X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Faclparse.c;h=a4b8ed850f1456d1fa1edd3ebc8cb2e1dce5eb6f;hb=21be582df7e13ae2c8d44e1f7f02478eb9ec0762;hp=5893faa2000a420d18bf279912e11c18f45e434e;hpb=da03eb03908d6992aaada9465e2b80a393929967;p=openldap
diff --git a/servers/slapd/aclparse.c b/servers/slapd/aclparse.c
index 5893faa200..a4b8ed850f 100644
--- a/servers/slapd/aclparse.c
+++ b/servers/slapd/aclparse.c
@@ -2,7 +2,7 @@
/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software .
*
- * Copyright 1998-2005 The OpenLDAP Foundation.
+ * Copyright 1998-2006 The OpenLDAP Foundation.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -1622,11 +1622,18 @@ parse_acl(
{
char *name = NULL,
*opts = NULL;
-
+
+#if 1 /* tolerate legacy "aci" */
if ( strcasecmp( left, "aci" ) == 0 ) {
+ Debug( LDAP_DEBUG_ANY, "%s: line %d: "
+ "undocumented deprecated \"aci\" directive "
+ "is superseded by \"dynacl/aci\".\n",
+ fname, lineno, 0 );
name = "aci";
- } else if ( strncasecmp( left, "dynacl/", STRLENOF( "dynacl/" ) ) == 0 ) {
+ } else
+#endif /* tolerate legacy "aci" */
+ if ( strncasecmp( left, "dynacl/", STRLENOF( "dynacl/" ) ) == 0 ) {
name = &left[ STRLENOF( "dynacl/" ) ];
opts = strchr( name, '/' );
if ( opts ) {
@@ -1646,61 +1653,7 @@ parse_acl(
continue;
}
}
-#else /* ! SLAP_DYNACL */
-
-#ifdef SLAPD_ACI_ENABLED
- if ( strcasecmp( left, "aci" ) == 0 ) {
- if (sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE) {
- Debug( LDAP_DEBUG_ANY, "%s: line %d: "
- "inappropriate style \"%s\" in by clause.\n",
- fname, lineno, style );
- return acl_usage();
- }
-
- if( b->a_aci_at != NULL ) {
- Debug( LDAP_DEBUG_ANY,
- "%s: line %d: ACI attribute already specified.\n",
- fname, lineno, 0 );
- return acl_usage();
- }
-
- if ( right != NULL && *right != '\0' ) {
- rc = slap_str2ad( right, &b->a_aci_at, &text );
-
- if( rc != LDAP_SUCCESS ) {
- char buf[ SLAP_TEXT_BUFLEN ];
-
- snprintf( buf, sizeof( buf ),
- "aci \"%s\": %s.",
- right, text );
- Debug( LDAP_DEBUG_ANY,
- "%s: line %d: %s\n",
- fname, lineno, buf );
- return acl_usage();
- }
-
- } else {
- b->a_aci_at = slap_ad_aci;
- }
-
- if( !is_at_syntax( b->a_aci_at->ad_type,
- SLAPD_ACI_SYNTAX) )
- {
- char buf[ SLAP_TEXT_BUFLEN ];
-
- snprintf( buf, sizeof( buf ),
- "ACI \"%s\": inappropriate syntax: %s.",
- right,
- b->a_aci_at->ad_type->sat_syntax_oid );
- Debug( LDAP_DEBUG_ANY, "%s: line %d: %s\n",
- fname, lineno, buf );
- return acl_usage();
- }
-
- continue;
- }
-#endif /* SLAPD_ACI_ENABLED */
-#endif /* ! SLAP_DYNACL */
+#endif /* SLAP_DYNACL */
if ( strcasecmp( left, "ssf" ) == 0 ) {
if ( sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE ) {
@@ -1983,44 +1936,49 @@ parse_acl(
}
if ( be != NULL ) {
- if ( !BER_BVISNULL( &be->be_nsuffix[ 1 ] ) ) {
+ if ( be->be_nsuffix == NULL ) {
Debug( LDAP_DEBUG_ACL, "%s: line %d: warning: "
- "scope checking only applies to single-valued "
- "suffix databases\n",
+ "scope checking needs suffix before ACLs.\n",
fname, lineno, 0 );
/* go ahead, since checking is not authoritative */
- }
-
- switch ( check_scope( be, a ) ) {
- case ACL_SCOPE_UNKNOWN:
+ } else if ( !BER_BVISNULL( &be->be_nsuffix[ 1 ] ) ) {
Debug( LDAP_DEBUG_ACL, "%s: line %d: warning: "
- "cannot assess the validity of the ACL scope within "
- "backend naming context\n",
- fname, lineno, 0 );
- break;
-
- case ACL_SCOPE_WARN:
- Debug( LDAP_DEBUG_ACL, "%s: line %d: warning: "
- "ACL could be out of scope within backend naming context\n",
+ "scope checking only applies to single-valued "
+ "suffix databases\n",
fname, lineno, 0 );
- break;
+ /* go ahead, since checking is not authoritative */
+ } else {
+ switch ( check_scope( be, a ) ) {
+ case ACL_SCOPE_UNKNOWN:
+ Debug( LDAP_DEBUG_ACL, "%s: line %d: warning: "
+ "cannot assess the validity of the ACL scope within "
+ "backend naming context\n",
+ fname, lineno, 0 );
+ break;
- case ACL_SCOPE_PARTIAL:
- Debug( LDAP_DEBUG_ACL, "%s: line %d: warning: "
- "ACL appears to be partially out of scope within "
- "backend naming context\n",
- fname, lineno, 0 );
- break;
+ case ACL_SCOPE_WARN:
+ Debug( LDAP_DEBUG_ACL, "%s: line %d: warning: "
+ "ACL could be out of scope within backend naming context\n",
+ fname, lineno, 0 );
+ break;
- case ACL_SCOPE_ERR:
- Debug( LDAP_DEBUG_ACL, "%s: line %d: warning: "
- "ACL appears to be out of scope within "
- "backend naming context\n",
- fname, lineno, 0 );
- break;
+ case ACL_SCOPE_PARTIAL:
+ Debug( LDAP_DEBUG_ACL, "%s: line %d: warning: "
+ "ACL appears to be partially out of scope within "
+ "backend naming context\n",
+ fname, lineno, 0 );
+ break;
+
+ case ACL_SCOPE_ERR:
+ Debug( LDAP_DEBUG_ACL, "%s: line %d: warning: "
+ "ACL appears to be out of scope within "
+ "backend naming context\n",
+ fname, lineno, 0 );
+ break;
- default:
- break;
+ default:
+ break;
+ }
}
acl_append( &be->be_acl, a, pos );
@@ -2277,11 +2235,7 @@ acl_usage( void )
"\t[domain[.]=] [sockurl[.