X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Facl.c;h=a6f0a853d01b1284a67bdfa291d619aff5ce9df5;hb=e281e08e79829175aa9545dc2e3eb85e4e873717;hp=cbf1b677f248bec2c72820b018f6aedc869d1d4c;hpb=a96f2af281f312bbc9fc59709eb72f3013df0c17;p=openldap diff --git a/servers/slapd/acl.c b/servers/slapd/acl.c index cbf1b677f2..a6f0a853d0 100644 --- a/servers/slapd/acl.c +++ b/servers/slapd/acl.c @@ -37,10 +37,6 @@ #include "lber_pvt.h" #include "lutil.h" -#ifdef LDAP_SLAPI -#include "slapi/slapi.h" -#endif /* LDAPI_SLAPI */ - #define ACL_BUF_SIZE 1024 /* use most appropriate size */ /* @@ -54,7 +50,9 @@ static struct berval aci_bv_br_entry = BER_BVC("[entry]"), aci_bv_br_all = BER_BVC("[all]"), aci_bv_access_id = BER_BVC("access-id"), +#if 0 aci_bv_anonymous = BER_BVC("anonymous"), +#endif aci_bv_public = BER_BVC("public"), aci_bv_users = BER_BVC("users"), aci_bv_self = BER_BVC("self"), @@ -69,7 +67,9 @@ static struct berval aci_bv_ip_eq = BER_BVC("IP="), #ifdef LDAP_PF_LOCAL aci_bv_path_eq = BER_BVC("PATH="), +#if 0 aci_bv_dirsep = BER_BVC(LDAP_DIRSEP), +#endif #endif /* LDAP_PF_LOCAL */ aci_bv_group_class = BER_BVC(SLAPD_GROUP_CLASS), @@ -84,7 +84,7 @@ typedef enum slap_aci_scope_t { SLAP_ACI_SCOPE_SUBTREE = ( SLAP_ACI_SCOPE_ENTRY | SLAP_ACI_SCOPE_CHILDREN ) } slap_aci_scope_t; -static AccessControl * acl_get( +static AccessControl * slap_acl_get( AccessControl *ac, int *count, Operation *op, Entry *e, AttributeDescription *desc, @@ -92,7 +92,7 @@ static AccessControl * acl_get( int nmatch, regmatch_t *matches, AccessControlState *state ); -static slap_control_t acl_mask( +static slap_control_t slap_acl_mask( AccessControl *ac, slap_mask_t *mask, Operation *op, Entry *e, AttributeDescription *desc, @@ -113,7 +113,7 @@ static int aci_mask( slap_access_t *grant, slap_access_t *deny, slap_aci_scope_t scope); -#endif +#endif /* SLAPD_ACI_ENABLED */ static int regex_matches( struct berval *pat, char *str, char *buf, @@ -138,7 +138,7 @@ static int aci_match_set ( struct berval *subj, Operation *op, * the whole attribute is assumed (all values). * * This routine loops through all access controls and calls - * acl_mask() on each applicable access control. + * slap_acl_mask() on each applicable access control. * The loop exits when a definitive answer is reached or * or no more controls remain. * @@ -151,6 +151,369 @@ static int aci_match_set ( struct berval *subj, Operation *op, * - can be legally called with op->o_bd == NULL */ +#ifdef SLAP_OVERLAY_ACCESS +int +slap_access_always_allowed( + Operation *op, + Entry *e, + AttributeDescription *desc, + struct berval *val, + slap_access_t access, + AccessControlState *state, + slap_mask_t *maskp ) +{ + assert( maskp != NULL ); + + ACL_PRIV_SET( *maskp, ACL_ACCESS2PRIV( access ) ); + + return 1; +} + +int +slap_access_allowed( + Operation *op, + Entry *e, + AttributeDescription *desc, + struct berval *val, + slap_access_t access, + AccessControlState *state, + slap_mask_t *maskp ) +{ + int ret = 1; + int count; + AccessControl *a = NULL; + +#ifdef LDAP_DEBUG + char accessmaskbuf[ACCESSMASK_MAXLEN]; +#endif + slap_mask_t mask; + slap_control_t control; + slap_access_t access_level; + const char *attr; + regmatch_t matches[MAXREMATCHES]; + int st_same_attr = 0; + + assert( op != NULL ); + assert( e != NULL ); + assert( desc != NULL ); + assert( maskp != NULL ); + + access_level = ACL_LEVEL( access ); + attr = desc->ad_cname.bv_val; + + assert( attr != NULL ); + + /* grant database root access */ + if ( be_isroot( op ) ) { + Debug( LDAP_DEBUG_ACL, "<= root access granted\n", 0, 0, 0 ); + mask = ACL_LVL_MANAGE; + goto done; + } + + /* + * no-user-modification operational attributes are ignored + * by ACL_WRITE checking as any found here are not provided + * by the user + */ + if ( access_level >= ACL_WRITE && is_at_no_user_mod( desc->ad_type ) + && desc != slap_schema.si_ad_entry + && desc != slap_schema.si_ad_children ) + { + Debug( LDAP_DEBUG_ACL, "NoUserMod Operational attribute:" + " %s access granted\n", + attr, 0, 0 ); + goto done; + } + + /* use backend default access if no backend acls */ + if ( op->o_bd->be_acl == NULL ) { + int i; + + Debug( LDAP_DEBUG_ACL, + "=> slap_access_allowed: backend default %s " + "access %s to \"%s\"\n", + access2str( access ), + op->o_bd->be_dfltaccess >= access_level ? "granted" : "denied", + op->o_dn.bv_val ? op->o_dn.bv_val : "(anonymous)" ); + ret = op->o_bd->be_dfltaccess >= access_level; + + mask = ACL_PRIV_LEVEL; + for ( i = ACL_NONE; i <= op->o_bd->be_dfltaccess; i++ ) { + ACL_PRIV_SET( mask, ACL_ACCESS2PRIV( i ) ); + } + + goto done; + } + + ret = 0; + control = ACL_BREAK; + + if ( st_same_attr ) { + assert( state->as_vd_acl != NULL ); + + a = state->as_vd_acl; + count = state->as_vd_acl_count; + if ( !ACL_IS_INVALID( state->as_vd_acl_mask ) ) { + mask = state->as_vd_acl_mask; + AC_MEMCPY( matches, state->as_vd_acl_matches, sizeof(matches) ); + goto vd_access; + } + + } else { + if ( state ) state->as_vi_acl = NULL; + a = NULL; + ACL_PRIV_ASSIGN( mask, *maskp ); + count = 0; + memset( matches, '\0', sizeof( matches ) ); + } + + while ( ( a = slap_acl_get( a, &count, op, e, desc, val, + MAXREMATCHES, matches, state ) ) != NULL ) + { + int i; + + for ( i = 0; i < MAXREMATCHES && matches[i].rm_so > 0; i++ ) { + Debug( LDAP_DEBUG_ACL, "=> match[%d]: %d %d ", i, + (int)matches[i].rm_so, (int)matches[i].rm_eo ); + if ( matches[i].rm_so <= matches[0].rm_eo ) { + int n; + for ( n = matches[i].rm_so; n < matches[i].rm_eo; n++ ) { + Debug( LDAP_DEBUG_ACL, "%c", e->e_ndn[n], 0, 0 ); + } + } + Debug( LDAP_DEBUG_ARGS, "\n", 0, 0, 0 ); + } + + if ( state ) { + if ( state->as_vi_acl == a && + ( state->as_recorded & ACL_STATE_RECORDED_NV ) ) + { + Debug( LDAP_DEBUG_ACL, + "=> slap_access_allowed: result from state (%s)\n", + attr, 0, 0 ); + ret = state->as_result; + goto done; + } else { + Debug( LDAP_DEBUG_ACL, + "=> slap_access_allowed: no res from state (%s)\n", + attr, 0, 0 ); + } + } + +vd_access: + control = slap_acl_mask( a, &mask, op, + e, desc, val, MAXREMATCHES, matches, count, state ); + + if ( control != ACL_BREAK ) { + break; + } + + memset( matches, '\0', sizeof( matches ) ); + } + + if ( ACL_IS_INVALID( mask ) ) { + Debug( LDAP_DEBUG_ACL, + "=> slap_access_allowed: \"%s\" (%s) invalid!\n", + e->e_dn, attr, 0 ); + ACL_PRIV_ASSIGN( mask, *maskp ); + + } else if ( control == ACL_BREAK ) { + Debug( LDAP_DEBUG_ACL, + "=> slap_access_allowed: no more rules\n", 0, 0, 0 ); + + goto done; + } + + ret = ACL_GRANT( mask, access ); + + Debug( LDAP_DEBUG_ACL, + "=> slap_access_allowed: %s access %s by %s\n", + access2str( access ), ret ? "granted" : "denied", + accessmask2str( mask, accessmaskbuf, 1 ) ); + +done: + ACL_PRIV_ASSIGN( *maskp, mask ); + return ret; +} + +int +fe_access_allowed( + Operation *op, + Entry *e, + AttributeDescription *desc, + struct berval *val, + slap_access_t access, + AccessControlState *state, + slap_mask_t *maskp ) +{ + BackendDB *be_orig; + int rc; + + /* + * NOTE: control gets here if FIXME + * if an appropriate backend cannot be selected for the operation, + * we assume that the frontend should handle this + * FIXME: should select_backend() take care of this, + * and return frontendDB instead of NULL? maybe for some value + * of the flags? + */ + be_orig = op->o_bd; + + op->o_bd = select_backend( &op->o_req_ndn, 0, 0 ); + if ( op->o_bd == NULL ) { + op->o_bd = frontendDB; + } + rc = slap_access_allowed( op, e, desc, val, access, state, maskp ); + op->o_bd = be_orig; + + return rc; +} + +int +access_allowed_mask( + Operation *op, + Entry *e, + AttributeDescription *desc, + struct berval *val, + slap_access_t access, + AccessControlState *state, + slap_mask_t *maskp ) +{ + int ret = 1; + AccessControl *a = NULL; + int be_null = 0; + +#ifdef LDAP_DEBUG + char accessmaskbuf[ACCESSMASK_MAXLEN]; +#endif + slap_mask_t mask; + slap_control_t control; + slap_access_t access_level; + const char *attr; + int st_same_attr = 0; + static AccessControlState state_init = ACL_STATE_INIT; + + assert( e != NULL ); + assert( desc != NULL ); + + access_level = ACL_LEVEL( access ); + + assert( access_level > ACL_NONE ); + + ACL_INIT( mask ); + if ( maskp ) ACL_INVALIDATE( *maskp ); + + attr = desc->ad_cname.bv_val; + + assert( attr != NULL ); + + if ( op && op->o_is_auth_check && + ( access_level == ACL_SEARCH || access_level == ACL_READ ) ) + { + access = ACL_AUTH; + } + + if ( state ) { + if ( state->as_vd_ad == desc ) { + if ( state->as_recorded ) { + if ( ( state->as_recorded & ACL_STATE_RECORDED_NV ) && + val == NULL ) + { + return state->as_result; + + } else if ( ( state->as_recorded & ACL_STATE_RECORDED_VD ) && + val != NULL && state->as_vd_acl == NULL ) + { + return state->as_result; + } + } + st_same_attr = 1; + } else { + *state = state_init; + } + + state->as_vd_ad = desc; + } + + Debug( LDAP_DEBUG_ACL, + "=> access_allowed: %s access to \"%s\" \"%s\" requested\n", + access2str( access ), e->e_dn, attr ); + + if ( op == NULL ) { + /* no-op call */ + goto done; + } + + if ( op->o_bd == NULL ) { + op->o_bd = LDAP_STAILQ_FIRST( &backendDB ); + be_null = 1; + +#ifdef LDAP_DEVEL + /* + * FIXME: experimental; use first backend rules + * iff there is no global_acl (ITS#3100) */ + if ( frontendDB->be_acl != NULL ) { + op->o_bd = frontendDB; + } +#endif /* LDAP_DEVEL */ + } + assert( op->o_bd != NULL ); + + /* this is enforced in backend_add() */ + if ( op->o_bd->bd_info->bi_access_allowed ) { + /* delegate to backend */ + ret = op->o_bd->bd_info->bi_access_allowed( op, e, + desc, val, access, state, &mask ); + + } else { + BackendDB *be_orig = op->o_bd; + + /* use default (but pass through frontend + * for global ACL overlays) */ + op->o_bd = frontendDB; + ret = frontendDB->bd_info->bi_access_allowed( op, e, + desc, val, access, state, &mask ); + op->o_bd = be_orig; + } + + if ( !ret ) { + if ( ACL_IS_INVALID( mask ) ) { + Debug( LDAP_DEBUG_ACL, + "=> access_allowed: \"%s\" (%s) invalid!\n", + e->e_dn, attr, 0 ); + ACL_INIT( mask ); + + } else if ( control == ACL_BREAK ) { + Debug( LDAP_DEBUG_ACL, + "=> access_allowed: no more rules\n", 0, 0, 0 ); + + goto done; + } + + ret = ACL_GRANT( mask, access ); + } + + Debug( LDAP_DEBUG_ACL, + "=> access_allowed: %s access %s by %s\n", + access2str( access ), ret ? "granted" : "denied", + accessmask2str( mask, accessmaskbuf, 1 ) ); + +done: + if ( state != NULL ) { + /* If not value-dependent, save ACL in case of more attrs */ + if ( !( state->as_recorded & ACL_STATE_RECORDED_VD ) ) { + state->as_vi_acl = a; + state->as_result = ret; + } + state->as_recorded |= ACL_STATE_RECORDED; + } + if ( be_null ) op->o_bd = NULL; + if ( maskp ) ACL_PRIV_ASSIGN( *maskp, mask ); + return ret; +} + +#else /* !SLAP_OVERLAY_ACCESS */ + int access_allowed_mask( Operation *op, @@ -164,42 +527,47 @@ access_allowed_mask( int ret = 1; int count; AccessControl *a = NULL; - Backend *be; - int be_null = 0; + Backend *be; + int be_null = 0; #ifdef LDAP_DEBUG - char accessmaskbuf[ACCESSMASK_MAXLEN]; + char accessmaskbuf[ACCESSMASK_MAXLEN]; #endif - slap_mask_t mask; - slap_control_t control; - const char *attr; - regmatch_t matches[MAXREMATCHES]; - int st_same_attr = 0; - static AccessControlState state_init = ACL_STATE_INIT; + slap_mask_t mask; + slap_control_t control; + slap_access_t access_level; + const char *attr; + regmatch_t matches[MAXREMATCHES]; + int st_same_attr = 0; + static AccessControlState state_init = ACL_STATE_INIT; assert( e != NULL ); assert( desc != NULL ); - assert( access > ACL_NONE ); + + access_level = ACL_LEVEL( access ); + + assert( access_level > ACL_NONE ); if ( maskp ) ACL_INVALIDATE( *maskp ); attr = desc->ad_cname.bv_val; assert( attr != NULL ); - if( op && op->o_is_auth_check && - ( access == ACL_SEARCH || access == ACL_READ )) + if ( op && op->o_is_auth_check && + ( access_level == ACL_SEARCH || access_level == ACL_READ ) ) { access = ACL_AUTH; } - if( state ) { - if ( state->as_vd_ad==desc) { + if ( state ) { + if ( state->as_vd_ad == desc ) { if ( state->as_recorded ) { - if( state->as_recorded & ACL_STATE_RECORDED_NV && + if ( ( state->as_recorded & ACL_STATE_RECORDED_NV ) && val == NULL ) { return state->as_result; - } else if ( state->as_recorded & ACL_STATE_RECORDED_VD && + + } else if ( ( state->as_recorded & ACL_STATE_RECORDED_VD ) && val != NULL && state->as_vd_acl == NULL ) { return state->as_result; @@ -215,7 +583,7 @@ access_allowed_mask( Debug( LDAP_DEBUG_ACL, "=> access_allowed: %s access to \"%s\" \"%s\" requested\n", - access2str( access ), e->e_dn, attr ); + access2str( access ), e->e_dn, attr ); if ( op == NULL ) { /* no-op call */ @@ -238,21 +606,9 @@ access_allowed_mask( } assert( be != NULL ); -#ifdef LDAP_SLAPI - if ( op->o_pb != NULL ) { - ret = slapi_int_access_allowed( op, e, desc, val, access, state ); - if ( ret == 0 ) { - /* ACL plugin denied access */ - goto done; - } - } -#endif /* LDAP_SLAPI */ - /* grant database root access */ - if ( /* be != NULL && */ be_isroot( op ) ) { - Debug( LDAP_DEBUG_ACL, - "<= root access granted\n", - 0, 0, 0 ); + if ( be_isroot( op ) ) { + Debug( LDAP_DEBUG_ACL, "<= root access granted\n", 0, 0, 0 ); if ( maskp ) { mask = ACL_LVL_MANAGE; } @@ -265,7 +621,7 @@ access_allowed_mask( * by ACL_WRITE checking as any found here are not provided * by the user */ - if ( access >= ACL_WRITE && is_at_no_user_mod( desc->ad_type ) + if ( access_level >= ACL_WRITE && is_at_no_user_mod( desc->ad_type ) && desc != slap_schema.si_ad_entry && desc != slap_schema.si_ad_children ) { @@ -276,13 +632,14 @@ access_allowed_mask( } /* use backend default access if no backend acls */ - if( be != NULL && be->be_acl == NULL ) { + if ( be->be_acl == NULL ) { Debug( LDAP_DEBUG_ACL, - "=> access_allowed: backend default %s access %s to \"%s\"\n", + "=> access_allowed: backend default %s " + "access %s to \"%s\"\n", access2str( access ), - be->be_dfltaccess >= access ? "granted" : "denied", + be->be_dfltaccess >= access_level ? "granted" : "denied", op->o_dn.bv_val ? op->o_dn.bv_val : "(anonymous)" ); - ret = be->be_dfltaccess >= access; + ret = be->be_dfltaccess >= access_level; if ( maskp ) { int i; @@ -302,8 +659,9 @@ access_allowed_mask( Debug( LDAP_DEBUG_ACL, "=> access_allowed: global default %s access %s to \"%s\"\n", access2str( access ), - frontendDB->be_dfltaccess >= access ? "granted" : "denied", op->o_dn.bv_val ); - ret = frontendDB->be_dfltaccess >= access; + frontendDB->be_dfltaccess >= access_level ? + "granted" : "denied", op->o_dn.bv_val ); + ret = frontendDB->be_dfltaccess >= access_level; if ( maskp ) { int i; @@ -321,12 +679,12 @@ access_allowed_mask( ret = 0; control = ACL_BREAK; - if( st_same_attr ) { + if ( st_same_attr ) { assert( state->as_vd_acl != NULL ); a = state->as_vd_acl; count = state->as_vd_acl_count; - if ( !ACL_IS_INVALID( state->as_vd_acl_mask )) { + if ( !ACL_IS_INVALID( state->as_vd_acl_mask ) ) { mask = state->as_vd_acl_mask; AC_MEMCPY( matches, state->as_vd_acl_matches, sizeof(matches) ); goto vd_access; @@ -337,45 +695,51 @@ access_allowed_mask( a = NULL; ACL_INIT(mask); count = 0; - memset(matches, '\0', sizeof(matches)); + memset( matches, '\0', sizeof(matches) ); } - while((a = acl_get( a, &count, op, e, desc, val, - MAXREMATCHES, matches, state )) != NULL) + while ( ( a = slap_acl_get( a, &count, op, e, desc, val, + MAXREMATCHES, matches, state ) ) != NULL ) { int i; - for (i = 0; i < MAXREMATCHES && matches[i].rm_so > 0; i++) { + for ( i = 0; i < MAXREMATCHES && matches[i].rm_so > 0; i++ ) { Debug( LDAP_DEBUG_ACL, "=> match[%d]: %d %d ", i, - (int)matches[i].rm_so, (int)matches[i].rm_eo ); - if( matches[i].rm_so <= matches[0].rm_eo ) { + (int)matches[i].rm_so, (int)matches[i].rm_eo ); + if ( matches[i].rm_so <= matches[0].rm_eo ) { int n; - for ( n = matches[i].rm_so; n < matches[i].rm_eo; n++) { + for ( n = matches[i].rm_so; n < matches[i].rm_eo; n++ ) { Debug( LDAP_DEBUG_ACL, "%c", e->e_ndn[n], 0, 0 ); } } Debug( LDAP_DEBUG_ARGS, "\n", 0, 0, 0 ); } - if (state) { - if (state->as_vi_acl == a && (state->as_recorded & ACL_STATE_RECORDED_NV)) { - Debug( LDAP_DEBUG_ACL, "access_allowed: result from state (%s)\n", attr, 0, 0 ); + if ( state ) { + if ( state->as_vi_acl == a && + ( state->as_recorded & ACL_STATE_RECORDED_NV ) ) + { + Debug( LDAP_DEBUG_ACL, + "access_allowed: result from state (%s)\n", + attr, 0, 0 ); ret = state->as_result; goto done; } else { - Debug( LDAP_DEBUG_ACL, "access_allowed: no res from state (%s)\n", attr, 0, 0); + Debug( LDAP_DEBUG_ACL, + "access_allowed: no res from state (%s)\n", + attr, 0, 0 ); } } vd_access: - control = acl_mask( a, &mask, op, + control = slap_acl_mask( a, &mask, op, e, desc, val, MAXREMATCHES, matches, count, state ); if ( control != ACL_BREAK ) { break; } - memset(matches, '\0', sizeof(matches)); + memset( matches, '\0', sizeof(matches) ); } if ( ACL_IS_INVALID( mask ) ) { @@ -386,7 +750,7 @@ vd_access: } else if ( control == ACL_BREAK ) { Debug( LDAP_DEBUG_ACL, - "=> access_allowed: no more rules\n", 0, 0, 0); + "=> access_allowed: no more rules\n", 0, 0, 0 ); goto done; } @@ -400,28 +764,29 @@ vd_access: ret = ACL_GRANT(mask, access); done: - if( state != NULL ) { + if ( state != NULL ) { /* If not value-dependent, save ACL in case of more attrs */ - if ( !(state->as_recorded & ACL_STATE_RECORDED_VD) ) { + if ( !( state->as_recorded & ACL_STATE_RECORDED_VD ) ) { state->as_vi_acl = a; state->as_result = ret; } state->as_recorded |= ACL_STATE_RECORDED; } - if (be_null) op->o_bd = NULL; + if ( be_null ) op->o_bd = NULL; if ( maskp ) *maskp = mask; return ret; } +#endif /* SLAP_OVERLAY_ACCESS */ /* - * acl_get - return the acl applicable to entry e, attribute + * slap_acl_get - return the acl applicable to entry e, attribute * attr. the acl returned is suitable for use in subsequent calls to * acl_access_allowed(). */ static AccessControl * -acl_get( +slap_acl_get( AccessControl *a, int *count, Operation *op, @@ -531,7 +896,7 @@ acl_get( if( state && !( state->as_recorded & ACL_STATE_RECORDED_VD )) { state->as_recorded |= ACL_STATE_RECORDED_VD; - state->as_vd_acl = prev; + state->as_vd_acl = a; state->as_vd_acl_count = *count; state->as_vd_access = a->acl_access; state->as_vd_access_count = 1; @@ -556,7 +921,7 @@ acl_get( if ( a->acl_attrs[0].an_desc->ad_type->sat_syntax != slap_schema.si_syn_distinguishedName ) { if (value_match( &match, desc, - desc->ad_type->sat_equality, 0, + /* desc->ad_type->sat_equality */ a->acl_attrval_mr, 0, val, &a->acl_attrval, &text ) != LDAP_SUCCESS || match ) continue; @@ -570,11 +935,11 @@ acl_get( if ( vdnlen < patlen ) continue; - if ( a->acl_dn_style == ACL_STYLE_BASE ) { + if ( a->acl_attrval_style == ACL_STYLE_BASE ) { if ( vdnlen > patlen ) continue; - } else if ( a->acl_dn_style == ACL_STYLE_ONE ) { + } else if ( a->acl_attrval_style == ACL_STYLE_ONE ) { int rdnlen = -1; if ( !DN_SEPARATOR( val->bv_val[vdnlen - patlen - 1] ) ) @@ -584,11 +949,11 @@ acl_get( if ( rdnlen != vdnlen - patlen - 1 ) continue; - } else if ( a->acl_dn_style == ACL_STYLE_SUBTREE ) { + } else if ( a->acl_attrval_style == ACL_STYLE_SUBTREE ) { if ( vdnlen > patlen && !DN_SEPARATOR( val->bv_val[vdnlen - patlen - 1] ) ) continue; - } else if ( a->acl_dn_style == ACL_STYLE_CHILDREN ) { + } else if ( a->acl_attrval_style == ACL_STYLE_CHILDREN ) { if ( vdnlen <= patlen ) continue; @@ -602,20 +967,295 @@ acl_get( } } - if ( a->acl_filter != NULL ) { - ber_int_t rc = test_filter( NULL, e, a->acl_filter ); - if ( rc != LDAP_COMPARE_TRUE ) { - continue; + if ( a->acl_filter != NULL ) { + ber_int_t rc = test_filter( NULL, e, a->acl_filter ); + if ( rc != LDAP_COMPARE_TRUE ) { + continue; + } + } + + Debug( LDAP_DEBUG_ACL, "=> acl_get: [%d] attr %s\n", + *count, attr, 0); + return a; + } + + Debug( LDAP_DEBUG_ACL, "<= acl_get: done.\n", 0, 0, 0 ); + return( NULL ); +} + +static int +acl_mask_dn( + Operation *op, + Entry *e, + AccessControl *a, + int nmatch, + regmatch_t *matches, + slap_dn_access *b, + struct berval *opndn ) +{ + /* + * if access applies to the entry itself, and the + * user is bound as somebody in the same namespace as + * the entry, OR the given dn matches the dn pattern + */ + /* + * NOTE: styles "anonymous", "users" and "self" + * have been moved to enum slap_style_t, whose + * value is set in a_dn_style; however, the string + * is maintaned in a_dn_pat. + */ + if ( b->a_style == ACL_STYLE_ANONYMOUS ) { + if ( !BER_BVISEMPTY( opndn ) ) { + return 1; + } + + } else if ( b->a_style == ACL_STYLE_USERS ) { + if ( BER_BVISEMPTY( opndn ) ) { + return 1; + } + + } else if ( b->a_style == ACL_STYLE_SELF ) { + struct berval ndn, selfndn; + int level; + + if ( BER_BVISEMPTY( opndn ) || BER_BVISNULL( &e->e_nname ) ) { + return 1; + } + + level = b->a_self_level; + if ( level < 0 ) { + selfndn = *opndn; + ndn = e->e_nname; + level = -level; + + } else { + ndn = *opndn; + selfndn = e->e_nname; + } + + for ( ; level > 0; level-- ) { + if ( BER_BVISEMPTY( &ndn ) ) { + break; + } + dnParent( &ndn, &ndn ); + } + + if ( BER_BVISEMPTY( &ndn ) || !dn_match( &ndn, &selfndn ) ) + { + return 1; + } + + } else if ( b->a_style == ACL_STYLE_REGEX ) { + if ( !ber_bvccmp( &b->a_pat, '*' ) ) { + int tmp_nmatch; + regmatch_t tmp_matches[2], + *tmp_matchesp = tmp_matches; + + int rc = 0; + + switch ( a->acl_dn_style ) { + case ACL_STYLE_REGEX: + if ( !BER_BVISNULL( &a->acl_dn_pat ) ) { + tmp_matchesp = matches; + tmp_nmatch = nmatch; + break; + } + /* FALLTHRU: applies also to ACL_STYLE_REGEX when pattern is "*" */ + + case ACL_STYLE_BASE: + tmp_matches[0].rm_so = 0; + tmp_matches[0].rm_eo = e->e_nname.bv_len; + tmp_nmatch = 1; + break; + + case ACL_STYLE_ONE: + case ACL_STYLE_SUBTREE: + case ACL_STYLE_CHILDREN: + tmp_matches[0].rm_so = 0; + tmp_matches[0].rm_eo = e->e_nname.bv_len; + tmp_matches[1].rm_so = e->e_nname.bv_len - a->acl_dn_pat.bv_len; + tmp_matches[1].rm_eo = e->e_nname.bv_len; + tmp_nmatch = 2; + break; + + default: + /* error */ + rc = 1; + break; + } + + if ( rc ) { + return 1; + } + + if ( !regex_matches( &b->a_pat, opndn->bv_val, + e->e_ndn, tmp_nmatch, tmp_matchesp ) ) + { + return 1; + } + } + + } else { + struct berval pat; + ber_len_t patlen, odnlen; + int got_match = 0; + + if ( e->e_dn == NULL ) + return 1; + + if ( b->a_expand ) { + struct berval bv; + char buf[ACL_BUF_SIZE]; + + int tmp_nmatch; + regmatch_t tmp_matches[2], + *tmp_matchesp = tmp_matches; + + int rc = 0; + + bv.bv_len = sizeof( buf ) - 1; + bv.bv_val = buf; + + switch ( a->acl_dn_style ) { + case ACL_STYLE_REGEX: + if ( !BER_BVISNULL( &a->acl_dn_pat ) ) { + tmp_matchesp = matches; + tmp_nmatch = nmatch; + break; + } + /* FALLTHRU: applies also to ACL_STYLE_REGEX when pattern is "*" */ + + case ACL_STYLE_BASE: + tmp_matches[0].rm_so = 0; + tmp_matches[0].rm_eo = e->e_nname.bv_len; + tmp_nmatch = 1; + break; + + case ACL_STYLE_ONE: + case ACL_STYLE_SUBTREE: + case ACL_STYLE_CHILDREN: + tmp_matches[0].rm_so = 0; + tmp_matches[0].rm_eo = e->e_nname.bv_len; + tmp_matches[1].rm_so = e->e_nname.bv_len - a->acl_dn_pat.bv_len; + tmp_matches[1].rm_eo = e->e_nname.bv_len; + tmp_nmatch = 2; + break; + + default: + /* error */ + rc = 1; + break; + } + + if ( rc ) { + return 1; + } + + if ( string_expand( &bv, &b->a_pat, + e->e_nname.bv_val, + tmp_nmatch, tmp_matchesp ) ) + { + return 1; + } + + if ( dnNormalize(0, NULL, NULL, &bv, + &pat, op->o_tmpmemctx ) + != LDAP_SUCCESS ) + { + /* did not expand to a valid dn */ + return 1; + } + + } else { + pat = b->a_pat; + } + + patlen = pat.bv_len; + odnlen = opndn->bv_len; + if ( odnlen < patlen ) { + goto dn_match_cleanup; + + } + + if ( b->a_style == ACL_STYLE_BASE ) { + /* base dn -- entire object DN must match */ + if ( odnlen != patlen ) { + goto dn_match_cleanup; + } + + } else if ( b->a_style == ACL_STYLE_ONE ) { + int rdnlen = -1; + + if ( odnlen <= patlen ) { + goto dn_match_cleanup; + } + + if ( !DN_SEPARATOR( opndn->bv_val[odnlen - patlen - 1] ) ) { + goto dn_match_cleanup; + } + + rdnlen = dn_rdnlen( NULL, opndn ); + if ( rdnlen != odnlen - patlen - 1 ) { + goto dn_match_cleanup; + } + + } else if ( b->a_style == ACL_STYLE_SUBTREE ) { + if ( odnlen > patlen && !DN_SEPARATOR( opndn->bv_val[odnlen - patlen - 1] ) ) { + goto dn_match_cleanup; + } + + } else if ( b->a_style == ACL_STYLE_CHILDREN ) { + if ( odnlen <= patlen ) { + goto dn_match_cleanup; + } + + if ( !DN_SEPARATOR( opndn->bv_val[odnlen - patlen - 1] ) ) { + goto dn_match_cleanup; + } + + } else if ( b->a_style == ACL_STYLE_LEVEL ) { + int level; + struct berval ndn; + + if ( odnlen <= patlen ) { + goto dn_match_cleanup; + } + + if ( level > 0 && !DN_SEPARATOR( opndn->bv_val[odnlen - patlen - 1] ) ) + { + goto dn_match_cleanup; + } + + level = b->a_level; + ndn = *opndn; + for ( ; level > 0; level-- ) { + if ( BER_BVISEMPTY( &ndn ) ) { + goto dn_match_cleanup; + } + dnParent( &ndn, &ndn ); + if ( ndn.bv_len < patlen ) { + goto dn_match_cleanup; + } + } + + if ( ndn.bv_len != patlen ) { + goto dn_match_cleanup; } } - Debug( LDAP_DEBUG_ACL, "=> acl_get: [%d] attr %s\n", - *count, attr, 0); - return a; + got_match = !strcmp( pat.bv_val, &opndn->bv_val[ odnlen - patlen ] ); + +dn_match_cleanup:; + if ( pat.bv_val != b->a_pat.bv_val ) { + slap_sl_free( pat.bv_val, op->o_tmpmemctx ); + } + + if ( !got_match ) { + return 1; + } } - Debug( LDAP_DEBUG_ACL, "<= acl_get: done.\n", 0, 0, 0 ); - return( NULL ); + return 0; } /* @@ -633,8 +1273,102 @@ acl_get( } \ } while( 0 ) +static int +acl_mask_dnattr( + Operation *op, + Entry *e, + struct berval *val, + AccessControl *a, + Access *b, + int i, + regmatch_t *matches, + int count, + AccessControlState *state, + slap_dn_access *bdn, + struct berval *opndn ) +{ + Attribute *at; + struct berval bv; + int rc, match = 0; + const char *text; + const char *attr = bdn->a_at->ad_cname.bv_val; + + assert( attr != NULL ); + + if ( BER_BVISEMPTY( opndn ) ) { + return 1; + } + + Debug( LDAP_DEBUG_ACL, "<= check a_dn_at: %s\n", attr, 0, 0 ); + bv = *opndn; + + /* see if asker is listed in dnattr */ + for ( at = attrs_find( e->e_attrs, bdn->a_at ); + at != NULL; + at = attrs_find( at->a_next, bdn->a_at ) ) + { + if ( value_find_ex( bdn->a_at, + SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH | + SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH, + at->a_nvals, + &bv, op->o_tmpmemctx ) == 0 ) + { + /* found it */ + match = 1; + break; + } + } + + if ( match ) { + /* have a dnattr match. if this is a self clause then + * the target must also match the op dn. + */ + if ( bdn->a_self ) { + /* check if the target is an attribute. */ + if ( val == NULL ) return 1; + + /* target is attribute, check if the attribute value + * is the op dn. + */ + rc = value_match( &match, bdn->a_at, + bdn->a_at->ad_type->sat_equality, 0, + val, &bv, &text ); + /* on match error or no match, fail the ACL clause */ + if ( rc != LDAP_SUCCESS || match != 0 ) + return 1; + } + + } else { + /* no dnattr match, check if this is a self clause */ + if ( ! bdn->a_self ) + return 1; + + ACL_RECORD_VALUE_STATE; + + /* this is a self clause, check if the target is an + * attribute. + */ + if ( val == NULL ) + return 1; + + /* target is attribute, check if the attribute value + * is the op dn. + */ + rc = value_match( &match, bdn->a_at, + bdn->a_at->ad_type->sat_equality, 0, + val, &bv, &text ); + + /* on match error or no match, fail the ACL clause */ + if ( rc != LDAP_SUCCESS || match != 0 ) + return 1; + } + + return 0; +} + + /* - * acl_mask - modifies mask based upon the given acl and the + * slap_acl_mask - modifies mask based upon the given acl and the * requested access to entry e, attribute attr, value val. if val * is null, access to the whole attribute is assumed (all values). * @@ -643,7 +1377,7 @@ acl_get( */ static slap_control_t -acl_mask( +slap_acl_mask( AccessControl *a, slap_mask_t *mask, Operation *op, @@ -655,13 +1389,13 @@ acl_mask( int count, AccessControlState *state ) { - int i, odnlen, patlen; + int i; Access *b; #ifdef LDAP_DEBUG char accessmaskbuf[ACCESSMASK_MAXLEN]; #if !defined( SLAP_DYNACL ) && defined( SLAPD_ACI_ENABLED ) char accessmaskbuf1[ACCESSMASK_MAXLEN]; -#endif /* SLAPD_ACI_ENABLED */ +#endif /* !SLAP_DYNACL && SLAPD_ACI_ENABLED */ #endif /* DEBUG */ const char *attr; @@ -681,7 +1415,7 @@ acl_mask( "=> acl_mask: to %s by \"%s\", (%s) \n", val ? "value" : "all values", op->o_ndn.bv_val ? op->o_ndn.bv_val : "", - accessmask2str( *mask, accessmaskbuf, 1) ); + accessmask2str( *mask, accessmaskbuf, 1 ) ); if( state && ( state->as_recorded & ACL_STATE_RECORDED_VD ) @@ -715,204 +1449,42 @@ acl_mask( * value is set in a_dn_style; however, the string * is maintaned in a_dn_pat. */ - if ( b->a_dn_style == ACL_STYLE_ANONYMOUS ) { - if ( !BER_BVISEMPTY( &op->o_ndn ) ) { - continue; - } - - } else if ( b->a_dn_style == ACL_STYLE_USERS ) { - if ( BER_BVISEMPTY( &op->o_ndn ) ) { - continue; - } - - } else if ( b->a_dn_style == ACL_STYLE_SELF ) { - if ( BER_BVISEMPTY( &op->o_ndn ) ) { - continue; - } - - if ( e->e_dn == NULL || !dn_match( &e->e_nname, &op->o_ndn ) ) { - continue; - } - - } else if ( b->a_dn_style == ACL_STYLE_REGEX ) { - if ( !ber_bvccmp( &b->a_dn_pat, '*' ) ) { - int tmp_nmatch; - regmatch_t tmp_matches[2], - *tmp_matchesp = tmp_matches; - - int rc = 0; - - switch ( a->acl_dn_style ) { - case ACL_STYLE_REGEX: - if ( !BER_BVISNULL( &a->acl_dn_pat ) ) { - tmp_matchesp = matches; - tmp_nmatch = nmatch; - break; - } - /* FALLTHRU: applies also to ACL_STYLE_REGEX when pattern is "*" */ - - case ACL_STYLE_BASE: - tmp_matches[0].rm_so = 0; - tmp_matches[0].rm_eo = e->e_nname.bv_len; - tmp_nmatch = 1; - break; - case ACL_STYLE_ONE: - case ACL_STYLE_SUBTREE: - case ACL_STYLE_CHILDREN: - tmp_matches[0].rm_so = 0; - tmp_matches[0].rm_eo = e->e_nname.bv_len; - tmp_matches[1].rm_so = e->e_nname.bv_len - a->acl_dn_pat.bv_len; - tmp_matches[1].rm_eo = e->e_nname.bv_len; - tmp_nmatch = 2; - break; - - default: - /* error */ - rc = 1; - break; - } + if ( acl_mask_dn( op, e, a, nmatch, matches, + &b->a_dn, &op->o_ndn ) ) + { + continue; + } + } - if ( rc ) { - continue; - } + if ( !BER_BVISEMPTY( &b->a_realdn_pat ) ) { + struct berval ndn; - if ( !regex_matches( &b->a_dn_pat, - op->o_ndn.bv_val, e->e_ndn, - tmp_nmatch, tmp_matchesp ) ) - { - continue; - } - } + Debug( LDAP_DEBUG_ACL, "<= check a_realdn_pat: %s\n", + b->a_realdn_pat.bv_val, 0, 0); + /* + * if access applies to the entry itself, and the + * user is bound as somebody in the same namespace as + * the entry, OR the given dn matches the dn pattern + */ + /* + * NOTE: styles "anonymous", "users" and "self" + * have been moved to enum slap_style_t, whose + * value is set in a_dn_style; however, the string + * is maintaned in a_dn_pat. + */ + if ( op->o_conn && !BER_BVISNULL( &op->o_conn->c_ndn ) ) + { + ndn = op->o_conn->c_ndn; } else { - struct berval pat; - int got_match = 0; - - if ( e->e_dn == NULL ) - continue; - - if ( b->a_dn_expand ) { - struct berval bv; - char buf[ACL_BUF_SIZE]; - - int tmp_nmatch; - regmatch_t tmp_matches[2], - *tmp_matchesp = tmp_matches; - - int rc = 0; - - bv.bv_len = sizeof( buf ) - 1; - bv.bv_val = buf; - - switch ( a->acl_dn_style ) { - case ACL_STYLE_REGEX: - if ( !BER_BVISNULL( &a->acl_dn_pat ) ) { - tmp_matchesp = matches; - tmp_nmatch = nmatch; - break; - } - /* FALLTHRU: applies also to ACL_STYLE_REGEX when pattern is "*" */ - - case ACL_STYLE_BASE: - tmp_matches[0].rm_so = 0; - tmp_matches[0].rm_eo = e->e_nname.bv_len; - tmp_nmatch = 1; - break; - - case ACL_STYLE_ONE: - case ACL_STYLE_SUBTREE: - case ACL_STYLE_CHILDREN: - tmp_matches[0].rm_so = 0; - tmp_matches[0].rm_eo = e->e_nname.bv_len; - tmp_matches[1].rm_so = e->e_nname.bv_len - a->acl_dn_pat.bv_len; - tmp_matches[1].rm_eo = e->e_nname.bv_len; - tmp_nmatch = 2; - break; - - default: - /* error */ - rc = 1; - break; - } - - if ( rc ) { - continue; - } - - if ( string_expand( &bv, &b->a_dn_pat, - e->e_nname.bv_val, - tmp_nmatch, tmp_matchesp ) ) - { - continue; - } - - if ( dnNormalize(0, NULL, NULL, &bv, - &pat, op->o_tmpmemctx ) - != LDAP_SUCCESS ) - { - /* did not expand to a valid dn */ - continue; - } - - } else { - pat = b->a_dn_pat; - } - - patlen = pat.bv_len; - odnlen = op->o_ndn.bv_len; - if ( odnlen < patlen ) { - goto dn_match_cleanup; - - } - - if ( b->a_dn_style == ACL_STYLE_BASE ) { - /* base dn -- entire object DN must match */ - if ( odnlen != patlen ) { - goto dn_match_cleanup; - } - - } else if ( b->a_dn_style == ACL_STYLE_ONE ) { - int rdnlen = -1; - - if ( odnlen <= patlen ) { - goto dn_match_cleanup; - } - - if ( !DN_SEPARATOR( op->o_ndn.bv_val[odnlen - patlen - 1] ) ) { - goto dn_match_cleanup; - } - - rdnlen = dn_rdnlen( NULL, &op->o_ndn ); - if ( rdnlen != odnlen - patlen - 1 ) { - goto dn_match_cleanup; - } - - } else if ( b->a_dn_style == ACL_STYLE_SUBTREE ) { - if ( odnlen > patlen && !DN_SEPARATOR( op->o_ndn.bv_val[odnlen - patlen - 1] ) ) { - goto dn_match_cleanup; - } - - } else if ( b->a_dn_style == ACL_STYLE_CHILDREN ) { - if ( odnlen <= patlen ) { - goto dn_match_cleanup; - } - - if ( !DN_SEPARATOR( op->o_ndn.bv_val[odnlen - patlen - 1] ) ) { - goto dn_match_cleanup; - } - } - - got_match = !strcmp( pat.bv_val, op->o_ndn.bv_val + odnlen - patlen ); - -dn_match_cleanup:; - if ( pat.bv_val != b->a_dn_pat.bv_val ) { - slap_sl_free( pat.bv_val, op->o_tmpmemctx ); - } + ndn = op->o_ndn; + } - if ( !got_match ) { - continue; - } + if ( acl_mask_dn( op, e, a, nmatch, matches, + &b->a_realdn, &ndn ) ) + { + continue; } } @@ -1159,80 +1731,29 @@ dn_match_cleanup:; } if ( b->a_dn_at != NULL ) { - Attribute *at; - struct berval bv; - int rc, match = 0; - const char *text; - const char *attr = b->a_dn_at->ad_cname.bv_val; - - assert( attr != NULL ); - - if ( op->o_ndn.bv_len == 0 ) { + if ( acl_mask_dnattr( op, e, val, a, b, i, + matches, count, state, + &b->a_dn, &op->o_ndn ) ) + { continue; } + } - Debug( LDAP_DEBUG_ACL, "<= check a_dn_at: %s\n", - attr, 0, 0); - bv = op->o_ndn; + if ( b->a_realdn_at != NULL ) { + struct berval ndn; - /* see if asker is listed in dnattr */ - for( at = attrs_find( e->e_attrs, b->a_dn_at ); - at != NULL; - at = attrs_find( at->a_next, b->a_dn_at ) ) + if ( op->o_conn && !BER_BVISNULL( &op->o_conn->c_ndn ) ) { - if( value_find_ex( b->a_dn_at, - SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH | - SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH, - at->a_nvals, - &bv, op->o_tmpmemctx ) == 0 ) - { - /* found it */ - match = 1; - break; - } - } - - if( match ) { - /* have a dnattr match. if this is a self clause then - * the target must also match the op dn. - */ - if ( b->a_dn_self ) { - /* check if the target is an attribute. */ - if ( val == NULL ) continue; - - /* target is attribute, check if the attribute value - * is the op dn. - */ - rc = value_match( &match, b->a_dn_at, - b->a_dn_at->ad_type->sat_equality, 0, - val, &bv, &text ); - /* on match error or no match, fail the ACL clause */ - if (rc != LDAP_SUCCESS || match != 0 ) - continue; - } + ndn = op->o_conn->c_ndn; } else { - /* no dnattr match, check if this is a self clause */ - if ( ! b->a_dn_self ) - continue; - - ACL_RECORD_VALUE_STATE; - - /* this is a self clause, check if the target is an - * attribute. - */ - if ( val == NULL ) - continue; - - /* target is attribute, check if the attribute value - * is the op dn. - */ - rc = value_match( &match, b->a_dn_at, - b->a_dn_at->ad_type->sat_equality, 0, - val, &bv, &text ); + ndn = op->o_ndn; + } - /* on match error or no match, fail the ACL clause */ - if (rc != LDAP_SUCCESS || match != 0 ) - continue; + if ( acl_mask_dnattr( op, e, val, a, b, i, + matches, count, state, + &b->a_realdn, &ndn ) ) + { + continue; } } @@ -1472,7 +1993,7 @@ dn_match_cleanup:; continue; } - /* this could be improved by changing acl_mask so that it can deal with + /* this could be improved by changing slap_acl_mask so that it can deal with * by clauses that return grant/deny pairs. Right now, it does either * additive or subtractive rights, but not both at the same time. So, * we need to combine the grant/deny pair into a single rights mask in @@ -1625,7 +2146,7 @@ dn_match_cleanup:; continue; } - /* this could be improved by changing acl_mask so that it can deal with + /* this could be improved by changing slap_acl_mask so that it can deal with * by clauses that return grant/deny pairs. Right now, it does either * additive or subtractive rights, but not both at the same time. So, * we need to combine the grant/deny pair into a single rights mask in @@ -1753,6 +2274,16 @@ acl_check_modlist( } for ( ; mlist != NULL; mlist = mlist->sml_next ) { + /* + * Internal mods are ignored by ACL_WRITE checking + */ + if ( mlist->sml_flags & SLAP_MOD_INTERNAL ) { + Debug( LDAP_DEBUG_ACL, "acl: internal mod %s:" + " modify access granted\n", + mlist->sml_desc->ad_cname.bv_val, 0, 0 ); + continue; + } + /* * no-user-modification operational attributes are ignored * by ACL_WRITE checking as any found here are not provided @@ -1773,7 +2304,7 @@ acl_check_modlist( * This prevents abuse from selfwriters. */ if ( ! access_allowed( op, e, - mlist->sml_desc, NULL, ACL_WRITE, &state ) ) + mlist->sml_desc, NULL, ACL_WDEL, &state ) ) { ret = 0; goto done; @@ -1791,7 +2322,7 @@ acl_check_modlist( bv->bv_val != NULL; bv++ ) { if ( ! access_allowed( op, e, - mlist->sml_desc, bv, ACL_WRITE, &state ) ) + mlist->sml_desc, bv, ACL_WADD, &state ) ) { ret = 0; goto done; @@ -1802,7 +2333,7 @@ acl_check_modlist( case LDAP_MOD_DELETE: if ( mlist->sml_values == NULL ) { if ( ! access_allowed( op, e, - mlist->sml_desc, NULL, ACL_WRITE, NULL ) ) + mlist->sml_desc, NULL, ACL_WDEL, NULL ) ) { ret = 0; goto done; @@ -1814,7 +2345,7 @@ acl_check_modlist( bv->bv_val != NULL; bv++ ) { if ( ! access_allowed( op, e, - mlist->sml_desc, bv, ACL_WRITE, &state ) ) + mlist->sml_desc, bv, ACL_WDEL, &state ) ) { ret = 0; goto done; @@ -2643,6 +3174,11 @@ aci_mask( } #ifdef SLAP_DYNACL +/* + * FIXME: there is a silly dependence that makes it difficult + * to move ACIs in a run-time loadable module under the "dynacl" + * umbrella, because sets share some helpers with ACIs. + */ static int dynacl_aci_parse( const char *fname, int lineno, slap_style_t sty, const char *right, void **privp ) { @@ -2652,7 +3188,7 @@ dynacl_aci_parse( const char *fname, int lineno, slap_style_t sty, const char *r if ( sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE ) { fprintf( stderr, "%s: line %d: " "inappropriate style \"%s\" in \"aci\" by clause\n", - fname, lineno, sty ); + fname, lineno, style_strings[sty] ); return -1; } @@ -2687,7 +3223,7 @@ dynacl_aci_unparse( void *priv, struct berval *bv ) AttributeDescription *ad = ( AttributeDescription * )priv; char *ptr; - assert( ad ); + assert( ad != NULL ); bv->bv_val = ch_malloc( STRLENOF(" aci=") + ad->ad_cname.bv_len + 1 ); ptr = lutil_strcopy( bv->bv_val, " aci=" ); @@ -2919,8 +3455,8 @@ slap_dynacl_get( const char *name ) int acl_init( void ) { - int i, rc; #ifdef SLAP_DYNACL + int i, rc; slap_dynacl_t *known_dynacl[] = { #ifdef SLAPD_ACI_ENABLED &dynacl_aci,