* user is bound as somebody in the same namespace as
* the entry, OR the given dn matches the dn pattern
*/
- if ( strcasecmp( b->a_dn_pat, "anonymous" ) == 0 ) {
+ if ( strcmp( b->a_dn_pat, "anonymous" ) == 0 ) {
if (op->o_ndn != NULL && op->o_ndn[0] != '\0' ) {
continue;
}
- } else if ( strcasecmp( b->a_dn_pat, "self" ) == 0 ) {
+ } else if ( strcmp( b->a_dn_pat, "users" ) == 0 ) {
+ if (op->o_ndn == NULL || op->o_ndn[0] == '\0' ) {
+ continue;
+ }
+
+ } else if ( strcmp( b->a_dn_pat, "self" ) == 0 ) {
if( op->o_ndn == NULL || op->o_ndn[0] == '\0' ) {
continue;
}
continue;
}
- } else if ( strcmp( b->a_dn_pat, ".*" ) != 0 &&
- !regex_matches( b->a_dn_pat, op->o_ndn, e->e_ndn, matches ) )
- {
- continue;
+ } else if ( strcmp( b->a_dn_pat, "*" ) != 0 ) {
+ int ret = regex_matches( b->a_dn_pat,
+ op->o_ndn, e->e_ndn, matches );
+
+ if( ret == 0 ) {
+ continue;
+ }
}
}
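Review bot: The new `*` branch still hands `op->o_ndn` to `regex_matches()` even though the branches just above it treat a NULL `op->o_ndn` as a legitimate anonymous bind; unless `regex_matches()` itself maps a NULL subject to "" (its body is not in this hunk), an anonymous request reaching a `by dn=<regex>` clause would pass NULL into `regexec()`. A cheap guard at the call site, `op->o_ndn ? op->o_ndn : ""`, removes the dependency on that helper's behaviour and makes the anonymous case explicit. The enclosing loop over `b` starts before this hunk and its closing brace is past it.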
Debug( LDAP_DEBUG_ACL, "<= check a_sockurl_pat: %s\n",
b->a_sockurl_pat, 0, 0 );
- if ( strcmp( b->a_sockurl_pat, ".*" ) != 0 &&
+ if ( strcmp( b->a_sockurl_pat, "*" ) != 0 &&
!regex_matches( b->a_sockurl_pat, conn->c_listener_url,
e->e_ndn, matches ) )
{
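Review bot: The wildcard short-circuit now recognises only the literal string `*`, so the previous spelling `.*` falls through to `regex_matches()` for the sockurl, domain, peername and sockname patterns; the result is the same (an ERE `.*` matches any subject) but, unlike the dn pattern in the parser hunks below, nothing visible here canonicalises `.*` to `*` for these four keys, so any configuration or parser default that still uses `.*` pays a regex match on every ACL evaluation. It is worth confirming that the by-clause parser sets `*` (not `.*`) as the default for an unspecified pattern, and a short comment on the check, `/* "*" is the parser's wildcard; anything else is an ERE */`, would document that the two spellings are no longer synonyms at this layer. The enclosing function begins before this hunk.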
Debug( LDAP_DEBUG_ACL, "<= check a_domain_pat: %s\n",
b->a_domain_pat, 0, 0 );
- if ( strcmp( b->a_domain_pat, ".*" ) != 0 &&
+ if ( strcmp( b->a_domain_pat, "*" ) != 0 &&
!regex_matches( b->a_domain_pat, conn->c_peer_domain,
e->e_ndn, matches ) )
{
Debug( LDAP_DEBUG_ACL, "<= check a_peername_path: %s\n",
b->a_peername_pat, 0, 0 );
- if ( strcmp( b->a_peername_pat, ".*" ) != 0 &&
+ if ( strcmp( b->a_peername_pat, "*" ) != 0 &&
!regex_matches( b->a_peername_pat, conn->c_peer_name,
e->e_ndn, matches ) )
{
Debug( LDAP_DEBUG_ACL, "<= check a_sockname_path: %s\n",
b->a_sockname_pat, 0, 0 );
- if ( strcmp( b->a_sockname_pat, ".*" ) != 0 &&
+ if ( strcmp( b->a_sockname_pat, "*" ) != 0 &&
!regex_matches( b->a_sockname_pat, conn->c_sock_name,
e->e_ndn, matches ) )
{
}
if ( strcasecmp( argv[i], "*" ) == 0 ) {
- a->acl_dn_pat = ch_strdup( ".*" );
+ if( a->acl_dn_pat != NULL ) {
+ fprintf( stderr,
+ "%s: line %d: dn pattern"
+ " already specified in to clause.\n",
+ fname, lineno );
+ acl_usage();
+ }
+
+ a->acl_dn_pat = ch_strdup( "*" );
continue;
}
split( argv[i], '=', &left, &right );
+
+ if ( strcasecmp( left, "dn" ) == 0 ) {
+ if( a->acl_dn_pat != NULL ) {
+ fprintf( stderr,
+ "%s: line %d: dn pattern"
+ " already specified in to clause.\n",
+ fname, lineno );
+ acl_usage();
+ }
+
+ if ( right == NULL ) {
+ fprintf( stderr,
+ "%s: line %d: missing \"=\" in \"%s\" in to clause\n",
+ fname, lineno, left );
+ acl_usage();
+ }
+
+ if( *right == '\0' ) {
+ a->acl_dn_pat = ch_strdup("^$");
+
+ } else if ( strcmp(right, "*") == 0
+ || strcmp(right, ".*") == 0
+ || strcmp(right, ".*$") == 0
+ || strcmp(right, "^.*") == 0
+ || strcmp(right, "^.*$") == 0 )
+ {
+ a->acl_dn_pat = ch_strdup( "*" );
+
+ } else {
+ a->acl_dn_pat = ch_strdup( right );
+ }
+
+ continue;
+ }
+
if ( right == NULL || *right == '\0' ) {
fprintf( stderr,
"%s: line %d: missing \"=\" in (or value after) \"%s\" in to clause\n",
acl_usage();
}
- } else if ( strcasecmp( left, "dn" ) == 0 ) {
- a->acl_dn_pat = ch_strdup( right );
-
} else if ( strncasecmp( left, "attr", 4 ) == 0 ) {
char **alist;
}
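Review bot: The two special cases in the new `dn=` branch of the to-clause deserve a comment because their meaning is not obvious from the literals: `dn=""` becomes the anchored regex `^$`, which matches only the entry with an empty DN, and the five spellings of "everything" are collapsed to the sentinel `*` so that no regex is compiled for them at all. I would add `/* dn="" matches only the empty DN (root DSE) */` above the `^$` assignment and `/* canonicalise the "match all" spellings to the "*" sentinel */` above the `strcmp(right, "*")` chain. Note that the same sentinel has the opposite bias in the by-clause parser further down (`dn=*` there means authenticated users), so the comment should state that this is the to-clause meaning. The enclosing parse loop starts before this hunk.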
}
- if ( a->acl_dn_pat != NULL ) {
+ if ( a->acl_dn_pat != NULL && strcmp(a->acl_dn_pat, "*") == 0) {
+ free( a->acl_dn_pat );
+ a->acl_dn_pat = NULL;
+ }
+
+ if( a->acl_dn_pat != NULL ) {
int e = regcomp( &a->acl_dn_re, a->acl_dn_pat,
REG_EXTENDED | REG_ICASE );
if ( e ) {
split( argv[i], '=', &left, &right );
if ( strcasecmp( argv[i], "*" ) == 0 ) {
- pat = ch_strdup( ".*" );
+ pat = ch_strdup( "*" );
+
} else if ( strcasecmp( argv[i], "anonymous" ) == 0 ) {
pat = ch_strdup( "anonymous" );
+
} else if ( strcasecmp( argv[i], "self" ) == 0 ) {
pat = ch_strdup( "self" );
+
+ } else if ( strcasecmp( argv[i], "users" ) == 0 ) {
+ pat = ch_strdup( "users" );
+
} else if ( strcasecmp( left, "dn" ) == 0 ) {
- regtest(fname, lineno, right);
- pat = ch_strdup( right );
+ if( right == NULL ) {
+ /* no '=' */
+ pat = ch_strdup( "users" );
+
+ } else if (*right == '\0' ) {
+ /* dn="" */
+ pat = ch_strdup( "anonymous" );
+
+ } else if ( strcmp( right, "*" ) == 0 ) {
+ /* dn=* /
+ /* any or users? any for now */
+ pat = ch_strdup( "users" );
+
+ } else if ( strcmp( right, ".+" ) == 0
+ || strcmp( right, "^.+" ) == 0
+ || strcmp( right, ".+$" ) == 0
+ || strcmp( right, "^.+$" ) == 0 )
+ {
+ pat = ch_strdup( "users" );
+
+ } else if ( strcmp( right, ".*" ) == 0
+ || strcmp( right, "^.*" ) == 0
+ || strcmp( right, ".*$" ) == 0
+ || strcmp( right, "^.*$" ) == 0 )
+ {
+ pat = ch_strdup( "*" );
+
+ } else {
+ regtest(fname, lineno, right);
+ pat = ch_strdup( right );
+ }
+
} else {
pat = NULL;
}
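Review bot: `by dn=*` is mapped to `users` while the comment beside it says "any for now", and `by dn=.*` a few lines later is mapped to `*` (everyone, including anonymous); the code, the comment and the to-clause (where `dn=*` means all entries) disagree, and whichever is intended the comment must say so since this decides whether anonymous binds are granted. The comment itself is also malformed: `/* dn=* /` has its closing delimiter split into `* /`, so the comment actually runs to the end of the next line and compiles only by accident (`-Wcomment` will flag the nested `/*`). The `right == NULL` case is lenient in a way the to-clause is not: a bare `by dn` (a dropped `=`) silently becomes `users` instead of the config error the to-clause raises for the same typo, which can widen an ACL without any diagnostic. I would reject the missing `=` the same way the to-clause does and fix the comment to match the behaviour chosen; the enclosing function continues past this hunk.
```c
} else if ( strcasecmp( left, "dn" ) == 0 ) {
	if( right == NULL ) {
		/* no '=' -- same diagnostic as the to clause */
		fprintf( stderr,
		    "%s: line %d: missing \"=\" in \"%s\" in by clause\n",
		    fname, lineno, left );
		acl_usage();

	} else if (*right == '\0' ) {
		/* dn="" */
		pat = ch_strdup( "anonymous" );

	} else if ( strcmp( right, "*" ) == 0 ) {
		/* dn=* : authenticated users only (anonymous excluded);
		 * dn=.* below means anyone */
		pat = ch_strdup( "users" );
	/* ... unchanged: .+ / .* spellings and regtest fallback ... */
```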
fname, lineno );
} else {
-
#ifdef LDAP_DEBUG
- if (ldap_debug & LDAP_DEBUG_ACL)
- print_acl(be, a);
+ if (ldap_debug & LDAP_DEBUG_ACL)
+ print_acl(be, a);
#endif
if ( a->acl_access == NULL ) {
"<what> ::= * | [dn=<regex>] [filter=<ldapfilter>] [attrs=<attrlist>]\n"
"<attrlist> ::= <attr> | <attr> , <attrlist>\n"
"<attr> ::= <attrname> | entry | children\n"
- "<who> ::= [ * | anonymous | self | dn=<regex> ]\n"
+ "<who> ::= [ * | anonymous | users | self | dn=<regex> ]\n"
"\t[dnattr=<attrname>]\n"
"\t[group[/<objectclass>[/<attrname>]]=<regex>]\n"
"\t[peername=<regex>] [sockname=<regex>]\n"
fprintf( stderr, "\tby" );
if ( b->a_dn_pat != NULL ) {
- if( strcmp(b->a_dn_pat, "anonymous") == 0 ) {
- fprintf( stderr, " anonymous" );
-
- } else if( strcmp(b->a_dn_pat, "self") == 0 ) {
- fprintf( stderr, " self" );
+ if( strcmp(b->a_dn_pat, "*") == 0
+ || strcmp(b->a_dn_pat, "users") == 0
+ || strcmp(b->a_dn_pat, "anonymous") == 0
+ || strcmp(b->a_dn_pat, "self") == 0 )
+ {
+ fprintf( stderr, " %s", b->a_dn_pat );
} else {
fprintf( stderr, " dn=%s", b->a_dn_pat );