From eb70b602ee13015d44d3ecbccb614fd07a0bf5bc Mon Sep 17 00:00:00 2001
From: Kurt Zeilenga
Date: Tue, 30 May 2000 21:34:55 +0000
Subject: [PATCH] Rework ACI codes to use OpenLDAPaci. Add needed schema elements. Needs work. Volunteers welcomed.
---
 servers/slapd/acl.c | 21 ---------------------
 servers/slapd/oc.c | 3 +--
 servers/slapd/proto-slap.h | 2 --
 servers/slapd/root_dse.c | 14 --------------
 servers/slapd/schema/core.schema | 16 ----------------
 servers/slapd/schema/openldap.schema | 6 ++++++
 servers/slapd/schema_init.c | 23 +++++++++++++++++++----
 servers/slapd/schema_prep.c | 8 ++++----
 servers/slapd/slap.h | 8 ++++----
 9 files changed, 34 insertions(+), 67 deletions(-)
diff --git a/servers/slapd/acl.c b/servers/slapd/acl.c
index 0778bf5d41..31b1b80e9c 100644
--- a/servers/slapd/acl.c
+++ b/servers/slapd/acl.c
@@ -53,12 +53,6 @@ static int aci_mask(
 	regmatch_t *matches,
 	slap_access_t *grant,
 	slap_access_t *deny );
-
-char *supportedACIMechs[] = {
-	"1.3.6.1.4.1.4203.666.7.1", /* experimental IETF aci family */
-	"1.3.6.1.4.1.4203.666.7.2", /* experimental OpenLDAP aci family */
-	NULL
-};
 #endif
 
 static int regex_matches(
@@ -1128,12 +1122,6 @@ aci_mask(
 	/* check that the aci family is supported */
 	if (aci_get_part(aci, 0, '#', &bv) < 0)
 		return(0);
-	for (i = 0; supportedACIMechs[i] != NULL; i++) {
-		if (aci_strbvcmp( supportedACIMechs[i], &bv ) == 0)
-			break;
-	}
-	if (supportedACIMechs[i] == NULL)
-		return(0);
 
 	/* check that the scope is "entry" */
 	if (aci_get_part(aci, 1, '#', &bv) < 0
@@ -1231,15 +1219,6 @@ aci_mask(
 	return(0);
 }
 
-char *
-get_supported_acimech(
-	int index )
-{
-	if (index < 0 || index >= (sizeof(supportedACIMechs) / sizeof(char *)))
-		return(NULL);
-	return(supportedACIMechs[index]);
-}
-
 #endif /* SLAPD_ACI_ENABLED */
 
 static void
diff --git a/servers/slapd/oc.c b/servers/slapd/oc.c
index 1361706687..c2a5c510d5 100644
--- a/servers/slapd/oc.c
+++ b/servers/slapd/oc.c
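Review bot: The family check in aci_mask no longer checks anything: after this hunk `aci_get_part(aci, 0, '#', &bv)` extracts the family field and then falls straight through, so the comment `/* check that the aci family is supported */` is now false and a value carrying the retired IETF family `1.3.6.1.4.1.4203.666.7.1`, or any arbitrary token, is evaluated as if it were an OpenLDAP ACI. Since the rest of aci_mask turns such a value into the grant/deny bits its parameters expose, an unrecognized family should fail closed rather than be silently accepted; a single comparison such as `if (aci_strbvcmp( "1.3.6.1.4.1.4203.666.7.2", &bv ) != 0) return(0);` (ideally against a named constant next to SLAPD_ACI_SYNTAX) preserves that. If the family field is intentionally meaningless now that the values live in a dedicated OpenLDAPaci attribute, the comment should say so instead. aci_mask begins and continues outside this hunk.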
@@ -116,7 +116,7 @@ static char *oc_op_usermod_attrs[] = {
 	 * which slapd supports modification of.
 	 *
 	 * Currently none.
-	 * Likely candidate, "aci"
+	 * Likely candidate, "OpenLDAPaci"
 	 */
 	NULL
 };
@@ -139,7 +139,6 @@ static char *oc_op_attrs[] = {
 	"supportedControl",
 	"supportedSASLMechanisms",
 	"supportedLDAPversion",
-	"supportedACIMechanisms",
 	"subschemaSubentry", /* NO USER MOD */
 	NULL
diff --git a/servers/slapd/proto-slap.h b/servers/slapd/proto-slap.h
index d51f1f25f3..0f883d16e1 100644
--- a/servers/slapd/proto-slap.h
+++ b/servers/slapd/proto-slap.h
@@ -66,8 +66,6 @@ LIBSLAPD_F (int) acl_check_modlist LDAP_P((
 LIBSLAPD_F (void) acl_append( AccessControl **l, AccessControl *a );
 
-LIBSLAPD_F (char *) get_supported_acimech LDAP_P((int index));
-
 /*
  * aclparse.c
  */
diff --git a/servers/slapd/root_dse.c b/servers/slapd/root_dse.c
index 16c10f133c..7fd02e5eb9 100644
--- a/servers/slapd/root_dse.c
+++ b/servers/slapd/root_dse.c
@@ -33,9 +33,6 @@ root_dse_info( Entry **entry, const char **text )
 	AttributeDescription *ad_supportedExtension = slap_schema.si_ad_supportedExtension;
 	AttributeDescription *ad_supportedLDAPVersion = slap_schema.si_ad_supportedLDAPVersion;
 	AttributeDescription *ad_supportedSASLMechanisms = slap_schema.si_ad_supportedSASLMechanisms;
-# ifdef SLAPD_ACI_ENABLED
-	AttributeDescription *ad_supportedACIMechanisms = slap_schema.si_ad_supportedACIMechanisms;
-# endif
 	AttributeDescription *ad_ref = slap_schema.si_ad_ref;
 #else
 	char *ad_objectClass = "objectClass";
@@ -44,9 +41,6 @@ root_dse_info( Entry **entry, const char **text )
 	char *ad_supportedExtension = "supportedExtension";
 	char *ad_supportedLDAPVersion = "supportedLDAPVersion";
 	char *ad_supportedSASLMechanisms = "supportedSASLMechanisms";
-# ifdef SLAPD_ACI_ENABLED
-	char *ad_supportedACIMechanisms = "supportedACIMechanisms";
-# endif
 	char *ad_ref = "ref";
 #endif
@@ -109,14 +103,6 @@ root_dse_info( Entry **entry, const char **text )
 		}
 	}
 
-#ifdef SLAPD_ACI_ENABLED
-	/* supportedACIMechanisms */
-	for ( i=0; (val.bv_val = get_supported_acimech(i)) != NULL; i++ ) {
-		val.bv_len = strlen( val.bv_val );
-		attr_merge( e, ad_supportedACIMechanisms, vals );
-	}
-#endif
-
 	if ( default_referral != NULL ) {
 		attr_merge( e, ad_ref, default_referral );
 	}
diff --git a/servers/slapd/schema/core.schema b/servers/slapd/schema/core.schema
index f2abdbcb72..f2303a7401 100644
--- a/servers/slapd/schema/core.schema
+++ b/servers/slapd/schema/core.schema
@@ -581,19 +581,3 @@ objectclass ( 1.3.6.1.4.1.4203.666.3.2
 	DESC 'OpenLDAP Root DSE object' SUP top STRUCTURAL MAY cn )
-#
-# IETF LDAPext WG Access Control Model
-# likely to change!
-attributetype ( supportedACIMechanismsOID NAME 'supportedACIMechanisms'
-	DESC 'list of access control mechanisms supported by this directory server'
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 USAGE dSAOperation )
-
-attributetype ( aCIMechanismOID NAME 'aCIMechanism'
-	DESC 'list of access control mechanism supported in this subtree'
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 USAGE dSAOperation )
-
-attributetype ( ldapACIOID NAME 'ldapACI'
-	DESC 'LDAP access control information'
-	EQUALITY caseIgnoreMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
-	USAGE directoryOperation )
diff --git a/servers/slapd/schema/openldap.schema b/servers/slapd/schema/openldap.schema
index 0f67dd6ba1..64f8c8af45 100644
--- a/servers/slapd/schema/openldap.schema
+++ b/servers/slapd/schema/openldap.schema
@@ -33,6 +33,12 @@ attributetype ( 1.3.6.1.4.1.4203.666.1.4 NAME 'children'
 	SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 SINGLE-VALUE NO-USER-MODIFICATION USAGE dSAOperation )
 
+attributetype ( 1.3.6.1.4.1.4203.666.1.5 NAME 'OpenLDAPaci'
+	DESC 'OpenLDAP access control information'
+	EQUALITY OpenLDAPaciMatch
+	SYNTAX 1.3.6.1.4.1.4203.666.2.1
+	USAGE directoryOperation )
+
 #
 # From U-Mich
 #
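Review bot: The new OpenLDAPaci attribute is left user-modifiable (no NO-USER-MODIFICATION, unlike the children attribute just above it), which is presumably intentional since ACI values have to be administered over LDAP, but nothing in the schema warns that write access to this attribute amounts to editing the access-control policy of the entry it sits on. A comment before the definition such as `# Write access to OpenLDAPaci is write access to the entry's access policy; restrict it with slapd.conf 'access to attrs=OpenLDAPaci' rules` would tell deployers what they are protecting. That aci_mask consumes exactly this attribute is only inferable here from slap.h's SLAPD_ACI_ATTR now naming it, so the wording should be confirmed against acl.c.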
diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c
index 7d3c5e4b8e..4ad571a850 100644
--- a/servers/slapd/schema_init.c
+++ b/servers/slapd/schema_init.c
@@ -852,10 +852,12 @@ struct syntax_defs_rec syntax_defs[] = {
 	/* OpenLDAP Experimental Syntaxes */
 	{"( 1.3.6.1.4.1.4203.666.2.1 DESC 'OpenLDAP Experimental ACI' )",
 		0, NULL, NULL, NULL},
-	{"( 1.3.6.1.4.1.4203.666.2.2 DESC 'OpenLDAP void' " X_HIDE ")" ,
-		SLAP_SYNTAX_HIDE, NULL, NULL, NULL},
-	{"( 1.3.6.1.4.1.4203.666.2.3 DESC 'OpenLDAP DN' " X_HIDE ")" ,
-		SLAP_SYNTAX_HIDE, NULL, NULL, NULL},
+	{"( 1.3.6.1.4.1.4203.666.2.2 DESC 'OpenLDAP authPassword' )",
+		0, NULL, NULL, NULL},
+	{"( 1.3.6.1.4.1.4203.666.2.3 DESC 'OpenLDAP void' " X_HIDE ")" ,
+		SLAP_SYNTAX_HIDE, inValidate, NULL, NULL},
+	{"( 1.3.6.1.4.1.4203.666.2.4 DESC 'OpenLDAP DN' " X_HIDE ")" ,
+		SLAP_SYNTAX_HIDE, inValidate, NULL, NULL},
 	{NULL, 0, NULL, NULL, NULL}
 };
@@ -926,6 +928,9 @@ struct mrule_defs_rec {
 #define integerFirstComponentMatch NULL
 #define objectIdentifierFirstComponentMatch NULL
 
+#define OpenLDAPaciMatch NULL
+#define authPasswordMatch NULL
+
 struct mrule_defs_rec mrule_defs[] = {
 	{"( 2.5.13.0 NAME 'objectIdentifierMatch' "
 		"SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )",
@@ -1063,6 +1068,16 @@ struct mrule_defs_rec mrule_defs[] = {
 		SLAP_MR_SUBSTR,
 		NULL, NULL, caseIgnoreIA5SubstringsMatch, NULL, NULL},
 
+	{"( 1.3.6.1.4.1.4203.666.4.1 NAME 'authPasswordMatch' "
+		"SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )",
+		SLAP_MR_EQUALITY,
+		NULL, NULL, authPasswordMatch, NULL, NULL},
+
+	{"( 1.3.6.1.4.1.4203.666.4.2 NAME 'OpenLDAPaciMatch' "
+		"SYNTAX 1.3.6.1.4.1.4203.666.2.1 )",
+		SLAP_MR_EQUALITY,
+		NULL, NULL, OpenLDAPaciMatch, NULL, NULL},
+
 	{NULL, SLAP_MR_NONE, NULL, NULL, NULL}
 };
diff --git a/servers/slapd/schema_prep.c b/servers/slapd/schema_prep.c
index 11469fe64e..d2bac90a64 100644
--- a/servers/slapd/schema_prep.c
+++ b/servers/slapd/schema_prep.c
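Review bot: The 'OpenLDAP Experimental ACI' syntax at the top of this hunk keeps a NULL in the slot that the void and DN entries now fill with `inValidate`, so if that slot is the validator, values of the new OpenLDAPaci attribute (which names this syntax in openldap.schema) are stored without any syntax check and a malformed ACI string is only discovered when aci_mask fails to parse it at access-check time, which is a poor failure mode for an access-control value. Until a real validator exists, a comment on the 2.1 entry such as `/* TODO: no validator; OpenLDAPaci values are only parsed in aci_mask */` would make the gap explicit. Note also that the hidden void and DN syntaxes are renumbered (2.2 to 2.3, 2.3 to 2.4) to make room for authPassword; whether anything outside this file cites the old OIDs is not visible here.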
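Review bot: OpenLDAPaciMatch is registered here as an EQUALITY rule for the new attribute, but the preceding hunk defines it as `#define OpenLDAPaciMatch NULL`, so the entry carries no match function, and the same is true of authPasswordMatch. What the matching machinery does with a NULL matcher is not visible here, but an equality rule that cannot compare values means a modify that deletes one specific OpenLDAPaci value, or checks for duplicates, cannot work as the schema advertises. A short comment on each entry, `/* placeholder: no match function yet, see #define above */`, would keep the next reader from assuming these rules are functional. The mrule_defs[] initializer starts outside this hunk.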
@@ -79,10 +79,6 @@ struct slap_schema_ad_map {
 		offsetof(struct slap_internal_schema, si_ad_supportedExtension) },
 	{ "supportedLDAPVersion", NULL,
 		offsetof(struct slap_internal_schema, si_ad_supportedLDAPVersion) },
-#ifdef SLAPD_ACI_ENABLED
-	{ "supportedACIMechanisms", NULL,
-		offsetof(struct slap_internal_schema, si_ad_supportedACIMechanisms) },
-#endif
 	{ "supportedSASLMechanisms", NULL,
 		offsetof(struct slap_internal_schema, si_ad_supportedSASLMechanisms) },
@@ -107,6 +103,10 @@ struct slap_schema_ad_map {
 		offsetof(struct slap_internal_schema, si_ad_entry) },
 	{ "children", NULL,
 		offsetof(struct slap_internal_schema, si_ad_children) },
+#ifdef SLAPD_ACI_ENABLED
+	{ "OpenLDAPaci", NULL,
+		offsetof(struct slap_internal_schema, si_ad_aci) },
+#endif
 	{ "userPassword", NULL,
 		offsetof(struct slap_internal_schema, si_ad_userPassword) },
diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h
index 6fe90a994c..16635cca07 100644
--- a/servers/slapd/slap.h
+++ b/servers/slapd/slap.h
@@ -101,7 +101,7 @@ LDAP_BEGIN_DECL
 #define SLAPD_ROLE_CLASS "organizationalRole"
 
 #define SLAPD_ACI_SYNTAX "1.3.6.1.4.1.4203.666.2.1"
-#define SLAPD_ACI_ATTR "aci"
+#define SLAPD_ACI_ATTR "OpenLDAPaci"
 
 LIBSLAPD_F (int) slap_debug;
@@ -355,9 +355,6 @@ struct slap_internal_schema {
 	AttributeDescription *si_ad_supportedControl;
 	AttributeDescription *si_ad_supportedExtension;
 	AttributeDescription *si_ad_supportedLDAPVersion;
-#ifdef SLAPD_ACI_ENABLED
-	AttributeDescription *si_ad_supportedACIMechanisms;
-#endif
 	AttributeDescription *si_ad_supportedSASLMechanisms;
 
 	/* subschema subentry attributes */
@@ -374,6 +371,9 @@ struct slap_internal_schema {
 	/* Access Control Internals */
 	AttributeDescription *si_ad_entry;
 	AttributeDescription *si_ad_children;
+#ifdef SLAPD_ACI_ENABLED
+	AttributeDescription *si_ad_aci;
+#endif
 
 	/* Other */
 	AttributeDescription *si_ad_userPassword;
-- 
2.39.5
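Review bot: The map entry `{ "OpenLDAPaci", NULL,` in the second schema_prep.c hunk repeats the attribute name as a string literal while slap.h in this same commit introduces `#define SLAPD_ACI_ATTR "OpenLDAPaci"`; writing `{ SLAPD_ACI_ATTR, NULL,` here keeps a single source of truth so the ACI evaluation code and the internal-schema lookup cannot drift apart on the next rename, which is exactly what this commit is (from "aci"). This assumes schema_prep.c sees slap.h, where the macro is defined. The `struct slap_schema_ad_map` initializer starts and ends outside this hunk.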