slap_access_t *grant,
slap_access_t *deny,
slap_aci_scope_t scope);
-#endif
+#endif /* SLAPD_ACI_ENABLED */
static int regex_matches(
struct berval *pat, char *str, char *buf,
char accessmaskbuf[ACCESSMASK_MAXLEN];
#if !defined( SLAP_DYNACL ) && defined( SLAPD_ACI_ENABLED )
char accessmaskbuf1[ACCESSMASK_MAXLEN];
-#endif /* SLAPD_ACI_ENABLED */
+#endif /* !SLAP_DYNACL && SLAPD_ACI_ENABLED */
#endif /* DEBUG */
const char *attr;
* is maintaned in a_dn_pat.
*/
- if ( op->o_conn && !BER_BVISNULL( &op->o_conn->c_ndn ) ) {
+ if ( op->o_conn && !BER_BVISNULL( &op->o_conn->c_ndn ) )
+ {
ndn = op->o_conn->c_ndn;
} else {
ndn = op->o_ndn;
if ( b->a_realdn_at != NULL ) {
struct berval ndn;
- if ( op->o_conn && !BER_BVISNULL( &op->o_conn->c_ndn ) ) {
+ if ( op->o_conn && !BER_BVISNULL( &op->o_conn->c_ndn ) )
+ {
ndn = op->o_conn->c_ndn;
} else {
ndn = op->o_ndn;
}
}
-#if 0
- if ( b->a_dn_at != NULL ) {
- Attribute *at;
- struct berval bv;
- int rc, match = 0;
- const char *text;
- const char *attr = b->a_dn_at->ad_cname.bv_val;
-
- assert( attr != NULL );
-
- if ( op->o_ndn.bv_len == 0 ) {
- continue;
- }
-
- Debug( LDAP_DEBUG_ACL, "<= check a_dn_at: %s\n",
- attr, 0, 0);
- bv = op->o_ndn;
-
- /* see if asker is listed in dnattr */
- for( at = attrs_find( e->e_attrs, b->a_dn_at );
- at != NULL;
- at = attrs_find( at->a_next, b->a_dn_at ) )
- {
- if( value_find_ex( b->a_dn_at,
- SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH |
- SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH,
- at->a_nvals,
- &bv, op->o_tmpmemctx ) == 0 )
- {
- /* found it */
- match = 1;
- break;
- }
- }
-
- if ( match ) {
- /* have a dnattr match. if this is a self clause then
- * the target must also match the op dn.
- */
- if ( b->a_dn_self ) {
- /* check if the target is an attribute. */
- if ( val == NULL ) continue;
-
- /* target is attribute, check if the attribute value
- * is the op dn.
- */
- rc = value_match( &match, b->a_dn_at,
- b->a_dn_at->ad_type->sat_equality, 0,
- val, &bv, &text );
- /* on match error or no match, fail the ACL clause */
- if (rc != LDAP_SUCCESS || match != 0 )
- continue;
- }
-
- } else {
- /* no dnattr match, check if this is a self clause */
- if ( ! b->a_dn_self )
- continue;
-
- ACL_RECORD_VALUE_STATE;
-
- /* this is a self clause, check if the target is an
- * attribute.
- */
- if ( val == NULL )
- continue;
-
- /* target is attribute, check if the attribute value
- * is the op dn.
- */
- rc = value_match( &match, b->a_dn_at,
- b->a_dn_at->ad_type->sat_equality, 0,
- val, &bv, &text );
-
- /* on match error or no match, fail the ACL clause */
- if (rc != LDAP_SUCCESS || match != 0 )
- continue;
- }
- }
-#endif
-
if ( !BER_BVISEMPTY( &b->a_group_pat ) ) {
struct berval bv;
struct berval ndn = BER_BVNULL;
}
#ifdef SLAP_DYNACL
+/*
+ * FIXME: there is a silly dependence that makes it difficult
+ * to move ACIs in a run-time loadable module under the "dynacl"
+ * umbrella, because sets share some helpers with ACIs.
+ */
static int
dynacl_aci_parse( const char *fname, int lineno, slap_style_t sty, const char *right, void **privp )
{
#ifdef SLAPD_ACI_ENABLED
#define SLAPD_ACI_SYNTAX "1.3.6.1.4.1.4203.666.2.1"
-#endif
+#endif /* SLAPD_ACI_ENABLED */
/* change this to "OpenLDAPset" */
#define SLAPD_ACI_SET_ATTR "template"
AttributeDescription *si_ad_saslAuthzFrom;
#ifdef SLAPD_ACI_ENABLED
AttributeDescription *si_ad_aci;
-#endif
+#endif /* SLAPD_ACI_ENABLED */
/* dynamic entries */
AttributeDescription *si_ad_entryTtl;
typedef struct slap_dn_access {
/* DN pattern */
AuthorizationInformation a_dnauthz;
+#define a_pat a_dnauthz.sai_dn
slap_style_t a_style;
int a_level;
/* DN pattern */
slap_dn_access a_dn;
#define a_dn_pat a_dn.a_dnauthz.sai_dn
-#define a_dn_style a_dn.a_style
-#define a_dn_level a_dn.a_level
-#define a_dn_self_level a_dn.a_self_level
#define a_dn_at a_dn.a_at
#define a_dn_self a_dn.a_self
-#define a_dn_expand a_dn.a_expand
/* real DN pattern */
slap_dn_access a_realdn;
#define a_realdn_pat a_realdn.a_dnauthz.sai_dn
-#define a_realdn_style a_realdn.a_style
-#define a_realdn_level a_realdn.a_level
-#define a_realdn_self_level a_realdn.a_self_level
#define a_realdn_at a_realdn.a_at
#define a_realdn_self a_realdn.a_self
-#define a_realdn_expand a_realdn.a_expand
+ /* used for ssf stuff
+ * NOTE: the ssf stuff in a_realdn is ignored */
#define a_authz a_dn.a_dnauthz
-#define a_pat a_dnauthz.sai_dn
/* connection related stuff */
slap_style_t a_peername_style;
slap_dynacl_t *a_dynacl;
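Review bot: The new comment above `#define a_authz a_dn.a_dnauthz` states that the ssf fields in `a_realdn` are ignored, but nothing in this hunk prevents an ACL clause from attaching ssf constraints to a realdn clause, so if the parser (outside this hunk) accepts them an administrator's `realdn ... ssf=N` restriction would silently have no effect, i.e. fail open. I'd suggest the parser reject, or at least log a warning on, ssf fields set on `a_realdn`, and make the comment say so: `/* NOTE: only the ssf constraints in a_dn are enforced; any ssf set on a_realdn is ignored, so the parser must reject or warn on them */`. Separately, `#define a_pat a_dnauthz.sai_dn` is now placed inside the slap_dn_access typedef body, but the preprocessor does not scope it, so every translation unit including this header has any identifier named `a_pat` rewritten; a less generic name or an `#undef a_pat` once the struct is defined would limit that. Both struct definitions (slap_dn_access and the enclosing access struct) start and end outside the hunk.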
#else /* ! SLAP_DYNACL */
#ifdef SLAPD_ACI_ENABLED
+ /* NOTE: ACIs have been moved under the "dynacl" interface,
+ * which is currently built only when LDAP_DEVEL is defined.
+ *
+ * In any case, SLAPD_ACI_ENABLED, set by --enable-aci,
+ * is required to enable ACI support.
+ */
AttributeDescription *a_aci_at;
-#endif
+#endif /* SLAPD_ACI_ENABLED */
#endif /* SLAP_DYNACL */
/* ACL Groups */