From e0fd9ebf141b8b51931b1dfae7dddd5a8cf29c8f Mon Sep 17 00:00:00 2001 From: Pierangelo Masarati Date: Mon, 4 Apr 2005 11:19:21 +0000 Subject: [PATCH] cleanup previous commits --- servers/slapd/acl.c | 96 +++++--------------------------------------- servers/slapd/slap.h | 24 +++++------ 2 files changed, 23 insertions(+), 97 deletions(-) diff --git a/servers/slapd/acl.c b/servers/slapd/acl.c index dfae7d5c5a..b26162e052 100644 --- a/servers/slapd/acl.c +++ b/servers/slapd/acl.c @@ -113,7 +113,7 @@ static int aci_mask( slap_access_t *grant, slap_access_t *deny, slap_aci_scope_t scope); -#endif +#endif /* SLAPD_ACI_ENABLED */ static int regex_matches( struct berval *pat, char *str, char *buf, @@ -1030,7 +1030,7 @@ acl_mask( char accessmaskbuf[ACCESSMASK_MAXLEN]; #if !defined( SLAP_DYNACL ) && defined( SLAPD_ACI_ENABLED ) char accessmaskbuf1[ACCESSMASK_MAXLEN]; -#endif /* SLAPD_ACI_ENABLED */ +#endif /* !SLAP_DYNACL && SLAPD_ACI_ENABLED */ #endif /* DEBUG */ const char *attr; @@ -1109,7 +1109,8 @@ acl_mask( * is maintaned in a_dn_pat. */ - if ( op->o_conn && !BER_BVISNULL( &op->o_conn->c_ndn ) ) { + if ( op->o_conn && !BER_BVISNULL( &op->o_conn->c_ndn ) ) + { ndn = op->o_conn->c_ndn; } else { ndn = op->o_ndn; @@ -1376,7 +1377,8 @@ acl_mask( if ( b->a_realdn_at != NULL ) { struct berval ndn; - if ( op->o_conn && !BER_BVISNULL( &op->o_conn->c_ndn ) ) { + if ( op->o_conn && !BER_BVISNULL( &op->o_conn->c_ndn ) ) + { ndn = op->o_conn->c_ndn; } else { ndn = op->o_ndn; 
@@ -1390,87 +1392,6 @@ acl_mask( } } -#if 0 - if ( b->a_dn_at != NULL ) { - Attribute *at; - struct berval bv; - int rc, match = 0; - const char *text; - const char *attr = b->a_dn_at->ad_cname.bv_val; - - assert( attr != NULL ); - - if ( op->o_ndn.bv_len == 0 ) { - continue; - } - - Debug( LDAP_DEBUG_ACL, "<= check a_dn_at: %s\n", - attr, 0, 0); - bv = op->o_ndn; - - /* see if asker is listed in dnattr */ - for( at = attrs_find( e->e_attrs, b->a_dn_at ); - at != NULL; - at = attrs_find( at->a_next, b->a_dn_at ) ) - { - if( value_find_ex( b->a_dn_at, - SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH | - SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH, - at->a_nvals, - &bv, op->o_tmpmemctx ) == 0 ) - { - /* found it */ - match = 1; - break; - } - } - - if ( match ) { - /* have a dnattr match. if this is a self clause then - * the target must also match the op dn. - */ - if ( b->a_dn_self ) { - /* check if the target is an attribute. */ - if ( val == NULL ) continue; - - /* target is attribute, check if the attribute value - * is the op dn. - */ - rc = value_match( &match, b->a_dn_at, - b->a_dn_at->ad_type->sat_equality, 0, - val, &bv, &text ); - /* on match error or no match, fail the ACL clause */ - if (rc != LDAP_SUCCESS || match != 0 ) - continue; - } - - } else { - /* no dnattr match, check if this is a self clause */ - if ( ! b->a_dn_self ) - continue; - - ACL_RECORD_VALUE_STATE; - - /* this is a self clause, check if the target is an - * attribute. - */ - if ( val == NULL ) - continue; - - /* target is attribute, check if the attribute value - * is the op dn. - */ - rc = value_match( &match, b->a_dn_at, - b->a_dn_at->ad_type->sat_equality, 0, - val, &bv, &text ); - - /* on match error or no match, fail the ACL clause */ - if (rc != LDAP_SUCCESS || match != 0 ) - continue; - } - } -#endif - if ( !BER_BVISEMPTY( &b->a_group_pat ) ) { struct berval bv; struct berval ndn = BER_BVNULL; 
@@ -2878,6 +2799,11 @@ aci_mask( } #ifdef SLAP_DYNACL +/* + * FIXME: there is a silly dependence that makes it difficult + * to move ACIs in a run-time loadable module under the "dynacl" + * umbrella, because sets share some helpers with ACIs. + */ static int dynacl_aci_parse( const char *fname, int lineno, slap_style_t sty, const char *right, void **privp ) { diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h index 7daa0bfe05..2f855c9ef6 100644 --- a/servers/slapd/slap.h +++ b/servers/slapd/slap.h @@ -191,7 +191,7 @@ LDAP_BEGIN_DECL #ifdef SLAPD_ACI_ENABLED #define SLAPD_ACI_SYNTAX "1.3.6.1.4.1.4203.666.2.1" -#endif +#endif /* SLAPD_ACI_ENABLED */ /* change this to "OpenLDAPset" */ #define SLAPD_ACI_SET_ATTR "template" @@ -862,7 +862,7 @@ struct slap_internal_schema { AttributeDescription *si_ad_saslAuthzFrom; #ifdef SLAPD_ACI_ENABLED AttributeDescription *si_ad_aci; -#endif +#endif /* SLAPD_ACI_ENABLED */ /* dynamic entries */ AttributeDescription *si_ad_entryTtl; @@ -1232,6 +1232,7 @@ typedef struct slap_dynacl_t { typedef struct slap_dn_access { /* DN pattern */ AuthorizationInformation a_dnauthz; +#define a_pat a_dnauthz.sai_dn slap_style_t a_style; int a_level; 
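Review bot: The `a_pat` macro added after `a_dnauthz` in `slap_dn_access` carries no comment, and a `#define` placed inside a struct body is not scoped to that struct. Every later `a_pat` token in any file that includes slap.h is therefore rewritten to `a_dnauthz.sai_dn`. A one-line comment would make the intended use explicit, for example `/* shorthand for the DN pattern; use as a_dn.a_pat or a_realdn.a_pat */`. The struct definition continues past the end of this hunk.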
@@ -1315,25 +1316,18 @@ typedef struct slap_access { /* DN pattern */ slap_dn_access a_dn; #define a_dn_pat a_dn.a_dnauthz.sai_dn -#define a_dn_style a_dn.a_style -#define a_dn_level a_dn.a_level -#define a_dn_self_level a_dn.a_self_level #define a_dn_at a_dn.a_at #define a_dn_self a_dn.a_self -#define a_dn_expand a_dn.a_expand /* real DN pattern */ slap_dn_access a_realdn; #define a_realdn_pat a_realdn.a_dnauthz.sai_dn -#define a_realdn_style a_realdn.a_style -#define a_realdn_level a_realdn.a_level -#define a_realdn_self_level a_realdn.a_self_level #define a_realdn_at a_realdn.a_at #define a_realdn_self a_realdn.a_self -#define a_realdn_expand a_realdn.a_expand + /* used for ssf stuff + * NOTE: the ssf stuff in a_realdn is ignored */ #define a_authz a_dn.a_dnauthz -#define a_pat a_dnauthz.sai_dn /* connection related stuff */ slap_style_t a_peername_style; @@ -1358,8 +1352,14 @@ typedef struct slap_access { slap_dynacl_t *a_dynacl; #else /* ! SLAP_DYNACL */ #ifdef SLAPD_ACI_ENABLED + /* NOTE: ACIs have been moved under the "dynacl" interface, + * which is currently built only when LDAP_DEVEL is defined. + * + * In any case, SLAPD_ACI_ENABLED, set by --enable-aci, + * is required to enable ACI support. + */ AttributeDescription *a_aci_at; -#endif +#endif /* SLAPD_ACI_ENABLED */ #endif /* SLAP_DYNACL */ /* ACL Groups */ -- 2.39.5
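Review bot: The new comment above `a_authz` says the SSF values in `a_realdn` are ignored, and the macro confirms it by resolving only to `a_dn.a_dnauthz`, but nothing visible here prevents SSF requirements from being stored in `a_realdn.a_dnauthz`. If the ACL parser can populate them (not shown in this patch), a clause would match without the strength check its author wrote, which is a fail-open outcome for an access-control rule. The comment should say where enforcement happens, e.g. `/* SSF requirements are read from a_dn only (via a_authz); SSF values in a_realdn.a_dnauthz are never consulted */`, and the parser should reject or warn on such a setting rather than accept it silently. The `slap_access` definition starts and ends outside this hunk.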