/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
- * Copyright 2004 The OpenLDAP Foundation.
+ * Copyright 2004-2005 The OpenLDAP Foundation.
* Portions Copyright 2004 Pierangelo Masarati.
* All rights reserved.
*
{
int rc = EXIT_SUCCESS;
const char *progname = "slapacl";
- Connection conn;
- Operation op;
- Entry e = { 0 };
+ Connection conn = { 0 };
+ Listener listener;
+ char opbuf[OPERATION_BUFFER_SIZE];
+ Operation *op;
+ Entry e = { 0 }, *ep = &e;
+ char *attr = NULL;
-#ifdef NEW_LOGGING
- lutil_log_initialize( argc, argv );
-#endif
slap_tool_init( progname, SLAPACL, argc, argv );
argv = &argv[ optind ];
argc -= optind;
- memset( &conn, 0, sizeof( Connection ) );
- memset( &op, 0, sizeof( Operation ) );
+ op = (Operation *)opbuf;
+ connection_fake_init( &conn, op, &conn );
- connection_fake_init( &conn, &op, &conn );
-
- assert( be != NULL );
+ conn.c_listener = &listener;
+ conn.c_listener_url = listener_url;
+ conn.c_peer_domain = peer_domain;
+ conn.c_peer_name = peer_name;
+ conn.c_sock_name = sock_name;
+ op->o_ssf = ssf;
+ op->o_transport_ssf = transport_ssf;
+ op->o_tls_ssf = tls_ssf;
+ op->o_sasl_ssf = sasl_ssf;
if ( !BER_BVISNULL( &authcID ) ) {
- rc = slap_sasl_getdn( &conn, &op, &authcID, NULL, &authcDN, SLAP_GETDN_AUTHCID );
+ rc = slap_sasl_getdn( &conn, op, &authcID, NULL,
+ &authcDN, SLAP_GETDN_AUTHCID );
if ( rc != LDAP_SUCCESS ) {
fprintf( stderr, "ID: <%s> check failed %d (%s)\n",
authcID.bv_val, rc,
rc = 1;
goto destroy;
}
+
+ } else if ( !BER_BVISNULL( &authcDN ) ) {
+ struct berval ndn;
+
+ rc = dnNormalize( 0, NULL, NULL, &authcDN, &ndn, NULL );
+ if ( rc != LDAP_SUCCESS ) {
+ fprintf( stderr, "autchDN=\"%s\" normalization failed %d (%s)\n",
+ authcDN.bv_val, rc,
+ ldap_err2string( rc ) );
+ rc = 1;
+ goto destroy;
+ }
+ ch_free( authcDN.bv_val );
+ authcDN = ndn;
}
+
if ( !BER_BVISNULL( &authcDN ) ) {
fprintf( stderr, "DN: \"%s\"\n", authcDN.bv_val );
}
goto destroy;
}
- op.o_bd = be;
+ op->o_bd = be;
if ( !BER_BVISNULL( &authcDN ) ) {
- op.o_dn = authcDN;
- op.o_ndn = authcDN;
+ op->o_dn = authcDN;
+ op->o_ndn = authcDN;
+ }
+
+ if ( argc == 0 ) {
+ argc = 1;
+ attr = slap_schema.si_ad_entry->ad_cname.bv_val;
+ }
+
+ if ( !dryrun ) {
+ ID id;
+
+ if ( !be->be_entry_open ||
+ !be->be_entry_close ||
+ !be->be_dn2id_get ||
+ !be->be_entry_get )
+ {
+ fprintf( stderr, "%s: target database "
+ "doesn't support necessary operations; "
+ "you may try with \"-u\" (dry run).\n",
+ progname );
+ rc = 1;
+ goto destroy;
+ }
+
+ if ( be->be_entry_open( be, 0 ) != 0 ) {
+ fprintf( stderr, "%s: could not open database.\n",
+ progname );
+ rc = 1;
+ goto destroy;
+ }
+
+ id = be->be_dn2id_get( be, &e.e_nname );
+ if ( id == NOID ) {
+ fprintf( stderr, "%s: unable to fetch ID of DN \"%s\"\n",
+ progname, e.e_nname.bv_val );
+ rc = 1;
+ goto destroy;
+ }
+ if ( be->be_id2entry_get( be, id, &ep ) != 0 ) {
+ fprintf( stderr, "%s: unable to fetch entry \"%s\" (%lu)\n",
+ progname, e.e_nname.bv_val, id );
+ rc = 1;
+ goto destroy;
+
+ }
}
for ( ; argc--; argv++ ) {
slap_mask_t mask;
AttributeDescription *desc = NULL;
int rc;
- struct berval val;
+ struct berval val = BER_BVNULL,
+ *valp = NULL;
const char *text;
char accessmaskbuf[ACCESSMASK_MAXLEN];
char *accessstr;
slap_access_t access = ACL_AUTH;
- val.bv_val = strchr( argv[0], ':' );
+ if ( attr == NULL ) {
+ attr = argv[ 0 ];
+ }
+
+ val.bv_val = strchr( attr, ':' );
if ( val.bv_val != NULL ) {
val.bv_val[0] = '\0';
val.bv_val++;
val.bv_len = strlen( val.bv_val );
+ valp = &val;
}
- accessstr = strchr( argv[0], '/' );
+ accessstr = strchr( attr, '/' );
if ( accessstr != NULL ) {
accessstr[0] = '\0';
accessstr++;
access = str2access( accessstr );
if ( access == ACL_INVALID_ACCESS ) {
fprintf( stderr, "unknown access \"%s\" for attribute \"%s\"\n",
- accessstr, argv[0] );
- continue;
+ accessstr, attr );
+ if ( continuemode ) {
+ continue;
+ }
+ break;
}
}
- rc = slap_str2ad( argv[0], &desc, &text );
+ rc = slap_str2ad( attr, &desc, &text );
if ( rc != LDAP_SUCCESS ) {
fprintf( stderr, "slap_str2ad(%s) failed %d (%s)\n",
- argv[0], rc, ldap_err2string( rc ) );
- continue;
+ attr, rc, ldap_err2string( rc ) );
+ if ( continuemode ) {
+ continue;
+ }
+ break;
}
- rc = access_allowed_mask( &op, &e, desc, &val, access,
+ rc = access_allowed_mask( op, ep, desc, valp, access,
NULL, &mask );
- fprintf( stderr, "%s%s%s: %s\n",
- desc->ad_cname.bv_val,
- val.bv_val ? "=" : "",
- val.bv_val ? val.bv_val : "",
- accessmask2str( mask, accessmaskbuf ) );
+ if ( accessstr ) {
+ fprintf( stderr, "%s access to %s%s%s: %s\n",
+ accessstr,
+ desc->ad_cname.bv_val,
+ val.bv_val ? "=" : "",
+ val.bv_val ? val.bv_val : "",
+ rc ? "ALLOWED" : "DENIED" );
+
+ } else {
+ fprintf( stderr, "%s%s%s: %s\n",
+ desc->ad_cname.bv_val,
+ val.bv_val ? "=" : "",
+ val.bv_val ? val.bv_val : "",
+ accessmask2str( mask, accessmaskbuf, 1 ) );
+ }
+ rc = 0;
+ attr = NULL;
}
destroy:;
+ ber_memfree( e.e_name.bv_val );
+ ber_memfree( e.e_nname.bv_val );
+ if ( !dryrun ) {
+ if ( ep != &e ) {
+ be_entry_release_r( op, ep );
+ }
+ be->be_entry_close( be );
+ }
+
slap_tool_destroy();
return rc;