;
+ char *mr;
if ( !BER_BVISEMPTY( &a->acl_attrval ) ) {
Debug( LDAP_DEBUG_ANY,
return acl_usage();
}
- ber_str2bv( right, 0, 1, &a->acl_attrval );
+ ber_str2bv( right, 0, 0, &bv );
a->acl_attrval_style = ACL_STYLE_BASE;
mr = strchr( left, '/' );
if ( style != NULL ) {
if ( strcasecmp( style, "regex" ) == 0 ) {
- int e = regcomp( &a->acl_attrval_re, a->acl_attrval.bv_val,
+ int e = regcomp( &a->acl_attrval_re, bv.bv_val,
REG_EXTENDED | REG_ICASE | REG_NOSUB );
if ( e ) {
char err[SLAP_TEXT_BUFLEN],
} else if ( a->acl_attrs[0].an_desc->ad_type->
sat_syntax == slap_schema.si_syn_distinguishedName )
{
- struct berval bv;
-
if ( !strcasecmp( style, "baseObject" ) ||
!strcasecmp( style, "base" ) )
{
/* FIXME: should be an error */
snprintf( buf, sizeof( buf ),
- "unknown val.<style> \"%s\" "
- "for attributeType \"%s\" with DN syntax; "
- "using \"base\""
- SLAPD_CONF_UNKNOWN_IGNORED ".",
+ "unknown val.<style> \"%s\" for attributeType \"%s\" "
+ "with DN syntax.",
style,
a->acl_attrs[0].an_desc->ad_cname.bv_val );
Debug( LDAP_DEBUG_CONFIG | LDAP_DEBUG_ACL,
"%s: line %d: %s\n",
fname, lineno, buf );
-#ifdef SLAPD_CONF_UNKNOWN_BAILOUT
return acl_usage();
-#endif /* SLAPD_CONF_UNKNOWN_BAILOUT */
a->acl_attrval_style = ACL_STYLE_BASE;
}
- bv = a->acl_attrval;
rc = dnNormalize( 0, NULL, NULL, &bv, &a->acl_attrval, NULL );
if ( rc != LDAP_SUCCESS ) {
char buf[ SLAP_TEXT_BUFLEN ];
fname, lineno, buf );
return acl_usage();
}
- ber_memfree( bv.bv_val );
} else {
char buf[ SLAP_TEXT_BUFLEN ];
/* FIXME: should be an error */
snprintf( buf, sizeof( buf ),
- "unknown val.<style> \"%s\" "
- "for attributeType \"%s\"; using \"exact\""
- SLAPD_CONF_UNKNOWN_IGNORED ".",
+ "unknown val.<style> \"%s\" for attributeType \"%s\".",
style, a->acl_attrs[0].an_desc->ad_cname.bv_val );
Debug( LDAP_DEBUG_CONFIG | LDAP_DEBUG_ACL,
"%s: line %d: %s\n",
fname, lineno, buf );
-#ifdef SLAPD_CONF_UNKNOWN_BAILOUT
return acl_usage();
-#endif /* SLAPD_CONF_UNKNOWN_BAILOUT */
a->acl_attrval_style = ACL_STYLE_BASE;
}
}
}
/* Check for appropriate matching rule */
- if ( a->acl_attrval_style != ACL_STYLE_REGEX ) {
+ if ( a->acl_attrval_style == ACL_STYLE_REGEX ) {
+ ber_dupbv( &a->acl_attrval, &bv );
+
+ } else if ( BER_BVISNULL( &a->acl_attrval ) ) {
+ int rc;
+ const char *text;
+
if ( a->acl_attrval_mr == NULL ) {
a->acl_attrval_mr = a->acl_attrs[ 0 ].an_desc->ad_type->sat_equality;
}
if ( a->acl_attrval_mr == NULL ) {
Debug( LDAP_DEBUG_ANY, "%s: line %d: "
- "attr \"%s\" must have an EQUALITY matching rule.\n",
+ "attr \"%s\" does not have an EQUALITY matching rule.\n",
fname, lineno, a->acl_attrs[ 0 ].an_name.bv_val );
return acl_usage();
}
+
+ rc = asserted_value_validate_normalize(
+ a->acl_attrs[ 0 ].an_desc,
+ a->acl_attrval_mr,
+ SLAP_MR_EQUALITY|SLAP_MR_VALUE_OF_ASSERTION_SYNTAX,
+ &bv,
+ &a->acl_attrval,
+ &text,
+ NULL );
+ if ( rc != LDAP_SUCCESS ) {
+ char buf[ SLAP_TEXT_BUFLEN ];
+
+ snprintf( buf, sizeof( buf ), "%s: line %d: "
+ " attr \"%s\" normalization failed (%d: %s)",
+ a->acl_attrs[ 0 ].an_name.bv_val, rc, text );
+ Debug( LDAP_DEBUG_ANY, "%s: line %d: %s.\n",
+ fname, lineno, buf );
+ return acl_usage();
+ }
}
} else {
#ifndef LDAP_PF_LOCAL
Debug( LDAP_DEBUG_CONFIG | LDAP_DEBUG_ACL,
"%s: line %d: "
- "\"path\" style modifier is useless without local"
- SLAPD_CONF_UNKNOWN_IGNORED ".\n",
+ "\"path\" style modifier is useless without local.\n",
fname, lineno, 0 );
-#ifdef SLAPD_CONF_UNKNOWN_BAILOUT
return acl_usage();
-#endif /* SLAPD_CONF_UNKNOWN_BAILOUT */
#endif /* LDAP_PF_LOCAL */
} else {
switch ( sty ) {
case ACL_STYLE_REGEX:
Debug( LDAP_DEBUG_ANY, "%s: line %d: "
- "\"regex\" style implies "
- "\"expand\" modifier"
- SLAPD_CONF_UNKNOWN_IGNORED ".\n",
+ "\"regex\" style implies \"expand\" modifier.\n",
fname, lineno, 0 );
-#ifdef SLAPD_CONF_UNKNOWN_BAILOUT
return acl_usage();
-#endif /* SLAPD_CONF_UNKNOWN_BAILOUT */
break;
case ACL_STYLE_EXPAND:
if ( ( sty == ACL_STYLE_EXPAND || expand )
&& a->acl_dn_style != ACL_STYLE_REGEX )
{
- Debug( LDAP_DEBUG_CONFIG | LDAP_DEBUG_ACL, "%s: line %d: "
- "\"expand\" style or modifier used "
- "in conjunction with "
- "a non-regex <what> clause"
- SLAPD_CONF_UNKNOWN_IGNORED ".\n",
+ Debug( LDAP_DEBUG_CONFIG | LDAP_DEBUG_ACL, "%s: line %d: \"expand\" style "
+ "or modifier used in conjunction with a non-regex <what> clause.\n",
fname, lineno, 0 );
-#ifdef SLAPD_CONF_UNKNOWN_BAILOUT
return acl_usage();
-#endif /* SLAPD_CONF_UNKNOWN_BAILOUT */
}
if ( strncasecmp( left, "real", STRLENOF( "real" ) ) == 0 ) {
int gotit = 0;
for ( exp = strchr( bdn->a_pat.bv_val, '$' );
- exp && (ber_len_t)(exp - bdn->a_pat.bv_val)
- < bdn->a_pat.bv_len;
- exp = strchr( exp, '$' ) )
+ exp && (ber_len_t)(exp - bdn->a_pat.bv_val)
+ < bdn->a_pat.bv_len;
+ exp = strchr( exp, '$' ) )
{
if ( isdigit( exp[ 1 ] ) ) {
gotit = 1;
bdn->a_expand = expand;
} else {
- Debug( LDAP_DEBUG_ANY,
- "%s: line %d: \"expand\" used "
- "with no expansions in \"pattern\""
- SLAPD_CONF_UNKNOWN_IGNORED ".\n",
+ Debug( LDAP_DEBUG_ANY, "%s: line %d: "
+ "\"expand\" used with no expansions in \"pattern\".\n",
fname, lineno, 0 );
-#ifdef SLAPD_CONF_UNKNOWN_BAILOUT
return acl_usage();
-#endif /* SLAPD_CONF_UNKNOWN_BAILOUT */
}
}
if ( sty == ACL_STYLE_SELF ) {
{
char *name = NULL,
*opts = NULL;
-
+
+#if 1 /* tolerate legacy "aci" <who> */
if ( strcasecmp( left, "aci" ) == 0 ) {
+ Debug( LDAP_DEBUG_ANY, "%s: line %d: "
+ "undocumented deprecated \"aci\" directive "
+ "is superseded by \"dynacl/aci\".\n",
+ fname, lineno, 0 );
name = "aci";
- } else if ( strncasecmp( left, "dynacl/", STRLENOF( "dynacl/" ) ) == 0 ) {
+ } else
+#endif /* tolerate legacy "aci" <who> */
+ if ( strncasecmp( left, "dynacl/", STRLENOF( "dynacl/" ) ) == 0 ) {
name = &left[ STRLENOF( "dynacl/" ) ];
opts = strchr( name, '/' );
if ( opts ) {
continue;
}
}
-#else /* ! SLAP_DYNACL */
-
-#ifdef SLAPD_ACI_ENABLED
- if ( strcasecmp( left, "aci" ) == 0 ) {
- if (sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE) {
- Debug( LDAP_DEBUG_ANY, "%s: line %d: "
- "inappropriate style \"%s\" in by clause.\n",
- fname, lineno, style );
- return acl_usage();
- }
-
- if( b->a_aci_at != NULL ) {
- Debug( LDAP_DEBUG_ANY,
- "%s: line %d: ACI attribute already specified.\n",
- fname, lineno, 0 );
- return acl_usage();
- }
-
- if ( right != NULL && *right != '\0' ) {
- rc = slap_str2ad( right, &b->a_aci_at, &text );
-
- if( rc != LDAP_SUCCESS ) {
- char buf[ SLAP_TEXT_BUFLEN ];
-
- snprintf( buf, sizeof( buf ),
- "aci \"%s\": %s.",
- right, text );
- Debug( LDAP_DEBUG_ANY,
- "%s: line %d: %s\n",
- fname, lineno, buf );
- return acl_usage();
- }
-
- } else {
- b->a_aci_at = slap_ad_aci;
- }
-
- if( !is_at_syntax( b->a_aci_at->ad_type,
- SLAPD_ACI_SYNTAX) )
- {
- char buf[ SLAP_TEXT_BUFLEN ];
-
- snprintf( buf, sizeof( buf ),
- "ACI \"%s\": inappropriate syntax: %s.",
- right,
- b->a_aci_at->ad_type->sat_syntax_oid );
- Debug( LDAP_DEBUG_ANY, "%s: line %d: %s\n",
- fname, lineno, buf );
- return acl_usage();
- }
-
- continue;
- }
-#endif /* SLAPD_ACI_ENABLED */
-#endif /* ! SLAP_DYNACL */
+#endif /* SLAP_DYNACL */
if ( strcasecmp( left, "ssf" ) == 0 ) {
if ( sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE ) {
/* if we have no real access clause, complain and do nothing */
if ( a == NULL ) {
Debug( LDAP_DEBUG_ANY, "%s: line %d: "
- "warning: no access clause(s) "
- "specified in access line"
- SLAPD_CONF_UNKNOWN_IGNORED ".\n",
+ "warning: no access clause(s) specified in access line.\n",
fname, lineno, 0 );
-#ifdef SLAPD_CONF_UNKNOWN_BAILOUT
return acl_usage();
-#endif /* SLAPD_CONF_UNKNOWN_BAILOUT */
} else {
#ifdef LDAP_DEBUG
if ( a->acl_access == NULL ) {
Debug( LDAP_DEBUG_ANY, "%s: line %d: "
- "warning: no by clause(s) "
- "specified in access line"
- SLAPD_CONF_UNKNOWN_IGNORED ".\n",
+ "warning: no by clause(s) specified in access line.\n",
fname, lineno, 0 );
-#ifdef SLAPD_CONF_UNKNOWN_BAILOUT
return acl_usage();
-#endif /* SLAPD_CONF_UNKNOWN_BAILOUT */
}
if ( be != NULL ) {
- if ( !BER_BVISNULL( &be->be_nsuffix[ 1 ] ) ) {
+ if ( be->be_nsuffix == NULL ) {
Debug( LDAP_DEBUG_ACL, "%s: line %d: warning: "
- "scope checking only applies to single-valued "
- "suffix databases\n",
+ "scope checking needs suffix before ACLs.\n",
fname, lineno, 0 );
/* go ahead, since checking is not authoritative */
- }
-
- switch ( check_scope( be, a ) ) {
- case ACL_SCOPE_UNKNOWN:
+ } else if ( !BER_BVISNULL( &be->be_nsuffix[ 1 ] ) ) {
Debug( LDAP_DEBUG_ACL, "%s: line %d: warning: "
- "cannot assess the validity of the ACL scope within "
- "backend naming context\n",
- fname, lineno, 0 );
- break;
-
- case ACL_SCOPE_WARN:
- Debug( LDAP_DEBUG_ACL, "%s: line %d: warning: "
- "ACL could be out of scope within backend naming context\n",
+ "scope checking only applies to single-valued "
+ "suffix databases\n",
fname, lineno, 0 );
- break;
+ /* go ahead, since checking is not authoritative */
+ } else {
+ switch ( check_scope( be, a ) ) {
+ case ACL_SCOPE_UNKNOWN:
+ Debug( LDAP_DEBUG_ACL, "%s: line %d: warning: "
+ "cannot assess the validity of the ACL scope within "
+ "backend naming context\n",
+ fname, lineno, 0 );
+ break;
- case ACL_SCOPE_PARTIAL:
- Debug( LDAP_DEBUG_ACL, "%s: line %d: warning: "
- "ACL appears to be partially out of scope within "
- "backend naming context\n",
- fname, lineno, 0 );
- break;
+ case ACL_SCOPE_WARN:
+ Debug( LDAP_DEBUG_ACL, "%s: line %d: warning: "
+ "ACL could be out of scope within backend naming context\n",
+ fname, lineno, 0 );
+ break;
- case ACL_SCOPE_ERR:
- Debug( LDAP_DEBUG_ACL, "%s: line %d: warning: "
- "ACL appears to be out of scope within "
- "backend naming context\n",
- fname, lineno, 0 );
- break;
+ case ACL_SCOPE_PARTIAL:
+ Debug( LDAP_DEBUG_ACL, "%s: line %d: warning: "
+ "ACL appears to be partially out of scope within "
+ "backend naming context\n",
+ fname, lineno, 0 );
+ break;
+
+ case ACL_SCOPE_ERR:
+ Debug( LDAP_DEBUG_ACL, "%s: line %d: warning: "
+ "ACL appears to be out of scope within "
+ "backend naming context\n",
+ fname, lineno, 0 );
+ break;
- default:
- break;
+ default:
+ break;
+ }
}
acl_append( &be->be_acl, a, pos );
"\t[domain[.<domainstyle>]=<domain>] [sockurl[.<style>]=<url>]\n"
#ifdef SLAP_DYNACL
"\t[dynacl/<name>[/<options>][.<dynstyle>][=<pattern>]]\n"
-#else /* ! SLAP_DYNACL */
-#ifdef SLAPD_ACI_ENABLED
- "\t[aci[=<attrname>]]\n"
-#endif /* SLAPD_ACI_ENABLED */
-#endif /* ! SLAP_DYNACL */
+#endif /* SLAP_DYNACL */
"\t[ssf=<n>] [transport_ssf=<n>] [tls_ssf=<n>] [sasl_ssf=<n>]\n"
"<style> ::= exact | regex | base(Object)\n"
"<dnstyle> ::= base(Object) | one(level) | sub(tree) | children | "
free( an->an_name.bv_val );
}
free( a->acl_attrs );
+
+ if ( a->acl_attrval_style == ACL_STYLE_REGEX ) {
+ regfree( &a->acl_attrval_re );
+ }
+
+ if ( !BER_BVISNULL( &a->acl_attrval ) ) {
+ ber_memfree( a->acl_attrval.bv_val );
+ }
}
for ( ; a->acl_access; a->acl_access = n ) {
n = a->acl_access->a_next;
}
}
}
-#else /* ! SLAP_DYNACL */
-#ifdef SLAPD_ACI_ENABLED
- if ( b->a_aci_at != NULL ) {
- ptr = lutil_strcopy( ptr, " aci=" );
- ptr = lutil_strcopy( ptr, b->a_aci_at->ad_cname.bv_val );
- }
-#endif
#endif /* SLAP_DYNACL */
/* Security Strength Factors */