fix previous commit in case of access to non existent backend (e.g. rootDSE); add...
authorPierangelo Masarati <ando@openldap.org>
Tue, 12 Apr 2005 19:36:56 +0000 (19:36 +0000)
committerPierangelo Masarati <ando@openldap.org>
Tue, 12 Apr 2005 19:36:56 +0000 (19:36 +0000)
doc/man/man8/slapacl.8
servers/slapd/slapacl.c
servers/slapd/slapcommon.c
servers/slapd/slapcommon.h

index 7e1900e7729d19358b9a8911a9f7963f3bebaf0e..fc369a3b989c52ed27bc88aa6fc07f2e438dea6e 100644 (file)
@@ -11,6 +11,7 @@ slapacl \- Check access to a list of attributes.
 .B [\-D authcDN | \-U authcID]
 .B \-b DN
 .B [\-u]
+.B [\-X authzID | \-o authzDN=DN]
 .B [attr[/access][:value]] [...]
 .LP
 .SH DESCRIPTION
@@ -63,6 +64,36 @@ rules (see
 for details); mutually exclusive with
 .BR \-D .
 .TP
+.BI \-X " authzID"
+specify an authorization ID to be mapped to a
+.B DN
+as by means of
+.B authz-regexp
+or
+.B authz-rewrite
+rules (see
+.BR slapd.conf (5)
+for details); mutually exclusive with \fB\-o\fP \fIauthzDN=DN\fP.
+.TP
+.BI \-o " option[=value]"
+Specify an
+.BR option
+with a(n optional)
+.BR value .
+Possible options/values are:
+.LP
+.nf
+              sockurl
+              domain
+              peername
+              sockname
+              ssf
+              transport_ssf
+              tls_ssf
+              sasl_ssf
+              authzDN
+.fi
+.TP
 .BI \-b " DN"
 specify the 
 .B DN 
index fdab725ab3ef2df7eed30e334fca3a9e1767d127..2b325f661ad6208ff6d4459b560416a70773faf3 100644 (file)
@@ -90,10 +90,18 @@ slapacl( int argc, char **argv )
        op->o_sasl_ssf = sasl_ssf;
 
        if ( !BER_BVISNULL( &authcID ) ) {
+               if ( !BER_BVISNULL( &authcDN ) ) {
+                       fprintf( stderr, "both authcID=\"%s\" "
+                                       "and authcDN=\"%s\" provided\n",
+                                       authcID.bv_val, authcDN.bv_val );
+                       rc = 1;
+                       goto destroy;
+               }
+
                rc = slap_sasl_getdn( &conn, op, &authcID, NULL,
                                &authcDN, SLAP_GETDN_AUTHCID );
                if ( rc != LDAP_SUCCESS ) {
-                       fprintf( stderr, "ID: <%s> check failed %d (%s)\n",
+                       fprintf( stderr, "authcID: <%s> check failed %d (%s)\n",
                                        authcID.bv_val, rc,
                                        ldap_err2string( rc ) );
                        rc = 1;
@@ -115,9 +123,47 @@ slapacl( int argc, char **argv )
                authcDN = ndn;
        }
 
+       if ( !BER_BVISNULL( &authzID ) ) {
+               if ( !BER_BVISNULL( &authzDN ) ) {
+                       fprintf( stderr, "both authzID=\"%s\" "
+                                       "and authzDN=\"%s\" provided\n",
+                                       authzID.bv_val, authzDN.bv_val );
+                       rc = 1;
+                       goto destroy;
+               }
+
+               rc = slap_sasl_getdn( &conn, op, &authzID, NULL,
+                               &authzDN, SLAP_GETDN_AUTHZID );
+               if ( rc != LDAP_SUCCESS ) {
+                       fprintf( stderr, "authzID: <%s> check failed %d (%s)\n",
+                                       authzID.bv_val, rc,
+                                       ldap_err2string( rc ) );
+                       rc = 1;
+                       goto destroy;
+               }
+
+       } else if ( !BER_BVISNULL( &authzDN ) ) {
+               struct berval   ndn;
+
+               rc = dnNormalize( 0, NULL, NULL, &authzDN, &ndn, NULL );
+               if ( rc != LDAP_SUCCESS ) {
+                       fprintf( stderr, "autchDN=\"%s\" normalization failed %d (%s)\n",
+                                       authzDN.bv_val, rc,
+                                       ldap_err2string( rc ) );
+                       rc = 1;
+                       goto destroy;
+               }
+               ch_free( authzDN.bv_val );
+               authzDN = ndn;
+       }
+
 
        if ( !BER_BVISNULL( &authcDN ) ) {
-               fprintf( stderr, "DN: \"%s\"\n", authcDN.bv_val );
+               fprintf( stderr, "authcDN: \"%s\"\n", authcDN.bv_val );
+       }
+
+       if ( !BER_BVISNULL( &authzDN ) ) {
+               fprintf( stderr, "authzDN: \"%s\"\n", authzDN.bv_val );
        }
 
        assert( !BER_BVISNULL( &baseDN ) );
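Review bot: The error message in the new authzDN normalization branch names the wrong variable: `fprintf( stderr, "autchDN=\"%s\" normalization failed %d (%s)\n",` is reporting on authzDN, so it should read `fprintf( stderr, "authzDN=\"%s\" normalization failed %d (%s)\n",`; as written, an operator debugging a bad `-o authzDN=` value is pointed at the authentication DN. Separately, the `-X`/authzDN path maps the identity with slap_sasl_getdn and, at least in the visible lines, assumes it without any proxy-authorization policy check (authzTo/authzFrom), so slapacl will report access for authcDN→authzDN pairs that a live bind could never establish; that is presumably intended for an offline tool, but it deserves a sentence in slapacl(8). The slapacl function starts and ends outside this hunk.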
@@ -131,12 +177,16 @@ slapacl( int argc, char **argv )
        }
 
        op->o_bd = be;
+       if ( !BER_BVISNULL( &authzDN ) ) {
+               op->o_dn = authzDN;
+               op->o_ndn = authzDN;
+       }
        if ( !BER_BVISNULL( &authcDN ) ) {
-               op->o_dn = authcDN;
-               op->o_ndn = authcDN;
+               op->o_conn->c_dn = authcDN;
+               op->o_conn->c_ndn = authcDN;
        }
 
-       if ( !dryrun ) {
+       if ( !dryrun && be ) {
                ID      id;
 
                if ( !be->be_entry_open ||
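Review bot: Removing `op->o_dn = authcDN; op->o_ndn = authcDN;` leaves op->o_dn/o_ndn unset whenever only `-D` or `-U` is given, because the new code assigns them solely from authzDN and moves authcDN to the connection's c_dn/c_ndn; if the operation is initialized empty (its setup is above this hunk), every ACL check then runs with an anonymous operation DN and the tool's verdict for a plain authcDN no longer reflects the `by dn=...` clauses that would apply to that user. Fall back to the authenticated identity when no authorization identity was supplied, by appending `} else if ( !BER_BVISNULL( &authcDN ) ) { op->o_dn = authcDN; op->o_ndn = authcDN; }` to the authzDN block. The `!dryrun && be` guard is right for the rootDSE case, but `op->o_bd = be` is still assigned a NULL backend, so any later code reading op->o_bd without the same guard needs checking; that code lies outside the hunk.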
@@ -264,7 +314,7 @@ slapacl( int argc, char **argv )
 destroy:;
        ber_memfree( e.e_name.bv_val );
        ber_memfree( e.e_nname.bv_val );
-       if ( !dryrun ) {
+       if ( !dryrun && be ) {
                if ( ep != &e ) {
                        be_entry_release_r( op, ep );
                }
index e3f94152f3df51233e28f6406d3e794a7c2d6558..ed2903d8e57b9c152600d7e97aa80829af391b3a 100644 (file)
@@ -54,9 +54,8 @@ usage( int tool, const char *progname )
 
        switch( tool ) {
        case SLAPACL:
-               options = "\n\t[-U authcID | -D authcDN]"
-                       " -b DN -o <var>[=<val>] [-u]"
-                       "\n\t[attr[/access][:value]] [...]\n";
+               options = "\n\t[-U authcID | -D authcDN] [-X authzID | -o authzDN=<DN>]"
+                       "\n\t-b DN -o <var>[=<val>] [-u] [attr[/access][:value]] [...]\n";
                break;
 
        case SLAPADD:
@@ -142,6 +141,9 @@ parse_slapacl( void )
        } else if ( strncasecmp( optarg, "sasl_ssf", len ) == 0 ) {
                sasl_ssf = atoi( p );
 
+       } else if ( strncasecmp( optarg, "authzDN", len ) == 0 ) {
+               ber_str2bv( p, 0, 1, &authzDN );
+
        } else {
                return -1;
        }
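Review bot: The new `authzDN` case stores the value with `ber_str2bv( p, 0, 1, &authzDN )` (dup=1) without releasing any earlier value, so `-o authzDN=` given twice leaks the first copy; guard it with `if ( !BER_BVISNULL( &authzDN ) ) ch_free( authzDN.bv_val );` before the call, or reject the repeat outright. How `len` and `p` are derived from optarg is above this hunk, so whether `-o authz=...` is accepted as a prefix match (as the `strncasecmp` bounded by `len` suggests) cannot be confirmed from here; the enclosing parse_slapacl starts outside the hunk.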
@@ -214,7 +216,7 @@ slap_tool_init(
                break;
 
        case SLAPACL:
-               options = "b:D:d:f:F:o:uU:v";
+               options = "b:D:d:f:F:o:uU:vX:";
                mode |= SLAP_TOOL_READMAIN | SLAP_TOOL_READONLY;
                break;
 
index 423f0fbd87974357b432cae6bcd8ee11d8e11392..4dcf7a8cbb15bb68e23ec8705e9bbaef4c2563fc 100644 (file)
@@ -42,8 +42,9 @@ typedef struct tool_vars {
        Filter *tv_filter;
        struct berval tv_sub_ndn;
        FILE    *tv_ldiffp;
-       struct berval tv_authcDN;
        struct berval tv_baseDN;
+       struct berval tv_authcDN;
+       struct berval tv_authzDN;
        struct berval tv_authcID;
        struct berval tv_authzID;
        struct berval tv_mech;
@@ -70,8 +71,9 @@ extern tool_vars tool_globals;
 #define filter tool_globals.tv_filter
 #define sub_ndn tool_globals.tv_sub_ndn
 #define ldiffp tool_globals.tv_ldiffp
-#define authcDN tool_globals.tv_authcDN
 #define baseDN tool_globals.tv_baseDN
+#define authcDN tool_globals.tv_authcDN
+#define authzDN tool_globals.tv_authzDN
 #define authcID tool_globals.tv_authcID
 #define authzID tool_globals.tv_authzID
 #define mech tool_globals.tv_mech