X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Faclparse.c;h=051e4a6fb4ace6f12a3614915d89552ae188d208;hb=c3960b98d3b5fbd6ebeb200ca7799ece7b766d50;hp=567e2b63f37071d511e0c52fc0900a31a022fef7;hpb=f5b9ff7940245da236a391019394598198074780;p=openldap

diff --git a/servers/slapd/aclparse.c b/servers/slapd/aclparse.c
index 567e2b63f3..051e4a6fb4 100644
--- a/servers/slapd/aclparse.c
+++ b/servers/slapd/aclparse.c
@@ -52,12 +52,14 @@ char *style_strings[] = {
 	"users",
 	"self",
 	"ip",
+	"ipv6",
 	"path",
 	NULL
 };
 
 static void		split(char *line, int splitchar, char **left, char **right);
 static void		access_append(Access **l, Access *a);
+static void		access_free( Access *a );
 static int		acl_usage(void);
 
 static void		acl_regex_normalized_dn(const char *src, struct berval *pat);
@@ -327,12 +329,11 @@ parse_acl(
 	int		i;
 	char		*left, *right, *style;
 	struct berval	bv;
-	AccessControl	*a;
-	Access	*b;
+	AccessControl	*a = NULL;
+	Access	*b = NULL;
 	int rc;
 	const char *text;
 
-	a = NULL;
 	for ( i = 1; i < argc; i++ ) {
 		/* to clause - select which entries are protected */
 		if ( strcasecmp( argv[i], "to" ) == 0 ) {
@@ -340,7 +341,7 @@ parse_acl(
 				Debug( LDAP_DEBUG_ANY, "%s: line %d: "
 					"only one to clause allowed in access line\n",
 				    fname, lineno, 0 );
-				return acl_usage();
+				goto fail;
 			}
 			a = (AccessControl *) ch_calloc( 1, sizeof(AccessControl) );
 			for ( ++i; i < argc; i++ ) {
@@ -357,7 +358,7 @@ parse_acl(
 							"%s: line %d: dn pattern"
 							" already specified in to clause.\n",
 							fname, lineno, 0 );
-						return acl_usage();
+						goto fail;
 					}
 
 					ber_str2bv( "*", STRLENOF( "*" ), 1, &a->acl_dn_pat );
@@ -371,7 +372,7 @@ parse_acl(
 					Debug( LDAP_DEBUG_ANY, "%s: line %d: "
 						"missing \"=\" in \"%s\" in to clause\n",
 					    fname, lineno, left );
-					return acl_usage();
+					goto fail;
 				}
 
 				if ( strcasecmp( left, "dn" ) == 0 ) {
@@ -382,7 +383,7 @@ parse_acl(
 							"%s: line %d: dn pattern"
 							" already specified in to clause.\n",
 							fname, lineno, 0 );
-						return acl_usage();
+						goto fail;
 					}
 
 					if ( style == NULL || *style == '\0' ||
@@ -440,7 +441,7 @@ parse_acl(
 						Debug( LDAP_DEBUG_ANY, "%s: line %d: "
 							"unknown dn style \"%s\" in to clause\n",
 						    fname, lineno, style );
-						return acl_usage();
+						goto fail;
 					}
 
 					continue;
@@ -451,7 +452,7 @@ parse_acl(
 						Debug( LDAP_DEBUG_ANY,
 				"%s: line %d: bad filter \"%s\" in to clause\n",
 						    fname, lineno, right );
-						return acl_usage();
+						goto fail;
 					}
 
 				} else if ( strcasecmp( left, "attr" ) == 0		/* TOLERATED */
@@ -471,7 +472,7 @@ parse_acl(
 						Debug( LDAP_DEBUG_ANY,
 				"%s: line %d: unknown attr \"%s\" in to clause\n",
 						    fname, lineno, right );
-						return acl_usage();
+						goto fail;
 					}
 
 				} else if ( strncasecmp( left, "val", 3 ) == 0 ) {
@@ -482,14 +483,14 @@ parse_acl(
 						Debug( LDAP_DEBUG_ANY,
 				"%s: line %d: attr val already specified in to clause.\n",
 							fname, lineno, 0 );
-						return acl_usage();
+						goto fail;
 					}
 					if ( a->acl_attrs == NULL || !BER_BVISEMPTY( &a->acl_attrs[1].an_name ) )
 					{
 						Debug( LDAP_DEBUG_ANY,
 				"%s: line %d: attr val requires a single attribute.\n",
 							fname, lineno, 0 );
-						return acl_usage();
+						goto fail;
 					}
 
 					ber_str2bv( right, 0, 0, &bv );
@@ -505,7 +506,7 @@ parse_acl(
 							Debug( LDAP_DEBUG_ANY, "%s: line %d: "
 								"invalid matching rule \"%s\".\n",
 								fname, lineno, mr );
-							return acl_usage();
+							goto fail;
 						}
 
 						if( !mr_usable_with_at( a->acl_attrval_mr, a->acl_attrs[ 0 ].an_desc->ad_type ) )
@@ -520,7 +521,7 @@ parse_acl(
 
 							Debug( LDAP_DEBUG_ANY, "%s: line %d: %s\n",
 								fname, lineno, buf );
-							return acl_usage();
+							goto fail;
 						}
 					}
 					
@@ -540,7 +541,7 @@ parse_acl(
 
 								Debug( LDAP_DEBUG_ANY, "%s: line %d: %s\n",
 									fname, lineno, buf );
-								return acl_usage();
+								goto fail;
 							}
 							a->acl_attrval_style = ACL_STYLE_REGEX;
 
@@ -571,8 +572,6 @@ parse_acl(
 								} else {
 									char	buf[ SLAP_TEXT_BUFLEN ];
 
-									/* FIXME: should be an error */
-
 									snprintf( buf, sizeof( buf ),
 										"unknown val.<style> \"%s\" for attributeType \"%s\" "
 											"with DN syntax.",
@@ -582,8 +581,7 @@ parse_acl(
 									Debug( LDAP_DEBUG_CONFIG | LDAP_DEBUG_ACL, 
 										"%s: line %d: %s\n",
 										fname, lineno, buf );
-									return acl_usage();
-									a->acl_attrval_style = ACL_STYLE_BASE;
+									goto fail;
 								}
 
 								rc = dnNormalize( 0, NULL, NULL, &bv, &a->acl_attrval, NULL );
@@ -599,22 +597,19 @@ parse_acl(
 									Debug( LDAP_DEBUG_ANY, 
 										"%s: line %d: %s\n",
 										fname, lineno, buf );
-									return acl_usage();
+									goto fail;
 								}
 
 							} else {
 								char	buf[ SLAP_TEXT_BUFLEN ];
 
-								/* FIXME: should be an error */
-
 								snprintf( buf, sizeof( buf ),
 									"unknown val.<style> \"%s\" for attributeType \"%s\".",
 									style, a->acl_attrs[0].an_desc->ad_cname.bv_val );
 								Debug( LDAP_DEBUG_CONFIG | LDAP_DEBUG_ACL, 
 									"%s: line %d: %s\n",
 									fname, lineno, buf );
-								return acl_usage();
-								a->acl_attrval_style = ACL_STYLE_BASE;
+								goto fail;
 							}
 						}
 					}
@@ -635,7 +630,7 @@ parse_acl(
 							Debug( LDAP_DEBUG_ANY, "%s: line %d: "
 								"attr \"%s\" does not have an EQUALITY matching rule.\n",
 								fname, lineno, a->acl_attrs[ 0 ].an_name.bv_val );
-							return acl_usage();
+							goto fail;
 						}
 
 						rc = asserted_value_validate_normalize(
@@ -651,10 +646,11 @@ parse_acl(
 
 							snprintf( buf, sizeof( buf ), "%s: line %d: "
 								" attr \"%s\" normalization failed (%d: %s)",
+								fname, lineno,
 								a->acl_attrs[ 0 ].an_name.bv_val, rc, text );
 							Debug( LDAP_DEBUG_ANY, "%s: line %d: %s.\n",
 								fname, lineno, buf );
-							return acl_usage();
+							goto fail;
 						}
 					}
 
@@ -662,7 +658,7 @@ parse_acl(
 					Debug( LDAP_DEBUG_ANY,
 						"%s: line %d: expecting <what> got \"%s\"\n",
 					    fname, lineno, left );
-					return acl_usage();
+					goto fail;
 				}
 			}
 
@@ -684,7 +680,7 @@ parse_acl(
 						Debug( LDAP_DEBUG_ANY,
 							"%s: line %d: bad DN \"%s\" in to DN clause\n",
 							fname, lineno, a->acl_dn_pat.bv_val );
-						return acl_usage();
+						goto fail;
 					}
 					free( a->acl_dn_pat.bv_val );
 					a->acl_dn_pat = bv;
@@ -702,7 +698,7 @@ parse_acl(
 							right, err );
 						Debug( LDAP_DEBUG_ANY, "%s: line %d: %s\n",
 							fname, lineno, buf );
-						return acl_usage();
+						goto fail;
 					}
 				}
 			}
@@ -713,24 +709,24 @@ parse_acl(
 				Debug( LDAP_DEBUG_ANY, "%s: line %d: "
 					"to clause required before by clause in access line\n",
 					fname, lineno, 0 );
-				return acl_usage();
+				goto fail;
 			}
 
 			/*
 			 * by clause consists of <who> and <access>
 			 */
 
-			b = (Access *) ch_calloc( 1, sizeof(Access) );
-
-			ACL_INVALIDATE( b->a_access_mask );
-
 			if ( ++i == argc ) {
 				Debug( LDAP_DEBUG_ANY,
 					"%s: line %d: premature EOL: expecting <who>\n",
 					fname, lineno, 0 );
-				return acl_usage();
+				goto fail;
 			}
 
+			b = (Access *) ch_calloc( 1, sizeof(Access) );
+
+			ACL_INVALIDATE( b->a_access_mask );
+
 			/* get <who> */
 			for ( ; i < argc; i++ ) {
 				slap_style_t	sty = ACL_STYLE_REGEX;
@@ -755,13 +751,13 @@ parse_acl(
 									"%s: line %d: premature eol: "
 									"expecting closing '}' in \"level{n}\"\n",
 									fname, lineno, 0 );
-								return acl_usage();
+								goto fail;
 							} else if ( p == style_level ) {
 								Debug( LDAP_DEBUG_ANY,
 									"%s: line %d: empty level "
 									"in \"level{n}\"\n",
 									fname, lineno, 0 );
-								return acl_usage();
+								goto fail;
 							}
 							p[0] = '\0';
 						}
@@ -795,7 +791,7 @@ parse_acl(
 							"%s: line %d: unable to parse level "
 							"in \"level{n}\"\n",
 							fname, lineno, 0 );
-						return acl_usage();
+						goto fail;
 					}
 
 					sty = ACL_STYLE_LEVEL;
@@ -809,6 +805,14 @@ parse_acl(
 				} else if ( strcasecmp( style, "ip" ) == 0 ) {
 					sty = ACL_STYLE_IP;
 
+				} else if ( strcasecmp( style, "ipv6" ) == 0 ) {
+#ifndef LDAP_PF_INET6
+					Debug( LDAP_DEBUG_ANY,
+						"%s: line %d: IPv6 not supported\n",
+						fname, lineno, 0 );
+#endif /* ! LDAP_PF_INET6 */
+					sty = ACL_STYLE_IPV6;
+
 				} else if ( strcasecmp( style, "path" ) == 0 ) {
 					sty = ACL_STYLE_PATH;
 #ifndef LDAP_PF_LOCAL
@@ -816,14 +820,14 @@ parse_acl(
 						"%s: line %d: "
 						"\"path\" style modifier is useless without local.\n",
 						fname, lineno, 0 );
-					return acl_usage();
+					goto fail;
 #endif /* LDAP_PF_LOCAL */
 
 				} else {
 					Debug( LDAP_DEBUG_ANY,
 						"%s: line %d: unknown style \"%s\" in by clause\n",
 						fname, lineno, style );
-					return acl_usage();
+					goto fail;
 				}
 
 				if ( style_modifier &&
@@ -834,7 +838,7 @@ parse_acl(
 						Debug( LDAP_DEBUG_ANY, "%s: line %d: "
 							"\"regex\" style implies \"expand\" modifier.\n",
 							fname, lineno, 0 );
-						return acl_usage();
+						goto fail;
 						break;
 
 					case ACL_STYLE_EXPAND:
@@ -854,7 +858,7 @@ parse_acl(
 					Debug( LDAP_DEBUG_CONFIG | LDAP_DEBUG_ACL, "%s: line %d: \"expand\" style "
 						"or modifier used in conjunction with a non-regex <what> clause.\n",
 						fname, lineno, 0 );
-						return acl_usage();
+						goto fail;
 				}
 
 				if ( strncasecmp( left, "real", STRLENOF( "real" ) ) == 0 ) {
@@ -865,7 +869,7 @@ parse_acl(
 
 				if ( strcasecmp( left, "*" ) == 0 ) {
 					if ( is_realdn ) {
-						return acl_usage();
+						goto fail;
 					}
 
 					ber_str2bv( "*", STRLENOF( "*" ), 1, &bv );
@@ -943,7 +947,7 @@ parse_acl(
 							"missing \"=\" in (or value after) \"%s\" "
 							"in by clause\n",
 							fname, lineno, left );
-						return acl_usage();
+						goto fail;
 
 					} else {
 						ber_str2bv( right, 0, 1, &bv );
@@ -958,7 +962,7 @@ parse_acl(
 						Debug( LDAP_DEBUG_ANY,
 							"%s: line %d: dn pattern already specified.\n",
 							fname, lineno, 0 );
-						return acl_usage();
+						goto fail;
 					}
 
 					if ( sty != ACL_STYLE_REGEX &&
@@ -973,7 +977,7 @@ parse_acl(
 							Debug( LDAP_DEBUG_ANY,
 								"%s: line %d: bad DN \"%s\" in by DN clause\n",
 								fname, lineno, bv.bv_val );
-							return acl_usage();
+							goto fail;
 						}
 						free( bv.bv_val );
 						if ( sty == ACL_STYLE_BASE
@@ -1000,7 +1004,7 @@ parse_acl(
 								< bdn->a_pat.bv_len;
 							exp = strchr( exp, '$' ) )
 						{
-							if ( isdigit( exp[ 1 ] ) ) {
+							if ( isdigit( (unsigned char) exp[ 1 ] ) ) {
 								gotit = 1;
 								break;
 							}
@@ -1013,7 +1017,7 @@ parse_acl(
 							Debug( LDAP_DEBUG_ANY, "%s: line %d: "
 								"\"expand\" used with no expansions in \"pattern\".\n",
 								fname, lineno, 0 );
-							return acl_usage();
+							goto fail;
 						} 
 					}
 					if ( sty == ACL_STYLE_SELF ) {
@@ -1025,7 +1029,7 @@ parse_acl(
 								"%s: line %d: bad negative level \"%d\" "
 								"in by DN clause\n",
 								fname, lineno, level );
-							return acl_usage();
+							goto fail;
 						} else if ( level == 1 ) {
 							Debug( LDAP_DEBUG_ANY,
 								"%s: line %d: \"onelevel\" should be used "
@@ -1049,14 +1053,14 @@ parse_acl(
 							"missing \"=\" in (or value after) \"%s\" "
 							"in by clause\n",
 							fname, lineno, left );
-						return acl_usage();
+						goto fail;
 					}
 
 					if( bdn->a_at != NULL ) {
 						Debug( LDAP_DEBUG_ANY,
 							"%s: line %d: dnattr already specified.\n",
 							fname, lineno, 0 );
-						return acl_usage();
+						goto fail;
 					}
 
 					rc = slap_str2ad( right, &bdn->a_at, &text );
@@ -1070,7 +1074,7 @@ parse_acl(
 						Debug( LDAP_DEBUG_ANY,
 							"%s: line %d: %s\n",
 							fname, lineno, buf );
-						return acl_usage();
+						goto fail;
 					}
 
 
@@ -1089,7 +1093,7 @@ parse_acl(
 						Debug( LDAP_DEBUG_ANY,
 							"%s: line %d: %s\n",
 							fname, lineno, buf );
-						return acl_usage();
+						goto fail;
 					}
 
 					if( bdn->a_at->ad_type->sat_equality == NULL ) {
@@ -1097,7 +1101,7 @@ parse_acl(
 							"%s: line %d: dnattr \"%s\": "
 							"inappropriate matching (no EQUALITY)\n",
 							fname, lineno, right );
-						return acl_usage();
+						goto fail;
 					}
 
 					continue;
@@ -1130,7 +1134,7 @@ parse_acl(
 							"%s: line %d: "
 							"inappropriate style \"%s\" in by clause.\n",
 							fname, lineno, style );
-						return acl_usage();
+						goto fail;
 					}
 
 					if ( right == NULL || right[0] == '\0' ) {
@@ -1139,14 +1143,14 @@ parse_acl(
 							"missing \"=\" in (or value after) \"%s\" "
 							"in by clause.\n",
 							fname, lineno, left );
-						return acl_usage();
+						goto fail;
 					}
 
 					if ( !BER_BVISEMPTY( &b->a_group_pat ) ) {
 						Debug( LDAP_DEBUG_ANY,
 							"%s: line %d: group pattern already specified.\n",
 							fname, lineno, 0 );
-						return acl_usage();
+						goto fail;
 					}
 
 					/* format of string is
@@ -1174,7 +1178,7 @@ parse_acl(
 							Debug( LDAP_DEBUG_ANY,
 								"%s: line %d: bad DN \"%s\".\n",
 								fname, lineno, right );
-							return acl_usage();
+							goto fail;
 						}
 					}
 
@@ -1187,7 +1191,7 @@ parse_acl(
 								"%s: line %d: group objectclass "
 								"\"%s\" unknown.\n",
 								fname, lineno, value );
-							return acl_usage();
+							goto fail;
 						}
 
 					} else {
@@ -1198,7 +1202,7 @@ parse_acl(
 								"%s: line %d: group default objectclass "
 								"\"%s\" unknown.\n",
 								fname, lineno, SLAPD_GROUP_CLASS );
-							return acl_usage();
+							goto fail;
 						}
 					}
 
@@ -1209,7 +1213,7 @@ parse_acl(
 							"%s: line %d: group objectclass \"%s\" "
 							"is subclass of referral.\n",
 							fname, lineno, value );
-						return acl_usage();
+						goto fail;
 					}
 
 					if ( is_object_subclass( slap_schema.si_oc_alias,
@@ -1219,7 +1223,7 @@ parse_acl(
 							"%s: line %d: group objectclass \"%s\" "
 							"is subclass of alias.\n",
 							fname, lineno, value );
-						return acl_usage();
+						goto fail;
 					}
 
 					if ( name && *name ) {
@@ -1234,7 +1238,7 @@ parse_acl(
 							Debug( LDAP_DEBUG_ANY,
 								"%s: line %d: %s\n",
 								fname, lineno, buf );
-							return acl_usage();
+							goto fail;
 						}
 						*--name = '/';
 
@@ -1250,7 +1254,7 @@ parse_acl(
 							Debug( LDAP_DEBUG_ANY,
 								"%s: line %d: %s\n",
 								fname, lineno, buf );
-							return acl_usage();
+							goto fail;
 						}
 					}
 
@@ -1269,19 +1273,19 @@ parse_acl(
 						Debug( LDAP_DEBUG_ANY,
 							"%s: line %d: %s\n",
 							fname, lineno, buf );
-						return acl_usage();
+						goto fail;
 					}
 
 
 					{
 						int rc;
-						struct berval vals[2];
+						ObjectClass *ocs[2];
 
-						ber_str2bv( b->a_group_oc->soc_oid, 0, 0, &vals[0] );
-						BER_BVZERO( &vals[1] );
+						ocs[0] = b->a_group_oc;
+						ocs[1] = NULL;
 
 						rc = oc_check_allowed( b->a_group_at->ad_type,
-							vals, NULL );
+							ocs, NULL );
 
 						if( rc != 0 ) {
 							char	buf[ SLAP_TEXT_BUFLEN ];
@@ -1292,7 +1296,7 @@ parse_acl(
 								b->a_group_oc->soc_oid );
 							Debug( LDAP_DEBUG_ANY, "%s: line %d: %s\n",
 								fname, lineno, buf );
-							return acl_usage();
+							goto fail;
 						}
 					}
 					continue;
@@ -1306,6 +1310,7 @@ parse_acl(
 					case ACL_STYLE_EXPAND:
 						/* cheap replacement to regex for simple expansion */
 					case ACL_STYLE_IP:
+					case ACL_STYLE_IPV6:
 					case ACL_STYLE_PATH:
 						/* legal, peername specific */
 						break;
@@ -1314,7 +1319,7 @@ parse_acl(
 						Debug( LDAP_DEBUG_ANY, "%s: line %d: "
 							"inappropriate style \"%s\" in by clause.\n",
 						    fname, lineno, style );
-						return acl_usage();
+						goto fail;
 					}
 
 					if ( right == NULL || right[0] == '\0' ) {
@@ -1322,14 +1327,14 @@ parse_acl(
 							"missing \"=\" in (or value after) \"%s\" "
 							"in by clause.\n",
 							fname, lineno, left );
-						return acl_usage();
+						goto fail;
 					}
 
 					if ( !BER_BVISEMPTY( &b->a_peername_pat ) ) {
 						Debug( LDAP_DEBUG_ANY, "%s: line %d: "
 							"peername pattern already specified.\n",
 							fname, lineno, 0 );
-						return acl_usage();
+						goto fail;
 					}
 
 					b->a_peername_style = sty;
@@ -1357,7 +1362,7 @@ parse_acl(
 								Debug( LDAP_DEBUG_ANY, "%s: line %d: "
 									"illegal peername address \"%s\".\n",
 									fname, lineno, addr );
-								return acl_usage();
+								goto fail;
 							}
 
 							b->a_peername_mask = (unsigned long)(-1);
@@ -1371,7 +1376,7 @@ parse_acl(
 										"illegal peername address mask "
 										"\"%s\".\n",
 										fname, lineno, mask );
-									return acl_usage();
+									goto fail;
 								}
 							} 
 
@@ -1386,9 +1391,55 @@ parse_acl(
 										"illegal peername port specification "
 										"\"{%s}\".\n",
 										fname, lineno, port );
-									return acl_usage();
+									goto fail;
 								}
 							}
+
+#ifdef LDAP_PF_INET6
+						} else if ( sty == ACL_STYLE_IPV6 ) {
+							char		*addr = NULL,
+									*mask = NULL,
+									*port = NULL;
+
+							split( right, '{', &addr, &port );
+							split( addr, '%', &addr, &mask );
+
+							if ( inet_pton( AF_INET6, addr, &b->a_peername_addr6 ) != 1 ) {
+								/* illegal address */
+								Debug( LDAP_DEBUG_ANY, "%s: line %d: "
+									"illegal peername address \"%s\".\n",
+									fname, lineno, addr );
+								goto fail;
+							}
+
+							if ( mask == NULL ) {
+								mask = "FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF";
+							}
+
+							if ( inet_pton( AF_INET6, mask, &b->a_peername_mask6 ) != 1 ) {
+								/* illegal mask */
+								Debug( LDAP_DEBUG_ANY, "%s: line %d: "
+									"illegal peername address mask "
+									"\"%s\".\n",
+									fname, lineno, mask );
+								goto fail;
+							}
+
+							b->a_peername_port = -1;
+							if ( port ) {
+								char	*end = NULL;
+
+								b->a_peername_port = strtol( port, &end, 10 );
+								if ( end == port || end[0] != '}' ) {
+									/* illegal port */
+									Debug( LDAP_DEBUG_ANY, "%s: line %d: "
+										"illegal peername port specification "
+										"\"{%s}\".\n",
+										fname, lineno, port );
+									goto fail;
+								}
+							}
+#endif /* LDAP_PF_INET6 */
 						}
 					}
 					continue;
@@ -1408,7 +1459,7 @@ parse_acl(
 						Debug( LDAP_DEBUG_ANY, "%s: line %d: "
 							"inappropriate style \"%s\" in by clause\n",
 						    fname, lineno, style );
-						return acl_usage();
+						goto fail;
 					}
 
 					if ( right == NULL || right[0] == '\0' ) {
@@ -1416,14 +1467,14 @@ parse_acl(
 							"missing \"=\" in (or value after) \"%s\" "
 							"in by clause\n",
 							fname, lineno, left );
-						return acl_usage();
+						goto fail;
 					}
 
 					if ( !BER_BVISNULL( &b->a_sockname_pat ) ) {
 						Debug( LDAP_DEBUG_ANY, "%s: line %d: "
 							"sockname pattern already specified.\n",
 							fname, lineno, 0 );
-						return acl_usage();
+						goto fail;
 					}
 
 					b->a_sockname_style = sty;
@@ -1466,7 +1517,7 @@ parse_acl(
 						Debug( LDAP_DEBUG_ANY, "%s: line %d: "
 							"inappropriate style \"%s\" in by clause.\n",
 						    fname, lineno, style );
-						return acl_usage();
+						goto fail;
 					}
 
 					if ( right == NULL || right[0] == '\0' ) {
@@ -1474,14 +1525,14 @@ parse_acl(
 							"missing \"=\" in (or value after) \"%s\" "
 							"in by clause.\n",
 							fname, lineno, left );
-						return acl_usage();
+						goto fail;
 					}
 
 					if ( !BER_BVISEMPTY( &b->a_domain_pat ) ) {
 						Debug( LDAP_DEBUG_ANY,
 							"%s: line %d: domain pattern already specified.\n",
 							fname, lineno, 0 );
-						return acl_usage();
+						goto fail;
 					}
 
 					b->a_domain_style = sty;
@@ -1513,7 +1564,7 @@ parse_acl(
 						Debug( LDAP_DEBUG_ANY, "%s: line %d: "
 							"inappropriate style \"%s\" in by clause.\n",
 						    fname, lineno, style );
-						return acl_usage();
+						goto fail;
 					}
 
 					if ( right == NULL || right[0] == '\0' ) {
@@ -1521,14 +1572,14 @@ parse_acl(
 							"missing \"=\" in (or value after) \"%s\" "
 							"in by clause.\n",
 							fname, lineno, left );
-						return acl_usage();
+						goto fail;
 					}
 
 					if ( !BER_BVISEMPTY( &b->a_sockurl_pat ) ) {
 						Debug( LDAP_DEBUG_ANY,
 							"%s: line %d: sockurl pattern already specified.\n",
 							fname, lineno, 0 );
-						return acl_usage();
+						goto fail;
 					}
 
 					b->a_sockurl_style = sty;
@@ -1566,21 +1617,21 @@ parse_acl(
 						Debug( LDAP_DEBUG_ANY, "%s: line %d: "
 							"inappropriate style \"%s\" in by clause.\n",
 							fname, lineno, style );
-						return acl_usage();
+						goto fail;
 					}
 
 					if ( !BER_BVISEMPTY( &b->a_set_pat ) ) {
 						Debug( LDAP_DEBUG_ANY,
 							"%s: line %d: set attribute already specified.\n",
 							fname, lineno, 0 );
-						return acl_usage();
+						goto fail;
 					}
 
 					if ( right == NULL || *right == '\0' ) {
 						Debug( LDAP_DEBUG_ANY,
 							"%s: line %d: no set is defined.\n",
 							fname, lineno, 0 );
-						return acl_usage();
+						goto fail;
 					}
 
 					b->a_set_style = sty;
@@ -1618,7 +1669,7 @@ parse_acl(
 							Debug( LDAP_DEBUG_ANY, "%s: line %d: "
 								"unable to configure dynacl \"%s\".\n",
 								fname, lineno, name );
-							return acl_usage();
+							goto fail;
 						}
 
 						continue;
@@ -1631,35 +1682,35 @@ parse_acl(
 						Debug( LDAP_DEBUG_ANY, "%s: line %d: "
 							"inappropriate style \"%s\" in by clause.\n",
 						    fname, lineno, style );
-						return acl_usage();
+						goto fail;
 					}
 
 					if ( b->a_authz.sai_ssf ) {
 						Debug( LDAP_DEBUG_ANY,
 							"%s: line %d: ssf attribute already specified.\n",
 							fname, lineno, 0 );
-						return acl_usage();
+						goto fail;
 					}
 
 					if ( right == NULL || *right == '\0' ) {
 						Debug( LDAP_DEBUG_ANY,
 							"%s: line %d: no ssf is defined.\n",
 							fname, lineno, 0 );
-						return acl_usage();
+						goto fail;
 					}
 
 					if ( lutil_atou( &b->a_authz.sai_ssf, right ) != 0 ) {
 						Debug( LDAP_DEBUG_ANY,
 							"%s: line %d: unable to parse ssf value (%s).\n",
 							fname, lineno, right );
-						return acl_usage();
+						goto fail;
 					}
 
 					if ( !b->a_authz.sai_ssf ) {
 						Debug( LDAP_DEBUG_ANY,
 							"%s: line %d: invalid ssf value (%s).\n",
 							fname, lineno, right );
-						return acl_usage();
+						goto fail;
 					}
 					continue;
 				}
@@ -1669,35 +1720,35 @@ parse_acl(
 						Debug( LDAP_DEBUG_ANY, "%s: line %d: "
 							"inappropriate style \"%s\" in by clause.\n",
 							fname, lineno, style );
-						return acl_usage();
+						goto fail;
 					}
 
 					if ( b->a_authz.sai_transport_ssf ) {
 						Debug( LDAP_DEBUG_ANY, "%s: line %d: "
 							"transport_ssf attribute already specified.\n",
 							fname, lineno, 0 );
-						return acl_usage();
+						goto fail;
 					}
 
 					if ( right == NULL || *right == '\0' ) {
 						Debug( LDAP_DEBUG_ANY,
 							"%s: line %d: no transport_ssf is defined.\n",
 							fname, lineno, 0 );
-						return acl_usage();
+						goto fail;
 					}
 
 					if ( lutil_atou( &b->a_authz.sai_transport_ssf, right ) != 0 ) {
 						Debug( LDAP_DEBUG_ANY, "%s: line %d: "
 							"unable to parse transport_ssf value (%s).\n",
 							fname, lineno, right );
-						return acl_usage();
+						goto fail;
 					}
 
 					if ( !b->a_authz.sai_transport_ssf ) {
 						Debug( LDAP_DEBUG_ANY,
 							"%s: line %d: invalid transport_ssf value (%s).\n",
 							fname, lineno, right );
-						return acl_usage();
+						goto fail;
 					}
 					continue;
 				}
@@ -1707,35 +1758,35 @@ parse_acl(
 						Debug( LDAP_DEBUG_ANY, "%s: line %d: "
 							"inappropriate style \"%s\" in by clause.\n",
 							fname, lineno, style );
-						return acl_usage();
+						goto fail;
 					}
 
 					if ( b->a_authz.sai_tls_ssf ) {
 						Debug( LDAP_DEBUG_ANY, "%s: line %d: "
 							"tls_ssf attribute already specified.\n",
 							fname, lineno, 0 );
-						return acl_usage();
+						goto fail;
 					}
 
 					if ( right == NULL || *right == '\0' ) {
 						Debug( LDAP_DEBUG_ANY,
 							"%s: line %d: no tls_ssf is defined\n",
 							fname, lineno, 0 );
-						return acl_usage();
+						goto fail;
 					}
 
 					if ( lutil_atou( &b->a_authz.sai_tls_ssf, right ) != 0 ) {
 						Debug( LDAP_DEBUG_ANY, "%s: line %d: "
 							"unable to parse tls_ssf value (%s).\n",
 							fname, lineno, right );
-						return acl_usage();
+						goto fail;
 					}
 
 					if ( !b->a_authz.sai_tls_ssf ) {
 						Debug( LDAP_DEBUG_ANY,
 							"%s: line %d: invalid tls_ssf value (%s).\n",
 							fname, lineno, right );
-						return acl_usage();
+						goto fail;
 					}
 					continue;
 				}
@@ -1745,35 +1796,35 @@ parse_acl(
 						Debug( LDAP_DEBUG_ANY, "%s: line %d: "
 							"inappropriate style \"%s\" in by clause.\n",
 							fname, lineno, style );
-						return acl_usage();
+						goto fail;
 					}
 
 					if ( b->a_authz.sai_sasl_ssf ) {
 						Debug( LDAP_DEBUG_ANY, "%s: line %d: "
 							"sasl_ssf attribute already specified.\n",
 							fname, lineno, 0 );
-						return acl_usage();
+						goto fail;
 					}
 
 					if ( right == NULL || *right == '\0' ) {
 						Debug( LDAP_DEBUG_ANY,
 							"%s: line %d: no sasl_ssf is defined.\n",
 							fname, lineno, 0 );
-						return acl_usage();
+						goto fail;
 					}
 
 					if ( lutil_atou( &b->a_authz.sai_sasl_ssf, right ) != 0 ) {
 						Debug( LDAP_DEBUG_ANY, "%s: line %d: "
 							"unable to parse sasl_ssf value (%s).\n",
 							fname, lineno, right );
-						return acl_usage();
+						goto fail;
 					}
 
 					if ( !b->a_authz.sai_sasl_ssf ) {
 						Debug( LDAP_DEBUG_ANY,
 							"%s: line %d: invalid sasl_ssf value (%s).\n",
 							fname, lineno, right );
-						return acl_usage();
+						goto fail;
 					}
 					continue;
 				}
@@ -1789,6 +1840,7 @@ parse_acl(
 				/* out of arguments or plain stop */
 
 				ACL_PRIV_ASSIGN( b->a_access_mask, ACL_PRIV_ADDITIVE );
+				ACL_PRIV_SET( b->a_access_mask, ACL_PRIV_NONE);
 				b->a_type = ACL_STOP;
 
 				access_append( &a->acl_access, b );
@@ -1799,6 +1851,7 @@ parse_acl(
 				/* plain continue */
 
 				ACL_PRIV_ASSIGN( b->a_access_mask, ACL_PRIV_ADDITIVE );
+				ACL_PRIV_SET( b->a_access_mask, ACL_PRIV_NONE);
 				b->a_type = ACL_CONTINUE;
 
 				access_append( &a->acl_access, b );
@@ -1809,6 +1862,7 @@ parse_acl(
 				/* plain continue */
 
 				ACL_PRIV_ASSIGN(b->a_access_mask, ACL_PRIV_ADDITIVE);
+				ACL_PRIV_SET( b->a_access_mask, ACL_PRIV_NONE);
 				b->a_type = ACL_BREAK;
 
 				access_append( &a->acl_access, b );
@@ -1819,6 +1873,7 @@ parse_acl(
 				/* we've gone too far */
 				--i;
 				ACL_PRIV_ASSIGN( b->a_access_mask, ACL_PRIV_ADDITIVE );
+				ACL_PRIV_SET( b->a_access_mask, ACL_PRIV_NONE);
 				b->a_type = ACL_STOP;
 
 				access_append( &a->acl_access, b );
@@ -1826,23 +1881,26 @@ parse_acl(
 			}
 
 			/* get <access> */
-			if ( strncasecmp( left, "self", STRLENOF( "self" ) ) == 0 ) {
-				b->a_dn_self = 1;
-				ACL_PRIV_ASSIGN( b->a_access_mask, str2accessmask( &left[ STRLENOF( "self" ) ] ) );
+			{
+				char	*lleft = left;
 
-			} else if ( strncasecmp( left, "realself", STRLENOF( "realself" ) ) == 0 ) {
-				b->a_realdn_self = 1;
-				ACL_PRIV_ASSIGN( b->a_access_mask, str2accessmask( &left[ STRLENOF( "realself" ) ] ) );
+				if ( strncasecmp( left, "self", STRLENOF( "self" ) ) == 0 ) {
+					b->a_dn_self = 1;
+					lleft = &left[ STRLENOF( "self" ) ];
 
-			} else {
-				ACL_PRIV_ASSIGN( b->a_access_mask, str2accessmask( left ) );
+				} else if ( strncasecmp( left, "realself", STRLENOF( "realself" ) ) == 0 ) {
+					b->a_realdn_self = 1;
+					lleft = &left[ STRLENOF( "realself" ) ];
+				}
+
+				ACL_PRIV_ASSIGN( b->a_access_mask, str2accessmask( lleft ) );
 			}
 
 			if ( ACL_IS_INVALID( b->a_access_mask ) ) {
 				Debug( LDAP_DEBUG_ANY,
 					"%s: line %d: expecting <access> got \"%s\".\n",
 					fname, lineno, left );
-				return acl_usage();
+				goto fail;
 			}
 
 			b->a_type = ACL_STOP;
@@ -1867,13 +1925,14 @@ parse_acl(
 			}
 
 			access_append( &a->acl_access, b );
+			b = NULL;
 
 		} else {
 			Debug( LDAP_DEBUG_ANY,
 				"%s: line %d: expecting \"to\" "
 				"or \"by\" got \"%s\"\n",
 				fname, lineno, argv[i] );
-			return acl_usage();
+			goto fail;
 		}
 	}
 
@@ -1882,7 +1941,7 @@ parse_acl(
 		Debug( LDAP_DEBUG_ANY, "%s: line %d: "
 			"warning: no access clause(s) specified in access line.\n",
 			fname, lineno, 0 );
-		return acl_usage();
+		goto fail;
 
 	} else {
 #ifdef LDAP_DEBUG
@@ -1895,7 +1954,7 @@ parse_acl(
 			Debug( LDAP_DEBUG_ANY, "%s: line %d: "
 				"warning: no by clause(s) specified in access line.\n",
 				fname, lineno, 0 );
-			return acl_usage();
+			goto fail;
 		}
 
 		if ( be != NULL ) {
@@ -1951,6 +2010,11 @@ parse_acl(
 	}
 
 	return 0;
+
+fail:
+	if ( b ) access_free( b );
+	if ( a ) acl_free( a );
+	return acl_usage();
 }
 
 char *
@@ -2130,7 +2194,10 @@ str2accessmask( const char *str )
 			} else if( TOLOWER((unsigned char) str[i]) == 'd' ) {
 				ACL_PRIV_SET(mask, ACL_PRIV_DISCLOSE);
 
-			} else if( str[i] != '0' ) {
+			} else if( str[i] == '0' ) {
+				ACL_PRIV_SET(mask, ACL_PRIV_NONE);
+
+			} else {
 				ACL_INVALIDATE(mask);
 				return mask;
 			}
@@ -2181,9 +2248,9 @@ acl_usage( void )
 {
 	char *access =
 		"<access clause> ::= access to <what> "
-				"[ by <who> <access> [ <control> ] ]+ \n";
+				"[ by <who> [ <access> ] [ <control> ] ]+ \n";
 	char *what =
-		"<what> ::= * | [dn[.<dnstyle>]=<DN>] [filter=<filter>] [attrs=<attrspec>]\n"
+		"<what> ::= * | dn[.<dnstyle>=<DN>] [filter=<filter>] [attrs=<attrspec>]\n"
 		"<attrspec> ::= <attrname> [val[/<matchingRule>][.<attrstyle>]=<value>] | <attrlist>\n"
 		"<attrlist> ::= <attr> [ , <attrlist> ]\n"
 		"<attr> ::= <attrname> | @<objectClass> | !<objectClass> | entry | children\n";
@@ -2205,7 +2272,7 @@ acl_usage( void )
 			"exact | regex\n"
 		"<attrstyle> ::= exact | regex | base(Object) | one(level) | "
 			"sub(tree) | children\n"
-		"<peernamestyle> ::= exact | regex | ip | path\n"
+		"<peernamestyle> ::= exact | regex | ip | ipv6 | path\n"
 		"<domainstyle> ::= exact | regex | base(Object) | sub(tree)\n"
 		"<access> ::= [[real]self]{<level>|<priv>}\n"
 		"<level> ::= none|disclose|auth|compare|search|read|{write|add|delete}|manage\n"
@@ -2452,11 +2519,6 @@ str2access( const char *str )
 		return ACL_NONE;
 
 	} else if ( strcasecmp( str, "disclose" ) == 0 ) {
-#ifndef SLAP_ACL_HONOR_DISCLOSE
-		Debug( LDAP_DEBUG_ACL, "str2access: warning, "
-			"\"disclose\" privilege disabled.\n",
-		0, 0, 0 );
-#endif /* SLAP_ACL_HONOR_DISCLOSE */
 		return ACL_DISCLOSE;
 
 	} else if ( strcasecmp( str, "auth" ) == 0 ) {