* entry with objectclass group* and we test to see if odn is one of
* the values in the attribute group
*/
- Debug( LDAP_DEBUG_ARGS, "<= check a_group: %s\n",
- b->a_group, 0, 0);
- Debug( LDAP_DEBUG_ARGS, "<= check a_group: odn: %s\n",
- odn, 0, 0);
-
/* see if asker is listed in dnattr */
string_expand(buf, sizeof(buf), b->a_group, edn, matches);
- if (be_group(be, buf, odn) == 0) {
+ if (be_group(be, buf, odn, b->a_objectclassvalue, b->a_groupattrname) == 0) {
Debug( LDAP_DEBUG_ACL,
"<= acl_access_allowed: matched by clause #%d (group) access granted\n",
i, 0, 0 );
#ifdef SLAPD_ACLGROUPS
} else if ( strcasecmp( left, "group" ) == 0 ) {
+ char *name = NULL;
+ char *value = NULL;
regtest(fname, lineno, right);
+
+ /* format of string is "group/objectClassValue/groupAttrName"
+ */
+ if ((value = strchr(right, '/')) != NULL) {
+ *value++ = '\0';
+ if (value && *value && (name = strchr(value, '/')) != NULL)
+ *name++ = '\0';
+ }
+
b->a_group = dn_upcase(strdup( right ));
+
+ if (value && *value) {
+ b->a_objectclassvalue = strdup(value);
+ *--value = '/';
+ }
+ else
+ b->a_objectclassvalue = strdup("groupOfNames");
+
+ if (name && *name) {
+ b->a_groupattrname = strdup(name);
+ *--name = '/';
+ }
+ else
+ b->a_groupattrname = strdup("member");
+
+
+
#endif /* SLAPD_ACLGROUPS */
} else if ( strcasecmp( left, "domain" ) == 0 ) {
char *s;
fname, lineno );
} else {
+
+ if (ldap_debug&LDAP_DEBUG_ACL)
+ print_acl(a);
+
if ( a->acl_access == NULL ) {
fprintf( stderr,
{
printf( "\tby" );
if ( b->a_dnpat != NULL ) {
- printf( " dn=%s", b->a_dnpat );
+ fprintf( stderr, " dn=%s", b->a_dnpat );
} else if ( b->a_addrpat != NULL ) {
- printf( " addr=%s", b->a_addrpat );
+ fprintf( stderr, " addr=%s", b->a_addrpat );
} else if ( b->a_domainpat != NULL ) {
- printf( " domain=%s", b->a_domainpat );
+ fprintf( stderr, " domain=%s", b->a_domainpat );
} else if ( b->a_dnattr != NULL ) {
- printf( " dnattr=%s", b->a_dnattr );
+ fprintf( stderr, " dnattr=%s", b->a_dnattr );
}
- printf( " %s\n", access2str( b->a_access ) );
+ else if ( b->a_group != NULL ) {
+ fprintf( stderr, " group: %s", b->a_group );
+ if ( b->a_objectclassvalue )
+ fprintf( stderr, " objectClassValue: %s", b->a_objectclassvalue );
+ if ( b->a_groupattrname )
+ fprintf( stderr, " groupAttrName: %s", b->a_groupattrname );
+ }
+ fprintf( stderr, "\n" );
}
static void
struct access *b;
if ( a == NULL ) {
- printf( "NULL\n" );
+ fprintf( stderr, "NULL\n" );
}
- printf( "access to" );
+ fprintf( stderr, "ACL: access to" );
if ( a->acl_filter != NULL ) {
- printf( " filter=" );
+ fprintf( stderr," filter=" );
filter_print( a->acl_filter );
}
if ( a->acl_dnpat != NULL ) {
- printf( " dn=" );
- printf( a->acl_dnpat );
+ fprintf( stderr, " dn=" );
+ fprintf( stderr, a->acl_dnpat );
}
if ( a->acl_attrs != NULL ) {
int first = 1;
- printf( " attrs=" );
+ fprintf( stderr, "\n attrs=" );
for ( i = 0; a->acl_attrs[i] != NULL; i++ ) {
if ( ! first ) {
- printf( "," );
+ fprintf( stderr, "," );
}
- printf( a->acl_attrs[i] );
+ fprintf( stderr, a->acl_attrs[i] );
first = 0;
}
}
- printf( "\n" );
+ fprintf( stderr, "\n" );
for ( b = a->acl_access; b != NULL; b = b->a_next ) {
print_access( b );
}
+ fprintf( stderr, "\n" );
}
#endif /* LDAP_DEBUG */
#ifdef SLAPD_ACLGROUPS
-/* return 0 IFF edn is a value in uniqueMember attribute
+/* return 0 IFF edn is a value in member attribute
* of entry with bdn AND that entry has an objectClass
* value of groupOfNames
*/
ldbm_back_group(
Backend *be,
char *bdn,
- char *edn
+ char *edn,
+ char *objectclassValue,
+ char *groupattrName
)
{
struct ldbminfo *li = (struct ldbminfo *) be->be_private;
Debug( LDAP_DEBUG_TRACE, "=> ldbm_back_group: bdn: %s\n", bdn, 0, 0 );
Debug( LDAP_DEBUG_TRACE, "=> ldbm_back_group: edn: %s\n", edn, 0, 0 );
+ Debug( LDAP_DEBUG_TRACE, "=> ldbm_back_group: objectClass: %s attrName: %s\n",
+ objectclassValue, groupattrName, 0 );
/* can we find bdn entry with reader lock */
if ((e = dn2entry_r(be, bdn, &matched )) == NULL) {
if ((objectClass = attr_find(e->e_attrs, "objectclass")) == NULL) {
Debug( LDAP_DEBUG_TRACE, "<= ldbm_back_group: failed to find objectClass\n", 0, 0, 0 );
}
- else if ((member = attr_find(e->e_attrs, "member")) == NULL) {
- Debug( LDAP_DEBUG_TRACE, "<= ldbm_back_group: failed to find member\n", 0, 0, 0 );
+ else if ((member = attr_find(e->e_attrs, groupattrName)) == NULL) {
+ Debug( LDAP_DEBUG_TRACE, "<= ldbm_back_group: failed to find %s\n", groupattrName, 0, 0 );
}
else {
struct berval bvObjectClass;
struct berval bvMembers;
- Debug( LDAP_DEBUG_ARGS, "<= ldbm_back_group: found objectClass and members\n", 0, 0, 0 );
+ Debug( LDAP_DEBUG_ARGS, "<= ldbm_back_group: found objectClass and %s\n", groupattrName, 0, 0 );
- bvObjectClass.bv_val = "groupofnames";
+ bvObjectClass.bv_val = objectclassValue;
bvObjectClass.bv_len = strlen( bvObjectClass.bv_val );
+
bvMembers.bv_val = edn;
bvMembers.bv_len = strlen( edn );
if (value_find(objectClass->a_vals, &bvObjectClass, SYNTAX_CIS, 1) != 0) {
Debug( LDAP_DEBUG_TRACE,
- "<= ldbm_back_group: failed to find objectClass in groupOfNames\n",
- 0, 0, 0 );
+ "<= ldbm_back_group: failed to find %s in objectClass\n",
+ objectclassValue, 0, 0 );
}
else if (value_find(member->a_vals, &bvMembers, SYNTAX_CIS, 1) != 0) {
- Debug( LDAP_DEBUG_ACL, "<= ldbm_back_group: %s not in %s: groupOfNames\n",
- edn, bdn, 0 );
+ Debug( LDAP_DEBUG_ACL, "<= ldbm_back_group: %s not in %s: %s\n",
+ edn, bdn, groupattrName );
}
else {
- Debug( LDAP_DEBUG_ACL, "<= ldbm_back_group: %s is in %s: groupOfNames\n",
- edn, bdn, 0 );
+ Debug( LDAP_DEBUG_ACL, "<= ldbm_back_group: %s is in %s: %s\n",
+ edn, bdn, groupattrName );
rc = 0;
}
}
Debug( LDAP_DEBUG_ARGS, "ldbm_back_group: rc: %d\n", rc, 0, 0 );
return(rc);
}
-#endif
+#endif /* SLAPD_ACLGROUPS */
#ifdef SLAPD_ACLGROUPS
int
-be_group(Backend *be, char *bdn, char *edn)
+be_group(Backend *be, char *bdn, char *edn, char *objectclassValue, char *groupattrName)
{
if (be->be_group)
- return(be->be_group(be, bdn, edn));
+ return(be->be_group(be, bdn, edn, objectclassValue, groupattrName));
else
return(1);
}
Filter *p;
if ( f == NULL ) {
- printf( "NULL" );
+ fprintf( stderr, "NULL" );
}
switch ( f->f_choice ) {
case LDAP_FILTER_EQUALITY:
- printf( "(%s=%s)", f->f_ava.ava_type,
+ fprintf( stderr, "(%s=%s)", f->f_ava.ava_type,
f->f_ava.ava_value.bv_val );
break;
case LDAP_FILTER_GE:
- printf( "(%s>=%s)", f->f_ava.ava_type,
+ fprintf( stderr, "(%s>=%s)", f->f_ava.ava_type,
f->f_ava.ava_value.bv_val );
break;
case LDAP_FILTER_LE:
- printf( "(%s<=%s)", f->f_ava.ava_type,
+ fprintf( stderr, "(%s<=%s)", f->f_ava.ava_type,
f->f_ava.ava_value.bv_val );
break;
case LDAP_FILTER_APPROX:
- printf( "(%s~=%s)", f->f_ava.ava_type,
+ fprintf( stderr, "(%s~=%s)", f->f_ava.ava_type,
f->f_ava.ava_value.bv_val );
break;
case LDAP_FILTER_SUBSTRINGS:
- printf( "(%s=", f->f_sub_type );
+ fprintf( stderr, "(%s=", f->f_sub_type );
if ( f->f_sub_initial != NULL ) {
- printf( "%s", f->f_sub_initial );
+ fprintf( stderr, "%s", f->f_sub_initial );
}
if ( f->f_sub_any != NULL ) {
for ( i = 0; f->f_sub_any[i] != NULL; i++ ) {
- printf( "*%s", f->f_sub_any[i] );
+ fprintf( stderr, "*%s", f->f_sub_any[i] );
}
}
charray_free( f->f_sub_any );
if ( f->f_sub_final != NULL ) {
- printf( "*%s", f->f_sub_final );
+ fprintf( stderr, "*%s", f->f_sub_final );
}
break;
case LDAP_FILTER_PRESENT:
- printf( "%s=*", f->f_type );
+ fprintf( stderr, "%s=*", f->f_type );
break;
case LDAP_FILTER_AND:
case LDAP_FILTER_OR:
case LDAP_FILTER_NOT:
- printf( "(%c", f->f_choice == LDAP_FILTER_AND ? '&' :
+ fprintf( stderr, "(%c", f->f_choice == LDAP_FILTER_AND ? '&' :
f->f_choice == LDAP_FILTER_OR ? '|' : '!' );
for ( p = f->f_list; p != NULL; p = p->f_next ) {
filter_print( p );
}
- printf( ")" );
+ fprintf( stderr, ")" );
break;
default:
- printf( "unknown type %d", f->f_choice );
+ fprintf( stderr, "unknown type %d", f->f_choice );
break;
}
}
long a_access;
#ifdef SLAPD_ACLGROUPS
- char *a_group;
+ char *a_group;
+ char *a_objectclassvalue;
+ char *a_groupattrname;
#endif
#define ACL_NONE 0x01
projects / openldap / commitdiff