X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Faclparse.c;h=9b0e8e7acb507e733e7b45a378e3745fe82fd3b9;hb=86bd3651e1bc6129cf2bd4ba271f33207843aaff;hp=339bc6a5824272a0186fa10ee5eab4a583d81b17;hpb=ceb9c15bdd1d0e1cbe8d17f6101897863856e8c2;p=openldap
diff --git a/servers/slapd/aclparse.c b/servers/slapd/aclparse.c
index 339bc6a582..9b0e8e7acb 100644
--- a/servers/slapd/aclparse.c
+++ b/servers/slapd/aclparse.c
@@ -267,7 +267,7 @@ regex_done:; sep = 1; } - rdnlen = (ber_len_t)dn_rdnlen( NULL, &dn ); + rdnlen = dn_rdnlen( NULL, &dn ); if ( rdnlen != dn.bv_len - patlen - sep ) return ACL_SCOPE_ERR; }
@@ -455,6 +455,14 @@ parse_acl( } else if ( strcasecmp( left, "attr" ) == 0 /* TOLERATED */ || strcasecmp( left, "attrs" ) == 0 ) /* DOCUMENTED */ { + if ( strcasecmp( left, "attr" ) == 0 ) { + Debug( LDAP_DEBUG_ANY, + "%s: line %d: \"attr\" " + "is deprecated (and undocumented); " + "use \"attrs\" instead.\n", + fname, lineno, 0 ); + } + a->acl_attrs = str2anlist( a->acl_attrs, right, "," ); if ( a->acl_attrs == NULL ) {
@@ -967,6 +975,16 @@ parse_acl( acl_usage(); } free( bv.bv_val ); + if ( sty == ACL_STYLE_BASE + && be != NULL + && !BER_BVISNULL( &be->be_rootndn ) + && dn_match( &bdn->a_pat, &be->be_rootndn ) ) + { + Debug( LDAP_DEBUG_ANY, + "%s: line %d: rootdn is always granted " + "unlimited privileges.\n", + fname, lineno, 0 ); + } } else { bdn->a_pat = bv;
@@ -1648,7 +1666,7 @@ parse_acl( "ACI \"%s\": inappropriate syntax: %s.", right, b->a_aci_at->ad_type->sat_syntax_oid ); - Debug( LDAP_DEBUG_ANY, "%s: line %d: %s\n" + Debug( LDAP_DEBUG_ANY, "%s: line %d: %s\n", fname, lineno, buf ); acl_usage(); }
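Review bot: In the `@@ -455,6 +455,14 @@` hunk the added block repeats `strcasecmp( left, "attr" ) == 0`, which the enclosing `else if` condition has just evaluated, so the two tests have to be kept in step by hand if the tolerated spelling ever changes. A one-line comment above the inner `if`, such as `/* "attr" is still accepted: warn, then handle it exactly like "attrs" */`, would make it clear that the deprecated keyword is only reported and not rejected. parse_acl's body starts and ends outside the hunk.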
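Review bot: In the `@@ -967,6 +975,16 @@` hunk the new rootdn warning depends on `!BER_BVISNULL( &be->be_rootndn )` at the moment this `by` clause is parsed. If configuration directives are processed in file order (not visible here), an `access` line placed before the `rootdn` directive would skip the check without any message. The text also does not tell the administrator that the clause is not enforced for that identity; `"%s: line %d: rootdn is always granted unlimited privileges; this clause does not restrict it.\n"` would make that explicit for someone who wrote a `none` or `read` rule expecting it to apply. A comment above the `if` should record that only an exact `ACL_STYLE_BASE` match is detected, so other styles whose pattern happens to cover the rootdn, and ACLs parsed with `be == NULL`, produce no warning. parse_acl's body starts and ends outside the hunk.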
@@ -2216,12 +2234,16 @@ str2accessmask( const char *str ) static void acl_usage( void ) { - Debug( LDAP_DEBUG_ANY, "%s%s%s\n", + char *access = " ::= access to " - "[ by [ ] ]+ \n" + "[ by [ ] ]+ \n"; + + char *what = " ::= * | [dn[.]=] [filter=] [attrs=]\n" " ::= [val[/matchingRule][.]=] | , \n" - " ::= | entry | children\n", + " ::= | entry | children\n"; + + char *who = " ::= [ * | anonymous | users | self | dn[.]= ]\n" "\t[ realanonymous | realusers | realself | realdn[.]= ]\n" "\t[dnattr=]\n" @@ -2236,7 +2258,7 @@ acl_usage( void ) "\t[aci[=]]\n" #endif /* SLAPD_ACI_ENABLED */ #endif /* ! SLAP_DYNACL */ - "\t[ssf=] [transport_ssf=] [tls_ssf=] [sasl_ssf=]\n", + "\t[ssf=] [transport_ssf=] [tls_ssf=] [sasl_ssf=]\n" "