From 7c52060c6723c244806d6c112149d82d4f0bb5e5 Mon Sep 17 00:00:00 2001 From: Stuart Lynne Date: Tue, 27 Oct 1998 02:07:12 +0000 Subject: [PATCH] 1. extend aclgroup's to be able to specify objectClassValue and groupAttrName 2. update print_acl() a bit and call it during aclparse if LDAP_DEBUG_ACL --- servers/slapd/acl.c | 7 +--- servers/slapd/aclparse.c | 68 ++++++++++++++++++++++++++------- servers/slapd/back-ldbm/group.c | 31 ++++++++------- servers/slapd/backend.c | 4 +- servers/slapd/filter.c | 26 ++++++------- servers/slapd/slap.h | 4 +- 6 files changed, 91 insertions(+), 49 deletions(-) diff --git a/servers/slapd/acl.c b/servers/slapd/acl.c index 15d02dfd52..a9fcc6a120 100644 --- a/servers/slapd/acl.c +++ b/servers/slapd/acl.c @@ -368,15 +368,10 @@ acl_access_allowed( * entry with objectclass group* and we test to see if odn is one of * the values in the attribute group */ - Debug( LDAP_DEBUG_ARGS, "<= check a_group: %s\n", - b->a_group, 0, 0); - Debug( LDAP_DEBUG_ARGS, "<= check a_group: odn: %s\n", - odn, 0, 0); - /* see if asker is listed in dnattr */ string_expand(buf, sizeof(buf), b->a_group, edn, matches); - if (be_group(be, buf, odn) == 0) { + if (be_group(be, buf, odn, b->a_objectclassvalue, b->a_groupattrname) == 0) { Debug( LDAP_DEBUG_ACL, "<= acl_access_allowed: matched by clause #%d (group) access granted\n", i, 0, 0 ); diff --git a/servers/slapd/aclparse.c b/servers/slapd/aclparse.c index 4e92136f92..e52cbde410 100644 --- a/servers/slapd/aclparse.c +++ b/servers/slapd/aclparse.c @@ -210,8 +210,36 @@ parse_acl( #ifdef SLAPD_ACLGROUPS } else if ( strcasecmp( left, "group" ) == 0 ) { + char *name = NULL; + char *value = NULL; regtest(fname, lineno, right); + + /* format of string is "group/objectClassValue/groupAttrName" + */ + if ((value = strchr(right, '/')) != NULL) { + *value++ = '\0'; + if (value && *value && (name = strchr(value, '/')) != NULL) + *name++ = '\0'; + } + b->a_group = dn_upcase(strdup( right )); + + if (value && *value) { + b->a_objectclassvalue = strdup(value); + *--value = '/'; + } + else + b->a_objectclassvalue = strdup("groupOfNames"); + + if (name && *name) { + b->a_groupattrname = strdup(name); + *--name = '/'; + } + else + b->a_groupattrname = strdup("member"); + + + #endif /* SLAPD_ACLGROUPS */ } else if ( strcasecmp( left, "domain" ) == 0 ) { char *s; @@ -264,6 +292,10 @@ parse_acl( fname, lineno ); } else { + + if (ldap_debug&LDAP_DEBUG_ACL) + print_acl(a); + if ( a->acl_access == NULL ) { fprintf( stderr, @@ -386,15 +418,22 @@ print_access( struct access *b ) { printf( "\tby" ); if ( b->a_dnpat != NULL ) { - printf( " dn=%s", b->a_dnpat ); + fprintf( stderr, " dn=%s", b->a_dnpat ); } else if ( b->a_addrpat != NULL ) { - printf( " addr=%s", b->a_addrpat ); + fprintf( stderr, " addr=%s", b->a_addrpat ); } else if ( b->a_domainpat != NULL ) { - printf( " domain=%s", b->a_domainpat ); + fprintf( stderr, " domain=%s", b->a_domainpat ); } else if ( b->a_dnattr != NULL ) { - printf( " dnattr=%s", b->a_dnattr ); + fprintf( stderr, " dnattr=%s", b->a_dnattr ); } - printf( " %s\n", access2str( b->a_access ) ); + else if ( b->a_group != NULL ) { + fprintf( stderr, " group: %s", b->a_group ); + if ( b->a_objectclassvalue ) + fprintf( stderr, " objectClassValue: %s", b->a_objectclassvalue ); + if ( b->a_groupattrname ) + fprintf( stderr, " groupAttrName: %s", b->a_groupattrname ); + } + fprintf( stderr, "\n" ); } static void @@ -404,33 +443,34 @@ print_acl( struct acl *a ) struct access *b; if ( a == NULL ) { - printf( "NULL\n" ); + fprintf( stderr, "NULL\n" ); } - printf( "access to" ); + fprintf( stderr, "ACL: access to" ); if ( a->acl_filter != NULL ) { - printf( " filter=" ); + fprintf( stderr," filter=" ); filter_print( a->acl_filter ); } if ( a->acl_dnpat != NULL ) { - printf( " dn=" ); - printf( a->acl_dnpat ); + fprintf( stderr, " dn=" ); + fprintf( stderr, a->acl_dnpat ); } if ( a->acl_attrs != NULL ) { int first = 1; - printf( " attrs=" ); + fprintf( stderr, "\n attrs=" ); for ( i = 0; a->acl_attrs[i] != NULL; i++ ) { if ( ! first ) { - printf( "," ); + fprintf( stderr, "," ); } - printf( a->acl_attrs[i] ); + fprintf( stderr, a->acl_attrs[i] ); first = 0; } } - printf( "\n" ); + fprintf( stderr, "\n" ); for ( b = a->acl_access; b != NULL; b = b->a_next ) { print_access( b ); } + fprintf( stderr, "\n" ); } #endif /* LDAP_DEBUG */ diff --git a/servers/slapd/back-ldbm/group.c b/servers/slapd/back-ldbm/group.c index 5cbebd1b0e..42a16e4e42 100644 --- a/servers/slapd/back-ldbm/group.c +++ b/servers/slapd/back-ldbm/group.c @@ -15,7 +15,7 @@ extern Attribute *attr_find(); #ifdef SLAPD_ACLGROUPS -/* return 0 IFF edn is a value in uniqueMember attribute +/* return 0 IFF edn is a value in member attribute * of entry with bdn AND that entry has an objectClass * value of groupOfNames */ @@ -23,7 +23,9 @@ int ldbm_back_group( Backend *be, char *bdn, - char *edn + char *edn, + char *objectclassValue, + char *groupattrName ) { struct ldbminfo *li = (struct ldbminfo *) be->be_private; @@ -35,6 +37,8 @@ ldbm_back_group( Debug( LDAP_DEBUG_TRACE, "=> ldbm_back_group: bdn: %s\n", bdn, 0, 0 ); Debug( LDAP_DEBUG_TRACE, "=> ldbm_back_group: edn: %s\n", edn, 0, 0 ); + Debug( LDAP_DEBUG_TRACE, "=> ldbm_back_group: objectClass: %s attrName: %s\n", + objectclassValue, groupattrName, 0 ); /* can we find bdn entry with reader lock */ if ((e = dn2entry_r(be, bdn, &matched )) == NULL) { @@ -56,32 +60,33 @@ ldbm_back_group( if ((objectClass = attr_find(e->e_attrs, "objectclass")) == NULL) { Debug( LDAP_DEBUG_TRACE, "<= ldbm_back_group: failed to find objectClass\n", 0, 0, 0 ); } - else if ((member = attr_find(e->e_attrs, "member")) == NULL) { - Debug( LDAP_DEBUG_TRACE, "<= ldbm_back_group: failed to find member\n", 0, 0, 0 ); + else if ((member = attr_find(e->e_attrs, groupattrName)) == NULL) { + Debug( LDAP_DEBUG_TRACE, "<= ldbm_back_group: failed to find %s\n", groupattrName, 0, 0 ); } else { struct berval bvObjectClass; struct berval bvMembers; - Debug( LDAP_DEBUG_ARGS, "<= ldbm_back_group: found objectClass and members\n", 0, 0, 0 ); + Debug( LDAP_DEBUG_ARGS, "<= ldbm_back_group: found objectClass and %s\n", groupattrName, 0, 0 ); - bvObjectClass.bv_val = "groupofnames"; + bvObjectClass.bv_val = objectclassValue; bvObjectClass.bv_len = strlen( bvObjectClass.bv_val ); + bvMembers.bv_val = edn; bvMembers.bv_len = strlen( edn ); if (value_find(objectClass->a_vals, &bvObjectClass, SYNTAX_CIS, 1) != 0) { Debug( LDAP_DEBUG_TRACE, - "<= ldbm_back_group: failed to find objectClass in groupOfNames\n", - 0, 0, 0 ); + "<= ldbm_back_group: failed to find %s in objectClass\n", + objectclassValue, 0, 0 ); } else if (value_find(member->a_vals, &bvMembers, SYNTAX_CIS, 1) != 0) { - Debug( LDAP_DEBUG_ACL, "<= ldbm_back_group: %s not in %s: groupOfNames\n", - edn, bdn, 0 ); + Debug( LDAP_DEBUG_ACL, "<= ldbm_back_group: %s not in %s: %s\n", + edn, bdn, groupattrName ); } else { - Debug( LDAP_DEBUG_ACL, "<= ldbm_back_group: %s is in %s: groupOfNames\n", - edn, bdn, 0 ); + Debug( LDAP_DEBUG_ACL, "<= ldbm_back_group: %s is in %s: %s\n", + edn, bdn, groupattrName ); rc = 0; } } @@ -91,5 +96,5 @@ ldbm_back_group( Debug( LDAP_DEBUG_ARGS, "ldbm_back_group: rc: %d\n", rc, 0, 0 ); return(rc); } -#endif +#endif /* SLAPD_ACLGROUPS */ diff --git a/servers/slapd/backend.c b/servers/slapd/backend.c index eab281a624..39fdd279d4 100644 --- a/servers/slapd/backend.c +++ b/servers/slapd/backend.c @@ -282,10 +282,10 @@ be_unbind( #ifdef SLAPD_ACLGROUPS int -be_group(Backend *be, char *bdn, char *edn) +be_group(Backend *be, char *bdn, char *edn, char *objectclassValue, char *groupattrName) { if (be->be_group) - return(be->be_group(be, bdn, edn)); + return(be->be_group(be, bdn, edn, objectclassValue, groupattrName)); else return(1); } diff --git a/servers/slapd/filter.c b/servers/slapd/filter.c index be8a8ea242..f408e68383 100644 --- a/servers/slapd/filter.c +++ b/servers/slapd/filter.c @@ -391,63 +391,63 @@ filter_print( Filter *f ) Filter *p; if ( f == NULL ) { - printf( "NULL" ); + fprintf( stderr, "NULL" ); } switch ( f->f_choice ) { case LDAP_FILTER_EQUALITY: - printf( "(%s=%s)", f->f_ava.ava_type, + fprintf( stderr, "(%s=%s)", f->f_ava.ava_type, f->f_ava.ava_value.bv_val ); break; case LDAP_FILTER_GE: - printf( "(%s>=%s)", f->f_ava.ava_type, + fprintf( stderr, "(%s>=%s)", f->f_ava.ava_type, f->f_ava.ava_value.bv_val ); break; case LDAP_FILTER_LE: - printf( "(%s<=%s)", f->f_ava.ava_type, + fprintf( stderr, "(%s<=%s)", f->f_ava.ava_type, f->f_ava.ava_value.bv_val ); break; case LDAP_FILTER_APPROX: - printf( "(%s~=%s)", f->f_ava.ava_type, + fprintf( stderr, "(%s~=%s)", f->f_ava.ava_type, f->f_ava.ava_value.bv_val ); break; case LDAP_FILTER_SUBSTRINGS: - printf( "(%s=", f->f_sub_type ); + fprintf( stderr, "(%s=", f->f_sub_type ); if ( f->f_sub_initial != NULL ) { - printf( "%s", f->f_sub_initial ); + fprintf( stderr, "%s", f->f_sub_initial ); } if ( f->f_sub_any != NULL ) { for ( i = 0; f->f_sub_any[i] != NULL; i++ ) { - printf( "*%s", f->f_sub_any[i] ); + fprintf( stderr, "*%s", f->f_sub_any[i] ); } } charray_free( f->f_sub_any ); if ( f->f_sub_final != NULL ) { - printf( "*%s", f->f_sub_final ); + fprintf( stderr, "*%s", f->f_sub_final ); } break; case LDAP_FILTER_PRESENT: - printf( "%s=*", f->f_type ); + fprintf( stderr, "%s=*", f->f_type ); break; case LDAP_FILTER_AND: case LDAP_FILTER_OR: case LDAP_FILTER_NOT: - printf( "(%c", f->f_choice == LDAP_FILTER_AND ? '&' : + fprintf( stderr, "(%c", f->f_choice == LDAP_FILTER_AND ? '&' : f->f_choice == LDAP_FILTER_OR ? '|' : '!' ); for ( p = f->f_list; p != NULL; p = p->f_next ) { filter_print( p ); } - printf( ")" ); + fprintf( stderr, ")" ); break; default: - printf( "unknown type %d", f->f_choice ); + fprintf( stderr, "unknown type %d", f->f_choice ); break; } } diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h index f8cba4ce1d..7e2ea45014 100644 --- a/servers/slapd/slap.h +++ b/servers/slapd/slap.h @@ -144,7 +144,9 @@ struct access { long a_access; #ifdef SLAPD_ACLGROUPS - char *a_group; + char *a_group; + char *a_objectclassvalue; + char *a_groupattrname; #endif #define ACL_NONE 0x01 -- 2.39.5