From 549c89f8176c3e5ef3bf02851d569b5bb4db7878 Mon Sep 17 00:00:00 2001 From: Kurt Zeilenga Date: Sun, 4 Jul 1999 19:53:00 +0000 Subject: [PATCH] Regarding previous commit: Fix broken ACL macros. Fix o_dn/o_ndn == NULL vs "". --- servers/slapd/acl.c | 14 +++++++++++++- servers/slapd/aclparse.c | 14 +++++++++++--- servers/slapd/bind.c | 12 ++++++------ servers/slapd/config.c | 10 ++++++---- servers/slapd/slap.h | 38 +++++++++++++++++++------------------- 5 files changed, 55 insertions(+), 33 deletions(-) diff --git a/servers/slapd/acl.c b/servers/slapd/acl.c index 85cdda5515..7b52efc315 100644 --- a/servers/slapd/acl.c +++ b/servers/slapd/acl.c @@ -260,7 +260,17 @@ acl_access_allowed( * user is bound as somebody in the same namespace as * the entry, OR the given dn matches the dn pattern */ - if ( strcasecmp( b->a_dnpat, "self" ) == 0 && + if ( strcasecmp( b->a_dnpat, "anonymous" ) == 0 && + (op->o_ndn == NULL || *(op->o_ndn) == '\0' ) ) + { + Debug( LDAP_DEBUG_ACL, + "<= acl_access_allowed: matched by clause #%d access %s\n", + i, ACL_GRANT(b->a_access, access) + ? "granted" : "denied", 0 ); + + return ACL_GRANT(b->a_access, access ); + + } else if ( strcasecmp( b->a_dnpat, "self" ) == 0 && op->o_ndn != NULL && *(op->o_ndn) && e->e_dn != NULL ) { if ( strcmp( edn, op->o_ndn ) == 0 ) { @@ -512,6 +522,8 @@ regex_matches( char newbuf[512]; int rc; + if(str == NULL) str = ""; + string_expand(newbuf, sizeof(newbuf), pat, buf, matches); if (( rc = regcomp(&re, newbuf, REG_EXTENDED|REG_ICASE))) { char error[512]; diff --git a/servers/slapd/aclparse.c b/servers/slapd/aclparse.c index 65d0450317..b2588e287d 100644 --- a/servers/slapd/aclparse.c +++ b/servers/slapd/aclparse.c 
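Review bot: The new `anonymous` test in acl_access_allowed keys on the literal text of `b->a_dnpat`, the same field that holds administrator-supplied DN regexes, so the keyword and a pattern cannot be told apart. When the client is bound, the first condition fails and control moves on; if the final branch (outside this hunk) is the regex match, `by anonymous` would be evaluated as the unanchored, case-insensitive regex `anonymous` and could match any bound DN containing that substring. The parse_acl and print_access hunks in aclparse.c rely on the same string convention, and print_access compares with `strcmp` where this code uses `strcasecmp`, so a rule written as `dn=Anonymous` would presumably be enforced as the keyword but printed as a pattern. I would reject the clause explicitly for bound clients, for example `} else if ( strcasecmp( b->a_dnpat, "anonymous" ) == 0 ) { continue;` ahead of the `self` test (assuming the enclosing loop iterates over clauses), or carry the keyword in a separate flag on `struct access`.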
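Review bot: The `if(str == NULL) str = "";` line added to regex_matches has no comment, and it changes what a missing subject means: NULL is now matched as the empty string, so any pattern that can match empty input (for example the `.*` that parse_acl stores for `*`) succeeds for it. A comment such as `/* no DN (anonymous): match against the empty string */` above the line would make that intent explicit for the next reader of the ACL code. regex_matches starts and ends outside the hunk, so whether other callers pass NULL for subjects other than a DN cannot be checked from here.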
@@ -194,6 +194,8 @@ parse_acl( split( argv[i], '=', &left, &right ); if ( strcasecmp( argv[i], "*" ) == 0 ) { b->a_dnpat = ch_strdup( ".*" ); + } else if ( strcasecmp( argv[i], "anonymous" ) == 0 ) { + b->a_dnpat = ch_strdup( "anonymous" ); } else if ( strcasecmp( argv[i], "self" ) == 0 ) { b->a_dnpat = ch_strdup( "self" ); } else if ( strcasecmp( left, "dn" ) == 0 ) { @@ -263,7 +265,7 @@ parse_acl( /* get */ split( argv[i], '=', &left, &right ); - if ( ACL_IS_INVALID(ACL_SET(str2access( left ),b->a_access)) ) { + if ( ACL_IS_INVALID(ACL_SET(b->a_access,str2access( left ))) ) { fprintf( stderr, "%s: line %d: expecting got \"%s\"\n", fname, lineno, left ); @@ -379,7 +381,7 @@ acl_usage( void ) " ::= * | [dn=] [filter=] [attrs=]\n" " ::= | , \n" " ::= | entry | children\n" - " ::= * | self | dn= | addr=\n" + " ::= * | anonymous | self | dn= | addr=\n" "\t| domain= | dnattr=\n" #ifdef SLAPD_ACLGROUPS "\t| group[/[/]]=\n" @@ -433,7 +435,13 @@ print_access( struct access *b ) fprintf( stderr, "\tby" ); if ( b->a_dnpat != NULL ) { - fprintf( stderr, " dn=%s", b->a_dnpat ); + if( strcmp(b->a_dnpat, "anonymous") == 0 ) { + fprintf( stderr, " anonymous" ); + } else if( strcmp(b->a_dnpat, "self") == 0 ) { + fprintf( stderr, " self" ); + } else { + fprintf( stderr, " dn=%s", b->a_dnpat ); + } } else if ( b->a_addrpat != NULL ) { fprintf( stderr, " addr=%s", b->a_addrpat ); } else if ( b->a_domainpat != NULL ) { diff --git a/servers/slapd/bind.c b/servers/slapd/bind.c index 9d721a71e0..28133792e3 100644 --- a/servers/slapd/bind.c +++ b/servers/slapd/bind.c @@ -69,14 +69,14 @@ do_bind( ldap_pvt_thread_mutex_unlock( &conn->c_mutex ); - if ( op->o_ndn != NULL ) { - free( op->o_ndn ); - op->o_ndn = NULL; - } - if ( op->o_dn != NULL ) { free( op->o_dn ); - op->o_dn = NULL; + op->o_dn = ch_strdup( "" ); + } + + if ( op->o_ndn != NULL ) { + free( op->o_ndn ); + op->o_ndn = ch_strdup( "" ); } /* 
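Review bot: `ACL_IS_INVALID(ACL_SET(b->a_access,str2access( left )))` in parse_acl validates the level by first OR-ing it into the stored value, since slap.h defines `ACL_SET(a,lvl)` as `((a) |= (lvl))`. Bits already present in the target survive, and because `ACL_GRANT` compares `ACL_PRIV(a) >= (lvl)`, OR-ing a lower level into a higher one cannot reduce the access that is granted. The two `defaultaccess` sites in the config.c hunk use the same form on `global_default_access` and `be->be_dfltaccess`; if those start out non-zero (their initial values are not visible here), a more restrictive setting would not take effect. Parsing into a temporary and assigning keeps the check free of side effects: `int lvl = str2access( left );`, then `if ( ACL_IS_INVALID( lvl ) ) { ... }`, then `b->a_access = lvl;`.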
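Review bot: The `ch_strdup( "" )` replacement in do_bind only happens when the pointer was already non-NULL, so an operation that arrives with `op->o_dn` or `op->o_ndn` set to NULL still leaves with NULL. Both representations of "not bound" therefore remain possible, and every access check has to test for both, as the acl.c hunk does with `op->o_ndn == NULL || *(op->o_ndn) == '\0'`. Since `free(NULL)` is a no-op, the guards can be dropped so the fields are always a valid string: `free( op->o_dn ); op->o_dn = ch_strdup( "" );` and the same for `o_ndn`. do_bind continues outside the hunk.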
diff --git a/servers/slapd/config.c b/servers/slapd/config.c index 1dfbdf2a98..7f38737a9b 100644 --- a/servers/slapd/config.c +++ b/servers/slapd/config.c @@ -425,16 +425,18 @@ read_config( char *fname ) return( 1 ); } if ( be == NULL ) { - if ( ACL_IS_INVALID(ACL_SET(str2access(cargv[1]), - global_default_access)) ) { + if ( ACL_IS_INVALID(ACL_SET(global_default_access, + str2access(cargv[1]))) ) + { Debug( LDAP_DEBUG_ANY, "%s: line %d: bad access \"%s\" expecting [self]{none|compare|read|write}\n", fname, lineno, cargv[1] ); return( 1 ); } } else { - if ( ACL_IS_INVALID(ACL_SET(str2access(cargv[1]), - be->be_dfltaccess)) ) { + if ( ACL_IS_INVALID(ACL_SET(be->be_dfltaccess, + str2access(cargv[1]))) ) + { Debug( LDAP_DEBUG_ANY, "%s: line %d: bad access \"%s\", " "expecting [self]{none|compare|search|read|write}\n", diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h index 6d9608f8ca..85c924c82e 100644 --- a/servers/slapd/slap.h +++ b/servers/slapd/slap.h 
@@ -188,32 +188,32 @@ struct access { #define ACL_SELF 0x4000 #define ACL_INVALID -1 -#define ACL_IS(lvl,a) (((a) & (lvl)) == (lvl)) +#define ACL_IS(a,lvl) (((a) & (lvl)) == (lvl)) -#define ACL_IS_NONE(a) ACL_IS(ACL_SELF,(a)) -#define ACL_IS_AUTH(a) ACL_IS(ACL_AUTH,(a)) -#define ACL_IS_COMPARE(a) ACL_IS(ACL_COMPARE,(a)) -#define ACL_IS_SEARCH(a) ACL_IS(ACL_SEARCH,(a)) -#define ACL_IS_READ(a) ACL_IS(ACL_READ,(a)) -#define ACL_IS_WRITE(a) ACL_IS(ACL_WRITE,(a)) -#define ACL_IS_SELF(a) ACL_IS(ACL_SELF,(a)) -#define ACL_IS_INVALID(a) ACL_IS(ACL_INVALID,(a)) +#define ACL_IS_NONE(a) ACL_IS((a),ACL_SELF) +#define ACL_IS_AUTH(a) ACL_IS((a),ACL_AUTH) +#define ACL_IS_COMPARE(a) ACL_IS((a),ACL_COMPARE) +#define ACL_IS_SEARCH(a) ACL_IS((a),ACL_SEARCH) +#define ACL_IS_READ(a) ACL_IS((a),ACL_READ) +#define ACL_IS_WRITE(a) ACL_IS((a),ACL_WRITE) +#define ACL_IS_SELF(a) ACL_IS((a),ACL_SELF) +#define ACL_IS_INVALID(a) ACL_IS((a),ACL_INVALID) #define ACL_CLR(a) ((a) = 0) -#define ACL_SET(lvl,a) ((a) |= (lvl)) -#define ACL_SET_NONE(a) ACL_SET(ACL_SELF,(a)) -#define ACL_SET_AUTH(a) ACL_SET(ACL_AUTH,(a)) -#define ACL_SET_COMPARE(a) ACL_SET(ACL_COMPARE,(a)) -#define ACL_SET_SEARCH(a) ACL_SET(ACL_SEARCH,(a)) -#define ACL_SET_READ(a) ACL_SET(ACL_READ,(a)) -#define ACL_SET_WRITE(a) ACL_SET(ACL_WRITE,(a)) -#define ACL_SET_SELF(a) ACL_SET(ACL_SELF,(a)) -#define ACL_SET_INVALID(a) ACL_SET(ACL_INVALID,(a)) +#define ACL_SET(a,lvl) ((a) |= (lvl)) +#define ACL_SET_NONE(a) ACL_SET((a),ACL_SELF) +#define ACL_SET_AUTH(a) ACL_SET((a),ACL_AUTH) +#define ACL_SET_COMPARE(a) ACL_SET((a),ACL_COMPARE) +#define ACL_SET_SEARCH(a) ACL_SET((a),ACL_SEARCH) +#define ACL_SET_READ(a) ACL_SET((a),ACL_READ) +#define ACL_SET_WRITE(a) ACL_SET((a),ACL_WRITE) +#define ACL_SET_SELF(a) ACL_SET((a),ACL_SELF) +#define ACL_SET_INVALID(a) ACL_SET((a),ACL_INVALID) #define ACL_PRIV_MASK 0x00ff #define ACL_PRIV(a) ((a) & ACL_PRIV_MASK) -#define ACL_GRANT(lvl,a) (ACL_PRIV(a) >= (lvl)) +#define ACL_GRANT(a,lvl) (ACL_PRIV(a) >= 
(lvl)) #define ACL_TEST -- 2.39.5
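Review bot: `ACL_IS_NONE(a)` and `ACL_SET_NONE(a)` still expand to the `ACL_SELF` bit after the argument swap, which makes them identical to `ACL_IS_SELF` and `ACL_SET_SELF`. That looks like a copy-paste slip carried over from the old definitions: a caller testing or setting "none" would actually be touching the self flag. If an `ACL_NONE` level is defined above this hunk (not visible here), the lines should read `#define ACL_IS_NONE(a) ACL_IS((a),ACL_NONE)` and `#define ACL_SET_NONE(a) ACL_SET((a),ACL_NONE)`. Separately, the context line `#define ACL_INVALID -1` would be safer written with the value parenthesized as `(-1)`.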