Regarding previous commit:
authorKurt Zeilenga <kurt@openldap.org>
Sun, 4 Jul 1999 19:53:00 +0000 (19:53 +0000)
committerKurt Zeilenga <kurt@openldap.org>
Sun, 4 Jul 1999 19:53:00 +0000 (19:53 +0000)
Fix broken ACL macros.
Fix o_dn/o_ndn == NULL vs "".

servers/slapd/acl.c
servers/slapd/aclparse.c
servers/slapd/bind.c
servers/slapd/config.c
servers/slapd/slap.h

index 85cdda55152c974db148e163e54c83f021c4ad56..7b52efc3155b5166f64dc89a44a326173eb9b96b 100644 (file)
@@ -260,7 +260,17 @@ acl_access_allowed(
                         * user is bound as somebody in the same namespace as
                         * the entry, OR the given dn matches the dn pattern
                         */
-                       if ( strcasecmp( b->a_dnpat, "self" ) == 0 && 
+                       if ( strcasecmp( b->a_dnpat, "anonymous" ) == 0 && 
+                               (op->o_ndn == NULL || *(op->o_ndn) == '\0' ) ) 
+                       {
+                               Debug( LDAP_DEBUG_ACL,
+                               "<= acl_access_allowed: matched by clause #%d access %s\n",
+                                   i, ACL_GRANT(b->a_access, access)
+                                               ? "granted" : "denied", 0 );
+
+                               return ACL_GRANT(b->a_access, access );
+
+                       } else if ( strcasecmp( b->a_dnpat, "self" ) == 0 && 
                                op->o_ndn != NULL && *(op->o_ndn) && e->e_dn != NULL ) 
                        {
                                if ( strcmp( edn, op->o_ndn ) == 0 ) {
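Review bot: The new `anonymous` branch tests `b->a_dnpat` against a keyword with `strcasecmp`, but that field also holds administrator-supplied DN regexes. A clause written as `by dn=anonymous` (in any case) would presumably be stored as the same string and be evaluated as the unauthenticated-client keyword rather than as a pattern. The same ambiguity already exists for `self`, and the aclparse.c hunk that stores `ch_strdup( "anonymous" )` inherits it. A separate flag in `struct access`, set by parse_acl, would keep the keyword out of the regex namespace; the `dn=` branch of parse_acl is outside the visible hunks, so confirm what it stores. acl_access_allowed starts and ends outside this hunk.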
@@ -512,6 +522,8 @@ regex_matches(
        char newbuf[512];
        int     rc;
 
+       if(str == NULL) str = "";
+
        string_expand(newbuf, sizeof(newbuf), pat, buf, matches);
        if (( rc = regcomp(&re, newbuf, REG_EXTENDED|REG_ICASE))) {
                char error[512];
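Review bot: `if(str == NULL) str = "";` makes a missing value indistinguishable from an empty one, so any pattern that can match the empty string (for example `.*`) now matches a caller for whom no value was recorded at all. If that is the intended treatment of an anonymous DN, say so above the line, e.g. `/* NULL means no value (e.g. anonymous DN); match it as the empty string */`. The callers of regex_matches are not visible here, so check that each of them wants the same treatment. regex_matches continues outside the hunk.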
index 65d0450317980efcab82f4b89e44336de339b599..b2588e287d2eaac691180454c09f0eb7046cd4e6 100644 (file)
@@ -194,6 +194,8 @@ parse_acl(
                        split( argv[i], '=', &left, &right );
                        if ( strcasecmp( argv[i], "*" ) == 0 ) {
                                b->a_dnpat = ch_strdup( ".*" );
+                       } else if ( strcasecmp( argv[i], "anonymous" ) == 0 ) {
+                               b->a_dnpat = ch_strdup( "anonymous" );
                        } else if ( strcasecmp( argv[i], "self" ) == 0 ) {
                                b->a_dnpat = ch_strdup( "self" );
                        } else if ( strcasecmp( left, "dn" ) == 0 ) {
@@ -263,7 +265,7 @@ parse_acl(
 
                        /* get <access> */
                        split( argv[i], '=', &left, &right );
-                       if ( ACL_IS_INVALID(ACL_SET(str2access( left ),b->a_access)) ) {
+                       if ( ACL_IS_INVALID(ACL_SET(b->a_access,str2access( left ))) ) {
                                fprintf( stderr,
                            "%s: line %d: expecting <access> got \"%s\"\n",
                                    fname, lineno, left );
@@ -379,7 +381,7 @@ acl_usage( void )
                "<what> ::= * | [dn=<regex>] [filter=<ldapfilter>] [attrs=<attrlist>]\n"
                "<attrlist> ::= <attr> | <attr> , <attrlist>\n"
                "<attr> ::= <attrname> | entry | children\n"
-               "<who> ::= * | self | dn=<regex> | addr=<regex>\n"
+               "<who> ::= * | anonymous | self | dn=<regex> | addr=<regex>\n"
                        "\t| domain=<regex> | dnattr=<dnattrname>\n"
 #ifdef SLAPD_ACLGROUPS
                        "\t| group[/<objectclass>[/<attrname>]]=<regex>\n"
@@ -433,7 +435,13 @@ print_access( struct access *b )
        fprintf( stderr, "\tby" );
 
        if ( b->a_dnpat != NULL ) {
-               fprintf( stderr, " dn=%s", b->a_dnpat );
+               if( strcmp(b->a_dnpat, "anonymous") == 0 ) {
+                       fprintf( stderr, " anonymous" );
+               } else if( strcmp(b->a_dnpat, "self") == 0 ) {
+                       fprintf( stderr, " self" );
+               } else {
+                       fprintf( stderr, " dn=%s", b->a_dnpat );
+               }
        } else if ( b->a_addrpat != NULL ) {
                fprintf( stderr, " addr=%s", b->a_addrpat );
        } else if ( b->a_domainpat != NULL ) {
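Review bot: print_access recognises the keywords with `strcmp`, while acl_access_allowed in this commit tests the same field with `strcasecmp`, so a pattern stored in a different case would be evaluated as the keyword but dumped as ` dn=...`. Use `strcasecmp(b->a_dnpat, "anonymous") == 0` and `strcasecmp(b->a_dnpat, "self") == 0` here so the dump reflects how the clause is actually matched. print_access continues outside the hunk.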
index 9d721a71e09565c475e57221a3b9413811b42d7c..28133792e3ff024fcab677c374ad823cc1633746 100644 (file)
@@ -69,14 +69,14 @@ do_bind(
 
        ldap_pvt_thread_mutex_unlock( &conn->c_mutex );
 
-       if ( op->o_ndn != NULL ) {
-               free( op->o_ndn );
-               op->o_ndn = NULL;
-       }
-
        if ( op->o_dn != NULL ) {
                free( op->o_dn );
-               op->o_dn = NULL;
+               op->o_dn = ch_strdup( "" );
+       }
+
+       if ( op->o_ndn != NULL ) {
+               free( op->o_ndn );
+               op->o_ndn = ch_strdup( "" );
        }
 
        /*
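Review bot: The reset only replaces `op->o_dn` and `op->o_ndn` with `""` when they were already non-NULL, so an operation that reaches this block with NULL pointers leaves it still NULL, and later code has to handle both representations of anonymous. Since `free(NULL)` is a no-op, the guards can be dropped: `free( op->o_dn ); op->o_dn = ch_strdup( "" );` and the same for `o_ndn`. do_bind continues outside the hunk, so whether a later path sets them back to NULL cannot be checked here.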
index 1dfbdf2a98fb66f7a493e2d5f8f99dfe0c590efd..7f38737a9b7357369708df9c5a72892e159860fb 100644 (file)
@@ -425,16 +425,18 @@ read_config( char *fname )
                                return( 1 );
                        }
                        if ( be == NULL ) {
-                               if ( ACL_IS_INVALID(ACL_SET(str2access(cargv[1]),
-                                       global_default_access)) ) {
+                               if ( ACL_IS_INVALID(ACL_SET(global_default_access,
+                                               str2access(cargv[1]))) )
+                               {
                                        Debug( LDAP_DEBUG_ANY,
 "%s: line %d: bad access \"%s\" expecting [self]{none|compare|read|write}\n",
                                            fname, lineno, cargv[1] );
                                        return( 1 );
                                }
                        } else {
-                               if ( ACL_IS_INVALID(ACL_SET(str2access(cargv[1]),
-                                       be->be_dfltaccess)) ) {
+                               if ( ACL_IS_INVALID(ACL_SET(be->be_dfltaccess,
+                                               str2access(cargv[1]))) )
+                               {
                                        Debug( LDAP_DEBUG_ANY,
                                                "%s: line %d: bad access \"%s\", "
                                                "expecting [self]{none|compare|search|read|write}\n",
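Review bot: `ACL_SET(global_default_access, str2access(cargv[1]))` ORs the parsed level into whatever the variable already holds, and `ACL_GRANT` compares `ACL_PRIV(a)` with `>=`. If the default starts non-zero, a directive naming a lower level would leave the higher bits set and not reduce access. Putting `ACL_CLR(global_default_access);` before the `ACL_SET` (and likewise for `be->be_dfltaccess`) makes the directive replace rather than accumulate; the initial values are not visible in this diff, so confirm them. On the error path the target is also left as `ACL_INVALID` because the `|=` runs inside the test, which parsing into a temporary would avoid. The same assign-inside-the-test pattern appears in the parse_acl hunk in aclparse.c.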
index 6d9608f8ca505bf9e494304081a5e42ca4ef1504..85c924c82e7c3078e3624384666e2b3b73616ba5 100644 (file)
@@ -188,32 +188,32 @@ struct access {
 #define ACL_SELF       0x4000
 #define ACL_INVALID    -1
 
-#define ACL_IS(lvl,a)  (((a) & (lvl)) == (lvl))
+#define ACL_IS(a,lvl)  (((a) & (lvl)) == (lvl))
 
-#define ACL_IS_NONE(a)         ACL_IS(ACL_SELF,(a))
-#define ACL_IS_AUTH(a)         ACL_IS(ACL_AUTH,(a))
-#define ACL_IS_COMPARE(a)      ACL_IS(ACL_COMPARE,(a))
-#define ACL_IS_SEARCH(a)       ACL_IS(ACL_SEARCH,(a))
-#define ACL_IS_READ(a)         ACL_IS(ACL_READ,(a))
-#define ACL_IS_WRITE(a)                ACL_IS(ACL_WRITE,(a))
-#define ACL_IS_SELF(a)         ACL_IS(ACL_SELF,(a))
-#define ACL_IS_INVALID(a)      ACL_IS(ACL_INVALID,(a))
+#define ACL_IS_NONE(a)         ACL_IS((a),ACL_SELF)
+#define ACL_IS_AUTH(a)         ACL_IS((a),ACL_AUTH)
+#define ACL_IS_COMPARE(a)      ACL_IS((a),ACL_COMPARE)
+#define ACL_IS_SEARCH(a)       ACL_IS((a),ACL_SEARCH)
+#define ACL_IS_READ(a)         ACL_IS((a),ACL_READ)
+#define ACL_IS_WRITE(a)                ACL_IS((a),ACL_WRITE)
+#define ACL_IS_SELF(a)         ACL_IS((a),ACL_SELF)
+#define ACL_IS_INVALID(a)      ACL_IS((a),ACL_INVALID)
 
 
 #define ACL_CLR(a)                     ((a) = 0)
-#define ACL_SET(lvl,a)         ((a) |= (lvl))
-#define ACL_SET_NONE(a)                ACL_SET(ACL_SELF,(a))
-#define ACL_SET_AUTH(a)                ACL_SET(ACL_AUTH,(a))
-#define ACL_SET_COMPARE(a)     ACL_SET(ACL_COMPARE,(a))
-#define ACL_SET_SEARCH(a)      ACL_SET(ACL_SEARCH,(a))
-#define ACL_SET_READ(a)                ACL_SET(ACL_READ,(a))
-#define ACL_SET_WRITE(a)       ACL_SET(ACL_WRITE,(a))
-#define ACL_SET_SELF(a)                ACL_SET(ACL_SELF,(a))
-#define ACL_SET_INVALID(a)     ACL_SET(ACL_INVALID,(a))
+#define ACL_SET(a,lvl)         ((a) |= (lvl))
+#define ACL_SET_NONE(a)                ACL_SET((a),ACL_SELF)
+#define ACL_SET_AUTH(a)                ACL_SET((a),ACL_AUTH)
+#define ACL_SET_COMPARE(a)     ACL_SET((a),ACL_COMPARE)
+#define ACL_SET_SEARCH(a)      ACL_SET((a),ACL_SEARCH)
+#define ACL_SET_READ(a)                ACL_SET((a),ACL_READ)
+#define ACL_SET_WRITE(a)       ACL_SET((a),ACL_WRITE)
+#define ACL_SET_SELF(a)                ACL_SET((a),ACL_SELF)
+#define ACL_SET_INVALID(a)     ACL_SET((a),ACL_INVALID)
 
 #define ACL_PRIV_MASK  0x00ff
 #define        ACL_PRIV(a)             ((a) & ACL_PRIV_MASK)
-#define ACL_GRANT(lvl,a)       (ACL_PRIV(a) >= (lvl))
+#define ACL_GRANT(a,lvl)       (ACL_PRIV(a) >= (lvl))
 #define ACL_TEST