/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
- * Copyright 1998-2005 The OpenLDAP Foundation.
+ * Copyright 1998-2006 The OpenLDAP Foundation.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
{
char *name = NULL,
*opts = NULL;
-
+
+#if 1 /* tolerate legacy "aci" <who> */
if ( strcasecmp( left, "aci" ) == 0 ) {
+ Debug( LDAP_DEBUG_ANY, "%s: line %d: "
+ "undocumented deprecated \"aci\" directive "
+ "is superseded by \"dynacl/aci\".\n",
+ fname, lineno, 0 );
name = "aci";
- } else if ( strncasecmp( left, "dynacl/", STRLENOF( "dynacl/" ) ) == 0 ) {
+ } else
+#endif /* tolerate legacy "aci" <who> */
+ if ( strncasecmp( left, "dynacl/", STRLENOF( "dynacl/" ) ) == 0 ) {
name = &left[ STRLENOF( "dynacl/" ) ];
opts = strchr( name, '/' );
if ( opts ) {
continue;
}
}
-#else /* ! SLAP_DYNACL */
-
-#ifdef SLAPD_ACI_ENABLED
- if ( strcasecmp( left, "aci" ) == 0 ) {
- if (sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE) {
- Debug( LDAP_DEBUG_ANY, "%s: line %d: "
- "inappropriate style \"%s\" in by clause.\n",
- fname, lineno, style );
- return acl_usage();
- }
-
- if( b->a_aci_at != NULL ) {
- Debug( LDAP_DEBUG_ANY,
- "%s: line %d: ACI attribute already specified.\n",
- fname, lineno, 0 );
- return acl_usage();
- }
-
- if ( right != NULL && *right != '\0' ) {
- rc = slap_str2ad( right, &b->a_aci_at, &text );
-
- if( rc != LDAP_SUCCESS ) {
- char buf[ SLAP_TEXT_BUFLEN ];
-
- snprintf( buf, sizeof( buf ),
- "aci \"%s\": %s.",
- right, text );
- Debug( LDAP_DEBUG_ANY,
- "%s: line %d: %s\n",
- fname, lineno, buf );
- return acl_usage();
- }
-
- } else {
- b->a_aci_at = slap_ad_aci;
- }
-
- if( !is_at_syntax( b->a_aci_at->ad_type,
- SLAPD_ACI_SYNTAX) )
- {
- char buf[ SLAP_TEXT_BUFLEN ];
-
- snprintf( buf, sizeof( buf ),
- "ACI \"%s\": inappropriate syntax: %s.",
- right,
- b->a_aci_at->ad_type->sat_syntax_oid );
- Debug( LDAP_DEBUG_ANY, "%s: line %d: %s\n",
- fname, lineno, buf );
- return acl_usage();
- }
-
- continue;
- }
-#endif /* SLAPD_ACI_ENABLED */
-#endif /* ! SLAP_DYNACL */
+#endif /* SLAP_DYNACL */
if ( strcasecmp( left, "ssf" ) == 0 ) {
if ( sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE ) {
}
if ( be != NULL ) {
- if ( !BER_BVISNULL( &be->be_nsuffix[ 1 ] ) ) {
+ if ( be->be_nsuffix == NULL ) {
Debug( LDAP_DEBUG_ACL, "%s: line %d: warning: "
- "scope checking only applies to single-valued "
- "suffix databases\n",
+ "scope checking needs suffix before ACLs.\n",
fname, lineno, 0 );
/* go ahead, since checking is not authoritative */
- }
-
- switch ( check_scope( be, a ) ) {
- case ACL_SCOPE_UNKNOWN:
+ } else if ( !BER_BVISNULL( &be->be_nsuffix[ 1 ] ) ) {
Debug( LDAP_DEBUG_ACL, "%s: line %d: warning: "
- "cannot assess the validity of the ACL scope within "
- "backend naming context\n",
- fname, lineno, 0 );
- break;
-
- case ACL_SCOPE_WARN:
- Debug( LDAP_DEBUG_ACL, "%s: line %d: warning: "
- "ACL could be out of scope within backend naming context\n",
+ "scope checking only applies to single-valued "
+ "suffix databases\n",
fname, lineno, 0 );
- break;
+ /* go ahead, since checking is not authoritative */
+ } else {
+ switch ( check_scope( be, a ) ) {
+ case ACL_SCOPE_UNKNOWN:
+ Debug( LDAP_DEBUG_ACL, "%s: line %d: warning: "
+ "cannot assess the validity of the ACL scope within "
+ "backend naming context\n",
+ fname, lineno, 0 );
+ break;
- case ACL_SCOPE_PARTIAL:
- Debug( LDAP_DEBUG_ACL, "%s: line %d: warning: "
- "ACL appears to be partially out of scope within "
- "backend naming context\n",
- fname, lineno, 0 );
- break;
+ case ACL_SCOPE_WARN:
+ Debug( LDAP_DEBUG_ACL, "%s: line %d: warning: "
+ "ACL could be out of scope within backend naming context\n",
+ fname, lineno, 0 );
+ break;
- case ACL_SCOPE_ERR:
- Debug( LDAP_DEBUG_ACL, "%s: line %d: warning: "
- "ACL appears to be out of scope within "
- "backend naming context\n",
- fname, lineno, 0 );
- break;
+ case ACL_SCOPE_PARTIAL:
+ Debug( LDAP_DEBUG_ACL, "%s: line %d: warning: "
+ "ACL appears to be partially out of scope within "
+ "backend naming context\n",
+ fname, lineno, 0 );
+ break;
+
+ case ACL_SCOPE_ERR:
+ Debug( LDAP_DEBUG_ACL, "%s: line %d: warning: "
+ "ACL appears to be out of scope within "
+ "backend naming context\n",
+ fname, lineno, 0 );
+ break;
- default:
- break;
+ default:
+ break;
+ }
}
acl_append( &be->be_acl, a, pos );
"\t[domain[.<domainstyle>]=<domain>] [sockurl[.<style>]=<url>]\n"
#ifdef SLAP_DYNACL
"\t[dynacl/<name>[/<options>][.<dynstyle>][=<pattern>]]\n"
-#else /* ! SLAP_DYNACL */
-#ifdef SLAPD_ACI_ENABLED
- "\t[aci[=<attrname>]]\n"
-#endif /* SLAPD_ACI_ENABLED */
-#endif /* ! SLAP_DYNACL */
+#endif /* SLAP_DYNACL */
"\t[ssf=<n>] [transport_ssf=<n>] [tls_ssf=<n>] [sasl_ssf=<n>]\n"
"<style> ::= exact | regex | base(Object)\n"
"<dnstyle> ::= base(Object) | one(level) | sub(tree) | children | "
free( an->an_name.bv_val );
}
free( a->acl_attrs );
+
+ if ( a->acl_attrval_style == ACL_STYLE_REGEX ) {
+ regfree( &a->acl_attrval_re );
+ }
+
+ if ( !BER_BVISNULL( &a->acl_attrval ) ) {
+ ber_memfree( a->acl_attrval.bv_val );
+ }
}
for ( ; a->acl_access; a->acl_access = n ) {
n = a->acl_access->a_next;
}
}
}
-#else /* ! SLAP_DYNACL */
-#ifdef SLAPD_ACI_ENABLED
- if ( b->a_aci_at != NULL ) {
- ptr = lutil_strcopy( ptr, " aci=" );
- ptr = lutil_strcopy( ptr, b->a_aci_at->ad_cname.bv_val );
- }
-#endif
#endif /* SLAP_DYNACL */
/* Security Strength Factors */