if ( strcmp( edn, op->o_ndn ) == 0 ) {
Debug( LDAP_DEBUG_ACL,
"<= acl_access_allowed: matched by clause #%d access %s\n",
- i, (b->a_access & ~ACL_SELF) >=
- access ? "granted" : "denied", 0 );
+ i, ACL_GRANT(b->a_access, access)
+ ? "granted" : "denied", 0 );
- return( (b->a_access & ~ACL_SELF) >= access );
+ return ACL_GRANT(b->a_access, access );
}
} else {
if ( regex_matches( b->a_dnpat, odn, edn, matches ) ) {
Debug( LDAP_DEBUG_ACL,
"<= acl_access_allowed: matched by clause #%d access %s\n",
- i, (b->a_access & ~ACL_SELF) >= access ?
- "granted" : "denied", 0 );
+ i, ACL_GRANT(b->a_access, access)
+ ? "granted" : "denied", 0 );
- return( (b->a_access & ~ACL_SELF) >= access );
+ return ACL_GRANT(b->a_access, access );
}
}
}
{
Debug( LDAP_DEBUG_ACL,
"<= acl_access_allowed: matched by clause #%d access %s\n",
- i, (b->a_access & ~ACL_SELF) >= access ?
- "granted" : "denied", 0 );
+ i, ACL_GRANT(b->a_access, access)
+ ? "granted" : "denied", 0 );
- return( (b->a_access & ~ACL_SELF) >= access );
+ return ACL_GRANT(b->a_access, access );
}
}
if ( b->a_domainpat != NULL ) {
{
Debug( LDAP_DEBUG_ACL,
"<= acl_access_allowed: matched by clause #%d access %s\n",
- i, (b->a_access & ~ACL_SELF) >= access ?
- "granted" : "denied", 0 );
+ i, ACL_GRANT(b->a_access, access)
+ ? "granted" : "denied", 0 );
- return( (b->a_access & ~ACL_SELF) >= access );
+ return ACL_GRANT(b->a_access, access );
}
}
if ( b->a_dnattr != NULL && op->o_ndn != NULL ) {
if ( (at = attr_find( e->e_attrs, b->a_dnattr )) != NULL &&
value_find( at->a_vals, &bv, at->a_syntax, 3 ) == 0 )
{
- if ( (b->a_access & ACL_SELF) &&
+ if ( ACL_IS_SELF(b->a_access) &&
(val == NULL || value_cmp( &bv, val, at->a_syntax, 2 )) )
{
continue;
Debug( LDAP_DEBUG_ACL,
"<= acl_acces_allowed: matched by clause #%d access %s\n",
- i, (b->a_access & ~ACL_SELF) >= access ?
- "granted" : "denied", 0 );
+ i, ACL_GRANT(b->a_access, access)
+ ? "granted" : "denied", 0 );
- return( (b->a_access & ~ACL_SELF) >= access );
+ return ACL_GRANT(b->a_access, access );
}
/* asker not listed in dnattr - check for self access */
- if ( ! (b->a_access & ACL_SELF) || val == NULL ||
+ if ( ! ACL_IS_SELF(b->a_access) || val == NULL ||
value_cmp( &bv, val, at->a_syntax, 2 ) != 0 )
{
continue;
Debug( LDAP_DEBUG_ACL,
"<= acl_access_allowed: matched by clause #%d (self) access %s\n",
- i, (b->a_access & ~ACL_SELF) >= access ? "granted"
- : "denied", 0 );
+ i, ACL_GRANT(b->a_access, access)
+ ? "granted" : "denied", 0 );
- return( (b->a_access & ~ACL_SELF) >= access );
+ return ACL_GRANT(b->a_access, access );
}
#ifdef SLAPD_ACLGROUPS
if ( b->a_group != NULL && op->o_ndn != NULL ) {
(void) dn_normalize_case(buf);
if (backend_group(be, e, buf, odn,
- b->a_objectclassvalue, b->a_groupattrname) == 0)
+ b->a_group_oc, b->a_group_at) == 0)
{
Debug( LDAP_DEBUG_ACL,
"<= acl_access_allowed: matched by clause #%d (group) access granted\n",
i, 0, 0 );
- return( (b->a_access & ~ACL_SELF) >= access );
+ return ACL_GRANT(b->a_access, access );
}
}
#endif /* SLAPD_ACLGROUPS */
} else if ( strncasecmp( left, "group", sizeof("group")-1 ) == 0 ) {
char *name = NULL;
char *value = NULL;
- regtest(fname, lineno, right);
/* format of string is "group/objectClassValue/groupAttrName"
*/
*name++ = '\0';
}
+ regtest(fname, lineno, right);
b->a_group = dn_upcase(ch_strdup( right ));
if (value && *value) {
- b->a_objectclassvalue = ch_strdup(value);
+ b->a_group_oc = ch_strdup(value);
*--value = '/';
}
else
- b->a_objectclassvalue = ch_strdup("groupOfNames");
+ b->a_group_oc = ch_strdup("groupOfNames");
if (name && *name) {
- b->a_groupattrname = ch_strdup(name);
+ b->a_group_at = ch_strdup(name);
*--name = '/';
}
else
- b->a_groupattrname = ch_strdup("member");
+ b->a_group_at = ch_strdup("member");
/* get <access> */
split( argv[i], '=', &left, &right );
- if ( (b->a_access = str2access( left )) == -1 ) {
+ if ( ACL_IS_INVALID(ACL_SET(str2access( left ),b->a_access)) ) {
fprintf( stderr,
"%s: line %d: expecting <access> got \"%s\"\n",
fname, lineno, left );
{
static char buf[12];
- if ( access & ACL_SELF ) {
+ if ( ACL_IS_SELF( access ) ) {
strcpy( buf, "self" );
} else {
buf[0] = '\0';
}
- if ( access & ACL_NONE ) {
+ if ( ACL_IS_NONE(access) ) {
strcat( buf, "none" );
- } else if ( access & ACL_COMPARE ) {
+#ifdef SLAPD_ACLAUTH
+ } else if ( ACL_IS_AUTH(access) ) {
+ strcat( buf, "auth" );
+#endif
+ } else if ( ACL_IS_COMPARE(access) ) {
strcat( buf, "compare" );
- } else if ( access & ACL_SEARCH ) {
+ } else if ( ACL_IS_SEARCH(access) ) {
strcat( buf, "search" );
- } else if ( access & ACL_READ ) {
+ } else if ( ACL_IS_READ(access) ) {
strcat( buf, "read" );
- } else if ( access & ACL_WRITE ) {
+ } else if ( ACL_IS_WRITE(access) ) {
strcat( buf, "write" );
} else {
strcat( buf, "unknown" );
{
int access;
- access = 0;
+ ACL_CLR(access);
+
if ( strncasecmp( str, "self", 4 ) == 0 ) {
- access |= ACL_SELF;
+ ACL_SET_SELF(access);
str += 4;
}
if ( strcasecmp( str, "none" ) == 0 ) {
- access |= ACL_NONE;
+ ACL_SET_NONE(access);
+#ifdef SLAPD_ACLAUTH
+ } else if ( strcasecmp( str, "auth" ) == 0 ) {
+ ACL_SET_AUTH(access);
+#endif
} else if ( strcasecmp( str, "compare" ) == 0 ) {
- access |= ACL_COMPARE;
+ ACL_SET_COMPARE(access);
} else if ( strcasecmp( str, "search" ) == 0 ) {
- access |= ACL_SEARCH;
+ ACL_SET_SEARCH(access);
} else if ( strcasecmp( str, "read" ) == 0 ) {
- access |= ACL_READ;
+ ACL_SET_READ(access);
} else if ( strcasecmp( str, "write" ) == 0 ) {
- access |= ACL_WRITE;
+ ACL_SET_WRITE(access);
} else {
- access = -1;
+ ACL_SET_INVALID(access);
}
return( access );
static void
acl_usage( void )
{
- fprintf( stderr, "\n<access clause> ::= access to <what> [ by <who> <access> ]+ \n" );
- fprintf( stderr, "<what> ::= * | [dn=<regex>] [filter=<ldapfilter>] [attrs=<attrlist>]\n" );
- fprintf( stderr, "<attrlist> ::= <attr> | <attr> , <attrlist>\n" );
- fprintf( stderr, "<attr> ::= <attrname> | entry | children\n" );
- fprintf( stderr, "<who> ::= * | self | dn=<regex> | addr=<regex> |\n\tdomain=<regex> | dnattr=<dnattrname>\n" );
- fprintf( stderr, "<access> ::= [self]{none | compare | search | read | write }\n" );
+ fprintf( stderr, "\n"
+ "<access clause> ::= access to <what> [ by <who> <access> ]+ \n"
+ "<what> ::= * | [dn=<regex>] [filter=<ldapfilter>] [attrs=<attrlist>]\n"
+ "<attrlist> ::= <attr> | <attr> , <attrlist>\n"
+ "<attr> ::= <attrname> | entry | children\n"
+ "<who> ::= * | self | dn=<regex> | addr=<regex>\n"
+ "\t| domain=<regex> | dnattr=<dnattrname>\n"
+#ifdef SLAPD_ACLGROUPS
+ "\t| group[/<objectclass>[/<attrname>]]=<regex>\n"
+#endif
+#ifdef SLAPD_ACLAUTH
+ "<access> ::= [self]{none|auth|compare|search|read|write}\n"
+#else
+ "<access> ::= [self]{none|auth|compare|search|read|write}\n"
+#endif
+ );
exit( 1 );
}
#ifdef SLAPD_ACLGROUPS
else if ( b->a_group != NULL ) {
fprintf( stderr, " group: %s", b->a_group );
- if ( b->a_objectclassvalue )
- fprintf( stderr, " objectClassValue: %s", b->a_objectclassvalue );
- if ( b->a_groupattrname )
- fprintf( stderr, " groupAttrName: %s", b->a_groupattrname );
+ if ( b->a_group_oc )
+ fprintf( stderr, " objectClass: %s", b->a_group_oc );
+ if ( b->a_group_at )
+ fprintf( stderr, " attributeType: %s", b->a_group_at );
}
#endif
fprintf( stderr, "\n" );
/* check for deleted */
+#ifdef SLAPD_ACLAUTH
+ if ( ! access_allowed( be, conn, op, e,
+ "entry", NULL, ACL_AUTH ) )
+ {
+ send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS, "", "" );
+ rc = 1;
+ goto return_results;
+ }
+#endif
+
switch ( method ) {
case LDAP_AUTH_SIMPLE:
if ( cred->bv_len == 0 ) {
goto return_results;
}
+#ifdef SLAPD_ACLAUTH
+ if ( ! access_allowed( be, conn, op, e,
+ "userpassword", NULL, ACL_AUTH ) )
+ {
+ send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS, "", "" );
+ rc = 1;
+ goto return_results;
+ }
+#endif
+
if ( (a = attr_find( e->e_attrs, "userpassword" )) == NULL ) {
send_ldap_result( conn, op, LDAP_INAPPROPRIATE_AUTH,
NULL, NULL );
#ifdef HAVE_KERBEROS
case LDAP_AUTH_KRBV41:
+#ifdef SLAPD_ACLAUTH
+ if ( ! access_allowed( be, conn, op, e,
+ "krbname", NULL, ACL_AUTH ) )
+ {
+ send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS, "", "" );
+ rc = 1;
+ goto return_results;
+ }
+#endif
if ( krbv4_ldap_auth( be, cred, &ad ) != LDAP_SUCCESS ) {
send_ldap_result( conn, op, LDAP_INVALID_CREDENTIALS,
NULL, NULL );
* no krbName values present: check against DN
*/
if ( strcasecmp( dn, krbname ) == 0 ) {
- rc = 0; /* XXX wild ass guess */
+ rc = 0;
break;
}
send_ldap_result( conn, op, LDAP_INAPPROPRIATE_AUTH,
ldap_pvt_thread_mutex_unlock( &conn->c_mutex );
+ if ( op->o_ndn != NULL ) {
+ free( op->o_ndn );
+ op->o_ndn = NULL;
+ }
+
+ if ( op->o_dn != NULL ) {
+ free( op->o_dn );
+ op->o_dn = NULL;
+ }
+
/*
* Parse the bind request. It looks like this:
*
return( 1 );
}
if ( be == NULL ) {
- if ( (global_default_access =
- str2access( cargv[1] )) == -1 ) {
+ if ( ACL_IS_INVALID(ACL_SET(str2access(cargv[1]),
+ global_default_access)) ) {
Debug( LDAP_DEBUG_ANY,
"%s: line %d: bad access \"%s\" expecting [self]{none|compare|read|write}\n",
fname, lineno, cargv[1] );
return( 1 );
}
} else {
- if ( (be->be_dfltaccess =
- str2access( cargv[1] )) == -1 ) {
+ if ( ACL_IS_INVALID(ACL_SET(str2access(cargv[1]),
+ be->be_dfltaccess)) ) {
Debug( LDAP_DEBUG_ANY,
-"%s: line %d: bad access \"%s\" expecting [self]{none|compare|read|write}\n",
+ "%s: line %d: bad access \"%s\", "
+ "expecting [self]{none|compare|search|read|write}\n",
fname, lineno, cargv[1] );
return( 1 );
}
/* the "by" part */
struct access {
-#define ACL_NONE 0x01
-#define ACL_COMPARE 0x02
-#define ACL_SEARCH 0x04
-#define ACL_READ 0x08
-#define ACL_WRITE 0x10
-#define ACL_SELF 0x40
+#define ACL_NONE 0x0001
+/* #define SLAPD_ACLAUTH 1 */
+#ifdef SLAPD_ACLAUTH
+#define ACL_AUTH 0x0002
+#endif
+#define ACL_COMPARE 0x0004
+#define ACL_SEARCH 0x0008
+#define ACL_READ 0x0010
+#define ACL_WRITE 0x0020
+#define ACL_SELF 0x4000
+#define ACL_INVALID -1
+
+#define ACL_IS(lvl,a) (((a) & (lvl)) == (lvl))
+
+#define ACL_IS_NONE(a) ACL_IS(ACL_SELF,(a))
+#define ACL_IS_AUTH(a) ACL_IS(ACL_AUTH,(a))
+#define ACL_IS_COMPARE(a) ACL_IS(ACL_COMPARE,(a))
+#define ACL_IS_SEARCH(a) ACL_IS(ACL_SEARCH,(a))
+#define ACL_IS_READ(a) ACL_IS(ACL_READ,(a))
+#define ACL_IS_WRITE(a) ACL_IS(ACL_WRITE,(a))
+#define ACL_IS_SELF(a) ACL_IS(ACL_SELF,(a))
+#define ACL_IS_INVALID(a) ACL_IS(ACL_INVALID,(a))
+
+
+#define ACL_CLR(a) ((a) = 0)
+#define ACL_SET(lvl,a) ((a) |= (lvl))
+#define ACL_SET_NONE(a) ACL_SET(ACL_SELF,(a))
+#define ACL_SET_AUTH(a) ACL_SET(ACL_AUTH,(a))
+#define ACL_SET_COMPARE(a) ACL_SET(ACL_COMPARE,(a))
+#define ACL_SET_SEARCH(a) ACL_SET(ACL_SEARCH,(a))
+#define ACL_SET_READ(a) ACL_SET(ACL_READ,(a))
+#define ACL_SET_WRITE(a) ACL_SET(ACL_WRITE,(a))
+#define ACL_SET_SELF(a) ACL_SET(ACL_SELF,(a))
+#define ACL_SET_INVALID(a) ACL_SET(ACL_INVALID,(a))
+
+#define ACL_PRIV_MASK 0x00ff
+#define ACL_PRIV(a) ((a) & ACL_PRIV_MASK)
+#define ACL_GRANT(lvl,a) (ACL_PRIV(a) >= (lvl))
+#define ACL_TEST
+
+
int a_access;
char *a_dnpat;
#ifdef SLAPD_ACLGROUPS
char *a_group;
- char *a_objectclassvalue;
- char *a_groupattrname;
+ char *a_group_oc;
+ char *a_group_at;
#endif
struct access *a_next;
};
projects / openldap / commitdiff