Move experimental Back-BDB2 to Attic
index 74960b406f784da435d86a9aef2f06a5ed81cf6c..bb8377b95023514d1cb08e269829b8b69dc35377 100644 (file)
@@ -1,7 +1,7 @@
-/* acl.c - routines to parse and check acl's */
+/* aclparse.c - routines to parse and check acl's */
 /* $OpenLDAP$ */
 /*
- * Copyright 1998-1999 The OpenLDAP Foundation, All Rights Reserved.
+ * Copyright 1998-2000 The OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
  */
 
@@ -95,6 +95,10 @@ parse_acl(
        char            *left, *right;
        AccessControl   *a;
        Access  *b;
+#ifdef SLAPD_SCHEMA_NOT_COMPAT
+       int rc;
+       const char *text;
+#endif
 
        a = NULL;
        for ( i = 1; i < argc; i++ ) {
@@ -150,7 +154,7 @@ parse_acl(
                                        }
 
                                        if( *right == '\0' ) {
-                                               a->acl_dn_pat = ch_strdup("^$");
+                                               a->acl_dn_pat = ch_strdup("anonymous");
 
                                        } else if ( strcmp(right, "*") == 0 
                                                || strcmp(right, ".*") == 0 
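Review bot: The target-side pattern for `dn=""` at line 31 now stores the literal `anonymous`, the same token the by-side subject clause stores at line 36, in place of what was a regex (`^$`); the matcher that consumes acl_dn_pat is outside this hunk, so whether it recognises the literal as "the empty DN" rather than compiling it as a pattern cannot be confirmed here. A one-line comment would make the intent explicit, e.g. `/* dn="" (empty target DN) is stored as the literal "anonymous"; the matcher must treat it specially */`. parse_acl starts and ends outside this hunk.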
@@ -269,8 +273,8 @@ parse_acl(
                                                pat = ch_strdup( "anonymous" );
 
                                        } else if ( strcmp( right, "*" ) == 0 ) {
-                                               /* dn=* /
-                                               /* any or users?  any for now */
+                                               /* dn=* */
+                                               /* any or users?  users for now */
                                                pat = ch_strdup( "users" );
 
                                        } else if ( strcmp( right, ".+" ) == 0
@@ -313,35 +317,37 @@ parse_acl(
                                }
 
                                if ( strcasecmp( left, "dnattr" ) == 0 ) {
-                                       if( b->a_dn_pat != NULL ) {
+                                       if( b->a_dn_at != NULL ) {
                                                fprintf( stderr,
                                                        "%s: line %d: dnattr already specified.\n",
                                                        fname, lineno );
                                                acl_usage();
                                        }
 
-#ifdef SLAPD_SCHEMA_COMPAT
-                                       b->a_dn_at = ch_strdup( right );
-#else
-                                       b->a_dn_at = at_find( right );
+#ifdef SLAPD_SCHEMA_NOT_COMPAT
+                                       rc = slap_str2ad( right, &b->a_dn_at, &text );
 
-                                       if( b->a_dn_at == NULL ) {
+                                       if( rc != LDAP_SUCCESS ) {
                                                fprintf( stderr,
-                                                       "%s: line %d: dnattr attribute type undefined.\n",
-                                                       fname, lineno );
+                                                       "%s: line %d: dnattr \"%s\": %s\n",
+                                                       fname, lineno, right, text );
                                                acl_usage();
                                        }
 
-#ifdef SLAPD_OID_DN_SYNTAX
-                                       if( strcmp( b->a_dn_at->sat_syntax_oid,
-                                               SLAPD_OID_DN_SYNTAX ) != 0 )
+
+                                       if( !is_at_syntax( b->a_dn_at->ad_type,
+                                               SLAPD_DN_SYNTAX ) )
                                        {
                                                fprintf( stderr,
-                                                       "%s: line %d: dnattr attribute type not of DN syntax.\n",
-                                                       fname, lineno );
+                                                       "%s: line %d: dnattr \"%s\": "
+                                                       "inappropriate syntax: %s\n",
+                                                       fname, lineno, right,
+                                                       b->a_dn_at->ad_type->sat_syntax_oid );
                                                acl_usage();
                                        }
-#endif
+
+#else
+                                       b->a_dn_at = ch_strdup( right );
 #endif
                                        continue;
                                }
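Review bot: The dnattr branch introduces a three-step pattern — `slap_str2ad()`, `rc != LDAP_SUCCESS` followed by `acl_usage()`, then `is_at_syntax()` on `ad_type` with an "inappropriate syntax" message — that the group and aci branches (hunks at lines 98 and 244) repeat almost verbatim, with only the keyword, the default attribute and the expected syntax OID varying. A small `static` helper taking the keyword, the attribute name, the syntax OID and an `AttributeDescription **` would keep the three messages consistent and give one place to maintain the error reporting. Note too that line 79 dereferences `b->a_dn_at->ad_type` immediately after the failure path; that is only safe if `acl_usage()` never returns, which is not visible in this hunk. parse_acl starts and ends outside this hunk.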
@@ -371,47 +377,124 @@ parse_acl(
                                        b->a_group_pat = ch_strdup( right );
 
                                        if (value && *value) {
+#ifdef SLAPD_SCHEMA_NOT_COMPAT
+                                               b->a_group_oc = oc_find( value );
+#else
                                                b->a_group_oc = ch_strdup(value);
+#endif
                                                *--value = '/';
+
+                                               if( b->a_group_oc == NULL ) {
+                                                       fprintf( stderr,
+                                                               "%s: line %d: group objectclass "
+                                                               "\"%s\" unknown\n",
+                                                               fname, lineno, value );
+                                                       acl_usage();
+                                               }
                                        } else {
-                                               b->a_group_oc = ch_strdup("groupOfNames");
+#ifdef SLAPD_SCHEMA_NOT_COMPAT
+                                               b->a_group_oc = oc_find(SLAPD_GROUP_CLASS);
+
+                                               if( b->a_group_oc == NULL ) {
+                                                       fprintf( stderr,
+                                                               "%s: line %d: group default objectclass "
+                                                               "\"%s\" unknown\n",
+                                                               fname, lineno, SLAPD_GROUP_CLASS );
+                                                       acl_usage();
+                                               }
+#else
+                                               b->a_group_oc = ch_strdup(SLAPD_GROUP_CLASS);
+#endif
                                        }
 
+#ifdef SLAPD_SCHEMA_NOT_COMPAT
+#if 0
+                                       if( is_object_subclass( b->a_group_oc,
+                                               slap_schema.si_oc_referral ) )
+                                       {
+                                               fprintf( stderr,
+                                                       "%s: line %d: group objectclass \"%s\" "
+                                                       "is subclass of referral\n",
+                                                       fname, lineno, value );
+                                               acl_usage();
+                                       }
+
+                                       if( is_object_subclass( b->a_group_oc,
+                                               slap_schema.si_oc_alias ) )
+                                       {
+                                               fprintf( stderr,
+                                                       "%s: line %d: group objectclass \"%s\" "
+                                                       "is subclass of alias\n",
+                                                       fname, lineno, value );
+                                               acl_usage();
+                                       }
+#endif
+#endif
+
                                        if (name && *name) {
-#ifdef SLAPD_SCHEMA_COMPAT
-                                               b->a_group_at = ch_strdup(name);
+#ifdef SLAPD_SCHEMA_NOT_COMPAT
+                                               rc = slap_str2ad( right, &b->a_group_at, &text );
+
+                                               if( rc != LDAP_SUCCESS ) {
+                                                       fprintf( stderr,
+                                                               "%s: line %d: group \"%s\": %s\n",
+                                                               fname, lineno, right, text );
+                                                       acl_usage();
+                                               }
 #else
-                                               b->a_group_at = at_find( name );
+                                               b->a_group_at = ch_strdup(name);
 #endif
                                                *--name = '/';
-
                                        } else {
-#ifdef SLAPD_SCHEMA_COMPAT
-                                               b->a_group_at = ch_strdup("member");
+#ifdef SLAPD_SCHEMA_NOT_COMPAT
+                                               rc = slap_str2ad( SLAPD_GROUP_ATTR, &b->a_group_at, &text );
+
+                                               if( rc != LDAP_SUCCESS ) {
+                                                       fprintf( stderr,
+                                                               "%s: line %d: group \"%s\": %s\n",
+                                                               fname, lineno, SLAPD_GROUP_ATTR, text );
+                                                       acl_usage();
+                                               }
 #else
-                                               b->a_group_at = at_find("member");
+                                               b->a_group_at = ch_strdup( SLAPD_GROUP_ATTR );
 #endif
                                        }
 
-#ifndef SLAPD_SCHEMA_COMPAT
-                                       if( b->a_group_at == NULL ) {
+#ifdef SLAPD_SCHEMA_NOT_COMPAT
+                                       if( !is_at_syntax( b->a_group_at->ad_type,
+                                               SLAPD_DN_SYNTAX ) )
+                                       {
                                                fprintf( stderr,
-                                                       "%s: line %d: group attribute type undefined.\n",
-                                                       fname, lineno );
+                                                       "%s: line %d: group \"%s\": inappropriate syntax: %s\n",
+                                                       fname, lineno, right,
+                                                       b->a_group_at->ad_type->sat_syntax_oid );
                                                acl_usage();
                                        }
 
-#ifdef SLAPD_OID_DN_SYNTAX
-                                       if( strcmp( b->a_group_at->sat_syntax_oid,
-                                               SLAPD_OID_DN_SYNTAX ) != 0 )
+
                                        {
-                                               fprintf( stderr,
-                                                       "%s: line %d: group attribute type not of DN syntax.\n",
-                                                       fname, lineno );
-                                               acl_usage();
+                                               int rc;
+                                               struct berval val;
+                                               struct berval *vals[2];
+
+                                               val.bv_val = b->a_group_oc->soc_oid;
+                                               val.bv_len = strlen(val.bv_val);
+                                               vals[0] = &val;
+                                               vals[1] = NULL;
+
+
+                                               rc = oc_check_allowed( b->a_group_at->ad_type, vals );
+
+                                               if( rc != 0 ) {
+                                                       fprintf( stderr,
+                                                               "%s: line %d: group: \"%s\" not allowed by \"%s\"\n",
+                                                               fname, lineno,
+                                                               b->a_group_at->ad_type,
+                                                               b->a_group_oc->soc_oid );
+                                                       acl_usage();
+                                               }
                                        }
-#endif /* SLAPD_OID_DN_SYNTAX */
-#endif /* !SLAPD_SCHEMA_COMPAT */
+#endif
                                        continue;
                                }
 
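Review bot: In the `name && *name` branch, line 161 parses the attribute type from `right` instead of `name`, so — judging by the `*--name = '/'` restore at line 173 and the `ch_strdup(name)` in the `#else` branch at line 171 — `slap_str2ad()` appears to receive the `pat/objectclass` prefix rather than the attribute name, and line 166 then reports `right` in the message as well; both should read `name`: `rc = slap_str2ad( name, &b->a_group_at, &text );` and `fname, lineno, name, text );` (line 113 has the same flavour of problem, printing `value` after `*--value = '/'` has moved it back onto the slash). Separately, line 233 passes `b->a_group_at->ad_type`, an `AttributeType *`, to a `%s` conversion, which is undefined behaviour; print_access prints the same field as `b->a_group_at->ad_cname->bv_val` (line 325), so that argument should become `b->a_group_at->ad_cname->bv_val,`. The inner `int rc;` at line 217 also shadows the `rc` declared at line 20 and can simply be dropped. parse_acl continues outside this hunk.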
@@ -476,34 +559,44 @@ parse_acl(
                                                acl_usage();
                                        }
 
-#ifdef SLAPD_SCHEMA_COMPAT
+#ifdef SLAPD_SCHEMA_NOT_COMPAT
                                        if ( right != NULL && *right != '\0' ) {
-                                               b->a_aci_at = ch_strdup( right );
-                                       } else {
-                                               b->a_aci_at = ch_strdup( SLAPD_ACI_DEFAULT_ATTR );
-                                       }
-#else
-                                       if ( right != NULL && *right != '\0' ) {
-                                               b->a_aci_at = at_find( right );
+                                               rc = slap_str2ad( right, &b->a_aci_at, &text );
+
+                                               if( rc != LDAP_SUCCESS ) {
+                                                       fprintf( stderr,
+                                                               "%s: line %d: aci \"%s\": %s\n",
+                                                               fname, lineno, right, text );
+                                                       acl_usage();
+                                               }
+
                                        } else {
-                                               b->a_aci_at = at_find( SLAPD_ACI_DEFAULT_ATTR );
-                                       }
+                                               rc = slap_str2ad( SLAPD_ACI_ATTR, &b->a_aci_at, &text );
 
-                                       if( b->a_aci_at == NULL ) {
-                                               fprintf( stderr,
-                                                       "%s: line %d: aci attribute type undefined.\n",
-                                                       fname, lineno );
-                                               acl_usage();
+                                               if( rc != LDAP_SUCCESS ) {
+                                                       fprintf( stderr,
+                                                               "%s: line %d: aci \"%s\": %s\n",
+                                                               fname, lineno, SLAPD_ACI_ATTR, text );
+                                                       acl_usage();
+                                               }
                                        }
 
-                                       if( strcmp( b->a_aci_at->sat_syntax_oid,
-                                               SLAPD_OID_DN_SYNTAX ) != 0 )
+                                       if( !is_at_syntax( b->a_aci_at->ad_type,
+                                               SLAPD_ACI_SYNTAX) )
                                        {
                                                fprintf( stderr,
-                                                       "%s: line %d: aci attribute type not of DN syntax.\n",
-                                                       fname, lineno );
+                                                       "%s: line %d: aci \"%s\": inappropriate syntax: %s\n",
+                                                       fname, lineno, right,
+                                                       b->a_aci_at->ad_type->sat_syntax_oid );
                                                acl_usage();
                                        }
+
+#else
+                                       if ( right != NULL && *right != '\0' ) {
+                                               b->a_aci_at = ch_strdup( right );
+                                       } else {
+                                               b->a_aci_at = ch_strdup( SLAPD_ACI_ATTR );
+                                       }
 #endif
                                        continue;
                                }
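Review bot: Line 294 prints `right` in the "inappropriate syntax" message, but that check is also reached from the `else` at line 267, which is taken precisely when `right` is NULL or empty, so the `%s` conversion can receive a null pointer, which is undefined behaviour. Printing the resolved name, `fname, lineno, b->a_aci_at->ad_cname->bv_val,`, covers both paths and matches how print_access reports the same field at line 337. As in the dnattr and group branches, the `ad_type` dereference at line 287 relies on `acl_usage()` not returning after a failed `slap_str2ad()`; that contract is not visible here. parse_acl continues outside this hunk.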
@@ -919,7 +1012,11 @@ print_access( Access *b )
        }
 
        if ( b->a_dn_at != NULL ) {
+#ifdef SLAPD_SCHEMA_NOT_COMPAT
+               fprintf( stderr, " dnattr=%s", b->a_dn_at->ad_cname->bv_val );
+#else
                fprintf( stderr, " dnattr=%s", b->a_dn_at );
+#endif
        }
 
        if ( b->a_group_pat != NULL ) {
@@ -929,7 +1026,11 @@ print_access( Access *b )
                        fprintf( stderr, " objectClass: %s", b->a_group_oc );
 
                        if ( b->a_group_at ) {
+#ifdef SLAPD_SCHEMA_NOT_COMPAT
+                               fprintf( stderr, " attributeType: %s", b->a_group_at->ad_cname->bv_val );
+#else
                                fprintf( stderr, " attributeType: %s", b->a_group_at );
+#endif
                        }
                }
     }
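Review bot: Line 321 still prints `b->a_group_oc` with `%s`, but under SLAPD_SCHEMA_NOT_COMPAT that field is now the `ObjectClass *` returned by `oc_find()` (lines 103 and 119), so this context line becomes an invalid format argument that the commit leaves unchanged while the adjacent `a_group_at` print is given an `#ifdef`. Wrap it the same way and print the OID the parser already treats as the class's string form (line 221): under `#ifdef SLAPD_SCHEMA_NOT_COMPAT` use `fprintf( stderr, " objectClass: %s", b->a_group_oc->soc_oid );`, keeping the existing line in the `#else` branch. print_access starts outside this hunk.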
@@ -952,7 +1053,11 @@ print_access( Access *b )
 
 #ifdef SLAPD_ACI_ENABLED
        if ( b->a_aci_at != NULL ) {
+#ifdef SLAPD_SCHEMA_NOT_COMPAT
+               fprintf( stderr, " aci=%s", b->a_aci_at->ad_cname->bv_val );
+#else
                fprintf( stderr, " aci=%s", b->a_aci_at );
+#endif
        }
 #endif