From 933908f72f23f9bded8df99fa29ac39ded3435ab Mon Sep 17 00:00:00 2001 From: Kurt Zeilenga Date: Wed, 21 Jul 1999 20:54:23 +0000 Subject: [PATCH] ACL CHANGES: by changed to by + (joined with AND) added peername= sockname= url= removed addr= (use peername instead). replace dn_upcase with str2upper and str2lower. Use where needed. --- libraries/liblutil/ntservice.c | 12 +- libraries/liblutil/slapdmsg.mc | 2 +- servers/slapd/acl.c | 183 +++++++++---------- servers/slapd/aclparse.c | 274 ++++++++++++++++++----------- servers/slapd/attr.c | 8 +- servers/slapd/back-passwd/search.c | 7 +- servers/slapd/config.c | 2 +- servers/slapd/connection.c | 55 ++++-- servers/slapd/daemon.c | 101 ++++++----- servers/slapd/dn.c | 29 +-- servers/slapd/monitor.c | 9 +- servers/slapd/proto-slap.h | 8 +- servers/slapd/slap.h | 25 ++- 13 files changed, 419 insertions(+), 296 deletions(-) diff --git a/libraries/liblutil/ntservice.c b/libraries/liblutil/ntservice.c index 5672dedc12..f07fb7cb20 100644 --- a/libraries/liblutil/ntservice.c +++ b/libraries/liblutil/ntservice.c @@ -315,7 +315,7 @@ void *getRegParam( char *svc, char *value ) return (void*)NULL; } -void LogSlapdStartedEvent( char *svc, int slap_debug, char *configfile, short port, int udp ) +void LogSlapdStartedEvent( char *svc, int slap_debug, char *configfile, char *urls ) { char *Inserts[5]; WORD i = 0, j; @@ -326,12 +326,11 @@ void LogSlapdStartedEvent( char *svc, int slap_debug, char *configfile, short po Inserts[i] = (char *)malloc( 20 ); itoa( slap_debug, Inserts[i++], 10 ); Inserts[i++] = ldap_pvt_strdup( configfile ); - Inserts[i] = (char *)malloc( 20 ); - itoa( port, Inserts[i++], 10 ); - Inserts[i++] = ldap_pvt_strdup( udp ? "udp" : "tcp" ); + Inserts[i++] = ldap_pvt_strdup( urls ); Inserts[i++] = ldap_pvt_strdup( is_NT_Service ? "svc" : "cmd" ); - ReportEvent( hEventLog, EVENTLOG_INFORMATION_TYPE, 0, MSG_SLAPD_STARTED, NULL, i, 0, Inserts, NULL ); + ReportEvent( hEventLog, EVENTLOG_INFORMATION_TYPE, 0, + MSG_SLAPD_STARTED, NULL, i, 0, Inserts, NULL ); for ( j = 0; j < i; j++ ) ldap_memfree( Inserts[j] ); @@ -345,7 +344,8 @@ void LogSlapdStoppedEvent( char *svc ) HANDLE hEventLog; hEventLog = RegisterEventSource( NULL, svc ); - ReportEvent( hEventLog, EVENTLOG_INFORMATION_TYPE, 0, MSG_SLAPD_STOPPED, NULL, 0, 0, NULL, NULL ); + ReportEvent( hEventLog, EVENTLOG_INFORMATION_TYPE, 0, + MSG_SLAPD_STOPPED, NULL, 0, 0, NULL, NULL ); DeregisterEventSource( hEventLog ); } diff --git a/libraries/liblutil/slapdmsg.mc b/libraries/liblutil/slapdmsg.mc index 2c6c88367c..694a93efb6 100644 --- a/libraries/liblutil/slapdmsg.mc +++ b/libraries/liblutil/slapdmsg.mc @@ -15,7 +15,7 @@ Severity=Informational SymbolicName=MSG_SLAPD_STARTED Facility=Application Language=English -OpenLDAP SLAPD service started. debuglevel=%1, conffile=%2, port=%3, ip=%4, mode=%5 +OpenLDAP SLAPD service started. debuglevel=%1, conffile=%2, urls=%3, mode=%4 . diff --git a/servers/slapd/acl.c b/servers/slapd/acl.c index 5d1eedb440..cd3dad0018 100644 --- a/servers/slapd/acl.c +++ b/servers/slapd/acl.c @@ -123,15 +123,17 @@ acl_get_applicable( /* check for a backend-specific acl that matches the entry */ for ( i = 1, a = be->be_acl; a != NULL; a = a->acl_next, i++ ) { - if (a->acl_dnpat != NULL) { + if (a->acl_dn_pat != NULL) { Debug( LDAP_DEBUG_TRACE, "=> dnpat: [%d] %s nsub: %d\n", - i, a->acl_dnpat, (int) a->acl_dnre.re_nsub); + i, a->acl_dn_pat, (int) a->acl_dn_re.re_nsub); - if (regexec(&a->acl_dnre, edn, nmatch, matches, 0)) + if (regexec(&a->acl_dn_re, edn, nmatch, matches, 0)) { continue; - else + + } else { Debug( LDAP_DEBUG_TRACE, "=> acl_get:[%d] backend ACL match\n", i, 0, 0); + } } if ( a->acl_filter != NULL ) { @@ -154,12 +156,13 @@ acl_get_applicable( /* check for a global acl that matches the entry */ for ( i = 1, a = global_acl; a != NULL; a = a->acl_next, i++ ) { - if (a->acl_dnpat != NULL) { - Debug( LDAP_DEBUG_TRACE, "=> dnpat: [%d] %s nsub: %d\n", - i, a->acl_dnpat, (int) a->acl_dnre.re_nsub); + if (a->acl_dn_pat != NULL) { + Debug( LDAP_DEBUG_TRACE, "=> dn pat: [%d] %s nsub: %d\n", + i, a->acl_dn_pat, (int) a->acl_dn_re.re_nsub); - if (regexec(&a->acl_dnre, edn, nmatch, matches, 0)) { + if (regexec(&a->acl_dn_re, edn, nmatch, matches, 0)) { continue; + } else { Debug( LDAP_DEBUG_TRACE, "=> acl_get: [%d] global ACL match\n", i, 0, 0); @@ -213,8 +216,6 @@ acl_access_allowed( { int i; Access *b; - Attribute *at; - struct berval bv; int default_access; Debug( LDAP_DEBUG_ACL, @@ -243,83 +244,97 @@ acl_access_allowed( return( default_access >= access ); } - if ( op->o_ndn != NULL ) { - bv.bv_val = op->o_ndn; - bv.bv_len = strlen( bv.bv_val ); - } - for ( i = 1, b = a->acl_access; b != NULL; b = b->a_next, i++ ) { - if ( b->a_dnpat != NULL ) { - Debug( LDAP_DEBUG_TRACE, "<= check a_dnpat: %s\n", - b->a_dnpat, 0, 0); + /* AND clauses */ + if ( b->a_dn_pat != NULL ) { + Debug( LDAP_DEBUG_TRACE, "<= check a_dn_pat: %s\n", + b->a_dn_pat, 0, 0); /* * if access applies to the entry itself, and the * user is bound as somebody in the same namespace as * the entry, OR the given dn matches the dn pattern */ - if ( strcasecmp( b->a_dnpat, "anonymous" ) == 0 && - (op->o_ndn == NULL || *(op->o_ndn) == '\0' ) ) + if ( strcasecmp( b->a_dn_pat, "anonymous" ) == 0 ) { + if (op->o_ndn != NULL && op->o_ndn[0] != '\0' ) { + continue; + } + + } else if ( strcasecmp( b->a_dn_pat, "self" ) == 0 ) { + if( op->o_ndn == NULL || op->o_ndn[0] == '\0' ) { + continue; + } + + if ( e->e_dn == NULL || strcmp( edn, op->o_ndn ) != 0 ) { + continue; + } + + } else if ( strcmp( b->a_dn_pat, ".*" ) != 0 && + !regex_matches( b->a_dn_pat, op->o_ndn, edn, matches ) ) { - Debug( LDAP_DEBUG_ACL, - "<= acl_access_allowed: matched by clause #%d access %s\n", - i, ACL_GRANT(b->a_access, access) - ? "granted" : "denied", 0 ); + continue; + } + } - return ACL_GRANT(b->a_access, access ); + if ( b->a_url_pat != NULL ) { + Debug( LDAP_DEBUG_ARGS, "<= check a_url_pat: %s\n", + b->a_url_pat, 0, 0 ); - } else if ( strcasecmp( b->a_dnpat, "self" ) == 0 && - op->o_ndn != NULL && *(op->o_ndn) && e->e_dn != NULL ) + if ( strcmp( b->a_url_pat, ".*" ) != 0 && + !regex_matches( b->a_url_pat, conn->c_listener_url, + edn, matches ) ) { - if ( strcmp( edn, op->o_ndn ) == 0 ) { - Debug( LDAP_DEBUG_ACL, - "<= acl_access_allowed: matched by clause #%d access %s\n", - i, ACL_GRANT(b->a_access, access) - ? "granted" : "denied", 0 ); + continue; + } + } - return ACL_GRANT(b->a_access, access ); - } - } else { - if ( regex_matches( b->a_dnpat, op->o_ndn, edn, matches ) ) { - Debug( LDAP_DEBUG_ACL, - "<= acl_access_allowed: matched by clause #%d access %s\n", - i, ACL_GRANT(b->a_access, access) - ? "granted" : "denied", 0 ); + if ( b->a_domain_pat != NULL ) { + Debug( LDAP_DEBUG_ARGS, "<= check a_domain_pat: %s\n", + b->a_domain_pat, 0, 0 ); - return ACL_GRANT(b->a_access, access ); - } + if ( strcmp( b->a_domain_pat, ".*" ) != 0 && + !regex_matches( b->a_domain_pat, conn->c_peer_domain, + edn, matches ) ) + { + continue; } } - if ( b->a_addrpat != NULL ) { - if ( regex_matches( b->a_addrpat, conn->c_client_addr, + + if ( b->a_peername_pat != NULL ) { + Debug( LDAP_DEBUG_ARGS, "<= check a_peername_path: %s\n", + b->a_peername_pat, 0, 0 ); + + if ( strcmp( b->a_peername_pat, ".*" ) != 0 && + !regex_matches( b->a_peername_pat, conn->c_peer_name, edn, matches ) ) { - Debug( LDAP_DEBUG_ACL, - "<= acl_access_allowed: matched by clause #%d access %s\n", - i, ACL_GRANT(b->a_access, access) - ? "granted" : "denied", 0 ); - - return ACL_GRANT(b->a_access, access ); + continue; } } - if ( b->a_domainpat != NULL ) { - Debug( LDAP_DEBUG_ARGS, "<= check a_domainpath: %s\n", - b->a_domainpat, 0, 0 ); - if ( regex_matches( b->a_domainpat, conn->c_client_name, - edn, matches ) ) - { - Debug( LDAP_DEBUG_ACL, - "<= acl_access_allowed: matched by clause #%d access %s\n", - i, ACL_GRANT(b->a_access, access) - ? "granted" : "denied", 0 ); - return ACL_GRANT(b->a_access, access ); + if ( b->a_sockname_pat != NULL ) { + Debug( LDAP_DEBUG_ARGS, "<= check a_sockname_path: %s\n", + b->a_sockname_pat, 0, 0 ); + + if ( strcmp( b->a_sockname_pat, ".*" ) != 0 && + !regex_matches( b->a_sockname_pat, conn->c_sock_name, + edn, matches ) ) + { + continue; } } - if ( b->a_dnattr != NULL && op->o_ndn != NULL ) { - Debug( LDAP_DEBUG_ARGS, "<= check a_dnattr: %s\n", - b->a_dnattr, 0, 0); - /* see if asker is listed in dnattr */ - if ( (at = attr_find( e->e_attrs, b->a_dnattr )) != NULL && + + if ( b->a_dn_at != NULL && op->o_ndn != NULL ) { + Attribute *at; + struct berval bv; + + Debug( LDAP_DEBUG_ARGS, "<= check a_dn_at: %s\n", + b->a_dn_at, 0, 0); + + bv.bv_val = op->o_ndn; + bv.bv_len = strlen( bv.bv_val ); + + /* see if asker is listed in dnattr */ + if ( (at = attr_find( e->e_attrs, b->a_dn_at )) != NULL && value_find( at->a_vals, &bv, at->a_syntax, 3 ) == 0 ) { if ( ACL_IS_SELF(b->a_access) && @@ -328,30 +343,15 @@ acl_access_allowed( continue; } - Debug( LDAP_DEBUG_ACL, - "<= acl_acces_allowed: matched by clause #%d access %s\n", - i, ACL_GRANT(b->a_access, access) - ? "granted" : "denied", 0 ); - - return ACL_GRANT(b->a_access, access ); - } - /* asker not listed in dnattr - check for self access */ - if ( ! ACL_IS_SELF(b->a_access) || val == NULL || + } else if ( ! ACL_IS_SELF(b->a_access) || val == NULL || value_cmp( &bv, val, at->a_syntax, 2 ) != 0 ) { continue; } - - Debug( LDAP_DEBUG_ACL, - "<= acl_access_allowed: matched by clause #%d (self) access %s\n", - i, ACL_GRANT(b->a_access, access) - ? "granted" : "denied", 0 ); - - return ACL_GRANT(b->a_access, access ); } - if ( b->a_group != NULL && op->o_ndn != NULL ) { + if ( b->a_group_pat != NULL && op->o_ndn != NULL ) { char buf[1024]; /* b->a_group is an unexpanded entry name, expanded it should be an @@ -359,18 +359,23 @@ acl_access_allowed( * the values in the attribute group */ /* see if asker is listed in dnattr */ - string_expand(buf, sizeof(buf), b->a_group, edn, matches); + string_expand(buf, sizeof(buf), b->a_group_pat, edn, matches); (void) dn_normalize_case(buf); if (backend_group(be, e, buf, op->o_ndn, - b->a_group_oc, b->a_group_at) == 0) + b->a_group_oc, b->a_group_at) != 0) { - Debug( LDAP_DEBUG_ACL, - "<= acl_access_allowed: matched by clause #%d (group) access granted\n", - i, 0, 0 ); - return ACL_GRANT(b->a_access, access ); + continue; } } + + Debug( LDAP_DEBUG_ACL, + "<= acl_access_allowed: matched by clause #%d access %s\n", + i, + ACL_GRANT(b->a_access, access) ? "granted" : "denied", + 0 ); + + return ACL_GRANT(b->a_access, access ); } Debug( LDAP_DEBUG_ACL, diff --git a/servers/slapd/aclparse.c b/servers/slapd/aclparse.c index f527199b08..0aaf463d1f 100644 --- a/servers/slapd/aclparse.c +++ b/servers/slapd/aclparse.c @@ -109,18 +109,7 @@ parse_acl( } if ( strcasecmp( argv[i], "*" ) == 0 ) { - int e; - if ((e = regcomp( &a->acl_dnre, ".*", - REG_EXTENDED|REG_ICASE))) - { - char buf[512]; - regerror(e, &a->acl_dnre, buf, sizeof(buf)); - fprintf( stderr, - "%s: line %d: regular expression \"%s\" bad because of %s\n", - fname, lineno, right, buf ); - acl_usage(); - } - a->acl_dnpat = ch_strdup( ".*" ); + a->acl_dn_pat = ch_strdup( ".*" ); continue; } @@ -140,27 +129,30 @@ parse_acl( fname, lineno, right ); acl_usage(); } + } else if ( strcasecmp( left, "dn" ) == 0 ) { int e; - if ((e = regcomp(&a->acl_dnre, right, + + if ((e = regcomp(&a->acl_dn_re, right, REG_EXTENDED|REG_ICASE))) { char buf[512]; - regerror(e, &a->acl_dnre, buf, sizeof(buf)); + regerror(e, &a->acl_dn_re, buf, sizeof(buf)); fprintf( stderr, "%s: line %d: regular expression \"%s\" bad because of %s\n", fname, lineno, right, buf ); acl_usage(); } else { - a->acl_dnpat = dn_upcase(ch_strdup( right )); + a->acl_dn_pat = ch_strdup( right ); } - } else if ( strncasecmp( left, "attr", 4 ) - == 0 ) { + + } else if ( strncasecmp( left, "attr", 4 ) == 0 ) { char **alist; alist = str2charray( right, "," ); charray_merge( &a->acl_attrs, alist ); charray_free( alist ); + } else { fprintf( stderr, "%s: line %d: expecting got \"%s\"\n", @@ -191,87 +183,148 @@ parse_acl( } /* get */ - split( argv[i], '=', &left, &right ); - if ( strcasecmp( argv[i], "*" ) == 0 ) { - b->a_dnpat = ch_strdup( ".*" ); - } else if ( strcasecmp( argv[i], "anonymous" ) == 0 ) { - b->a_dnpat = ch_strdup( "anonymous" ); - } else if ( strcasecmp( argv[i], "self" ) == 0 ) { - b->a_dnpat = ch_strdup( "self" ); - } else if ( strcasecmp( left, "dn" ) == 0 ) { - regtest(fname, lineno, right); - b->a_dnpat = dn_upcase( ch_strdup( right ) ); - } else if ( strcasecmp( left, "dnattr" ) == 0 ) { - b->a_dnattr = ch_strdup( right ); - - } else if ( strncasecmp( left, "group", sizeof("group")-1 ) == 0 ) { - char *name = NULL; - char *value = NULL; - - /* format of string is "group/objectClassValue/groupAttrName" */ - if ((value = strchr(left, '/')) != NULL) { - *value++ = '\0'; - if (value && *value - && (name = strchr(value, '/')) != NULL) - { - *name++ = '\0'; + for ( ; i < argc; i++ ) { + char* pat; + split( argv[i], '=', &left, &right ); + + if ( strcasecmp( argv[i], "*" ) == 0 ) { + pat = ch_strdup( ".*" ); + } else if ( strcasecmp( argv[i], "anonymous" ) == 0 ) { + pat = ch_strdup( "anonymous" ); + } else if ( strcasecmp( argv[i], "self" ) == 0 ) { + pat = ch_strdup( "self" ); + } else if ( strcasecmp( left, "dn" ) == 0 ) { + regtest(fname, lineno, right); + pat = ch_strdup( right ); + } + + if( pat != NULL ) { + if( b->a_dn_pat != NULL ) { + fprintf( stderr, + "%s: line %d: dn pattern already specified.\n", + fname, lineno ); + acl_usage(); + } + + b->a_dn_pat = pat; + continue; + } + + if ( strcasecmp( left, "dnattr" ) == 0 ) { + if( b->a_dn_pat != NULL ) { + fprintf( stderr, + "%s: line %d: dnaddr already specified.\n", + fname, lineno ); + acl_usage(); } + + b->a_dn_at = ch_strdup( right ); + continue; } - regtest(fname, lineno, right); - b->a_group = dn_upcase(ch_strdup( right )); + if ( strncasecmp( left, "group", sizeof("group")-1 ) == 0 ) { + char *name = NULL; + char *value = NULL; - if (value && *value) { - b->a_group_oc = ch_strdup(value); - *--value = '/'; - } else { - b->a_group_oc = ch_strdup("groupOfNames"); + if( b->a_group_pat != NULL ) { + fprintf( stderr, + "%s: line %d: group pattern already specified.\n", + fname, lineno ); + acl_usage(); + } + + /* format of string is "group/objectClassValue/groupAttrName" */ + if ((value = strchr(left, '/')) != NULL) { + *value++ = '\0'; + if (value && *value + && (name = strchr(value, '/')) != NULL) + { + *name++ = '\0'; + } + } - if (name && *name) { - b->a_group_at = ch_strdup(name); - *--name = '/'; + regtest(fname, lineno, right); + b->a_group_pat = ch_strdup( right ); + if (value && *value) { + b->a_group_oc = ch_strdup(value); + *--value = '/'; } else { - b->a_group_at = ch_strdup("member"); + b->a_group_oc = ch_strdup("groupOfNames"); + + if (name && *name) { + b->a_group_at = ch_strdup(name); + *--name = '/'; + + } else { + b->a_group_at = ch_strdup("member"); + } } + continue; } - } else if ( strcasecmp( left, "domain" ) == 0 ) { - char *s; - regtest(fname, lineno, right); - b->a_domainpat = ch_strdup( right ); + if ( strcasecmp( left, "peername" ) == 0 ) { + if( b->a_peername_pat != NULL ) { + fprintf( stderr, + "%s: line %d: peername pattern already specified.\n", + fname, lineno ); + acl_usage(); + } - /* normalize the domain */ - for ( s = b->a_domainpat; *s; s++ ) { - *s = TOLOWER( (unsigned char) *s ); + regtest(fname, lineno, right); + b->a_peername_pat = ch_strdup( right ); + continue; } - } else if ( strcasecmp( left, "addr" ) == 0 ) { - regtest(fname, lineno, right); - b->a_addrpat = ch_strdup( right ); - } else { - fprintf( stderr, - "%s: line %d: expecting got \"%s\"\n", - fname, lineno, left ); - acl_usage(); - } - if ( ++i == argc ) { - fprintf( stderr, - "%s: line %d: premature eol: expecting \n", - fname, lineno ); - acl_usage(); - } + if ( strcasecmp( left, "sockname" ) == 0 ) { + if( b->a_sockname_pat != NULL ) { + fprintf( stderr, + "%s: line %d: sockname pattern already specified.\n", + fname, lineno ); + acl_usage(); + } - /* get */ - split( argv[i], '=', &left, &right ); - if ( ACL_IS_INVALID(ACL_SET(b->a_access,str2access( left ))) ) { - fprintf( stderr, - "%s: line %d: expecting got \"%s\"\n", - fname, lineno, left ); - acl_usage(); - } - access_append( &a->acl_access, b ); + regtest(fname, lineno, right); + b->a_sockname_pat = ch_strdup( right ); + continue; + } + if ( strcasecmp( left, "domain" ) == 0 ) { + if( b->a_domain_pat != NULL ) { + fprintf( stderr, + "%s: line %d: domain pattern already specified.\n", + fname, lineno ); + acl_usage(); + } + + regtest(fname, lineno, right); + b->a_domain_pat = ch_strdup( right ); + continue; + } + + if ( strcasecmp( left, "url" ) == 0 ) { + if( b->a_url_pat != NULL ) { + fprintf( stderr, + "%s: line %d: url pattern already specified.\n", + fname, lineno ); + acl_usage(); + } + + regtest(fname, lineno, right); + b->a_url_pat = ch_strdup( right ); + continue; + } + + /* get */ + if ( ACL_IS_INVALID(ACL_SET(b->a_access, str2access( left ))) ) { + fprintf( stderr, + "%s: line %d: expecting got \"%s\"\n", + fname, lineno, left ); + acl_usage(); + } + access_append( &a->acl_access, b ); + break; + } } else { fprintf( stderr, "%s: line %d: expecting \"to\" or \"by\" got \"%s\"\n", @@ -377,9 +430,10 @@ acl_usage( void ) " ::= * | [dn=] [filter=] [attrs=]\n" " ::= | , \n" " ::= | entry | children\n" - " ::= * | anonymous | self | dn= | addr=\n" - "\t| domain= | dnattr=\n" - "\t| group[/[/]]=\n" + " ::= * | anonymous | self | dn=\n" + "\t| dnattr= | group[/[/]]=\n" + "\t| peername= | sockname=\n" + "\t| domain= | sockurl=\n" " ::= [self]{none|auth|compare|search|read|write}\n" ); exit( 1 ); @@ -424,29 +478,49 @@ print_access( Access *b ) { fprintf( stderr, "\tby" ); - if ( b->a_dnpat != NULL ) { - if( strcmp(b->a_dnpat, "anonymous") == 0 ) { + if ( b->a_dn_pat != NULL ) { + if( strcmp(b->a_dn_pat, "anonymous") == 0 ) { fprintf( stderr, " anonymous" ); - } else if( strcmp(b->a_dnpat, "self") == 0 ) { + + } else if( strcmp(b->a_dn_pat, "self") == 0 ) { fprintf( stderr, " self" ); + } else { - fprintf( stderr, " dn=%s", b->a_dnpat ); + fprintf( stderr, " dn=%s", b->a_dn_pat ); } - } else if ( b->a_addrpat != NULL ) { - fprintf( stderr, " addr=%s", b->a_addrpat ); - } else if ( b->a_domainpat != NULL ) { - fprintf( stderr, " domain=%s", b->a_domainpat ); - } else if ( b->a_dnattr != NULL ) { - fprintf( stderr, " dnattr=%s", b->a_dnattr ); - } else if ( b->a_group != NULL ) { - fprintf( stderr, " group: %s", b->a_group ); + } + + if ( b->a_dn_at != NULL ) { + fprintf( stderr, " dnattr=%s", b->a_dn_at ); + } + + if ( b->a_group_pat != NULL ) { + fprintf( stderr, " group: %s", b->a_group_pat ); + if ( b->a_group_oc ) { fprintf( stderr, " objectClass: %s", b->a_group_oc ); + if ( b->a_group_at ) { fprintf( stderr, " attributeType: %s", b->a_group_at ); } } } + + if ( b->a_peername_pat != NULL ) { + fprintf( stderr, " peername=%s", b->a_peername_pat ); + } + if ( b->a_sockname_pat != NULL ) { + fprintf( stderr, " sockname=%s", b->a_sockname_pat ); + } + + if ( b->a_domain_pat != NULL ) { + fprintf( stderr, " domain=%s", b->a_domain_pat ); + } + + if ( b->a_url_pat != NULL ) { + fprintf( stderr, " url=%s", b->a_url_pat ); + } + fprintf( stderr, "\n" ); } @@ -464,9 +538,9 @@ print_acl( AccessControl *a ) fprintf( stderr," filter=" ); filter_print( a->acl_filter ); } - if ( a->acl_dnpat != NULL ) { + if ( a->acl_dn_pat != NULL ) { fprintf( stderr, " dn=" ); - fprintf( stderr, a->acl_dnpat ); + fprintf( stderr, a->acl_dn_pat ); } if ( a->acl_attrs != NULL ) { int first = 1; diff --git a/servers/slapd/attr.c b/servers/slapd/attr.c index 014fe649de..8e3112200b 100644 --- a/servers/slapd/attr.c +++ b/servers/slapd/attr.c @@ -40,15 +40,9 @@ attr_free( Attribute *a ) char * attr_normalize( char *s ) { - char *save; - assert( s != NULL ); - for ( save = s; *s; s++ ) { - *s = TOLOWER( (unsigned char) *s ); - } - - return( save ); + return( str2lower( s ) ); } /* diff --git a/servers/slapd/back-passwd/search.c b/servers/slapd/back-passwd/search.c index 231d664869..cb1b9f4b29 100644 --- a/servers/slapd/back-passwd/search.c +++ b/servers/slapd/back-passwd/search.c @@ -183,9 +183,7 @@ passwd_back_search( goto done; } - for( s = user; *s ; s++ ) { - *s = TOLOWER( *s ); - } + user = str2lower( user ); if ( (pw = getpwnam( user )) == NULL ) { matched = parent; @@ -270,8 +268,7 @@ pw2entry( Backend *be, struct passwd *pw, char *rdn ) strncpy(buf, val.bv_val, i); s = buf+i; strcpy(s, pw->pw_name); - if (islower(*s)) - *s = toupper(*s); + *s = TOUPPER(*s); strcat(s, val.bv_val+i+1); val.bv_val = buf; } diff --git a/servers/slapd/config.c b/servers/slapd/config.c index f05fd08691..5ffb42cfff 100644 --- a/servers/slapd/config.c +++ b/servers/slapd/config.c @@ -222,7 +222,7 @@ read_config( char *fname ) char *dn = ch_strdup( cargv[1] ); (void) dn_normalize( dn ); charray_add( &be->be_suffix, dn ); - (void) dn_upcase( dn ); + (void) str2upper( dn ); charray_add( &be->be_nsuffix, dn ); free( dn ); } diff --git a/servers/slapd/connection.c b/servers/slapd/connection.c index a5476ad0b3..036dde765f 100644 --- a/servers/slapd/connection.c +++ b/servers/slapd/connection.c @@ -271,14 +271,21 @@ static void connection_return( Connection *c ) long connection_init( ber_socket_t s, - const char* name, - const char* addr, + const char* url, + const char* dnsname, + const char* peername, + const char* sockname, int use_tls ) { unsigned long id; Connection *c; + assert( connections != NULL ); + assert( dnsname != NULL ); + assert( peername != NULL ); + assert( sockname != NULL ); + #ifndef HAVE_TLS assert( !use_tls ); #endif @@ -341,8 +348,12 @@ long connection_init( if( c->c_struct_state == SLAP_C_UNINITIALIZED ) { c->c_dn = NULL; c->c_cdn = NULL; - c->c_client_name = NULL; - c->c_client_addr = NULL; + + c->c_listener_url = NULL; + c->c_peer_domain = NULL; + c->c_peer_name = NULL; + c->c_sock_name = NULL; + c->c_ops = NULL; c->c_pending_ops = NULL; c->c_authmech = NULL; @@ -363,15 +374,19 @@ long connection_init( assert( c->c_struct_state == SLAP_C_UNUSED ); assert( c->c_dn == NULL ); assert( c->c_cdn == NULL ); - assert( c->c_client_name == NULL ); - assert( c->c_client_addr == NULL ); + assert( c->c_listener_url == NULL ); + assert( c->c_peer_domain == NULL ); + assert( c->c_peer_name == NULL ); + assert( c->c_sock_name == NULL ); assert( c->c_ops == NULL ); assert( c->c_pending_ops == NULL ); assert( c->c_authmech == NULL ); assert( c->c_authstate == NULL ); - c->c_client_name = ch_strdup( name == NULL ? "" : name ); - c->c_client_addr = ch_strdup( addr ); + c->c_listener_url = ch_strdup( url ); + c->c_peer_domain = ch_strdup( dnsname ); + c->c_peer_name = ch_strdup( peername ); + c->c_sock_name = ch_strdup( sockname ); c->c_n_ops_received = 0; c->c_n_ops_executing = 0; @@ -389,8 +404,8 @@ long connection_init( if( ber_pvt_sb_set_nonblock( c->c_sb, 1 ) < 0 ) { Debug( LDAP_DEBUG_ANY, - "connection_init(%d, %s, %s): set nonblocking failed\n", - s, c->c_client_name, c->c_client_addr); + "connection_init(%d, %s): set nonblocking failed\n", + s, c->c_peer_name,0 ); } id = c->c_connid = conn_nextid++; @@ -439,13 +454,21 @@ connection_destroy( Connection *c ) free(c->c_cdn); c->c_cdn = NULL; } - if(c->c_client_name != NULL) { - free(c->c_client_name); - c->c_client_name = NULL; + if(c->c_listener_url != NULL) { + free(c->c_listener_url); + c->c_listener_url = NULL; + } + if(c->c_peer_domain != NULL) { + free(c->c_peer_domain); + c->c_peer_domain = NULL; + } + if(c->c_peer_name != NULL) { + free(c->c_peer_name); + c->c_peer_name = NULL; } - if(c->c_client_addr != NULL) { - free(c->c_client_addr); - c->c_client_addr = NULL; + if(c->c_sock_name != NULL) { + free(c->c_sock_name); + c->c_sock_name = NULL; } if(c->c_authmech != NULL ) { free(c->c_authmech); diff --git a/servers/slapd/daemon.c b/servers/slapd/daemon.c index a007fa1f5e..3de1106ecf 100644 --- a/servers/slapd/daemon.c +++ b/servers/slapd/daemon.c @@ -26,6 +26,7 @@ ber_socket_t dtblsize; typedef struct slap_listener { char* sl_url; + char* sl_name; #ifdef HAVE_TLS int sl_is_tls; #endif @@ -204,6 +205,7 @@ open_listener( Listener l; Listener *li; LDAPURLDesc *lud; + char *s; rc = ldap_url_parse( url, &lud ); @@ -235,6 +237,8 @@ open_listener( } #endif + port = lud->lud_port; + (void) memset( (void*) &l.sl_addr, '\0', sizeof(l.sl_addr) ); l.sl_addr.sin_family = AF_INET; @@ -248,20 +252,12 @@ open_listener( } else { /* host or address was specified */ - if( isdigit( lud->lud_host[0] ) ) { #ifdef HAVE_WINSOCK - if(!(l.sl_addr.sin_addr.S_un.S_addr = inet_addr(lud->lud_host))) + if((l.sl_addr.sin_addr.S_un.S_addr = inet_addr(lud->lud_host)) == INADDR_NONE) #else - if(!inet_aton(lud->lud_host, &l.sl_addr.sin_addr)) + if(!inet_aton(lud->lud_host, &l.sl_addr.sin_addr)) #endif - { - Debug( LDAP_DEBUG_ANY, "invalid address (%s) in URL: %s", - lud->lud_host, url, 0); - ldap_free_urldesc( lud ); - return NULL; - } - - } else { + { struct hostent *he = gethostbyname( lud->lud_host ); if( he == NULL ) { Debug( LDAP_DEBUG_ANY, "invalid host (%s) in URL: %s", @@ -348,6 +344,11 @@ open_listener( l.sl_url = ch_strdup( url ); + l.sl_name = ch_malloc( sizeof("IP=255.255.255.255:65336") ); + s = inet_ntoa( l.sl_addr.sin_addr ); + sprintf( l.sl_name, "IP=%s:%d", + s != NULL ? s : "unknown" , port ); + li = ch_malloc( sizeof( Listener ) ); *li = l; @@ -505,9 +506,6 @@ slapd_daemon_task( struct timeval zero; struct timeval *tvp; - char *client_name; - char *client_addr; - if( global_idletimeout > 0 && difftime( last_idle_check+global_idletimeout/SLAPD_IDLE_CHECK_LIMIT, now ) < 0 ) @@ -624,6 +622,11 @@ slapd_daemon_task( socklen_t len = sizeof(from); long id; + char *dnsname; + char *peeraddr; + + char peername[sizeof("IP:255.255.255.255:65336")]; + if ( slap_listeners[l]->sl_sd == AC_SOCKET_INVALID ) continue; @@ -669,47 +672,50 @@ slapd_daemon_task( (long) s, 0, 0 ); len = sizeof(from); - if ( getpeername( s, (struct sockaddr *) &from, &len ) == 0 ) { - client_addr = inet_ntoa( from.sin_addr ); -#if defined(SLAPD_RLOOKUPS) || defined(HAVE_TCPD) - hp = gethostbyaddr( (char *) - &(from.sin_addr.s_addr), - sizeof(from.sin_addr.s_addr), AF_INET ); + if ( getpeername( s, (struct sockaddr *) &from, &len ) != 0 ) { + int err = errno; + Debug( LDAP_DEBUG_ANY, + "daemon: getpeername( %ld ) failed: errno=%d (%s)\n", + (long) s, err, + err >= 0 && err < sys_nerr ? + sys_errlist[err] : "unknown" ); + slapd_close(s); + continue; + } - if(hp) { - char *p; - client_name = hp->h_name; + peeraddr = inet_ntoa( from.sin_addr ); + sprintf( peername, "IP:%s:%d", + peeraddr != NULL ? peeraddr : "unknown", + (unsigned) ntohs( from.sin_port ) ); - /* normalize the domain */ - for ( p = client_name; *p; p++ ) { - *p = TOLOWER( (unsigned char) *p ); - } +#if defined(SLAPD_RLOOKUPS) || defined(HAVE_TCPD) + hp = gethostbyaddr( (char *) + &(from.sin_addr.s_addr), + sizeof(from.sin_addr.s_addr), AF_INET ); - } else { - client_name = NULL; - } -#else - client_name = NULL; -#endif + if(hp) { + dnsname = str2lower( hp->h_name ); } else { - client_name = NULL;; - client_addr = NULL; + dnsname = NULL; } +#else + dnsname = NULL; +#endif #ifdef HAVE_TCPD - if(!hosts_ctl("slapd", - client_name != NULL ? client_name : STRING_UNKNOWN, - client_addr != NULL ? client_addr : STRING_UNKNOWN, - STRING_UNKNOWN)) + if( !hosts_ctl("slapd", + dnsname != NULL ? dnsname : STRING_UNKNOWN, + peeraddr != NULL ? peeraddr : STRING_UNKNOWN, + STRING_UNKNOWN )) { /* DENY ACCESS */ Statslog( LDAP_DEBUG_ANY, "fd=%ld connection from %s (%s) denied.\n", (long) s, - client_name == NULL ? "unknown" : client_name, - client_addr == NULL ? "unknown" : client_addr, + dnsname != NULL ? dnsname : "unknown", + peeraddr != NULL ? peeraddr : "unknown", 0, 0 ); slapd_close(s); @@ -717,7 +723,10 @@ slapd_daemon_task( } #endif /* HAVE_TCPD */ - if( (id = connection_init(s, client_name, client_addr, + if( (id = connection_init(s, + slap_listeners[l]->sl_url, + dnsname, peername, + slap_listeners[l]->sl_name, #ifdef HAVE_TLS slap_listeners[l]->sl_is_tls #else @@ -728,8 +737,8 @@ slapd_daemon_task( Debug( LDAP_DEBUG_ANY, "daemon: connection_init(%ld, %s, %s) failed.\n", (long) s, - client_name == NULL ? "unknown" : client_name, - client_addr == NULL ? "unknown" : client_addr); + peername, + slap_listeners[l]->sl_name ); slapd_close(s); continue; } @@ -737,8 +746,8 @@ slapd_daemon_task( Statslog( LDAP_DEBUG_STATS, "daemon: conn=%d fd=%ld connection from %s (%s) accepted.\n", id, (long) s, - client_name == NULL ? "unknown" : client_name, - client_addr == NULL ? "unknown" : client_addr, + peername, + slap_listeners[l]->sl_name, 0 ); slapd_add( s ); diff --git a/servers/slapd/dn.c b/servers/slapd/dn.c index 4f28d164b8..b9e2497117 100644 --- a/servers/slapd/dn.c +++ b/servers/slapd/dn.c @@ -131,17 +131,11 @@ dn_normalize( char *dn ) char * dn_normalize_case( char *dn ) { - char *s; - /* normalize format */ dn_normalize( dn ); - /* normalize case */ - for ( s = dn; *s; s++ ) { - *s = TOUPPER( (unsigned char) *s ); - } - - return( dn ); + /* and upper case it */ + return( str2upper( dn ) ); } /* @@ -331,16 +325,29 @@ dn_type( char *dn ) } char * -dn_upcase( char *dn ) +str2upper( char *str ) { char *s; /* normalize case */ - for ( s = dn; *s; s++ ) { + for ( s = str; *s; s++ ) { *s = TOUPPER( (unsigned char) *s ); } - return( dn ); + return( str ); +} + +char * +str2lower( char *str ) +{ + char *s; + + /* normalize case */ + for ( s = str; *s; s++ ) { + *s = TOLOWER( (unsigned char) *s ); + } + + return( str ); } diff --git a/servers/slapd/monitor.c b/servers/slapd/monitor.c index 855a2e8dc0..dff72f9690 100644 --- a/servers/slapd/monitor.c +++ b/servers/slapd/monitor.c @@ -104,7 +104,7 @@ monitor_info( Connection *conn, Operation *op ) ": %ld/%ld/%ld " ": %s%s%s%s%s%s " ": %s : %s : %s " - ": %s : %s", + ": %s : %s : %s : %s ", c->c_connid, (long) c->c_protocol, @@ -123,8 +123,11 @@ monitor_info( Connection *conn, Operation *op ) c->c_bind_in_progress ? "S" : "", c->c_cdn ? c->c_cdn : "", - c->c_client_addr ? c->c_client_addr : "unknown", - c->c_client_name ? c->c_client_name : "unknown", + + c->c_listener_url, + c->c_peer_domain, + c->c_peer_name, + c->c_sock_name, buf2, buf3 diff --git a/servers/slapd/proto-slap.h b/servers/slapd/proto-slap.h index 44d5d8fba5..3e90384d7e 100644 --- a/servers/slapd/proto-slap.h +++ b/servers/slapd/proto-slap.h @@ -148,7 +148,10 @@ int connections_timeout_idle LDAP_P((time_t)); long connection_init LDAP_P(( ber_socket_t s, - const char* name, const char* addr, + const char* url, + const char* dnsname, + const char* peername, + const char* sockname, int use_tls )); void connection_closing LDAP_P(( Connection *c )); @@ -174,7 +177,8 @@ char * dn_parent LDAP_P(( Backend *be, char *dn )); char * dn_rdn LDAP_P(( Backend *be, char *dn )); int dn_issuffix LDAP_P(( char *dn, char *suffix )); int dn_type LDAP_P(( char *dn )); -char * dn_upcase LDAP_P(( char *dn )); +char * str2upper LDAP_P(( char *str )); +char * str2lower LDAP_P(( char *str )); char * rdn_attr_value LDAP_P(( char * rdn )); char * rdn_attr_type LDAP_P(( char * rdn )); void build_new_dn LDAP_P(( char ** new_dn, char *e_dn, char * p_dn, diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h index ee971e115c..1eee373e03 100644 --- a/servers/slapd/slap.h +++ b/servers/slapd/slap.h @@ -230,13 +230,17 @@ typedef struct slap_access { int a_access; - char *a_dnpat; - char *a_addrpat; - char *a_domainpat; - char *a_dnattr; + char *a_dn_pat; + char *a_dn_at; + + char *a_peername_pat; + char *a_sockname_pat; + + char *a_domain_pat; + char *a_url_pat; /* ACL Groups */ - char *a_group; + char *a_group_pat; char *a_group_oc; char *a_group_at; @@ -247,8 +251,8 @@ typedef struct slap_access { typedef struct slap_acl { /* "to" part: the entries this acl applies to */ Filter *acl_filter; - regex_t acl_dnre; - char *acl_dnpat; + regex_t acl_dn_re; + char *acl_dn_pat; char **acl_attrs; /* "by" part: list of who has what access to the entries */ @@ -579,8 +583,11 @@ typedef struct slap_conn { time_t c_starttime; /* when the connection was opened */ time_t c_activitytime; /* when the connection was last used */ unsigned long c_connid; /* id of this connection for stats*/ - char *c_client_addr; /* address of client */ - char *c_client_name; /* name of client */ + + char *c_listener_url; /* listener URL */ + char *c_peer_domain; /* DNS name of client */ + char *c_peer_name; /* peer name (trans=addr:port) */ + char *c_sock_name; /* sock name (trans=addr:port) */ /* only can be changed by binding thread */ int c_bind_in_progress; /* multi-op bind in progress */ -- 2.39.5