* - can be legally called with op->o_bd == NULL
*/
-#ifdef SLAP_OVERLAY_ACCESS
int
slap_access_always_allowed(
Operation *op,
return ret;
}
-#else /* !SLAP_OVERLAY_ACCESS */
-
-int
-access_allowed_mask(
- Operation *op,
- Entry *e,
- AttributeDescription *desc,
- struct berval *val,
- slap_access_t access,
- AccessControlState *state,
- slap_mask_t *maskp )
-{
- int ret = 1;
- int count;
- AccessControl *a = NULL;
- Backend *be;
- int be_null = 0;
-
-#ifdef LDAP_DEBUG
- char accessmaskbuf[ACCESSMASK_MAXLEN];
-#endif
- slap_mask_t mask;
- slap_control_t control;
- slap_access_t access_level;
- const char *attr;
- regmatch_t matches[MAXREMATCHES];
- int st_same_attr = 0;
- static AccessControlState state_init = ACL_STATE_INIT;
-
- assert( e != NULL );
- assert( desc != NULL );
-
- access_level = ACL_LEVEL( access );
-
- assert( access_level > ACL_NONE );
- if ( maskp ) ACL_INVALIDATE( *maskp );
-
- attr = desc->ad_cname.bv_val;
-
- assert( attr != NULL );
-
- if ( op ) {
- if ( op->o_is_auth_check &&
- ( access_level == ACL_SEARCH || access_level == ACL_READ ) )
- {
- access = ACL_AUTH;
-
- } else if ( get_manageDIT( op ) && access_level == ACL_WRITE &&
- desc == slap_schema.si_ad_entry )
- {
- access = ACL_MANAGE;
- }
- }
-
- if ( state ) {
- if ( state->as_vd_ad == desc ) {
- if ( ( state->as_recorded & ACL_STATE_RECORDED_NV ) &&
- val == NULL )
- {
- return state->as_result;
-
- } else if ( ( state->as_recorded & ACL_STATE_RECORDED_VD ) &&
- val != NULL && state->as_vd_acl == NULL )
- {
- return state->as_result;
- }
- st_same_attr = 1;
- } else {
- *state = state_init;
- }
-
- state->as_vd_ad = desc;
- }
-
- Debug( LDAP_DEBUG_ACL,
- "=> access_allowed: %s access to \"%s\" \"%s\" requested\n",
- access2str( access ), e->e_dn, attr );
-
- if ( op == NULL ) {
- /* no-op call */
- goto done;
- }
-
- be = op->o_bd;
- if ( be == NULL ) {
- be = LDAP_STAILQ_FIRST(&backendDB);
- be_null = 1;
-#ifdef LDAP_DEVEL
- /*
- * FIXME: experimental; use first backend rules
- * iff there is no global_acl (ITS#3100) */
- if ( frontendDB->be_acl == NULL )
-#endif
- {
- op->o_bd = be;
- }
- }
- assert( be != NULL );
-
- /* grant database root access */
- if ( be_isroot( op ) ) {
- Debug( LDAP_DEBUG_ACL, "<= root access granted\n", 0, 0, 0 );
- if ( maskp ) {
- mask = ACL_LVL_MANAGE;
- }
-
- goto done;
- }
-
- /*
- * no-user-modification operational attributes are ignored
- * by ACL_WRITE checking as any found here are not provided
- * by the user
- *
- * NOTE: but they are not ignored for ACL_MANAGE, because
- * if we get here it means a non-root user is trying to
- * manage data, so we need to check its privileges.
- */
- if ( access_level == ACL_WRITE && is_at_no_user_mod( desc->ad_type )
- && desc != slap_schema.si_ad_entry
- && desc != slap_schema.si_ad_children )
- {
- Debug( LDAP_DEBUG_ACL, "NoUserMod Operational attribute:"
- " %s access granted\n",
- attr, 0, 0 );
- goto done;
- }
-
- /* use backend default access if no backend acls */
- if ( be->be_acl == NULL ) {
- Debug( LDAP_DEBUG_ACL,
- "=> access_allowed: backend default %s "
- "access %s to \"%s\"\n",
- access2str( access ),
- be->be_dfltaccess >= access_level ? "granted" : "denied",
- op->o_dn.bv_val ? op->o_dn.bv_val : "(anonymous)" );
- ret = be->be_dfltaccess >= access_level;
-
- if ( maskp ) {
- int i;
-
- mask = ACL_PRIV_LEVEL;
- for ( i = ACL_NONE; i <= be->be_dfltaccess; i++ ) {
- mask |= ACL_ACCESS2PRIV( i );
- }
- }
-
- goto done;
-
-#ifdef notdef
- /* be is always non-NULL */
- /* use global default access if no global acls */
- } else if ( be == NULL && frontendDB->be_acl == NULL ) {
- Debug( LDAP_DEBUG_ACL,
- "=> access_allowed: global default %s access %s to \"%s\"\n",
- access2str( access ),
- frontendDB->be_dfltaccess >= access_level ?
- "granted" : "denied", op->o_dn.bv_val );
- ret = frontendDB->be_dfltaccess >= access_level;
-
- if ( maskp ) {
- int i;
-
- mask = ACL_PRIV_LEVEL;
- for ( i = ACL_NONE; i <= global_default_access; i++ ) {
- mask |= ACL_ACCESS2PRIV( i );
- }
- }
-
- goto done;
-#endif
- }
-
- ret = 0;
- control = ACL_BREAK;
-
- if ( st_same_attr ) {
- assert( state->as_vd_acl != NULL );
-
- a = state->as_vd_acl;
- count = state->as_vd_acl_count;
- if ( !ACL_IS_INVALID( state->as_vd_acl_mask ) ) {
- mask = state->as_vd_acl_mask;
- AC_MEMCPY( matches, state->as_vd_acl_matches, sizeof(matches) );
- goto vd_access;
- }
-
- } else {
- if ( state ) state->as_vi_acl = NULL;
- a = NULL;
- ACL_INIT(mask);
- count = 0;
- memset( matches, '\0', sizeof(matches) );
- }
-
- while ( ( a = slap_acl_get( a, &count, op, e, desc, val,
- MAXREMATCHES, matches, state ) ) != NULL )
- {
- int i;
-
- for ( i = 0; i < MAXREMATCHES && matches[i].rm_so > 0; i++ ) {
- Debug( LDAP_DEBUG_ACL, "=> match[%d]: %d %d ", i,
- (int)matches[i].rm_so, (int)matches[i].rm_eo );
- if ( matches[i].rm_so <= matches[0].rm_eo ) {
- int n;
- for ( n = matches[i].rm_so; n < matches[i].rm_eo; n++ ) {
- Debug( LDAP_DEBUG_ACL, "%c", e->e_ndn[n], 0, 0 );
- }
- }
- Debug( LDAP_DEBUG_ARGS, "\n", 0, 0, 0 );
- }
-
- if ( state ) {
- if ( state->as_vi_acl == a &&
- ( state->as_recorded & ACL_STATE_RECORDED_NV ) )
- {
- Debug( LDAP_DEBUG_ACL,
- "access_allowed: result from state (%s)\n",
- attr, 0, 0 );
- ret = state->as_result;
- goto done;
- } else {
- Debug( LDAP_DEBUG_ACL,
- "access_allowed: no res from state (%s)\n",
- attr, 0, 0 );
- }
- }
-
-vd_access:
- control = slap_acl_mask( a, &mask, op,
- e, desc, val, MAXREMATCHES, matches, count, state );
-
- if ( control != ACL_BREAK ) {
- break;
- }
-
- memset( matches, '\0', sizeof(matches) );
- }
-
- if ( ACL_IS_INVALID( mask ) ) {
- Debug( LDAP_DEBUG_ACL,
- "=> access_allowed: \"%s\" (%s) invalid!\n",
- e->e_dn, attr, 0 );
- ACL_INIT(mask);
-
- } else if ( control == ACL_BREAK ) {
- Debug( LDAP_DEBUG_ACL,
- "=> access_allowed: no more rules\n", 0, 0, 0 );
-
- goto done;
- }
-
- Debug( LDAP_DEBUG_ACL,
- "=> access_allowed: %s access %s by %s\n",
- access2str( access ),
- ACL_GRANT(mask, access) ? "granted" : "denied",
- accessmask2str( mask, accessmaskbuf, 1 ) );
-
- ret = ACL_GRANT(mask, access);
-
-done:
- if ( state != NULL ) {
- /* If not value-dependent, save ACL in case of more attrs */
- if ( !( state->as_recorded & ACL_STATE_RECORDED_VD ) ) {
- state->as_vi_acl = a;
- state->as_result = ret;
- }
- state->as_recorded |= ACL_STATE_RECORDED;
- }
- if ( be_null ) op->o_bd = NULL;
- if ( maskp ) *maskp = mask;
- return ret;
-}
-
-#endif /* !SLAP_OVERLAY_ACCESS */
/*
* slap_acl_get - return the acl applicable to entry e, attribute
return ACL_NONE;
} else if ( strcasecmp( str, "disclose" ) == 0 ) {
-#ifndef SLAP_ACL_HONOR_DISCLOSE
- Debug( LDAP_DEBUG_ACL, "str2access: warning, "
- "\"disclose\" privilege disabled.\n",
- 0, 0, 0 );
-#endif /* SLAP_ACL_HONOR_DISCLOSE */
return ACL_DISCLOSE;
} else if ( strcasecmp( str, "auth" ) == 0 ) {
e = ei->bei_e;
if ( rs->sr_err == DB_NOTFOUND ) {
if ( e != NULL ) {
-#ifdef SLAP_ACL_HONOR_DISCLOSE
/* return referral only if "disclose" is granted on the object */
if ( ! access_allowed( op, e, slap_schema.si_ad_entry,
NULL, ACL_DISCLOSE, NULL ) )
{
rs->sr_err = LDAP_NO_SUCH_OBJECT;
- } else
-#endif /* SLAP_ACL_HONOR_DISCLOSE */
- {
+ } else {
rs->sr_matched = ch_strdup( e->e_dn );
rs->sr_ref = is_entry_referral( e )
? get_entry_referrals( op, e )
}
if (!manageDSAit && is_entry_referral( e ) ) {
-#ifdef SLAP_ACL_HONOR_DISCLOSE
/* return referral only if "disclose" is granted on the object */
if ( !access_allowed( op, e, slap_schema.si_ad_entry,
NULL, ACL_DISCLOSE, NULL ) )
{
rs->sr_err = LDAP_NO_SUCH_OBJECT;
- } else
-#endif /* SLAP_ACL_HONOR_DISCLOSE */
- {
+ } else {
/* entry is a referral, don't allow compare */
rs->sr_ref = get_entry_referrals( op, e );
rs->sr_err = LDAP_REFERRAL;
if ( get_assert( op ) &&
( test_filter( op, e, get_assertion( op )) != LDAP_COMPARE_TRUE ))
{
-#ifdef SLAP_ACL_HONOR_DISCLOSE
if ( !access_allowed( op, e, slap_schema.si_ad_entry,
NULL, ACL_DISCLOSE, NULL ) )
{
rs->sr_err = LDAP_NO_SUCH_OBJECT;
- } else
-#endif /* SLAP_ACL_HONOR_DISCLOSE */
- {
+ } else {
rs->sr_err = LDAP_ASSERTION_FAILED;
}
goto return_results;
if ( !access_allowed( op, e, op->oq_compare.rs_ava->aa_desc,
&op->oq_compare.rs_ava->aa_value, ACL_COMPARE, NULL ) )
{
-#ifdef SLAP_ACL_HONOR_DISCLOSE
/* return error only if "disclose"
* is granted on the object */
if ( !access_allowed( op, e, slap_schema.si_ad_entry,
NULL, ACL_DISCLOSE, NULL ) )
{
rs->sr_err = LDAP_NO_SUCH_OBJECT;
- } else
-#endif /* SLAP_ACL_HONOR_DISCLOSE */
- {
+ } else {
rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
}
goto return_results;
Entry *matched = NULL;
EntryInfo *ei, ei_root = {0};
struct berval realbase = BER_BVNULL;
-#ifdef SLAP_ACL_HONOR_DISCLOSE
slap_mask_t mask;
-#endif
int manageDSAit;
int tentries = 0;
ID lastid = NOID;
if ( matched != NULL ) {
BerVarray erefs = NULL;
-#ifdef SLAP_ACL_HONOR_DISCLOSE
/* return referral only if "disclose"
* is granted on the object */
if ( ! access_allowed( op, matched,
{
rs->sr_err = LDAP_NO_SUCH_OBJECT;
- } else
-#endif /* SLAP_ACL_HONOR_DISCLOSE */
- {
+ } else {
ber_dupbv( &matched_dn, &matched->e_name );
erefs = is_entry_referral( matched )
return rs->sr_err;
}
-#ifdef SLAP_ACL_HONOR_DISCLOSE
/* NOTE: __NEW__ "search" access is required
* on searchBase object */
if ( ! access_allowed_mask( op, e, slap_schema.si_ad_entry,
send_ldap_result( op, rs );
return rs->sr_err;
}
-#endif /* SLAP_ACL_HONOR_DISCLOSE */
if ( !manageDSAit && e != &e_root && is_entry_referral( e ) ) {
/* entry is a referral, don't allow add */
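Review bot: The comment `/* NOTE: __NEW__ "search" access is required on searchBase object */` kept above the `access_allowed_mask` call is now misleading: the `__NEW__` marker described behaviour that was only compiled under `SLAP_ACL_HONOR_DISCLOSE`, and this change makes the check unconditional in every build. Suggest `/* NOTE: "search" access is required on the searchBase object */`. The same comment survives in the back-sql search hunk further down and needs the same edit. The enclosing search function starts and ends outside this hunk.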
bi->bi_connection_init = 0;
bi->bi_connection_destroy = 0;
-#ifdef SLAP_OVERLAY_ACCESS
bi->bi_access_allowed = slap_access_always_allowed;
-#endif /* SLAP_OVERLAY_ACCESS */
return 0;
}
case LDAP_BACK_CFG_IDASSERT_AUTHZFROM: {
struct berval bv;
-#ifdef SLAP_AUTHZ_SYNTAX
struct berval in;
int rc;
Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->msg, 0 );
return 1;
}
-#else /* !SLAP_AUTHZ_SYNTAX */
- ber_str2bv( c->argv[ 1 ], 0, 1, &bv );
-#endif /* !SLAP_AUTHZ_SYNTAX */
ber_bvarray_add( &li->li_idassert_authz, &bv );
} break;
bi->bi_entry_get_rw = ldif_back_entry_get;
#if 0 /* NOTE: uncomment to completely disable access control */
-#ifdef SLAP_OVERLAY_ACCESS
bi->bi_access_allowed = slap_access_always_allowed;
-#endif /* SLAP_OVERLAY_ACCESS */
#endif
bi->bi_tool_entry_open = ldif_tool_entry_open;
if ( e == NULL ) {
rs->sr_err = LDAP_NO_SUCH_OBJECT;
if ( matched ) {
-#ifdef SLAP_ACL_HONOR_DISCLOSE
if ( !access_allowed_mask( op, matched,
slap_schema.si_ad_entry,
NULL, ACL_DISCLOSE, NULL, NULL ) )
{
/* do nothing */ ;
- } else
-#endif /* SLAP_ACL_HONOR_DISCLOSE */
- {
+ } else {
rs->sr_matched = matched->e_dn;
}
}
break;
default:
-#ifdef SLAP_ACL_HONOR_DISCLOSE
if ( !access_allowed_mask( op, e, slap_schema.si_ad_entry,
NULL, ACL_DISCLOSE, NULL, NULL ) )
{
rs->sr_err = LDAP_NO_SUCH_OBJECT;
}
-#endif /* SLAP_ACL_HONOR_DISCLOSE */
break;
}
if ( e == NULL ) {
rs->sr_err = LDAP_NO_SUCH_OBJECT;
if ( matched ) {
-#ifdef SLAP_ACL_HONOR_DISCLOSE
if ( !access_allowed_mask( op, matched,
slap_schema.si_ad_entry,
NULL, ACL_DISCLOSE, NULL, NULL ) )
{
/* do nothing */ ;
- } else
-#endif /* SLAP_ACL_HONOR_DISCLOSE */
- {
+ } else {
rs->sr_matched = matched->e_dn;
}
}
rc = monitor_entry_modify( op, rs, e );
}
-#ifdef SLAP_ACL_HONOR_DISCLOSE
if ( rc != LDAP_SUCCESS ) {
if ( !access_allowed_mask( op, e, slap_schema.si_ad_entry,
NULL, ACL_DISCLOSE, NULL, NULL ) )
rc = LDAP_NO_SUCH_OBJECT;
}
}
-#endif /* SLAP_ACL_HONOR_DISCLOSE */
rs->sr_err = rc;
send_ldap_result( op, rs );
if ( e == NULL ) {
rs->sr_err = LDAP_NO_SUCH_OBJECT;
if ( matched ) {
-#ifdef SLAP_ACL_HONOR_DISCLOSE
if ( !access_allowed_mask( op, matched,
slap_schema.si_ad_entry,
NULL, ACL_DISCLOSE, NULL, NULL ) )
{
/* do nothing */ ;
- } else
-#endif /* SLAP_ACL_HONOR_DISCLOSE */
- {
+ } else {
rs->sr_matched = matched->e_dn;
}
}
{
monitor_cache_release( mi, e );
-#ifdef SLAP_ACL_HONOR_DISCLOSE
if ( !ACL_GRANT( mask, ACL_DISCLOSE ) ) {
rs->sr_err = LDAP_NO_SUCH_OBJECT;
- } else
-#endif /* SLAP_ACL_HONOR_DISCLOSE */
- {
+ } else {
rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
}
* in deleting that row.
*/
-#ifdef SLAP_ACL_HONOR_DISCLOSE
if ( e != NULL ) {
int disclose = 1;
}
}
}
-#endif /* SLAP_ACL_HONOR_DISCLOSE */
send_ldap_result( op, rs );
slap_graduate_commit_csn( op );
break;
default:
-#ifdef SLAP_ACL_HONOR_DISCLOSE
if ( !BER_BVISNULL( &e.e_nname ) &&
! access_allowed( op, &e,
slap_schema.si_ad_entry, NULL,
rs->sr_err = LDAP_NO_SUCH_OBJECT;
rs->sr_text = NULL;
}
-#endif /* SLAP_ACL_HONOR_DISCLOSE */
break;
}
}
done:;
-#ifdef SLAP_ACL_HONOR_DISCLOSE
if ( e != NULL ) {
if ( !access_allowed( op, e, slap_schema.si_ad_entry, NULL,
ACL_DISCLOSE, NULL ) )
}
}
}
-#endif /* SLAP_ACL_HONOR_DISCLOSE */
send_ldap_result( op, rs );
SQLTransact( SQL_NULL_HENV, dbh, CompletionType );
done:;
-#ifdef SLAP_ACL_HONOR_DISCLOSE
if ( e != NULL ) {
if ( !access_allowed( op, e, slap_schema.si_ad_entry, NULL,
ACL_DISCLOSE, NULL ) )
}
}
}
-#endif /* SLAP_ACL_HONOR_DISCLOSE */
send_ldap_result( op, rs );
slap_graduate_commit_csn( op );
}
done:;
-#ifdef SLAP_ACL_HONOR_DISCLOSE
if ( e != NULL ) {
if ( !access_allowed( op, e, slap_schema.si_ad_entry, NULL,
ACL_DISCLOSE, NULL ) )
}
}
}
-#endif /* SLAP_ACL_HONOR_DISCLOSE */
/*
* Commit only if all operations succeed
/* fall thru */
default:
-#ifdef SLAP_ACL_HONOR_DISCLOSE
if ( !BER_BVISNULL( &base_entry.e_nname )
&& !access_allowed( op, &base_entry,
slap_schema.si_ad_entry, NULL,
rs->sr_matched = NULL;
rs->sr_text = NULL;
}
-#endif /* SLAP_ACL_HONOR_DISCLOSE */
send_ldap_result( op, rs );
goto done;
}
-#ifdef SLAP_ACL_HONOR_DISCLOSE
/* NOTE: __NEW__ "search" access is required
* on searchBase object */
{
goto done;
}
}
-#endif /* SLAP_ACL_HONOR_DISCLOSE */
bsi.bsi_e = NULL;
be_orig = op->o_bd;
op->o_bd = frontendDB;
-#ifdef SLAP_OVERLAY_ACCESS
rc = frontendDB->be_group( op, target, gr_ndn,
op_ndn, group_oc, group_at );
-#else /* ! SLAP_OVERLAY_ACCESS */
- rc = fe_acl_group( op, target, gr_ndn,
- op_ndn, group_oc, group_at );
-#endif /* ! SLAP_OVERLAY_ACCESS */
op->o_bd = be_orig;
return rc;
be_orig = op->o_bd;
op->o_bd = frontendDB;
-#ifdef SLAP_OVERLAY_ACCESS
rc = frontendDB->be_attribute( op, target, edn,
entry_at, vals, access );
-#else /* !SLAP_OVERLAY_ACCESS */
- rc = fe_acl_attribute( op, target, edn,
- entry_at, vals, access );
-#endif /* !SLAP_OVERLAY_ACCESS */
op->o_bd = be_orig;
return rc;
return rc;
}
-#ifdef SLAP_OVERLAY_ACCESS
static int
over_access_allowed(
Operation *op,
return rc;
}
-#endif /* SLAP_OVERLAY_ACCESS */
/*
* default return code in case of missing backend function
bi->bi_chk_referrals = over_aux_chk_referrals;
bi->bi_chk_controls = over_aux_chk_controls;
-#ifdef SLAP_OVERLAY_ACCESS
/* these have specific arglists */
bi->bi_access_allowed = over_access_allowed;
bi->bi_acl_group = over_acl_group;
bi->bi_acl_attribute = over_acl_attribute;
-#endif /* SLAP_OVERLAY_ACCESS */
bi->bi_connection_init = over_connection_init;
bi->bi_connection_destroy = over_connection_destroy;
bi->bi_chk_referrals = 0;
-#ifdef SLAP_OVERLAY_ACCESS
bi->bi_access_allowed = slap_access_always_allowed;
-#endif /* SLAP_OVERLAY_ACCESS */
bi->bi_connection_init = 0;
bi->bi_connection_destroy = 0;
}
} else {
-#ifdef SLAP_ACL_HONOR_DISCLOSE
/* return error only if "disclose"
* is granted on the object */
if ( backend_access( op, NULL, &op->o_req_ndn,
{
rs->sr_err = LDAP_NO_SUCH_OBJECT;
}
-#endif /* SLAP_ACL_HONOR_DISCLOSE */
}
send_ldap_result( op, rs );
ava.aa_desc, &vals, ACL_COMPARE );
switch ( rs->sr_err ) {
default:
-#ifdef SLAP_ACL_HONOR_DISCLOSE
/* return error only if "disclose"
* is granted on the object */
if ( backend_access( op, NULL, &op->o_req_ndn,
{
rs->sr_err = LDAP_NO_SUCH_OBJECT;
}
-#endif /* SLAP_ACL_HONOR_DISCLOSE */
break;
case LDAP_SUCCESS:
}
done:
-#ifdef LDAP_ACL_HONOR_DISCLOSE
if( rc != LDAP_COMPARE_TRUE && rc != LDAP_COMPARE_FALSE ) {
if ( ! access_allowed( op, e,
slap_schema.si_ad_entry, NULL, ACL_DISCLOSE, NULL ) )
rc = LDAP_NO_SUCH_OBJECT;
}
}
-#endif
return rc;
}
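Review bot: The block after `done:` was guarded by `LDAP_ACL_HONOR_DISCLOSE`, not the `SLAP_ACL_HONOR_DISCLOSE` macro that the rest of this change removes, so it has presumably never been compiled before and becomes live for the first time here. It calls `access_allowed( op, e, ... )` without checking `e`; the deleted `access_allowed_mask` asserted `e != NULL`, and if the surviving implementation does the same, any error path that reaches `done:` with `e == NULL` would now abort instead of returning the error in `rc`. Guard it the way the other disclose checks in this change do: `if ( e != NULL && ! access_allowed( op, e, slap_schema.si_ad_entry, NULL, ACL_DISCLOSE, NULL ) )`. The enclosing function starts outside the hunk, so whether such a path exists cannot be confirmed from here.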
ad->ad_type->sat_syntax->ssyn_pretty;
if ( pretty ) {
-#ifdef SLAP_ORDERED_PRETTYNORM
rc = ordered_value_pretty( ad,
&vals[i], &pval, NULL );
-#else /* ! SLAP_ORDERED_PRETTYNORM */
- rc = pretty( ad->ad_type->sat_syntax,
- &vals[i], &pval, NULL );
-#endif /* ! SLAP_ORDERED_PRETTYNORM */
} else if ( validate ) {
/*
* validate value per syntax
*/
-#ifdef SLAP_ORDERED_PRETTYNORM
rc = ordered_value_validate( ad, &vals[i], LDAP_MOD_ADD );
-#else /* ! SLAP_ORDERED_PRETTYNORM */
- rc = validate( ad->ad_type->sat_syntax, &vals[i] );
-#endif /* ! SLAP_ORDERED_PRETTYNORM */
} else {
Debug( LDAP_DEBUG_ANY,
if ( ad->ad_type->sat_equality &&
ad->ad_type->sat_equality->smr_normalize )
{
-#ifdef SLAP_ORDERED_PRETTYNORM
rc = ordered_value_normalize(
SLAP_MR_VALUE_OF_ATTRIBUTE_SYNTAX,
ad,
ad->ad_type->sat_equality,
&vals[i], &nvals[i], NULL );
-#else /* ! SLAP_ORDERED_PRETTYNORM */
- rc = ad->ad_type->sat_equality->smr_normalize(
- SLAP_MR_VALUE_OF_ATTRIBUTE_SYNTAX,
- ad->ad_type->sat_syntax,
- ad->ad_type->sat_equality,
- &vals[i], &nvals[i], NULL );
-#endif /* ! SLAP_ORDERED_PRETTYNORM */
if ( rc ) {
Debug( LDAP_DEBUG_ANY,
frontendDB->bd_info->bi_entry_get_rw = fe_entry_get_rw;
frontendDB->bd_info->bi_entry_release_rw = fe_entry_release_rw;
#endif
-#ifdef SLAP_OVERLAY_ACCESS
frontendDB->bd_info->bi_access_allowed = fe_access_allowed;
frontendDB->bd_info->bi_acl_group = fe_acl_group;
frontendDB->bd_info->bi_acl_attribute = fe_acl_attribute;
-#endif /* SLAP_OVERLAY_ACCESS */
#if 0
/* FIXME: is this too early? */
struct berval pval;
if ( pretty ) {
-#ifdef SLAP_ORDERED_PRETTYNORM
rc = ordered_value_pretty( ad,
&ml->sml_values[nvals], &pval, ctx );
-#else /* ! SLAP_ORDERED_PRETTYNORM */
- rc = pretty( ad->ad_type->sat_syntax,
- &ml->sml_values[nvals], &pval, ctx );
-#endif /* ! SLAP_ORDERED_PRETTYNORM */
} else {
-#ifdef SLAP_ORDERED_PRETTYNORM
rc = ordered_value_validate( ad,
&ml->sml_values[nvals], ml->sml_op );
-#else /* ! SLAP_ORDERED_PRETTYNORM */
- rc = validate( ad->ad_type->sat_syntax,
- &ml->sml_values[nvals] );
-#endif /* ! SLAP_ORDERED_PRETTYNORM */
}
if( rc != 0 ) {
(nvals+1)*sizeof(struct berval), ctx );
for ( nvals = 0; !BER_BVISNULL( &ml->sml_values[nvals] ); nvals++ ) {
-#ifdef SLAP_ORDERED_PRETTYNORM
rc = ordered_value_normalize(
SLAP_MR_VALUE_OF_ATTRIBUTE_SYNTAX,
ad,
ad->ad_type->sat_equality,
&ml->sml_values[nvals], &ml->sml_nvalues[nvals], ctx );
-#else /* ! SLAP_ORDERED_PRETTYNORM */
- rc = ad->ad_type->sat_equality->smr_normalize(
- SLAP_MR_VALUE_OF_ATTRIBUTE_SYNTAX,
- ad->ad_type->sat_syntax,
- ad->ad_type->sat_equality,
- &ml->sml_values[nvals], &ml->sml_nvalues[nvals], ctx );
-#endif /* ! SLAP_ORDERED_PRETTYNORM */
if ( rc ) {
Debug( LDAP_DEBUG_ANY,
"<= str2entry NULL (ssyn_normalize %d)\n",
slap_schema.si_oc_dynamicObject, NULL, 0, &e );
if ( rc == LDAP_SUCCESS && e != NULL ) {
if ( !is_dynamicObject ) {
-#ifdef SLAP_ACL_HONOR_DISCLOSE
/* return referral only if "disclose"
* is granted on the object */
if ( ! access_allowed( op, e,
rc = rs->sr_err = LDAP_NO_SUCH_OBJECT;
send_ldap_result( op, rs );
- } else
-#endif /* SLAP_ACL_HONOR_DISCLOSE */
- {
+ } else {
rc = rs->sr_err = LDAP_CONSTRAINT_VIOLATION;
send_ldap_error( op, rs, rc, "no static subordinate entries allowed for dynamicObject" );
}
if ( BER_BVISEMPTY( &bv_entryTtl )
|| !bvmatch( &bv_entryTtl, &mod->sml_values[ 0 ] ) )
{
-#ifdef SLAP_ACL_HONOR_DISCLOSE
rs->sr_err = backend_attribute( op, NULL, &op->o_req_ndn,
slap_schema.si_ad_entry, NULL, ACL_DISCLOSE );
if ( rs->sr_err == LDAP_INSUFFICIENT_ACCESS ) {
rs->sr_err = LDAP_NO_SUCH_OBJECT;
- } else
-#endif /* SLAP_ACL_HONOR_DISCLOSE */
- {
+ } else {
rs->sr_err = LDAP_NO_SUCH_ATTRIBUTE;
}
goto done;
assert( BER_BVISNULL( &mod->sml_values[ 1 ] ) );
if ( !BER_BVISEMPTY( &bv_entryTtl ) ) {
-#ifdef SLAP_ACL_HONOR_DISCLOSE
rs->sr_err = backend_attribute( op, NULL, &op->o_req_ndn,
slap_schema.si_ad_entry, NULL, ACL_DISCLOSE );
if ( rs->sr_err == LDAP_INSUFFICIENT_ACCESS ) {
rs->sr_err = LDAP_NO_SUCH_OBJECT;
- } else
-#endif /* SLAP_ACL_HONOR_DISCLOSE */
- {
+ } else {
rs->sr_text = "attribute 'entryTtl' cannot have multiple values";
rs->sr_err = LDAP_CONSTRAINT_VIOLATION;
}
case LDAP_MOD_INCREMENT:
if ( BER_BVISEMPTY( &bv_entryTtl ) ) {
-#ifdef SLAP_ACL_HONOR_DISCLOSE
rs->sr_err = backend_attribute( op, NULL, &op->o_req_ndn,
slap_schema.si_ad_entry, NULL, ACL_DISCLOSE );
if ( rs->sr_err == LDAP_INSUFFICIENT_ACCESS ) {
rs->sr_err = LDAP_NO_SUCH_OBJECT;
- } else
-#endif /* SLAP_ACL_HONOR_DISCLOSE */
- {
+ } else {
rs->sr_err = LDAP_NO_SUCH_ATTRIBUTE;
rs->sr_text = "modify/increment: entryTtl: no such attribute";
}
}
if ( rs->sr_err != LDAP_SUCCESS ) {
-#ifdef SLAP_ACL_HONOR_DISCLOSE
rc = backend_attribute( op, NULL, &op->o_req_ndn,
slap_schema.si_ad_entry, NULL, ACL_DISCLOSE );
if ( rc == LDAP_INSUFFICIENT_ACCESS ) {
rs->sr_err = LDAP_NO_SUCH_OBJECT;
}
-#endif /* SLAP_ACL_HONOR_DISCLOSE */
goto done;
}
rs->sr_err = LDAP_OBJECT_CLASS_VIOLATION;
}
-#ifdef SLAP_ACL_HONOR_DISCLOSE
if ( rc != LDAP_SUCCESS ) {
rc = backend_attribute( op, NULL, &op->o_req_ndn,
slap_schema.si_ad_entry, NULL, ACL_DISCLOSE );
rs->sr_err = LDAP_NO_SUCH_OBJECT;
}
}
-#endif /* SLAP_ACL_HONOR_DISCLOSE */
}
}
slap_schema.si_oc_dynamicObject, NULL, 0, &e );
if ( rc == LDAP_SUCCESS && e != NULL ) {
if ( !is_dynamicObject ) {
-#ifdef SLAP_ACL_HONOR_DISCLOSE
/* return referral only if "disclose"
* is granted on the object */
if ( ! access_allowed( op, e,
rs->sr_err = LDAP_NO_SUCH_OBJECT;
send_ldap_result( op, rs );
- } else
-#endif /* SLAP_ACL_HONOR_DISCLOSE */
- {
+ } else {
send_ldap_error( op, rs, LDAP_CONSTRAINT_VIOLATION,
"static entry cannot have dynamicObject as newSuperior" );
}
rs->sr_err = be_entry_get_rw( op, &op->o_req_ndn,
NULL, NULL, 0, &e );
if ( rs->sr_err == LDAP_SUCCESS && e != NULL ) {
-#ifdef SLAP_ACL_HONOR_DISCLOSE
/* return referral only if "disclose"
* is granted on the object */
if ( ! access_allowed( op, e,
{
rs->sr_err = LDAP_NO_SUCH_OBJECT;
- } else
-#endif /* SLAP_ACL_HONOR_DISCLOSE */
- {
+ } else {
rs->sr_err = LDAP_OBJECT_CLASS_VIOLATION;
rs->sr_text = "refresh operation only applies to dynamic objects";
}
AccessControlState *state,
slap_mask_t *mask ));
#define access_allowed(op,e,desc,val,access,state) access_allowed_mask(op,e,desc,val,access,state,NULL)
-#ifdef SLAP_OVERLAY_ACCESS
LDAP_SLAPD_F (int) slap_access_allowed LDAP_P((
Operation *op,
Entry *e,
slap_access_t access,
AccessControlState *state,
slap_mask_t *maskp ));
-#endif /* SLAP_OVERLAY_ACCESS */
LDAP_SLAPD_F (int) acl_check_modlist LDAP_P((
Operation *op, Entry *e, Modifications *ml ));
int argc,
char **argv ));
#endif /* SLAP_AUTH_REWRITE */
-#ifdef SLAP_AUTHZ_SYNTAX
LDAP_SLAPD_F (int) authzValidate LDAP_P((
Syntax *syn, struct berval *in ));
#if 0
struct berval *val,
struct berval *normalized,
void *ctx ));
-#endif /* SLAP_AUTHZ_SYNTAX */
/*
* schema.c
return LDAP_SUCCESS;
}
-#ifdef SLAP_AUTHZ_SYNTAX
int
authzValidate(
Syntax *syntax,
return rc;
}
-#endif /* SLAP_AUTHZ_SYNTAX */
static int
slap_parseURI(
int rc;
LDAPURLDesc *ludp;
-#ifdef SLAP_ORDERED_PRETTYNORM
struct berval idx;
-#endif /* SLAP_ORDERED_PRETTYNORM */
assert( uri != NULL && !BER_BVISNULL( uri ) );
BER_BVZERO( base );
rc = LDAP_PROTOCOL_ERROR;
-#ifdef SLAP_ORDERED_PRETTYNORM
idx = *uri;
if ( idx.bv_val[ 0 ] == '{' ) {
char *ptr;
idx.bv_val = ptr;
uri = &idx;
}
-#endif /* SLAP_ORDERED_PRETTYNORM */
/*
* dn[.<dnstyle>]:<dnpattern>
/* NOTE: don't normalize rule if authz syntax is enabled */
rc = slap_parseURI( opx, rule, &base, &op.o_req_ndn,
- &op.ors_scope, &op.ors_filter, &op.ors_filterstr,
-#ifdef SLAP_AUTHZ_SYNTAX
- 0
-#else /* ! SLAP_AUTHZ_SYNTAX */
- 1
-#endif /* ! SLAP_AUTHZ_SYNTAX */
- );
+ &op.ors_scope, &op.ors_filter, &op.ors_filterstr, 0 );
if( rc != LDAP_SUCCESS ) goto CONCLUDED;
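Review bot: The comment `/* NOTE: don't normalize rule if authz syntax is enabled */` above the `slap_parseURI` call still describes the removed `#ifdef SLAP_AUTHZ_SYNTAX` selection, while the call now always passes `0` as the normalize argument. Suggest `/* NOTE: the rule is never normalized here; the authz syntax is responsible for that */`, which is what the original comment implies but should be confirmed against the authz normalizer. The enclosing function starts and ends outside this hunk.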
#define csnIndexer generalizedTimeIndexer
#define csnFilter generalizedTimeFilter
-#ifdef SLAP_AUTHZ_SYNTAX
/* FIXME: temporary */
#define authzMatch octetStringMatch
-#endif /* SLAP_AUTHZ_SYNTAX */
unsigned int index_substr_if_minlen = SLAP_INDEX_SUBSTR_IF_MINLEN_DEFAULT;
unsigned int index_substr_if_maxlen = SLAP_INDEX_SUBSTR_IF_MAXLEN_DEFAULT;
{"( 1.3.6.1.4.1.4203.1.1.1 DESC 'OpenLDAP void' )" ,
SLAP_SYNTAX_HIDE, inValidate, NULL},
-#ifdef SLAP_AUTHZ_SYNTAX
/* FIXME: OID is unused, but not registered yet */
{"( 1.3.6.1.4.1.4203.666.2.7 DESC 'OpenLDAP authz' )",
SLAP_SYNTAX_HIDE, authzValidate, authzPretty},
-#endif /* SLAP_AUTHZ_SYNTAX */
{NULL, 0, NULL, NULL}
};
NULL, NULL,
"CSNMatch" },
-#ifdef SLAP_AUTHZ_SYNTAX
/* FIXME: OID is unused, but not registered yet */
{"( 1.3.6.1.4.1.4203.666.4.12 NAME 'authzMatch' "
"SYNTAX 1.3.6.1.4.1.4203.666.2.7 )",
NULL, authzNormalize, authzMatch,
NULL, NULL,
NULL},
-#endif /* SLAP_AUTHZ_SYNTAX */
{NULL, SLAP_MR_NONE, NULL,
NULL, NULL, NULL, NULL, NULL,
{ "authzTo", "( 1.3.6.1.4.1.4203.666.1.8 "
"NAME ( 'authzTo' 'saslAuthzTo' ) "
"DESC 'proxy authorization targets' "
-#ifdef SLAP_AUTHZ_SYNTAX
"EQUALITY authzMatch "
"SYNTAX 1.3.6.1.4.1.4203.666.2.7 "
-#else /* ! SLAP_AUTHZ_SYNTAX */
- "EQUALITY caseExactMatch "
- "SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 "
-#endif /* ! SLAP_AUTHZ_SYNTAX */
-#ifdef SLAP_ORDERED_PRETTYNORM
"X-ORDERED 'VALUES' "
-#endif /* SLAP_ORDERED_PRETTYNORM */
"USAGE distributedOperation )",
NULL, SLAP_AT_HIDE,
NULL, NULL,
{ "authzFrom", "( 1.3.6.1.4.1.4203.666.1.9 "
"NAME ( 'authzFrom' 'saslAuthzFrom' ) "
"DESC 'proxy authorization sources' "
-#ifdef SLAP_AUTHZ_SYNTAX
"EQUALITY authzMatch "
"SYNTAX 1.3.6.1.4.1.4203.666.2.7 "
-#else /* ! SLAP_AUTHZ_SYNTAX */
- "EQUALITY caseExactMatch "
- "SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 "
-#endif /* ! SLAP_AUTHZ_SYNTAX */
-#ifdef SLAP_ORDERED_PRETTYNORM
"X-ORDERED 'VALUES' "
-#endif /* SLAP_ORDERED_PRETTYNORM */
"USAGE distributedOperation )",
NULL, SLAP_AT_HIDE,
NULL, NULL,
#define SLAP_SEM_LOAD_CONTROL
#endif
-#define SLAP_ACL_HONOR_DISCLOSE /* partially implemented */
-#define SLAP_ACL_HONOR_MANAGE /* not yet implemented */
-#define SLAP_OVERLAY_ACCESS
+#ifdef LDAP_DEVEL
+#define LDAP_COLLECTIVE_ATTRIBUTES
#define LDAP_COMP_MATCH
-#define LDAP_DYNAMIC_OBJECTS
#define LDAP_SYNC_TIMESTAMP
-#define LDAP_COLLECTIVE_ATTRIBUTES
-#define SLAP_CONTROL_X_TREE_DELETE LDAP_CONTROL_X_TREE_DELETE
+#endif
-#define SLAP_ORDERED_PRETTYNORM
-#define SLAP_AUTHZ_SYNTAX
+#define LDAP_DYNAMIC_OBJECTS
+#define SLAP_CONTROL_X_TREE_DELETE LDAP_CONTROL_X_TREE_DELETE
#ifdef ENABLE_REWRITE
#define SLAP_AUTH_REWRITE 1 /* use librewrite for sasl-regexp */
#endif
-#if defined(LDAP_SLAPI) && !defined(SLAP_OVERLAY_ACCESS)
-#define SLAP_OVERLAY_ACCESS
-#endif
-
/*
* SLAPD Memory allocation macros
*
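Review bot: Dropping `#define SLAP_ACL_HONOR_DISCLOSE /* partially implemented */` and `#define SLAP_ACL_HONOR_MANAGE /* not yet implemented */` also drops the only place that recorded those caveats, while the rest of this change makes every disclose check unconditional; a one-line comment next to the remaining feature defines, such as `/* ACL "disclose"/"manage" privileges and overlay-based access control are always enabled (former SLAP_ACL_HONOR_DISCLOSE, SLAP_ACL_HONOR_MANAGE, SLAP_OVERLAY_ACCESS) */`, would keep that status visible to anyone auditing the ACL code. Separately, `LDAP_COMP_MATCH` and `LDAP_SYNC_TIMESTAMP` were previously defined unconditionally and are now only defined inside the new `#ifdef LDAP_DEVEL` block, so non-devel builds lose them; if that is intended it deserves a mention, and if not, move those two defines out of the `LDAP_DEVEL` block.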
typedef int (BI_operational) LDAP_P(( struct slap_op *op, struct slap_rep *rs ));
typedef int (BI_has_subordinates) LDAP_P(( struct slap_op *op,
Entry *e, int *hasSubs ));
-#ifdef SLAP_OVERLAY_ACCESS
typedef int (BI_access_allowed) LDAP_P(( struct slap_op *op, Entry *e,
AttributeDescription *desc, struct berval *val, slap_access_t access,
AccessControlState *state, slap_mask_t *maskp ));
typedef int (BI_acl_attribute) LDAP_P(( struct slap_op *op, Entry *target,
struct berval *entry_ndn, AttributeDescription *entry_at,
BerVarray *vals, slap_access_t access ));
-#endif /* SLAP_OVERLAY_ACCESS */
typedef int (BI_conn_func) LDAP_P(( BackendDB *bd, struct slap_conn *c ));
typedef BI_conn_func BI_connection_init;
BI_entry_release_rw *bi_entry_release_rw;
BI_has_subordinates *bi_has_subordinates;
-#ifdef SLAP_OVERLAY_ACCESS
BI_access_allowed *bi_access_allowed;
BI_acl_group *bi_acl_group;
BI_acl_attribute *bi_acl_attribute;
-#endif /* SLAP_OVERLAY_ACCESS */
BI_connection_init *bi_connection_init;
BI_connection_destroy *bi_connection_destroy;