X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Faclparse.c;h=fddae6b13a5eec2f6a9fbe8fdb2e6db8a78150b0;hb=b94a77687075b0eb2d54d087b8b956d197c1023c;hp=39e7f7831260db8e12c5bf461b49f8319dfb7b1c;hpb=e79fbb88cf67006c8be2f87ea9725bf03970861f;p=openldap

diff --git a/servers/slapd/aclparse.c b/servers/slapd/aclparse.c
index 39e7f78312..fddae6b13a 100644
--- a/servers/slapd/aclparse.c
+++ b/servers/slapd/aclparse.c
@@ -2,7 +2,7 @@
 /* $OpenLDAP$ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2004 The OpenLDAP Foundation.
+ * Copyright 1998-2005 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -45,7 +45,11 @@ static char *style_strings[] = {
 	"one",
 	"subtree",
 	"children",
+	"level",
 	"attrof",
+	"anonymous",
+	"users",
+	"self",
 	"ip",
 	"path",
 	NULL
@@ -62,10 +66,7 @@ static void		print_acl(Backend *be, AccessControl *a);
 static void		print_access(Access *b);
 #endif
 
-#ifdef LDAP_DEVEL
-static int
-check_scope( BackendDB *be, AccessControl *a );
-#endif /* LDAP_DEVEL */
+static int		check_scope( BackendDB *be, AccessControl *a );
 
 #ifdef SLAP_DYNACL
 static int
@@ -160,7 +161,6 @@ regtest(const char *fname, int lineno, char *pat) {
 	regfree(&re);
 }
 
-#ifdef LDAP_DEVEL
 /*
  * Experimental
  *
@@ -181,18 +181,24 @@ check_scope( BackendDB *be, AccessControl *a )
 
 	dn = be->be_nsuffix[0];
 
+	if ( BER_BVISEMPTY( &dn ) ) {
+		return ACL_SCOPE_OK;
+	}
+
 	if ( !BER_BVISEMPTY( &a->acl_dn_pat ) ||
 			a->acl_dn_style != ACL_STYLE_REGEX )
 	{
 		slap_style_t	style = a->acl_dn_style;
 
 		if ( style == ACL_STYLE_REGEX ) {
-			char	dnbuf[SLAP_LDAPDN_MAXLEN + 2];
-			char	rebuf[SLAP_LDAPDN_MAXLEN + 1];
-			regex_t	re;
-			int	rc;
+			char		dnbuf[SLAP_LDAPDN_MAXLEN + 2];
+			char		rebuf[SLAP_LDAPDN_MAXLEN + 1];
+			ber_len_t	rebuflen;
+			regex_t		re;
+			int		rc;
 			
-			/* add trailing '$' */
+			/* add trailing '$' to database suffix to form
+			 * a simple trial regex pattern "<suffix>$" */
 			AC_MEMCPY( dnbuf, be->be_nsuffix[0].bv_val,
 				be->be_nsuffix[0].bv_len );
 			dnbuf[be->be_nsuffix[0].bv_len] = '$';
@@ -202,17 +208,26 @@ check_scope( BackendDB *be, AccessControl *a )
 				return ACL_SCOPE_WARN;
 			}
 
-			/* remove trailing '$' */
-			AC_MEMCPY( rebuf, a->acl_dn_pat.bv_val,
-				a->acl_dn_pat.bv_len + 1 );
-			if ( a->acl_dn_pat.bv_val[a->acl_dn_pat.bv_len - 1] == '$' ) {
-				rebuf[a->acl_dn_pat.bv_len - 1] = '\0';
+			/* remove trailing ')$', if any, from original
+			 * regex pattern */
+			rebuflen = a->acl_dn_pat.bv_len;
+			AC_MEMCPY( rebuf, a->acl_dn_pat.bv_val, rebuflen + 1 );
+			if ( rebuf[rebuflen - 1] == '$' ) {
+				rebuf[--rebuflen] = '\0';
+			}
+			while ( rebuflen > be->be_nsuffix[0].bv_len && rebuf[rebuflen - 1] == ')' ) {
+				rebuf[--rebuflen] = '\0';
+			}
+			if ( rebuflen == be->be_nsuffix[0].bv_len ) {
+				rc = ACL_SCOPE_WARN;
+				goto regex_done;
 			}
 
 			/* not a clear indication of scoping error, though */
 			rc = regexec( &re, rebuf, 0, NULL, 0 )
 				? ACL_SCOPE_WARN : ACL_SCOPE_OK;
 
+regex_done:;
 			regfree( &re );
 			return rc;
 		}
@@ -226,8 +241,8 @@ check_scope( BackendDB *be, AccessControl *a )
 			/* base is blatantly wrong */
 			if ( style == ACL_STYLE_BASE ) return ACL_SCOPE_ERR;
 
-			/* one can be wrong if there is more
-			 * than one level between the suffix
+			/* a style of one can be wrong if there is
+			 * more than one level between the suffix
 			 * and the pattern */
 			if ( style == ACL_STYLE_ONE ) {
 				int	rdnlen = -1, sep = 0;
@@ -284,7 +299,6 @@ check_scope( BackendDB *be, AccessControl *a )
 
 	return ACL_SCOPE_UNKNOWN;
 }
-#endif /* LDAP_DEVEL */
 
 void
 parse_acl(
@@ -292,8 +306,7 @@ parse_acl(
     const char	*fname,
     int		lineno,
     int		argc,
-    char	**argv
-)
+    char	**argv )
 {
 	int		i;
 	char		*left, *right, *style, *next;
@@ -495,7 +508,7 @@ parse_acl(
 									a->acl_attrs[0].an_desc->ad_cname.bv_val );
 								a->acl_attrval_style = ACL_STYLE_BASE;
 							}
-							
+
 						} else {
 							fprintf( stderr, 
 								"%s: line %d: unknown val.<style> \"%s\" "
@@ -576,14 +589,39 @@ parse_acl(
 
 			/* get <who> */
 			for ( ; i < argc; i++ ) {
-				slap_style_t sty = ACL_STYLE_REGEX;
-				char *style_modifier = NULL;
-				int expand = 0;
+				slap_style_t	sty = ACL_STYLE_REGEX;
+				char		*style_modifier = NULL;
+				char		*style_level = NULL;
+				int		level = 0;
+				int		expand = 0;
+				slap_dn_access	*bdn = &b->a_dn;
+				int		is_realdn = 0;
 
 				split( argv[i], '=', &left, &right );
 				split( left, '.', &left, &style );
 				if ( style ) {
-					split( style, ',', &style, &style_modifier);
+					split( style, ',', &style, &style_modifier );
+
+					if ( strncasecmp( style, "level", STRLENOF( "level" ) ) == 0 ) {
+						split( style, '{', &style, &style_level );
+						if ( style_level != NULL ) {
+							char *p = strchr( style_level, '}' );
+							if ( p == NULL ) {
+								fprintf( stderr,
+									"%s: line %d: premature eol: "
+									"expecting closing '}' in \"level{n}\"\n",
+									fname, lineno );
+								acl_usage();
+							} else if ( p == style_level ) {
+								fprintf( stderr,
+									"%s: line %d: empty level "
+									"in \"level{n}\"\n",
+									fname, lineno );
+								acl_usage();
+							}
+							p[0] = '\0';
+						}
+					}
 				}
 
 				if ( style == NULL || *style == '\0' ||
@@ -606,6 +644,21 @@ parse_acl(
 				} else if ( strcasecmp( style, "children" ) == 0 ) {
 					sty = ACL_STYLE_CHILDREN;
 
+				} else if ( strcasecmp( style, "level" ) == 0 )
+				{
+					char	*next;
+
+					level = strtol( style_level, &next, 10 );
+					if ( next[0] != '\0' ) {
+						fprintf( stderr,
+							"%s: line %d: unable to parse level "
+							"in \"level{n}\"\n",
+							fname, lineno );
+						acl_usage();
+					}
+
+					sty = ACL_STYLE_LEVEL;
+
 				} else if ( strcasecmp( style, "regex" ) == 0 ) {
 					sty = ACL_STYLE_REGEX;
 
@@ -670,38 +723,48 @@ parse_acl(
 						fname, lineno );
 				}
 
-				if ( strcasecmp( argv[i], "*" ) == 0 ) {
+				if ( strncasecmp( left, "real", STRLENOF( "real" ) ) == 0 ) {
+					is_realdn = 1;
+					bdn = &b->a_realdn;
+					left += STRLENOF( "real" );
+				}
+
+				if ( strcasecmp( left, "*" ) == 0 ) {
+					if ( is_realdn ) {
+						acl_usage();
+					}
+
 					ber_str2bv( "*", STRLENOF( "*" ), 1, &bv );
 					sty = ACL_STYLE_REGEX;
 
-				} else if ( strcasecmp( argv[i], "anonymous" ) == 0 ) {
+				} else if ( strcasecmp( left, "anonymous" ) == 0 ) {
 					ber_str2bv("anonymous", STRLENOF( "anonymous" ), 1, &bv);
 					sty = ACL_STYLE_ANONYMOUS;
 
-				} else if ( strcasecmp( argv[i], "users" ) == 0 ) {
+				} else if ( strcasecmp( left, "users" ) == 0 ) {
 					ber_str2bv("users", STRLENOF( "users" ), 1, &bv);
 					sty = ACL_STYLE_USERS;
 
-				} else if ( strcasecmp( argv[i], "self" ) == 0 ) {
+				} else if ( strcasecmp( left, "self" ) == 0 ) {
 					ber_str2bv("self", STRLENOF( "self" ), 1, &bv);
 					sty = ACL_STYLE_SELF;
 
 				} else if ( strcasecmp( left, "dn" ) == 0 ) {
 					if ( sty == ACL_STYLE_REGEX ) {
-						b->a_dn_style = ACL_STYLE_REGEX;
+						bdn->a_style = ACL_STYLE_REGEX;
 						if ( right == NULL ) {
 							/* no '=' */
 							ber_str2bv("users",
 								STRLENOF( "users" ),
 								1, &bv);
-							b->a_dn_style = ACL_STYLE_USERS;
+							bdn->a_style = ACL_STYLE_USERS;
 
 						} else if (*right == '\0' ) {
 							/* dn="" */
 							ber_str2bv("anonymous",
 								STRLENOF( "anonymous" ),
 								1, &bv);
-							b->a_dn_style = ACL_STYLE_ANONYMOUS;
+							bdn->a_style = ACL_STYLE_ANONYMOUS;
 
 						} else if ( strcmp( right, "*" ) == 0 ) {
 							/* dn=* */
@@ -709,7 +772,7 @@ parse_acl(
 							ber_str2bv("users",
 								STRLENOF( "users" ),
 								1, &bv);
-							b->a_dn_style = ACL_STYLE_USERS;
+							bdn->a_style = ACL_STYLE_USERS;
 
 						} else if ( strcmp( right, ".+" ) == 0
 							|| strcmp( right, "^.+" ) == 0
@@ -721,7 +784,7 @@ parse_acl(
 							ber_str2bv("users",
 								STRLENOF( "users" ),
 								1, &bv);
-							b->a_dn_style = ACL_STYLE_USERS;
+							bdn->a_style = ACL_STYLE_USERS;
 
 						} else if ( strcmp( right, ".*" ) == 0
 							|| strcmp( right, "^.*" ) == 0
@@ -757,7 +820,7 @@ parse_acl(
 				}
 
 				if ( !BER_BVISNULL( &bv ) ) {
-					if ( !BER_BVISEMPTY( &b->a_dn_pat ) ) {
+					if ( !BER_BVISEMPTY( &bdn->a_pat ) ) {
 						fprintf( stderr,
 						    "%s: line %d: dn pattern already specified.\n",
 						    fname, lineno );
@@ -771,7 +834,7 @@ parse_acl(
 							expand == 0 )
 					{
 						rc = dnNormalize(0, NULL, NULL,
-							&bv, &b->a_dn_pat, NULL);
+							&bv, &bdn->a_pat, NULL);
 						if ( rc != LDAP_SUCCESS ) {
 							fprintf( stderr,
 								"%s: line %d: bad DN \"%s\" in by DN clause\n",
@@ -781,10 +844,34 @@ parse_acl(
 						free( bv.bv_val );
 
 					} else {
-						b->a_dn_pat = bv;
+						bdn->a_pat = bv;
+					}
+					bdn->a_style = sty;
+					bdn->a_expand = expand;
+					if ( sty == ACL_STYLE_SELF ) {
+						bdn->a_self_level = level;
+
+					} else {
+						if ( level < 0 ) {
+							fprintf( stderr,
+								"%s: line %d: bad negative level \"%d\" "
+								"in by DN clause\n",
+								fname, lineno, level );
+							acl_usage();
+						} else if ( level == 1 ) {
+							fprintf( stderr,
+								"%s: line %d: \"onelevel\" should be used "
+								"instead of \"level{1}\" in by DN clause\n",
+								fname, lineno, 0 );
+						} else if ( level == 0 && sty == ACL_STYLE_LEVEL ) {
+							fprintf( stderr,
+								"%s: line %d: \"base\" should be used "
+								"instead of \"level{0}\" in by DN clause\n",
+								fname, lineno, 0 );
+						}
+
+						bdn->a_level = level;
 					}
-					b->a_dn_style = sty;
-					b->a_dn_expand = expand;
 					continue;
 				}
 
@@ -797,14 +884,14 @@ parse_acl(
 						acl_usage();
 					}
 
-					if( b->a_dn_at != NULL ) {
+					if( bdn->a_at != NULL ) {
 						fprintf( stderr,
 							"%s: line %d: dnattr already specified.\n",
 							fname, lineno );
 						acl_usage();
 					}
 
-					rc = slap_str2ad( right, &b->a_dn_at, &text );
+					rc = slap_str2ad( right, &bdn->a_at, &text );
 
 					if( rc != LDAP_SUCCESS ) {
 						fprintf( stderr,
@@ -814,20 +901,20 @@ parse_acl(
 					}
 
 
-					if( !is_at_syntax( b->a_dn_at->ad_type,
+					if( !is_at_syntax( bdn->a_at->ad_type,
 						SLAPD_DN_SYNTAX ) &&
-						!is_at_syntax( b->a_dn_at->ad_type,
+						!is_at_syntax( bdn->a_at->ad_type,
 						SLAPD_NAMEUID_SYNTAX ))
 					{
 						fprintf( stderr,
 							"%s: line %d: dnattr \"%s\": "
 							"inappropriate syntax: %s\n",
 							fname, lineno, right,
-							b->a_dn_at->ad_type->sat_syntax_oid );
+							bdn->a_at->ad_type->sat_syntax_oid );
 						acl_usage();
 					}
 
-					if( b->a_dn_at->ad_type->sat_equality == NULL ) {
+					if( bdn->a_at->ad_type->sat_equality == NULL ) {
 						fprintf( stderr,
 							"%s: line %d: dnattr \"%s\": "
 							"inappropriate matching (no EQUALITY)\n",
@@ -1039,7 +1126,7 @@ parse_acl(
 						acl_usage();
 					}
 
-					if ( BER_BVISEMPTY( &b->a_peername_pat ) ) {
+					if ( !BER_BVISEMPTY( &b->a_peername_pat ) ) {
 						fprintf( stderr, "%s: line %d: "
 							"peername pattern already specified.\n",
 							fname, lineno );
@@ -1575,9 +1662,13 @@ parse_acl(
 			}
 
 			/* get <access> */
-			if ( strncasecmp( left, "self", 4 ) == 0 ) {
+			if ( strncasecmp( left, "self", STRLENOF( "self" ) ) == 0 ) {
 				b->a_dn_self = 1;
-				ACL_PRIV_ASSIGN( b->a_access_mask, str2accessmask( &left[4] ) );
+				ACL_PRIV_ASSIGN( b->a_access_mask, str2accessmask( &left[ STRLENOF( "self" ) ] ) );
+
+			} else if ( strncasecmp( left, "realself", STRLENOF( "realself" ) ) == 0 ) {
+				b->a_realdn_self = 1;
+				ACL_PRIV_ASSIGN( b->a_access_mask, str2accessmask( &left[ STRLENOF( "realself" ) ] ) );
 
 			} else {
 				ACL_PRIV_ASSIGN( b->a_access_mask, str2accessmask( left ) );
@@ -1642,7 +1733,14 @@ parse_acl(
 		}
 
 		if ( be != NULL ) {
-#ifdef LDAP_DEVEL
+			if ( !BER_BVISNULL( &be->be_nsuffix[ 1 ] ) ) {
+				fprintf( stderr, "%s: line %d: warning: "
+					"scope checking only applies to single-valued "
+					"suffix databases\n",
+					fname, lineno );
+				/* go ahead, since checking is not authoritative */
+			}
+
 			switch ( check_scope( be, a ) ) {
 			case ACL_SCOPE_UNKNOWN:
 				fprintf( stderr, "%s: line %d: warning: "
@@ -1674,7 +1772,6 @@ parse_acl(
 			default:
 				break;
 			}
-#endif /* LDAP_DEVEL */
 			acl_append( &be->be_acl, a );
 
 		} else {
@@ -1684,7 +1781,7 @@ parse_acl(
 }
 
 char *
-accessmask2str( slap_mask_t mask, char *buf )
+accessmask2str( slap_mask_t mask, char *buf, int debug )
 {
 	int	none = 1;
 	char	*ptr = buf;
@@ -1701,6 +1798,9 @@ accessmask2str( slap_mask_t mask, char *buf )
 		if ( ACL_LVL_IS_NONE(mask) ) {
 			ptr = lutil_strcopy( ptr, "none" );
 
+		} else if ( ACL_LVL_IS_DISCLOSE(mask) ) {
+			ptr = lutil_strcopy( ptr, "disclose" );
+
 		} else if ( ACL_LVL_IS_AUTH(mask) ) {
 			ptr = lutil_strcopy( ptr, "auth" );
 
@@ -1715,10 +1815,18 @@ accessmask2str( slap_mask_t mask, char *buf )
 
 		} else if ( ACL_LVL_IS_WRITE(mask) ) {
 			ptr = lutil_strcopy( ptr, "write" );
+
+		} else if ( ACL_LVL_IS_MANAGE(mask) ) {
+			ptr = lutil_strcopy( ptr, "manage" );
+
 		} else {
 			ptr = lutil_strcopy( ptr, "unknown" );
 		}
 		
+		if ( !debug ) {
+			*ptr = '\0';
+			return buf;
+		}
 		*ptr++ = '(';
 	}
 
@@ -1732,6 +1840,11 @@ accessmask2str( slap_mask_t mask, char *buf )
 		*ptr++ = '=';
 	}
 
+	if ( ACL_PRIV_ISSET(mask, ACL_PRIV_MANAGE) ) {
+		none = 0;
+		*ptr++ = 'm';
+	} 
+
 	if ( ACL_PRIV_ISSET(mask, ACL_PRIV_WRITE) ) {
 		none = 0;
 		*ptr++ = 'w';
@@ -1757,13 +1870,18 @@ accessmask2str( slap_mask_t mask, char *buf )
 		*ptr++ = 'x';
 	} 
 
+	if ( ACL_PRIV_ISSET(mask, ACL_PRIV_DISCLOSE) ) {
+		none = 0;
+		*ptr++ = 'd';
+	} 
+
 	if ( none && ACL_PRIV_ISSET(mask, ACL_PRIV_NONE) ) {
 		none = 0;
 		*ptr++ = 'n';
 	} 
 
 	if ( none ) {
-		*ptr++ = '0';
+		ptr = buf;
 	}
 
 	if ( ACL_IS_LEVEL( mask ) ) {
@@ -1798,7 +1916,10 @@ str2accessmask( const char *str )
 		}
 
 		for( i=1; str[i] != '\0'; i++ ) {
-			if( TOLOWER((unsigned char) str[i]) == 'w' ) {
+			if( TOLOWER((unsigned char) str[i]) == 'm' ) {
+				ACL_PRIV_SET(mask, ACL_PRIV_MANAGE);
+
+			} else if( TOLOWER((unsigned char) str[i]) == 'w' ) {
 				ACL_PRIV_SET(mask, ACL_PRIV_WRITE);
 
 			} else if( TOLOWER((unsigned char) str[i]) == 'r' ) {
@@ -1813,6 +1934,9 @@ str2accessmask( const char *str )
 			} else if( TOLOWER((unsigned char) str[i]) == 'x' ) {
 				ACL_PRIV_SET(mask, ACL_PRIV_AUTH);
 
+			} else if( TOLOWER((unsigned char) str[i]) == 'd' ) {
+				ACL_PRIV_SET(mask, ACL_PRIV_DISCLOSE);
+
 			} else if( str[i] != '0' ) {
 				ACL_INVALIDATE(mask);
 				return mask;
@@ -1825,6 +1949,9 @@ str2accessmask( const char *str )
 	if ( strcasecmp( str, "none" ) == 0 ) {
 		ACL_LVL_ASSIGN_NONE(mask);
 
+	} else if ( strcasecmp( str, "disclose" ) == 0 ) {
+		ACL_LVL_ASSIGN_DISCLOSE(mask);
+
 	} else if ( strcasecmp( str, "auth" ) == 0 ) {
 		ACL_LVL_ASSIGN_AUTH(mask);
 
@@ -1840,6 +1967,9 @@ str2accessmask( const char *str )
 	} else if ( strcasecmp( str, "write" ) == 0 ) {
 		ACL_LVL_ASSIGN_WRITE(mask);
 
+	} else if ( strcasecmp( str, "manage" ) == 0 ) {
+		ACL_LVL_ASSIGN_MANAGE(mask);
+
 	} else {
 		ACL_INVALIDATE( mask );
 	}
@@ -1854,25 +1984,32 @@ acl_usage( void )
 		"<access clause> ::= access to <what> "
 				"[ by <who> <access> [ <control> ] ]+ \n"
 		"<what> ::= * | [dn[.<dnstyle>]=<DN>] [filter=<filter>] [attrs=<attrlist>]\n"
-		"<attrlist> ::= <attr> [val[.<style>]=<value>] | <attr> , <attrlist>\n"
+		"<attrlist> ::= <attr> [val[.<attrstyle>]=<value>] | <attr> , <attrlist>\n"
 		"<attr> ::= <attrname> | entry | children\n",
 		"<who> ::= [ * | anonymous | users | self | dn[.<dnstyle>]=<DN> ]\n"
+			"\t[ realanonymous | realusers | realself | realdn[.<dnstyle>]=<DN> ]\n"
 			"\t[dnattr=<attrname>]\n"
+			"\t[realdnattr=<attrname>]\n"
 			"\t[group[/<objectclass>[/<attrname>]][.<style>]=<group>]\n"
 			"\t[peername[.<peernamestyle>]=<peer>] [sockname[.<style>]=<name>]\n"
 			"\t[domain[.<domainstyle>]=<domain>] [sockurl[.<style>]=<url>]\n"
 #ifdef SLAPD_ACI_ENABLED
-			"\t[aci=<attrname>]\n"
+			"\t[aci=[<attrname>]]\n"
 #endif
+#ifdef SLAP_DYNACL
+			"\t[dynacl/<name>[.<dynstyle>][=<pattern>]]\n"
+#endif /* SLAP_DYNACL */
 			"\t[ssf=<n>] [transport_ssf=<n>] [tls_ssf=<n>] [sasl_ssf=<n>]\n",
+		"<style> ::= exact | regex | base(Object)\n"
 		"<dnstyle> ::= base(Object) | one(level) | sub(tree) | children | "
 			"exact | regex\n"
-		"<style> ::= exact | regex | base(Object)\n"
+		"<attrstyle> ::= exact | regex | base(Object) | one(level) | "
+			"sub(tree) | children\n"
 		"<peernamestyle> ::= exact | regex | ip | path\n"
 		"<domainstyle> ::= exact | regex | base(Object) | sub(tree)\n"
-		"<access> ::= [self]{<level>|<priv>}\n"
-		"<level> ::= none | auth | compare | search | read | write\n"
-		"<priv> ::= {=|+|-}{w|r|s|c|x|0}+\n"
+		"<access> ::= [[real]self]{<level>|<priv>}\n"
+		"<level> ::= none|disclose|auth|compare|search|read|write|manage\n"
+		"<priv> ::= {=|+|-}{0|d|x|c|s|r|w|m}+\n"
 		"<control> ::= [ stop | continue | break ]\n"
 	);
 	exit( EXIT_FAILURE );
@@ -1964,6 +2101,9 @@ access_free( Access *a )
 	if ( !BER_BVISNULL( &a->a_dn_pat ) ) {
 		free( a->a_dn_pat.bv_val );
 	}
+	if ( !BER_BVISNULL( &a->a_realdn_pat ) ) {
+		free( a->a_realdn_pat.bv_val );
+	}
 	if ( !BER_BVISNULL( &a->a_peername_pat ) ) {
 		free( a->a_peername_pat.bv_val );
 	}
@@ -2034,6 +2174,9 @@ access2str( slap_access_t access )
 	if ( access == ACL_NONE ) {
 		return "none";
 
+	} else if ( access == ACL_DISCLOSE ) {
+		return "disclose";
+
 	} else if ( access == ACL_AUTH ) {
 		return "auth";
 
@@ -2048,6 +2191,10 @@ access2str( slap_access_t access )
 
 	} else if ( access == ACL_WRITE ) {
 		return "write";
+
+	} else if ( access == ACL_MANAGE ) {
+		return "manage";
+
 	}
 
 	return "unknown";
@@ -2059,6 +2206,9 @@ str2access( const char *str )
 	if ( strcasecmp( str, "none" ) == 0 ) {
 		return ACL_NONE;
 
+	} else if ( strcasecmp( str, "disclose" ) == 0 ) {
+		return ACL_DISCLOSE;
+
 	} else if ( strcasecmp( str, "auth" ) == 0 ) {
 		return ACL_AUTH;
 
@@ -2073,64 +2223,131 @@ str2access( const char *str )
 
 	} else if ( strcasecmp( str, "write" ) == 0 ) {
 		return ACL_WRITE;
+
+	} else if ( strcasecmp( str, "manage" ) == 0 ) {
+		return ACL_MANAGE;
 	}
 
 	return( ACL_INVALID_ACCESS );
 }
 
-#ifdef LDAP_DEBUG
+#define ACLBUF_MAXLEN	8192
 
-static void
-print_access( Access *b )
+static char aclbuf[ACLBUF_MAXLEN];
+
+static char *
+dnaccess2text( slap_dn_access *bdn, char *ptr, int is_realdn )
 {
-	char maskbuf[ACCESSMASK_MAXLEN];
+	*ptr++ = ' ';
 
-	fprintf( stderr, "\tby" );
+	if ( is_realdn ) {
+		ptr = lutil_strcopy( ptr, "real" );
+	}
 
-	if ( !BER_BVISEMPTY( &b->a_dn_pat ) ) {
-		if ( ber_bvccmp( &b->a_dn_pat, '*' ) ||
-			b->a_dn_style == ACL_STYLE_ANONYMOUS /* strcmp( b->a_dn_pat.bv_val, "anonymous" ) == 0 */ ||
-			b->a_dn_style == ACL_STYLE_USERS /* strcmp( b->a_dn_pat.bv_val, "users" ) == 0 */ ||
-			b->a_dn_style == ACL_STYLE_SELF /* strcmp( b->a_dn_pat.bv_val, "self" ) == 0 */ )
-		{
-			fprintf( stderr, " %s", b->a_dn_pat.bv_val );
+	if ( ber_bvccmp( &bdn->a_pat, '*' ) ||
+		bdn->a_style == ACL_STYLE_ANONYMOUS ||
+		bdn->a_style == ACL_STYLE_USERS ||
+		bdn->a_style == ACL_STYLE_SELF )
+	{
+		if ( is_realdn ) {
+			assert( ! ber_bvccmp( &bdn->a_pat, '*' ) );
+		}
+			
+		ptr = lutil_strcopy( ptr, bdn->a_pat.bv_val );
+		if ( bdn->a_style == ACL_STYLE_SELF && bdn->a_self_level != 0 ) {
+			int n = sprintf( ptr, ".level{%d}", bdn->a_self_level );
+			if ( n > 0 ) {
+				ptr += n;
+			} /* else ? */
+		}
 
-		} else {
-			fprintf( stderr, " dn.%s=\"%s\"",
-				style_strings[b->a_dn_style], b->a_dn_pat.bv_val );
+	} else {
+		ptr = lutil_strcopy( ptr, "dn." );
+		ptr = lutil_strcopy( ptr, style_strings[bdn->a_style] );
+		if ( bdn->a_style == ACL_STYLE_LEVEL ) {
+			int n = sprintf( ptr, "{%d}", bdn->a_level );
+			if ( n > 0 ) {
+				ptr += n;
+			} /* else ? */
+		}
+		if ( bdn->a_expand ) {
+			ptr = lutil_strcopy( ptr, ",expand" );
+		}
+		*ptr++ = '=';
+		*ptr++ = '"';
+		ptr = lutil_strcopy( ptr, bdn->a_pat.bv_val );
+		*ptr++ = '"';
+	}
+
+	if ( bdn->a_at != NULL ) {
+		*ptr++ = ' ';
+		if ( is_realdn ) {
+			ptr = lutil_strcopy( ptr, "real" );
 		}
+		ptr = lutil_strcopy( ptr, "dnattr=" );
+		ptr = lutil_strcopy( ptr, bdn->a_at->ad_cname.bv_val );
+	}
+
+	return ptr;
+}
+
+static char *
+access2text( Access *b, char *ptr )
+{
+	char maskbuf[ACCESSMASK_MAXLEN];
+
+	ptr = lutil_strcopy( ptr, "\tby" );
+
+	if ( !BER_BVISEMPTY( &b->a_dn_pat ) ) {
+		ptr = dnaccess2text( &b->a_dn, ptr, 0 );
 	}
 
-	if ( b->a_dn_at != NULL ) {
-		fprintf( stderr, " dnattr=%s", b->a_dn_at->ad_cname.bv_val );
+	if ( !BER_BVISEMPTY( &b->a_realdn_pat ) ) {
+		ptr = dnaccess2text( &b->a_realdn, ptr, 1 );
 	}
 
 	if ( !BER_BVISEMPTY( &b->a_group_pat ) ) {
-		fprintf( stderr, " group/%s/%s.%s=\"%s\"",
-			b->a_group_oc ? b->a_group_oc->soc_cname.bv_val : "groupOfNames",
-			b->a_group_at ? b->a_group_at->ad_cname.bv_val : "member",
-			style_strings[b->a_group_style],
-			b->a_group_pat.bv_val );
+		ptr = lutil_strcopy( ptr, " group/" );
+		ptr = lutil_strcopy( ptr, b->a_group_oc ?
+			b->a_group_oc->soc_cname.bv_val : "groupOfNames" );
+		*ptr++ = '/';
+		ptr = lutil_strcopy( ptr, b->a_group_at ?
+			b->a_group_at->ad_cname.bv_val : "member" );
+		*ptr++ = '.';
+		ptr = lutil_strcopy( ptr, style_strings[b->a_group_style] );
+		*ptr++ = '=';
+		*ptr++ = '"';
+		ptr = lutil_strcopy( ptr, b->a_group_pat.bv_val );
+		*ptr++ = '"';
 	}
 
 	if ( !BER_BVISEMPTY( &b->a_peername_pat ) ) {
-		fprintf( stderr, " peername=\"%s\"", b->a_peername_pat.bv_val );
+		ptr = lutil_strcopy( ptr, " peername=\"" );
+		ptr = lutil_strcopy( ptr, b->a_peername_pat.bv_val );
+		*ptr++ = '"';
 	}
 
 	if ( !BER_BVISEMPTY( &b->a_sockname_pat ) ) {
-		fprintf( stderr, " sockname=\"%s\"", b->a_sockname_pat.bv_val );
+		ptr = lutil_strcopy( ptr, " sockname=\"" );
+		ptr = lutil_strcopy( ptr, b->a_sockname_pat.bv_val );
+		*ptr++ = '"';
 	}
 
 	if ( !BER_BVISEMPTY( &b->a_domain_pat ) ) {
-		fprintf( stderr, " domain=%s", b->a_domain_pat.bv_val );
+		ptr = lutil_strcopy( ptr, " domain=" );
+		ptr = lutil_strcopy( ptr, b->a_domain_pat.bv_val );
 	}
 
 	if ( !BER_BVISEMPTY( &b->a_sockurl_pat ) ) {
-		fprintf( stderr, " sockurl=\"%s\"", b->a_sockurl_pat.bv_val );
+		ptr = lutil_strcopy( ptr, " sockurl=\"" );
+		ptr = lutil_strcopy( ptr, b->a_sockurl_pat.bv_val );
+		*ptr++ = '"';
 	}
 
 	if ( !BER_BVISEMPTY( &b->a_set_pat ) ) {
-		fprintf( stderr, " set=\"%s\"", b->a_set_pat.bv_val );
+		ptr = lutil_strcopy( ptr, " set=\"" );
+		ptr = lutil_strcopy( ptr, b->a_set_pat.bv_val );
+		*ptr++ = '"';
 	}
 
 #ifdef SLAP_DYNACL
@@ -2138,68 +2355,88 @@ print_access( Access *b )
 		slap_dynacl_t	*da;
 
 		for ( da = b->a_dynacl; da; da = da->da_next ) {
-			if ( da->da_print ) {
-				(void)( *da->da_print )( da->da_private );
+			if ( da->da_unparse ) {
+				struct berval bv;
+				(void)( *da->da_unparse )( da->da_private, &bv );
+				ptr = lutil_strcopy( ptr, bv.bv_val );
+				ch_free( bv.bv_val );
 			}
 		}
 	}
 #else /* ! SLAP_DYNACL */
 #ifdef SLAPD_ACI_ENABLED
 	if ( b->a_aci_at != NULL ) {
-		fprintf( stderr, " aci=%s", b->a_aci_at->ad_cname.bv_val );
+		ptr = lutil_strcopy( ptr, " aci=" );
+		ptr = lutil_strcopy( ptr, b->a_aci_at->ad_cname.bv_val );
 	}
 #endif
 #endif /* SLAP_DYNACL */
 
 	/* Security Strength Factors */
 	if ( b->a_authz.sai_ssf ) {
-		fprintf( stderr, " ssf=%u",
+		ptr += sprintf( ptr, " ssf=%u", 
 			b->a_authz.sai_ssf );
 	}
 	if ( b->a_authz.sai_transport_ssf ) {
-		fprintf( stderr, " transport_ssf=%u",
+		ptr += sprintf( ptr, " transport_ssf=%u",
 			b->a_authz.sai_transport_ssf );
 	}
 	if ( b->a_authz.sai_tls_ssf ) {
-		fprintf( stderr, " tls_ssf=%u",
+		ptr += sprintf( ptr, " tls_ssf=%u",
 			b->a_authz.sai_tls_ssf );
 	}
 	if ( b->a_authz.sai_sasl_ssf ) {
-		fprintf( stderr, " sasl_ssf=%u",
+		ptr += sprintf( ptr, " sasl_ssf=%u",
 			b->a_authz.sai_sasl_ssf );
 	}
 
-	fprintf( stderr, " %s%s",
-		b->a_dn_self ? "self" : "",
-		accessmask2str( b->a_access_mask, maskbuf ) );
+	*ptr++ = ' ';
+	if ( b->a_dn_self ) {
+		ptr = lutil_strcopy( ptr, "self" );
+	} else if ( b->a_realdn_self ) {
+		ptr = lutil_strcopy( ptr, "realself" );
+	}
+	ptr = lutil_strcopy( ptr, accessmask2str( b->a_access_mask, maskbuf, 0 ));
+	if ( !maskbuf[0] ) ptr--;
 
 	if( b->a_type == ACL_BREAK ) {
-		fprintf( stderr, " break" );
+		ptr = lutil_strcopy( ptr, " break" );
 
 	} else if( b->a_type == ACL_CONTINUE ) {
-		fprintf( stderr, " continue" );
+		ptr = lutil_strcopy( ptr, " continue" );
 
 	} else if( b->a_type != ACL_STOP ) {
-		fprintf( stderr, " unknown-control" );
+		ptr = lutil_strcopy( ptr, " unknown-control" );
+	} else {
+		if ( !maskbuf[0] ) ptr = lutil_strcopy( ptr, " stop" );
 	}
+	*ptr++ = '\n';
 
-	fprintf( stderr, "\n" );
+	return ptr;
 }
 
-
-static void
-print_acl( Backend *be, AccessControl *a )
+void
+acl_unparse( AccessControl *a, struct berval *bv )
 {
+	Access *b;
+	char *ptr;
 	int		to = 0;
-	Access	*b;
+	struct berval abv;
+
+	bv->bv_val = aclbuf;
+	bv->bv_len = 0;
 
-	fprintf( stderr, "%s ACL: access to",
-		be == NULL ? "Global" : "Backend" );
+	ptr = bv->bv_val;
 
-	if ( !BER_BVISEMPTY( &a->acl_dn_pat ) ) {
+	ptr = lutil_strcopy( ptr, "to" );
+	if ( !BER_BVISNULL( &a->acl_dn_pat ) ) {
 		to++;
-		fprintf( stderr, " dn.%s=\"%s\"\n",
-			style_strings[a->acl_dn_style], a->acl_dn_pat.bv_val );
+		ptr = lutil_strcopy( ptr, " dn." );
+		ptr = lutil_strcopy( ptr, style_strings[a->acl_dn_style] );
+		*ptr++ = '=';
+		*ptr++ = '"';
+		ptr = lutil_strcopy( ptr, a->acl_dn_pat.bv_val );
+		ptr = lutil_strcopy( ptr, "\"\n" );
 	}
 
 	if ( a->acl_filter != NULL ) {
@@ -2207,7 +2444,10 @@ print_acl( Backend *be, AccessControl *a )
 
 		to++;
 		filter2bv( a->acl_filter, &bv );
-		fprintf( stderr, " filter=%s\n", bv.bv_val );
+		ptr = lutil_strcopy( ptr, " filter=\"" );
+		ptr = lutil_strcopy( ptr, bv.bv_val );
+		*ptr++ = '"';
+		*ptr++ = '\n';
 		ch_free( bv.bv_val );
 	}
 
@@ -2216,31 +2456,54 @@ print_acl( Backend *be, AccessControl *a )
 		AttributeName *an;
 		to++;
 
-		fprintf( stderr, " attrs=" );
+		ptr = lutil_strcopy( ptr, " attrs=" );
 		for ( an = a->acl_attrs; an && !BER_BVISNULL( &an->an_name ); an++ ) {
-			if ( ! first ) fprintf( stderr, "," );
+			if ( ! first ) *ptr++ = ',';
 			if (an->an_oc) {
-				fputc( an->an_oc_exclude ? '!' : '@', stderr);
+				*ptr++ = an->an_oc_exclude ? '!' : '@';
+				ptr = lutil_strcopy( ptr, an->an_oc->soc_cname.bv_val );
+
+			} else {
+				ptr = lutil_strcopy( ptr, an->an_name.bv_val );
 			}
-			fputs( an->an_name.bv_val, stderr );
 			first = 0;
 		}
-		fprintf(  stderr, "\n" );
+		*ptr++ = '\n';
 	}
 
 	if ( !BER_BVISEMPTY( &a->acl_attrval ) ) {
 		to++;
-		fprintf( stderr, " val.%s=\"%s\"\n",
-			style_strings[a->acl_attrval_style], a->acl_attrval.bv_val );
-
+		ptr = lutil_strcopy( ptr, " val." );
+		ptr = lutil_strcopy( ptr, style_strings[a->acl_attrval_style] );
+		*ptr++ = '=';
+		*ptr++ = '"';
+		ptr = lutil_strcopy( ptr, a->acl_attrval.bv_val );
+		*ptr++ = '"';
+		*ptr++ = '\n';
 	}
 
-	if( !to ) fprintf( stderr, " *\n" );
+	if( !to ) {
+		ptr = lutil_strcopy( ptr, " *\n" );
+	}
 
 	for ( b = a->acl_access; b != NULL; b = b->a_next ) {
-		print_access( b );
+		ptr = access2text( b, ptr );
 	}
+	*ptr = '\0';
+	bv->bv_len = ptr - bv->bv_val;
+}
+
+#ifdef LDAP_DEBUG
+
+static void
+print_acl( Backend *be, AccessControl *a )
+{
+	int		to = 0;
+	Access	*b;
+	struct berval bv;
 
-	fprintf( stderr, "\n" );
+	acl_unparse( a, &bv );
+	fprintf( stderr, "%s ACL: access %s\n",
+		be == NULL ? "Global" : "Backend", bv.bv_val );
 }
 #endif /* LDAP_DEBUG */