X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Faclparse.c;h=0032846346699260a925059317b70088e9a86f91;hb=b1b8d9d651d285f88a98d41db43924ea83399e27;hp=f53d273aa6373e5edbb946b996a252555962bea1;hpb=8354160f8b01d219d69178c88f9062be3699abe2;p=openldap
diff --git a/servers/slapd/aclparse.c b/servers/slapd/aclparse.c
index f53d273aa6..0032846346 100644
--- a/servers/slapd/aclparse.c
+++ b/servers/slapd/aclparse.c
@@ -1,7 +1,7 @@
 /* aclparse.c - routines to parse and check acl's */
 /* $OpenLDAP$ */
 /*
- * Copyright 1998-2002 The OpenLDAP Foundation, All Rights Reserved.
+ * Copyright 1998-2003 The OpenLDAP Foundation, All Rights Reserved.
 * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
 */
@@ -17,6 +17,7 @@
 #include "slap.h"
 #include "lber_pvt.h"
+#include "lutil.h"
 static void split(char *line, int splitchar, char **left, char **right);
 static void access_append(Access **l, Access *a);
@@ -118,7 +119,9 @@ parse_acl(
 }
 if ( strcasecmp( argv[i], "*" ) == 0 ) {
- if( a->acl_dn_pat.bv_len != 0 ) {
+ if( a->acl_dn_pat.bv_len ||
+ ( a->acl_dn_style != ACL_STYLE_REGEX ) )
+ {
 fprintf( stderr,
 "%s: line %d: dn pattern"
 " already specified in to clause.\n",
@@ -142,7 +145,9 @@ parse_acl(
 }
 if ( strcasecmp( left, "dn" ) == 0 ) {
- if( a->acl_dn_pat.bv_len != 0 ) {
+ if( a->acl_dn_pat.bv_len != 0 ||
+ ( a->acl_dn_style != ACL_STYLE_REGEX ) )
+ {
 fprintf( stderr,
 "%s: line %d: dn pattern"
 " already specified in to clause.\n",
@@ -180,7 +185,7 @@ parse_acl(
 } else if ( strcasecmp( style, "one" ) == 0 ) {
 a->acl_dn_style = ACL_STYLE_ONE;
 ber_str2bv( right, 0, 1, &a->acl_dn_pat );
- } else if ( strcasecmp( style, "subtree" ) == 0 ) {
+ } else if ( strcasecmp( style, "subtree" ) == 0 || strcasecmp( style, "sub" ) == 0 ) {
 a->acl_dn_style = ACL_STYLE_SUBTREE;
 ber_str2bv( right, 0, 1, &a->acl_dn_pat );
 } else if ( strcasecmp( style, "children" ) == 0 ) {
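Review bot: In the two `to`-clause duplicate checks (the `*` branch in the @@ -118 hunk and the `dn` branch in the @@ -142 hunk), `a->acl_dn_style != ACL_STYLE_REGEX` stands in for "a dn was already given", but nothing in the code says so and the two conditions are spelled differently (`bv_len ||` versus `bv_len != 0 ||`). The test only holds if a freshly allocated ACL starts out with `acl_dn_style == ACL_STYLE_REGEX`, which is not visible in this diff and should be confirmed at the allocation site. Because a second dn that slips past this check changes which entries the access rule covers, I would state the invariant next to the first check, e.g. `/* acl_dn_style stays ACL_STYLE_REGEX until a dn is given; any other style means a dn was set, even with an empty pattern */`, and use one spelling in both places. parse_acl's body starts and ends outside both hunks.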
@@ -197,8 +202,7 @@ parse_acl(
 }
 if ( strcasecmp( left, "filter" ) == 0 ) {
- if ( (a->acl_filter = str2filter(
- right )) == NULL ) {
+ if ( (a->acl_filter = str2filter( right )) == NULL ) {
 fprintf( stderr,
 "%s: line %d: bad filter \"%s\" in to clause\n",
 fname, lineno, right );
@@ -223,17 +227,19 @@ parse_acl(
 }
 if ( a->acl_dn_pat.bv_len != 0 &&
- strcmp(a->acl_dn_pat.bv_val, "*") == 0)
+ strcmp(a->acl_dn_pat.bv_val, "*") == 0 )
 {
 free( a->acl_dn_pat.bv_val );
 a->acl_dn_pat.bv_val = NULL;
 a->acl_dn_pat.bv_len = 0;
 }
- if( a->acl_dn_pat.bv_len != 0 ) {
+ if( a->acl_dn_pat.bv_len != 0 ||
+ ( a->acl_dn_style != ACL_STYLE_REGEX ) )
+ {
 if ( a->acl_dn_style != ACL_STYLE_REGEX ) {
 struct berval bv;
- rc = dnNormalize2( NULL, &a->acl_dn_pat, &bv);
+ rc = dnNormalize2( NULL, &a->acl_dn_pat, &bv, NULL);
 if ( rc != LDAP_SUCCESS ) {
 fprintf( stderr,
 "%s: line %d: bad DN \"%s\"\n",
@@ -301,7 +307,7 @@ parse_acl(
 sty = ACL_STYLE_BASE;
 } else if ( strcasecmp( style, "one" ) == 0 ) {
 sty = ACL_STYLE_ONE;
- } else if ( strcasecmp( style, "subtree" ) == 0 ) {
+ } else if ( strcasecmp( style, "subtree" ) == 0 || strcasecmp( style, "sub" ) == 0 ) {
 sty = ACL_STYLE_SUBTREE;
 } else if ( strcasecmp( style, "children" ) == 0 ) {
 sty = ACL_STYLE_CHILDREN;
@@ -404,7 +410,7 @@ parse_acl(
 }
 if ( sty != ACL_STYLE_REGEX && expand == 0 ) {
- rc = dnNormalize2(NULL, &bv, &b->a_dn_pat);
+ rc = dnNormalize2(NULL, &bv, &b->a_dn_pat, NULL);
 if ( rc != LDAP_SUCCESS ) {
 fprintf( stderr,
 "%s: line %d: bad DN \"%s\"\n",
@@ -458,6 +464,15 @@ parse_acl(
 acl_usage();
 }
+ if( b->a_dn_at->ad_type->sat_equality == NULL )
+ {
+ fprintf( stderr,
+ "%s: line %d: dnattr \"%s\": "
+ "inappropriate matching (no EQUALITY)\n",
+ fname, lineno, right );
+ acl_usage();
+ }
+
 continue;
 }
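Review bot: In the @@ -223 hunk the widened outer test lets a non-regex style with an empty pattern reach `dnNormalize2`, and that includes the state the `"*"` block just above leaves behind: `bv_val = NULL` and `bv_len = 0` with `acl_dn_style` untouched. If a `*` pattern can arrive with a non-regex style (the style parsing is outside this hunk), a rule that used to carry no dn restriction would now be normalized from a NULL `bv_val`, which changes what the rule covers and would presumably hand that NULL to the `bad DN \"%s\"` message on failure. I would either reset the style in the `"*"` block with `a->acl_dn_style = ACL_STYLE_REGEX;`, or confirm and comment that `dnNormalize2` accepts a zero-length berval with a NULL value. parse_acl's body starts and ends outside the hunk.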
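Review bot: The dnattr check added in the @@ -458 hunk dereferences `b->a_dn_at->ad_type` without a NULL test, so it relies on the preceding block (only its closing `acl_usage(); }` is visible) never falling through with `a_dn_at` unset, that is, on `acl_usage()` not returning. Neither that assumption nor the reason for the new rejection is written down. I would add a comment above the `if`, e.g. `/* dnattr is matched with the attribute's EQUALITY rule, so refuse attributes that have none; a_dn_at was validated above */`. The matching detail is inferred from the error text and should be adjusted to what the ACL evaluator actually does. The enclosing block starts and ends outside the hunk.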
@@ -505,7 +520,7 @@ parse_acl(
 b->a_group_pat = bv;
 } else {
 ber_str2bv( right, 0, 0, &bv );
- rc = dnNormalize2( NULL, &bv, &b->a_group_pat );
+ rc = dnNormalize2( NULL, &bv, &b->a_group_pat, NULL );
 if ( rc != LDAP_SUCCESS ) {
 fprintf( stderr,
 "%s: line %d: bad DN \"%s\"\n",
@@ -1101,24 +1116,24 @@ accessmask2str( slap_mask_t mask, char *buf )
 if ( ACL_IS_LEVEL( mask ) ) {
 if ( ACL_LVL_IS_NONE(mask) ) {
- ptr = slap_strcopy( ptr, "none" );
+ ptr = lutil_strcopy( ptr, "none" );
 } else if ( ACL_LVL_IS_AUTH(mask) ) {
- ptr = slap_strcopy( ptr, "auth" );
+ ptr = lutil_strcopy( ptr, "auth" );
 } else if ( ACL_LVL_IS_COMPARE(mask) ) {
- ptr = slap_strcopy( ptr, "compare" );
+ ptr = lutil_strcopy( ptr, "compare" );
 } else if ( ACL_LVL_IS_SEARCH(mask) ) {
- ptr = slap_strcopy( ptr, "search" );
+ ptr = lutil_strcopy( ptr, "search" );
 } else if ( ACL_LVL_IS_READ(mask) ) {
- ptr = slap_strcopy( ptr, "read" );
+ ptr = lutil_strcopy( ptr, "read" );
 } else if ( ACL_LVL_IS_WRITE(mask) ) {
- ptr = slap_strcopy( ptr, "write" );
+ ptr = lutil_strcopy( ptr, "write" );
 } else {
- ptr = slap_strcopy( ptr, "unknown" );
+ ptr = lutil_strcopy( ptr, "unknown" );
 }
 *ptr++ = '(';
@@ -1267,7 +1282,7 @@ acl_usage( void )
 "\t[aci=]\n"
 #endif
 "\t[ssf=] [transport_ssf=] [tls_ssf=] [sasl_ssf=]\n"
- " ::= regex | base | exact (alias of base) | one | sub | children\n"
+ " ::= regex | base | exact (alias of base) | one | subtree | children\n"
 "