X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Faclparse.c;h=051e4a6fb4ace6f12a3614915d89552ae188d208;hb=c3960b98d3b5fbd6ebeb200ca7799ece7b766d50;hp=c6160fc07196498e55b55a4a287a82ad65e65985;hpb=fbbb8a5d93eb1942668f1d271837e0fa72c53c21;p=openldap
diff --git a/servers/slapd/aclparse.c b/servers/slapd/aclparse.c
index c6160fc071..051e4a6fb4 100644
--- a/servers/slapd/aclparse.c
+++ b/servers/slapd/aclparse.c
@@ -52,6 +52,7 @@ char *style_strings[] = {
 "users",
 "self",
 "ip",
+ "ipv6",
 "path",
 NULL
 };
@@ -804,6 +805,14 @@ parse_acl(
 } else if ( strcasecmp( style, "ip" ) == 0 ) {
 sty = ACL_STYLE_IP;
 
+ } else if ( strcasecmp( style, "ipv6" ) == 0 ) {
+#ifndef LDAP_PF_INET6
+ Debug( LDAP_DEBUG_ANY,
+ "%s: line %d: IPv6 not supported\n",
+ fname, lineno, 0 );
+#endif /* ! LDAP_PF_INET6 */
+ sty = ACL_STYLE_IPV6;
+
 } else if ( strcasecmp( style, "path" ) == 0 ) {
 sty = ACL_STYLE_PATH;
 #ifndef LDAP_PF_LOCAL
@@ -1270,13 +1279,13 @@ parse_acl(
 
 {
 int rc;
- struct berval vals[2];
+ ObjectClass *ocs[2];
 
- ber_str2bv( b->a_group_oc->soc_oid, 0, 0, &vals[0] );
- BER_BVZERO( &vals[1] );
+ ocs[0] = b->a_group_oc;
+ ocs[1] = NULL;
 
 rc = oc_check_allowed( b->a_group_at->ad_type,
- vals, NULL );
+ ocs, NULL );
 
 if( rc != 0 ) {
 char buf[ SLAP_TEXT_BUFLEN ];
@@ -1301,6 +1310,7 @@ parse_acl(
 
 case ACL_STYLE_EXPAND: /* cheap replacement to regex for simple expansion */
 case ACL_STYLE_IP:
+ case ACL_STYLE_IPV6:
 case ACL_STYLE_PATH: /* legal, peername specific */
 break;
 
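Review bot: The `#ifndef LDAP_PF_INET6` branch of the new `ipv6` style case logs "IPv6 not supported" but then still executes `sty = ACL_STYLE_IPV6;` and continues, so a build without IPv6 support accepts the clause instead of rejecting it. The legality switch added later in this commit (`case ACL_STYLE_IPV6: break;`) lets it through as well, while the code that actually parses the peername value is compiled only under `#ifdef LDAP_PF_INET6`, so on such a build the address part of the clause is never examined; how acl.c then evaluates the entry is outside this diff. A hard configuration error is the safer outcome: add `goto fail;` after the `Debug()` call inside the `#ifndef` block, assuming the `fail` label this function already uses performs the cleanup appropriate at this point. The neighbouring `path` case has a similar `#ifndef LDAP_PF_LOCAL` block that runs past the end of this hunk and may deserve the same check.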
@@ -1384,6 +1394,52 @@ parse_acl(
 goto fail;
 }
 }
+
+#ifdef LDAP_PF_INET6
+ } else if ( sty == ACL_STYLE_IPV6 ) {
+ char *addr = NULL,
+ *mask = NULL,
+ *port = NULL;
+
+ split( right, '{', &addr, &port );
+ split( addr, '%', &addr, &mask );
+
+ if ( inet_pton( AF_INET6, addr, &b->a_peername_addr6 ) != 1 ) {
+ /* illegal address */
+ Debug( LDAP_DEBUG_ANY, "%s: line %d: "
+ "illegal peername address \"%s\".\n",
+ fname, lineno, addr );
+ goto fail;
+ }
+
+ if ( mask == NULL ) {
+ mask = "FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF";
+ }
+
+ if ( inet_pton( AF_INET6, mask, &b->a_peername_mask6 ) != 1 ) {
+ /* illegal mask */
+ Debug( LDAP_DEBUG_ANY, "%s: line %d: "
+ "illegal peername address mask "
+ "\"%s\".\n",
+ fname, lineno, mask );
+ goto fail;
+ }
+
+ b->a_peername_port = -1;
+ if ( port ) {
+ char *end = NULL;
+
+ b->a_peername_port = strtol( port, &end, 10 );
+ if ( end == port || end[0] != '}' ) {
+ /* illegal port */
+ Debug( LDAP_DEBUG_ANY, "%s: line %d: "
+ "illegal peername port specification "
+ "\"{%s}\".\n",
+ fname, lineno, port );
+ goto fail;
+ }
+ }
+#endif /* LDAP_PF_INET6 */
 }
 }
 continue;
@@ -2192,9 +2248,9 @@ acl_usage( void )
 {
 char *access =
 " ::= access to "
- "[ by [ ] ]+ \n";
+ "[ by [ ] [ ] ]+ \n";
 char *what =
- " ::= * | [dn[.]=] [filter=] [attrs=]\n"
+ " ::= * | dn[.=] [filter=] [attrs=]\n"
 " ::= [val[/][.]=] | \n"
 " ::= [ , ]\n"
 " ::= | @ | ! | entry | children\n";
@@ -2216,7 +2272,7 @@ acl_usage( void )
 "exact | regex\n"
 " ::= exact | regex | base(Object) | one(level) | "
 "sub(tree) | children\n"
- " ::= exact | regex | ip | path\n"
+ " ::= exact | regex | ip | ipv6 | path\n"
 " ::= exact | regex | base(Object) | sub(tree)\n"
 " ::= [[real]self]{|}\n"
 " ::= none|disclose|auth|compare|search|read|{write|add|delete}|manage\n"
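Review bot: The port check in the new `ACL_STYLE_IPV6` branch validates only the syntax of the number, not its range: `strtol()` returns negative values and values above 65535 unchanged, and a negative result collides with the `b->a_peername_port = -1;` sentinel assigned just above to mean "no port restriction", so a clause ending in `{-1}` would be accepted and behave as a wildcard. Extend the test to `if ( end == port || end[0] != '}' || b->a_peername_port < 0 || b->a_peername_port > 65535 ) {`. Separately, `split( addr, '%', &addr, &mask )` assigns `%` the meaning "netmask follows", whereas in IPv6 literals `%` is the conventional zone-id delimiter (as in `fe80::1%eth0`); such an address would have its zone id handed to `inet_pton()` as a mask and rejected with a misleading "address mask" message, so a comment like `/* '%' introduces the address mask here, not an RFC 4007 zone id */` would save the next reader a detour. The branch preceding this hunk (presumably the IPv4 case) may share the port-range issue, and parse_acl continues on both sides of the hunk.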