From e0ca6e386e832b857e371ce96ff8270a1f4540c8 Mon Sep 17 00:00:00 2001 From: Howard Chu Date: Tue, 22 Feb 2005 12:02:34 +0000 Subject: [PATCH] Added acl_unparse, slap_sasl_getpolicy --- servers/slapd/acl.c | 36 ++++---- servers/slapd/aclparse.c | 185 +++++++++++++++++++++++++------------ servers/slapd/config.c | 89 ++++++++++++++++-- servers/slapd/proto-slap.h | 4 +- servers/slapd/saslauthz.c | 12 +++ servers/slapd/slap.h | 16 ++-- servers/slapd/slapacl.c | 2 +- 7 files changed, 253 insertions(+), 91 deletions(-) diff --git a/servers/slapd/acl.c b/servers/slapd/acl.c index 623f0b18a2..6babdba339 100644 --- a/servers/slapd/acl.c +++ b/servers/slapd/acl.c @@ -394,7 +394,7 @@ vd_access: "=> access_allowed: %s access %s by %s\n", access2str( access ), ACL_GRANT(mask, access) ? "granted" : "denied", - accessmask2str( mask, accessmaskbuf ) ); + accessmask2str( mask, accessmaskbuf, 1 ) ); ret = ACL_GRANT(mask, access); @@ -678,7 +678,7 @@ acl_mask( "=> acl_mask: to %s by \"%s\", (%s) \n", val ? "value" : "all values", op->o_ndn.bv_val ? op->o_ndn.bv_val : "", - accessmask2str( *mask, accessmaskbuf ) ); + accessmask2str( *mask, accessmaskbuf, 1) ); if( state && ( state->as_recorded & ACL_STATE_RECORDED_VD ) @@ -1543,8 +1543,8 @@ dn_match_cleanup:; } } Debug(LDAP_DEBUG_ACL, "<= aci_mask grant %s deny %s\n", - accessmask2str(tgrant,accessmaskbuf), - accessmask2str(tdeny, accessmaskbuf1), 0); + accessmask2str(tgrant,accessmaskbuf, 1), + accessmask2str(tdeny, accessmaskbuf1, 1), 0); } /* If the entry level aci didn't contain anything valid for the @@ -1584,8 +1584,8 @@ dn_match_cleanup:; } } Debug(LDAP_DEBUG_ACL, "<= aci_mask grant %s deny %s\n", - accessmask2str(tgrant,accessmaskbuf), - accessmask2str(tdeny, accessmaskbuf1), 0); + accessmask2str(tgrant,accessmaskbuf, 1), + accessmask2str(tdeny, accessmaskbuf1, 1), 0); } break; @@ -1651,7 +1651,7 @@ dn_match_cleanup:; Debug( LDAP_DEBUG_ACL, "<= acl_mask: [%d] applying %s (%s)\n", - i, accessmask2str( modmask, accessmaskbuf ), + i, accessmask2str( modmask, accessmaskbuf, 1 ), b->a_type == ACL_CONTINUE ? "continue" : b->a_type == ACL_BREAK @@ -1681,7 +1681,7 @@ dn_match_cleanup:; Debug( LDAP_DEBUG_ACL, "<= acl_mask: [%d] mask: %s\n", - i, accessmask2str(*mask, accessmaskbuf), 0 ); + i, accessmask2str(*mask, accessmaskbuf, 1), 0 ); if( b->a_type == ACL_CONTINUE ) { continue; @@ -1699,7 +1699,7 @@ dn_match_cleanup:; Debug( LDAP_DEBUG_ACL, "<= acl_mask: no more clauses, returning %s (stop)\n", - accessmask2str(*mask, accessmaskbuf), 0, 0 ); + accessmask2str(*mask, accessmaskbuf, 1), 0, 0 ); return ACL_STOP; } @@ -2680,13 +2680,17 @@ dynacl_aci_parse( const char *fname, int lineno, slap_style_t sty, const char *r } static int -dynacl_aci_print( void *priv ) +dynacl_aci_unparse( void *priv, struct berval *bv ) { AttributeDescription *ad = ( AttributeDescription * )priv; + char *ptr; assert( ad ); - fprintf( stderr, " aci=%s", ad->ad_cname.bv_val ); + bv->bv_val = ch_malloc( STRLENOF(" aci=") + ad->ad_cname.bv_len + 1 ); + ptr = lutil_strcopy( bv->bv_val, " aci=" ); + ptr = lutil_strcopy( ptr, ad->ad_cname.bv_val ); + bv->bv_len = ptr - bv->bv_val; return 0; } @@ -2736,8 +2740,8 @@ dynacl_aci_mask( } Debug( LDAP_DEBUG_ACL, "<= aci_mask grant %s deny %s\n", - accessmask2str( tgrant, accessmaskbuf ), - accessmask2str( tdeny, accessmaskbuf1 ), 0 ); + accessmask2str( tgrant, accessmaskbuf, 1 ), + accessmask2str( tdeny, accessmaskbuf1, 1 ), 0 ); } /* If the entry level aci didn't contain anything valid for the @@ -2803,8 +2807,8 @@ dynacl_aci_mask( } } Debug( LDAP_DEBUG_ACL, "<= aci_mask grant %s deny %s\n", - accessmask2str( tgrant, accessmaskbuf ), - accessmask2str( tdeny, accessmaskbuf1 ), 0 ); + accessmask2str( tgrant, accessmaskbuf, 1 ), + accessmask2str( tdeny, accessmaskbuf1, 1 ), 0 ); } break; @@ -2844,7 +2848,7 @@ dynacl_aci_mask( static slap_dynacl_t dynacl_aci = { "aci", dynacl_aci_parse, - dynacl_aci_print, + dynacl_aci_unparse, dynacl_aci_mask, NULL, NULL, diff --git a/servers/slapd/aclparse.c b/servers/slapd/aclparse.c index d682ef7c51..1a77a9527f 100644 --- a/servers/slapd/aclparse.c +++ b/servers/slapd/aclparse.c @@ -1699,7 +1699,7 @@ parse_acl( } char * -accessmask2str( slap_mask_t mask, char *buf ) +accessmask2str( slap_mask_t mask, char *buf, int debug ) { int none = 1; char *ptr = buf; @@ -1741,6 +1741,10 @@ accessmask2str( slap_mask_t mask, char *buf ) ptr = lutil_strcopy( ptr, "unknown" ); } + if ( !debug ) { + *ptr = '\0'; + return buf; + } *ptr++ = '('; } @@ -1795,7 +1799,7 @@ accessmask2str( slap_mask_t mask, char *buf ) } if ( none ) { - *ptr++ = '0'; + ptr = buf; } if ( ACL_IS_LEVEL( mask ) ) { @@ -2137,59 +2141,83 @@ str2access( const char *str ) return( ACL_INVALID_ACCESS ); } -#ifdef LDAP_DEBUG +#define ACLBUF_MAXLEN 8192 -static void -print_access( Access *b ) +static char aclbuf[ACLBUF_MAXLEN]; + +static char * +access2text( Access *b, char *ptr ) { char maskbuf[ACCESSMASK_MAXLEN]; - fprintf( stderr, "\tby" ); + ptr = lutil_strcopy( ptr, "\tby" ); if ( !BER_BVISEMPTY( &b->a_dn_pat ) ) { + *ptr++ = ' '; if ( ber_bvccmp( &b->a_dn_pat, '*' ) || - b->a_dn_style == ACL_STYLE_ANONYMOUS /* strcmp( b->a_dn_pat.bv_val, "anonymous" ) == 0 */ || - b->a_dn_style == ACL_STYLE_USERS /* strcmp( b->a_dn_pat.bv_val, "users" ) == 0 */ || - b->a_dn_style == ACL_STYLE_SELF /* strcmp( b->a_dn_pat.bv_val, "self" ) == 0 */ ) + b->a_dn_style == ACL_STYLE_ANONYMOUS || + b->a_dn_style == ACL_STYLE_USERS || + b->a_dn_style == ACL_STYLE_SELF ) { - fprintf( stderr, " %s", b->a_dn_pat.bv_val ); + ptr = lutil_strcopy( ptr, b->a_dn_pat.bv_val ); } else { - fprintf( stderr, " dn.%s=\"%s\"", - style_strings[b->a_dn_style], b->a_dn_pat.bv_val ); + ptr = lutil_strcopy( ptr, "dn." ); + ptr = lutil_strcopy( ptr, style_strings[b->a_dn_style] ); + *ptr++ = '='; + *ptr++ = '"'; + ptr = lutil_strcopy( ptr, b->a_dn_pat.bv_val ); + *ptr++ = '"'; } } if ( b->a_dn_at != NULL ) { - fprintf( stderr, " dnattr=%s", b->a_dn_at->ad_cname.bv_val ); + ptr = lutil_strcopy( ptr, " dnattr=" ); + ptr = lutil_strcopy( ptr, b->a_dn_at->ad_cname.bv_val ); } if ( !BER_BVISEMPTY( &b->a_group_pat ) ) { - fprintf( stderr, " group/%s/%s.%s=\"%s\"", - b->a_group_oc ? b->a_group_oc->soc_cname.bv_val : "groupOfNames", - b->a_group_at ? b->a_group_at->ad_cname.bv_val : "member", - style_strings[b->a_group_style], - b->a_group_pat.bv_val ); + ptr = lutil_strcopy( ptr, " group/" ); + ptr = lutil_strcopy( ptr, b->a_group_oc ? + b->a_group_oc->soc_cname.bv_val : "groupOfNames" ); + *ptr++ = '/'; + ptr = lutil_strcopy( ptr, b->a_group_at ? + b->a_group_at->ad_cname.bv_val : "member" ); + *ptr++ = '.'; + ptr = lutil_strcopy( ptr, style_strings[b->a_group_style] ); + *ptr++ = '='; + *ptr++ = '"'; + ptr = lutil_strcopy( ptr, b->a_group_pat.bv_val ); + *ptr++ = '"'; } if ( !BER_BVISEMPTY( &b->a_peername_pat ) ) { - fprintf( stderr, " peername=\"%s\"", b->a_peername_pat.bv_val ); + ptr = lutil_strcopy( ptr, " peername=\"" ); + ptr = lutil_strcopy( ptr, b->a_peername_pat.bv_val ); + *ptr++ = '"'; } if ( !BER_BVISEMPTY( &b->a_sockname_pat ) ) { - fprintf( stderr, " sockname=\"%s\"", b->a_sockname_pat.bv_val ); + ptr = lutil_strcopy( ptr, " sockname=\"" ); + ptr = lutil_strcopy( ptr, b->a_sockname_pat.bv_val ); + *ptr++ = '"'; } if ( !BER_BVISEMPTY( &b->a_domain_pat ) ) { - fprintf( stderr, " domain=%s", b->a_domain_pat.bv_val ); + ptr = lutil_strcopy( ptr, " domain=" ); + ptr = lutil_strcopy( ptr, b->a_domain_pat.bv_val ); } if ( !BER_BVISEMPTY( &b->a_sockurl_pat ) ) { - fprintf( stderr, " sockurl=\"%s\"", b->a_sockurl_pat.bv_val ); + ptr = lutil_strcopy( ptr, " sockurl=\"" ); + ptr = lutil_strcopy( ptr, b->a_sockurl_pat.bv_val ); + *ptr++ = '"'; } if ( !BER_BVISEMPTY( &b->a_set_pat ) ) { - fprintf( stderr, " set=\"%s\"", b->a_set_pat.bv_val ); + ptr = lutil_strcopy( ptr, " set=\"" ); + ptr = lutil_strcopy( ptr, b->a_set_pat.bv_val ); + *ptr++ = '"'; } #ifdef SLAP_DYNACL @@ -2197,68 +2225,84 @@ print_access( Access *b ) slap_dynacl_t *da; for ( da = b->a_dynacl; da; da = da->da_next ) { - if ( da->da_print ) { - (void)( *da->da_print )( da->da_private ); + if ( da->da_unparse ) { + struct berval bv; + (void)( *da->da_unparse )( da->da_private, &bv ); + ptr = lutil_strcopy( ptr, bv.bv_val ); + ch_free( bv.bv_val ); } } } #else /* ! SLAP_DYNACL */ #ifdef SLAPD_ACI_ENABLED if ( b->a_aci_at != NULL ) { - fprintf( stderr, " aci=%s", b->a_aci_at->ad_cname.bv_val ); + ptr = lutil_strcopy( ptr, " aci=" ); + ptr = lutil_strcopy( ptr, b->a_aci_at->ad_cname.bv_val ); } #endif #endif /* SLAP_DYNACL */ /* Security Strength Factors */ if ( b->a_authz.sai_ssf ) { - fprintf( stderr, " ssf=%u", + ptr += sprintf( ptr, " ssf=%u", b->a_authz.sai_ssf ); } if ( b->a_authz.sai_transport_ssf ) { - fprintf( stderr, " transport_ssf=%u", + ptr += sprintf( ptr, " transport_ssf=%u", b->a_authz.sai_transport_ssf ); } if ( b->a_authz.sai_tls_ssf ) { - fprintf( stderr, " tls_ssf=%u", + ptr += sprintf( ptr, " tls_ssf=%u", b->a_authz.sai_tls_ssf ); } if ( b->a_authz.sai_sasl_ssf ) { - fprintf( stderr, " sasl_ssf=%u", + ptr += sprintf( ptr, " sasl_ssf=%u", b->a_authz.sai_sasl_ssf ); } - fprintf( stderr, " %s%s", - b->a_dn_self ? "self" : "", - accessmask2str( b->a_access_mask, maskbuf ) ); + *ptr++ = ' '; + if ( b->a_dn_self ) ptr = lutil_strcopy( ptr, "self" ); + ptr = lutil_strcopy( ptr, accessmask2str( b->a_access_mask, maskbuf, 0 )); + if ( !maskbuf[0] ) ptr--; if( b->a_type == ACL_BREAK ) { - fprintf( stderr, " break" ); + ptr = lutil_strcopy( ptr, " break" ); } else if( b->a_type == ACL_CONTINUE ) { - fprintf( stderr, " continue" ); + ptr = lutil_strcopy( ptr, " continue" ); } else if( b->a_type != ACL_STOP ) { - fprintf( stderr, " unknown-control" ); + ptr = lutil_strcopy( ptr, " unknown-control" ); + } else { + if ( !maskbuf[0] ) ptr = lutil_strcopy( ptr, " stop" ); } + *ptr++ = '\n'; - fprintf( stderr, "\n" ); + return ptr; } - -static void -print_acl( Backend *be, AccessControl *a ) +void +acl_unparse( AccessControl *a, struct berval *bv ) { + Access *b; + char *ptr; int to = 0; - Access *b; + struct berval abv; - fprintf( stderr, "%s ACL: access to", - be == NULL ? "Global" : "Backend" ); + bv->bv_val = aclbuf; + bv->bv_len = 0; - if ( !BER_BVISEMPTY( &a->acl_dn_pat ) ) { + ptr = bv->bv_val; + + ptr = lutil_strcopy( ptr, "access to" ); + if ( !BER_BVISNULL( &a->acl_dn_pat ) ) { to++; - fprintf( stderr, " dn.%s=\"%s\"\n", - style_strings[a->acl_dn_style], a->acl_dn_pat.bv_val ); + ptr = lutil_strcopy( ptr, " dn." ); + ptr = lutil_strcopy( ptr, style_strings[a->acl_dn_style] ); + *ptr++ = '='; + *ptr++ = '"'; + ptr = lutil_strcopy( ptr, a->acl_dn_pat.bv_val ); + ptr = lutil_strcopy( ptr, "\"\n" ); } if ( a->acl_filter != NULL ) { @@ -2266,7 +2310,10 @@ print_acl( Backend *be, AccessControl *a ) to++; filter2bv( a->acl_filter, &bv ); - fprintf( stderr, " filter=%s\n", bv.bv_val ); + ptr = lutil_strcopy( ptr, " filter=\"" ); + ptr = lutil_strcopy( ptr, bv.bv_val ); + *ptr++ = '"'; + *ptr++ = '\n'; ch_free( bv.bv_val ); } @@ -2275,34 +2322,54 @@ print_acl( Backend *be, AccessControl *a ) AttributeName *an; to++; - fprintf( stderr, " attrs=" ); + ptr = lutil_strcopy( ptr, " attrs=" ); for ( an = a->acl_attrs; an && !BER_BVISNULL( &an->an_name ); an++ ) { - if ( ! first ) fprintf( stderr, "," ); + if ( ! first ) *ptr++ = ','; if (an->an_oc) { - fputc( an->an_oc_exclude ? '!' : '@', stderr); - fputs( an->an_oc->soc_cname.bv_val, stderr ); + *ptr++ = an->an_oc_exclude ? '!' : '@'; + ptr = lutil_strcopy( ptr, an->an_oc->soc_cname.bv_val ); } else { - fputs( an->an_name.bv_val, stderr ); + ptr = lutil_strcopy( ptr, an->an_name.bv_val ); } first = 0; } - fprintf( stderr, "\n" ); + *ptr++ = '\n'; } if ( !BER_BVISEMPTY( &a->acl_attrval ) ) { to++; - fprintf( stderr, " val.%s=\"%s\"\n", - style_strings[a->acl_attrval_style], a->acl_attrval.bv_val ); - + ptr = lutil_strcopy( ptr, " val." ); + ptr = lutil_strcopy( ptr, style_strings[a->acl_attrval_style] ); + *ptr++ = '='; + *ptr++ = '"'; + ptr = lutil_strcopy( ptr, a->acl_attrval.bv_val ); + *ptr++ = '"'; + *ptr++ = '\n'; } - if( !to ) fprintf( stderr, " *\n" ); + if( !to ) { + ptr = lutil_strcopy( ptr, " *\n" ); + } for ( b = a->acl_access; b != NULL; b = b->a_next ) { - print_access( b ); + ptr = access2text( b, ptr ); } + *ptr = '\0'; + bv->bv_len = ptr - bv->bv_val; +} + +#ifdef LDAP_DEBUG + +static void +print_acl( Backend *be, AccessControl *a ) +{ + int to = 0; + Access *b; + struct berval bv; - fprintf( stderr, "\n" ); + acl_unparse( a, &bv ); + fprintf( stderr, "%s ACL: %s\n", + be == NULL ? "Global" : "Backend", bv.bv_val ); } #endif /* LDAP_DEBUG */ diff --git a/servers/slapd/config.c b/servers/slapd/config.c index 2f44de7ca0..b2376705de 100644 --- a/servers/slapd/config.c +++ b/servers/slapd/config.c @@ -60,6 +60,8 @@ char *global_host = NULL; char *global_realm = NULL; char *ldap_srvtab = ""; char **default_passwd_hash = NULL; +char *passwd_salt; +char *logfileName; struct berval default_search_base = BER_BVNULL; struct berval default_search_nbase = BER_BVNULL; @@ -230,7 +232,7 @@ static ConfigTable SystemConfiguration[] = { "( OLcfgAt:6 NAME 'olcAuthRewrite' " "EQUALITY caseIgnoreMatch " "SYNTAX OMsDirectoryString )", NULL, NULL }, - { "authz-policy", "policy", 2, 2, 0, ARG_MAGIC|CFG_AZPOLICY, + { "authz-policy", "policy", 2, 2, 0, ARG_STRING|ARG_MAGIC|CFG_AZPOLICY, &config_generic, "( OLcfgAt:7 NAME 'olcAuthzPolicy' " "EQUALITY caseIgnoreMatch " "SYNTAX OMsDirectoryString )", NULL, NULL }, @@ -302,7 +304,7 @@ static ConfigTable SystemConfiguration[] = { { "localSSF", "ssf", 2, 2, 0, ARG_LONG, &local_ssf, "( OLcfgAt:26 NAME 'olcLocalSSF' " "SYNTAX OMsInteger )", NULL, NULL }, - { "logfile", "file", 2, 2, 0, ARG_MAGIC|CFG_LOGFILE, + { "logfile", "file", 2, 2, 0, ARG_STRING|ARG_MAGIC|CFG_LOGFILE, &config_generic, "( OLcfgAt:27 NAME 'olcLogFile' " "SYNTAX OMsDirectoryString )", NULL, NULL }, { "loglevel", "level", 2, 0, 0, ARG_MAGIC, @@ -336,7 +338,7 @@ static ConfigTable SystemConfiguration[] = { { "overlay", "overlay", 2, 2, 0, ARG_MAGIC, &config_overlay, "( OLcfgAt:34 NAME 'olcOverlay' " "SUP olcDatabase )", NULL, NULL }, - { "password-crypt-salt-format", "salt", 2, 2, 0, ARG_MAGIC|CFG_SALT, + { "password-crypt-salt-format", "salt", 2, 2, 0, ARG_STRING|ARG_MAGIC|CFG_SALT, &config_generic, "( OLcfgAt:35 NAME 'olcPasswordCryptSaltFormat' " "SYNTAX OMsDirectoryString )", NULL, NULL }, { "password-hash", "hash", 2, 2, 0, ARG_MAGIC, @@ -958,17 +960,65 @@ config_generic(ConfigArgs *c) { c->value_int = ldap_pvt_thread_get_concurrency(); break; case CFG_THREADS: - c->value_int = connection_pool_max; break; + c->value_int = connection_pool_max; + break; + case CFG_SALT: + if ( passwd_salt ) + c->value_string = passwd_salt; + else + rc = 1; + break; + case CFG_LIMITS: + rc = 1; break; case CFG_RO: c->value_int = (c->be->be_restrictops & SLAP_RESTRICT_OP_WRITES) != 0; break; + case CFG_AZPOLICY: + c->value_string = (char *)slap_sasl_getpolicy(); + break; + case CFG_AZREGEXP: + rc = 1; + break; +#ifdef HAVE_CYRUS_SASL + case CFG_SASLSECP: + rc = 1; + break; +#endif case CFG_DEPTH: c->value_int = c->be->be_max_deref_depth; break; + case CFG_OID: + rc = 1; + break; case CFG_CHECK: c->value_int = global_schemacheck; break; + case CFG_ACL: { + AccessControl *a; + char *src, *dst, ibuf[11]; + struct berval bv, abv; + for (i=0, a=c->be->be_acl; a; i++,a=a->acl_next) { + abv.bv_len = sprintf( ibuf, "{%x}", i ); + acl_unparse( a, &bv ); + abv.bv_val = ch_malloc( abv.bv_len + bv.bv_len + 1 ); + AC_MEMCPY( abv.bv_val, ibuf, abv.bv_len ); + /* Turn TAB / EOL into plain space */ + for (src=bv.bv_val,dst=abv.bv_val+abv.bv_len; *src; src++) { + if (isspace(*src)) *dst++ = ' '; + else *dst++ = *src; + } + *dst = '\0'; + if (dst[-1] == ' ') { + dst--; + *dst = '\0'; + } + abv.bv_len = dst - abv.bv_val; + ber_bvarray_add( &c->rvalue_vals, &abv ); + } + rc = (!i); + break; + } case CFG_REPLOG: c->value_string = c->be->be_replogfile; break; @@ -981,6 +1031,12 @@ config_generic(ConfigArgs *c) { } } break; + case CFG_LOGFILE: + if ( logfileName ) + c->value_string = logfileName; + else + rc = 1; + break; case CFG_LASTMOD: c->value_int = (SLAP_NOLASTMOD(c->be) == 0); break; @@ -990,6 +1046,22 @@ config_generic(ConfigArgs *c) { case CFG_SSTR_IF_MIN: c->value_int = index_substr_if_minlen; break; +#ifdef SLAPD_MODULES + case CFG_MODLOAD: + case CFG_MODPATH: + rc = 1; + break; +#endif +#ifdef LDAP_SLAPI + case CFG_PLUGIN: + rc = 1; + break; +#endif +#ifdef SLAP_AUTH_REWRITE + case CFG_REWRITE: + rc = 1; + break; +#endif default: rc = 1; } @@ -1030,7 +1102,9 @@ config_generic(ConfigArgs *c) { break; case CFG_SALT: - lutil_salt_format(c->argv[1]); + if ( passwd_salt ) ch_free( passwd_salt ); + passwd_salt = c->value_string; + lutil_salt_format(passwd_salt); break; case CFG_LIMITS: @@ -1046,6 +1120,7 @@ config_generic(ConfigArgs *c) { break; case CFG_AZPOLICY: + ch_free(c->value_string); if (slap_sasl_setpolicy( c->argv[1] )) { Debug(LDAP_DEBUG_ANY, "%s: unable to parse value \"%s\" in" " \"authz-policy \"\n", @@ -1137,7 +1212,9 @@ config_generic(ConfigArgs *c) { break; case CFG_LOGFILE: { - FILE *logfile = fopen(c->argv[1], "w"); + if ( logfileName ) ch_free( logfileName ); + logfileName = c->value_string; + FILE *logfile = fopen(logfileName, "w"); if(logfile) lutil_debug_file(logfile); break; } diff --git a/servers/slapd/proto-slap.h b/servers/slapd/proto-slap.h index 3f1ce341ac..0bb03065ac 100644 --- a/servers/slapd/proto-slap.h +++ b/servers/slapd/proto-slap.h @@ -63,8 +63,9 @@ LDAP_SLAPD_F (char *) access2str LDAP_P(( slap_access_t access )); LDAP_SLAPD_F (slap_access_t) str2access LDAP_P(( const char *str )); #define ACCESSMASK_MAXLEN sizeof("unknown (+wrscan)") -LDAP_SLAPD_F (char *) accessmask2str LDAP_P(( slap_mask_t mask, char* )); +LDAP_SLAPD_F (char *) accessmask2str LDAP_P(( slap_mask_t mask, char*, int debug )); LDAP_SLAPD_F (slap_mask_t) str2accessmask LDAP_P(( const char *str )); +LDAP_SLAPD_F (void) acl_unparse LDAP_P(( AccessControl*, struct berval* )); LDAP_SLAPD_F (void) acl_destroy LDAP_P(( AccessControl*, AccessControl* )); LDAP_SLAPD_F (void) acl_free LDAP_P(( AccessControl *a )); @@ -1171,6 +1172,7 @@ LDAP_SLAPD_F (int) slap_sasl_authorized LDAP_P(( LDAP_SLAPD_F (int) slap_sasl_regexp_config LDAP_P(( const char *match, const char *replace )); LDAP_SLAPD_F (int) slap_sasl_setpolicy LDAP_P(( const char * )); +LDAP_SLAPD_F (const char *) slap_sasl_getpolicy LDAP_P(( void )); #ifdef SLAP_AUTH_REWRITE LDAP_SLAPD_F (int) slap_sasl_rewrite_config LDAP_P(( const char *fname, diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c index 28e44248cd..b99a0edf45 100644 --- a/servers/slapd/saslauthz.c +++ b/servers/slapd/saslauthz.c @@ -87,6 +87,10 @@ struct rewrite_info *sasl_rwinfo = NULL; #define SASL_AUTHZ_TO 0x02 #define SASL_AUTHZ_AND 0x10 +static const char *policy_txt[] = { + "none", "from", "to", "any" +}; + static int authz_policy = SASL_AUTHZ_NONE; static @@ -113,6 +117,14 @@ int slap_sasl_setpolicy( const char *arg ) return rc; } +const char * slap_sasl_getpolicy() +{ + if ( authz_policy == (SASL_AUTHZ_FROM | SASL_AUTHZ_TO | SASL_AUTHZ_AND) ) + return "all"; + else + return policy_txt[authz_policy]; +} + int slap_parse_user( struct berval *id, struct berval *user, struct berval *realm, struct berval *mech ) { diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h index 58745a592e..0adc7cdbd2 100644 --- a/servers/slapd/slap.h +++ b/servers/slapd/slap.h @@ -1186,9 +1186,9 @@ struct slap_op; /* * "dynamic" ACL infrastructure (for ACIs and more) */ -typedef int (*slap_dynacl_parse)( const char *fname, int lineno, slap_style_t, const char *, void **privp ); -typedef int (*slap_dynacl_print)( void *priv ); -typedef int (*slap_dynacl_mask)( +typedef int (slap_dynacl_parse)( const char *fname, int lineno, slap_style_t, const char *, void **privp ); +typedef int (slap_dynacl_unparse)( void *priv, struct berval *bv ); +typedef int (slap_dynacl_mask)( void *priv, struct slap_op *op, Entry *e, @@ -1198,14 +1198,14 @@ typedef int (*slap_dynacl_mask)( regmatch_t *matches, slap_access_t *grant, slap_access_t *deny ); -typedef int (*slap_dynacl_destroy)( void *priv ); +typedef int (slap_dynacl_destroy)( void *priv ); typedef struct slap_dynacl_t { char *da_name; - slap_dynacl_parse da_parse; - slap_dynacl_print da_print; - slap_dynacl_mask da_mask; - slap_dynacl_destroy da_destroy; + slap_dynacl_parse *da_parse; + slap_dynacl_unparse *da_unparse; + slap_dynacl_mask *da_mask; + slap_dynacl_destroy *da_destroy; void *da_private; struct slap_dynacl_t *da_next; diff --git a/servers/slapd/slapacl.c b/servers/slapd/slapacl.c index b890826b58..59d22ecd90 100644 --- a/servers/slapd/slapacl.c +++ b/servers/slapd/slapacl.c @@ -169,7 +169,7 @@ slapacl( int argc, char **argv ) desc->ad_cname.bv_val, val.bv_val ? "=" : "", val.bv_val ? val.bv_val : "", - accessmask2str( mask, accessmaskbuf ) ); + accessmask2str( mask, accessmaskbuf, 1 ) ); } rc = 0; attr = NULL; -- 2.39.5