From: Pierangelo Masarati Date: Sun, 7 Aug 2005 11:36:18 +0000 (+0000) Subject: ACL logging was incomplete (and misleading) X-Git-Tag: OPENLDAP_AC_BP~81 X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=c3b977b2dab74ab2a9049968973fe54ded87c493;p=openldap ACL logging was incomplete (and misleading) --- diff --git a/servers/slapd/acl.c b/servers/slapd/acl.c index a6f0a853d0..ba67c1fed4 100644 --- a/servers/slapd/acl.c +++ b/servers/slapd/acl.c @@ -1766,6 +1766,9 @@ slap_acl_mask( continue; } + Debug( LDAP_DEBUG_ACL, "<= check a_group_pat: %s\n", + b->a_group_pat.bv_val, 0, 0 ); + /* b->a_group is an unexpanded entry name, expanded it should be an * entry with objectclass group* and we test to see if odn is one of * the values in the attribute group @@ -1853,6 +1856,9 @@ slap_acl_mask( struct berval bv; char buf[ACL_BUF_SIZE]; + Debug( LDAP_DEBUG_ACL, "<= check a_set_pat: %s\n", + b->a_set_pat.bv_val, 0, 0 ); + if ( b->a_set_style == ACL_STYLE_EXPAND ) { int tmp_nmatch; regmatch_t tmp_matches[2], @@ -1955,6 +1961,9 @@ slap_acl_mask( slap_dynacl_t *da; slap_access_t tgrant, tdeny; + Debug( LDAP_DEBUG_ACL, "<= check a_dynacl\n", + 0, 0, 0 ); + /* this case works different from the others above. * since aci's themselves give permissions, we need * to first check b->a_access_mask, the ACL's access level. @@ -1978,6 +1987,9 @@ slap_acl_mask( for ( da = b->a_dynacl; da; da = da->da_next ) { slap_access_t grant, deny; + Debug( LDAP_DEBUG_ACL, " <= check a_dynacl: %s\n", + da->da_name, 0, 0 ); + (void)( *da->da_mask )( da->da_private, op, e, desc, val, nmatch, matches, &grant, &deny ); tgrant |= grant; @@ -2022,6 +2034,9 @@ slap_acl_mask( BerVarray bvals = NULL; int ret, stop; + Debug( LDAP_DEBUG_ACL, " <= check a_aci_at: %s\n", + b->a_aci_at->ad_cname.bv_val, 0, 0 ); + /* this case works different from the others above. * since aci's themselves give permissions, we need * to first check b->a_access_mask, the ACL's access level.