From eb9a3c18767fe87d2a1f7fbbc6b3d676779eb5b7 Mon Sep 17 00:00:00 2001 From: Kurt Zeilenga Date: Wed, 12 Apr 2006 05:53:26 +0000 Subject: [PATCH] unifdef -DSLAP_ACL_HONOR_DISCLOSE unifdef -DSLAP_ACL_HONOR_MANAGE unifdef -DSLAP_OVERLAY_ACCESS unifdef -DSLAP_ORDERED_PRETTYNORM unifdef -DSLAP_AUTHZ_SYNTAX Move LDAP_COLLECTIVE_ATTRIBUTES, LDAP_COMP_MATCH, and LDAP_SYNC_TIMESTAMP back behind LDAP_DEVEL (as these either too experimental or not yet implemented). --- servers/slapd/acl.c | 276 --------------------------- servers/slapd/aclparse.c | 5 - servers/slapd/back-bdb/compare.c | 20 +- servers/slapd/back-bdb/search.c | 9 +- servers/slapd/back-dnssrv/init.c | 2 - servers/slapd/back-ldap/config.c | 4 - servers/slapd/back-ldif/ldif.c | 2 - servers/slapd/back-monitor/compare.c | 7 +- servers/slapd/back-monitor/modify.c | 7 +- servers/slapd/back-monitor/search.c | 10 +- servers/slapd/back-sql/add.c | 2 - servers/slapd/back-sql/compare.c | 2 - servers/slapd/back-sql/delete.c | 2 - servers/slapd/back-sql/modify.c | 2 - servers/slapd/back-sql/modrdn.c | 2 - servers/slapd/back-sql/search.c | 4 - servers/slapd/backend.c | 10 - servers/slapd/backover.c | 4 - servers/slapd/bconfig.c | 2 - servers/slapd/compare.c | 6 - servers/slapd/entry.c | 17 -- servers/slapd/frontend.c | 2 - servers/slapd/modify.c | 18 -- servers/slapd/overlays/dds.c | 34 +--- servers/slapd/proto-slap.h | 4 - servers/slapd/saslauthz.c | 14 +- servers/slapd/schema_init.c | 6 - servers/slapd/schema_prep.c | 14 -- servers/slapd/slap.h | 21 +- 29 files changed, 21 insertions(+), 487 deletions(-) diff --git a/servers/slapd/acl.c b/servers/slapd/acl.c index 62593991f6..6a2621da43 100644 --- a/servers/slapd/acl.c +++ b/servers/slapd/acl.c @@ -94,7 +94,6 @@ SLAP_SET_GATHER acl_set_gather2; * - can be legally called with op->o_bd == NULL */ -#ifdef SLAP_OVERLAY_ACCESS int slap_access_always_allowed( Operation *op, 
@@ -462,281 +461,6 @@ done: return ret; } -#else /* !SLAP_OVERLAY_ACCESS */ - -int -access_allowed_mask( - Operation *op, - Entry *e, - AttributeDescription *desc, - struct berval *val, - slap_access_t access, - AccessControlState *state, - slap_mask_t *maskp ) -{ - int ret = 1; - int count; - AccessControl *a = NULL; - Backend *be; - int be_null = 0; - -#ifdef LDAP_DEBUG - char accessmaskbuf[ACCESSMASK_MAXLEN]; -#endif - slap_mask_t mask; - slap_control_t control; - slap_access_t access_level; - const char *attr; - regmatch_t matches[MAXREMATCHES]; - int st_same_attr = 0; - static AccessControlState state_init = ACL_STATE_INIT; - - assert( e != NULL ); - assert( desc != NULL ); - - access_level = ACL_LEVEL( access ); - - assert( access_level > ACL_NONE ); - if ( maskp ) ACL_INVALIDATE( *maskp ); - - attr = desc->ad_cname.bv_val; - - assert( attr != NULL ); - - if ( op ) { - if ( op->o_is_auth_check && - ( access_level == ACL_SEARCH || access_level == ACL_READ ) ) - { - access = ACL_AUTH; - - } else if ( get_manageDIT( op ) && access_level == ACL_WRITE && - desc == slap_schema.si_ad_entry ) - { - access = ACL_MANAGE; - } - } - - if ( state ) { - if ( state->as_vd_ad == desc ) { - if ( ( state->as_recorded & ACL_STATE_RECORDED_NV ) && - val == NULL ) - { - return state->as_result; - - } else if ( ( state->as_recorded & ACL_STATE_RECORDED_VD ) && - val != NULL && state->as_vd_acl == NULL ) - { - return state->as_result; - } - st_same_attr = 1; - } else { - *state = state_init; - } - - state->as_vd_ad = desc; - } - - Debug( LDAP_DEBUG_ACL, - "=> access_allowed: %s access to \"%s\" \"%s\" requested\n", - access2str( access ), e->e_dn, attr ); - - if ( op == NULL ) { - /* no-op call */ - goto done; - } - - be = op->o_bd; - if ( be == NULL ) { - be = LDAP_STAILQ_FIRST(&backendDB); - be_null = 1; -#ifdef LDAP_DEVEL - /* - * FIXME: experimental; use first backend rules - * iff there is no global_acl (ITS#3100) */ - if ( frontendDB->be_acl == NULL ) -#endif - { - op->o_bd = 
be; - } - } - assert( be != NULL ); - - /* grant database root access */ - if ( be_isroot( op ) ) { - Debug( LDAP_DEBUG_ACL, "<= root access granted\n", 0, 0, 0 ); - if ( maskp ) { - mask = ACL_LVL_MANAGE; - } - - goto done; - } - - /* - * no-user-modification operational attributes are ignored - * by ACL_WRITE checking as any found here are not provided - * by the user - * - * NOTE: but they are not ignored for ACL_MANAGE, because - * if we get here it means a non-root user is trying to - * manage data, so we need to check its privileges. - */ - if ( access_level == ACL_WRITE && is_at_no_user_mod( desc->ad_type ) - && desc != slap_schema.si_ad_entry - && desc != slap_schema.si_ad_children ) - { - Debug( LDAP_DEBUG_ACL, "NoUserMod Operational attribute:" - " %s access granted\n", - attr, 0, 0 ); - goto done; - } - - /* use backend default access if no backend acls */ - if ( be->be_acl == NULL ) { - Debug( LDAP_DEBUG_ACL, - "=> access_allowed: backend default %s " - "access %s to \"%s\"\n", - access2str( access ), - be->be_dfltaccess >= access_level ? "granted" : "denied", - op->o_dn.bv_val ? op->o_dn.bv_val : "(anonymous)" ); - ret = be->be_dfltaccess >= access_level; - - if ( maskp ) { - int i; - - mask = ACL_PRIV_LEVEL; - for ( i = ACL_NONE; i <= be->be_dfltaccess; i++ ) { - mask |= ACL_ACCESS2PRIV( i ); - } - } - - goto done; - -#ifdef notdef - /* be is always non-NULL */ - /* use global default access if no global acls */ - } else if ( be == NULL && frontendDB->be_acl == NULL ) { - Debug( LDAP_DEBUG_ACL, - "=> access_allowed: global default %s access %s to \"%s\"\n", - access2str( access ), - frontendDB->be_dfltaccess >= access_level ? 
- "granted" : "denied", op->o_dn.bv_val ); - ret = frontendDB->be_dfltaccess >= access_level; - - if ( maskp ) { - int i; - - mask = ACL_PRIV_LEVEL; - for ( i = ACL_NONE; i <= global_default_access; i++ ) { - mask |= ACL_ACCESS2PRIV( i ); - } - } - - goto done; -#endif - } - - ret = 0; - control = ACL_BREAK; - - if ( st_same_attr ) { - assert( state->as_vd_acl != NULL ); - - a = state->as_vd_acl; - count = state->as_vd_acl_count; - if ( !ACL_IS_INVALID( state->as_vd_acl_mask ) ) { - mask = state->as_vd_acl_mask; - AC_MEMCPY( matches, state->as_vd_acl_matches, sizeof(matches) ); - goto vd_access; - } - - } else { - if ( state ) state->as_vi_acl = NULL; - a = NULL; - ACL_INIT(mask); - count = 0; - memset( matches, '\0', sizeof(matches) ); - } - - while ( ( a = slap_acl_get( a, &count, op, e, desc, val, - MAXREMATCHES, matches, state ) ) != NULL ) - { - int i; - - for ( i = 0; i < MAXREMATCHES && matches[i].rm_so > 0; i++ ) { - Debug( LDAP_DEBUG_ACL, "=> match[%d]: %d %d ", i, - (int)matches[i].rm_so, (int)matches[i].rm_eo ); - if ( matches[i].rm_so <= matches[0].rm_eo ) { - int n; - for ( n = matches[i].rm_so; n < matches[i].rm_eo; n++ ) { - Debug( LDAP_DEBUG_ACL, "%c", e->e_ndn[n], 0, 0 ); - } - } - Debug( LDAP_DEBUG_ARGS, "\n", 0, 0, 0 ); - } - - if ( state ) { - if ( state->as_vi_acl == a && - ( state->as_recorded & ACL_STATE_RECORDED_NV ) ) - { - Debug( LDAP_DEBUG_ACL, - "access_allowed: result from state (%s)\n", - attr, 0, 0 ); - ret = state->as_result; - goto done; - } else { - Debug( LDAP_DEBUG_ACL, - "access_allowed: no res from state (%s)\n", - attr, 0, 0 ); - } - } - -vd_access: - control = slap_acl_mask( a, &mask, op, - e, desc, val, MAXREMATCHES, matches, count, state ); - - if ( control != ACL_BREAK ) { - break; - } - - memset( matches, '\0', sizeof(matches) ); - } - - if ( ACL_IS_INVALID( mask ) ) { - Debug( LDAP_DEBUG_ACL, - "=> access_allowed: \"%s\" (%s) invalid!\n", - e->e_dn, attr, 0 ); - ACL_INIT(mask); - - } else if ( control == ACL_BREAK ) { - 
Debug( LDAP_DEBUG_ACL, - "=> access_allowed: no more rules\n", 0, 0, 0 ); - - goto done; - } - - Debug( LDAP_DEBUG_ACL, - "=> access_allowed: %s access %s by %s\n", - access2str( access ), - ACL_GRANT(mask, access) ? "granted" : "denied", - accessmask2str( mask, accessmaskbuf, 1 ) ); - - ret = ACL_GRANT(mask, access); - -done: - if ( state != NULL ) { - /* If not value-dependent, save ACL in case of more attrs */ - if ( !( state->as_recorded & ACL_STATE_RECORDED_VD ) ) { - state->as_vi_acl = a; - state->as_result = ret; - } - state->as_recorded |= ACL_STATE_RECORDED; - } - if ( be_null ) op->o_bd = NULL; - if ( maskp ) *maskp = mask; - return ret; -} - -#endif /* !SLAP_OVERLAY_ACCESS */ /* * slap_acl_get - return the acl applicable to entry e, attribute diff --git a/servers/slapd/aclparse.c b/servers/slapd/aclparse.c index f44a786b5e..0b018c1094 100644 --- a/servers/slapd/aclparse.c +++ b/servers/slapd/aclparse.c @@ -2453,11 +2453,6 @@ str2access( const char *str ) return ACL_NONE; } else if ( strcasecmp( str, "disclose" ) == 0 ) { -#ifndef SLAP_ACL_HONOR_DISCLOSE - Debug( LDAP_DEBUG_ACL, "str2access: warning, " - "\"disclose\" privilege disabled.\n", - 0, 0, 0 ); -#endif /* SLAP_ACL_HONOR_DISCLOSE */ return ACL_DISCLOSE; } else if ( strcasecmp( str, "auth" ) == 0 ) { diff --git a/servers/slapd/back-bdb/compare.c b/servers/slapd/back-bdb/compare.c index bf8b514615..3e88beff28 100644 --- a/servers/slapd/back-bdb/compare.c +++ b/servers/slapd/back-bdb/compare.c @@ -66,16 +66,13 @@ dn2entry_retry: e = ei->bei_e; if ( rs->sr_err == DB_NOTFOUND ) { if ( e != NULL ) { -#ifdef SLAP_ACL_HONOR_DISCLOSE /* return referral only if "disclose" is granted on the object */ if ( ! access_allowed( op, e, slap_schema.si_ad_entry, NULL, ACL_DISCLOSE, NULL ) ) { rs->sr_err = LDAP_NO_SUCH_OBJECT; - } else -#endif /* SLAP_ACL_HONOR_DISCLOSE */ - { + } else { rs->sr_matched = ch_strdup( e->e_dn ); rs->sr_ref = is_entry_referral( e ) ? get_entry_referrals( op, e ) 
@@ -103,15 +100,12 @@ dn2entry_retry: } if (!manageDSAit && is_entry_referral( e ) ) { -#ifdef SLAP_ACL_HONOR_DISCLOSE /* return referral only if "disclose" is granted on the object */ if ( !access_allowed( op, e, slap_schema.si_ad_entry, NULL, ACL_DISCLOSE, NULL ) ) { rs->sr_err = LDAP_NO_SUCH_OBJECT; - } else -#endif /* SLAP_ACL_HONOR_DISCLOSE */ - { + } else { /* entry is a referral, don't allow compare */ rs->sr_ref = get_entry_referrals( op, e ); rs->sr_err = LDAP_REFERRAL; @@ -131,14 +125,11 @@ dn2entry_retry: if ( get_assert( op ) && ( test_filter( op, e, get_assertion( op )) != LDAP_COMPARE_TRUE )) { -#ifdef SLAP_ACL_HONOR_DISCLOSE if ( !access_allowed( op, e, slap_schema.si_ad_entry, NULL, ACL_DISCLOSE, NULL ) ) { rs->sr_err = LDAP_NO_SUCH_OBJECT; - } else -#endif /* SLAP_ACL_HONOR_DISCLOSE */ - { + } else { rs->sr_err = LDAP_ASSERTION_FAILED; } goto return_results; @@ -147,16 +138,13 @@ dn2entry_retry: if ( !access_allowed( op, e, op->oq_compare.rs_ava->aa_desc, &op->oq_compare.rs_ava->aa_value, ACL_COMPARE, NULL ) ) { -#ifdef SLAP_ACL_HONOR_DISCLOSE /* return error only if "disclose" * is granted on the object */ if ( !access_allowed( op, e, slap_schema.si_ad_entry, NULL, ACL_DISCLOSE, NULL ) ) { rs->sr_err = LDAP_NO_SUCH_OBJECT; - } else -#endif /* SLAP_ACL_HONOR_DISCLOSE */ - { + } else { rs->sr_err = LDAP_INSUFFICIENT_ACCESS; } goto return_results; diff --git a/servers/slapd/back-bdb/search.c b/servers/slapd/back-bdb/search.c index 59f81ff920..519b65dd6b 100644 --- a/servers/slapd/back-bdb/search.c +++ b/servers/slapd/back-bdb/search.c @@ -319,9 +319,7 @@ bdb_search( Operation *op, SlapReply *rs ) Entry *matched = NULL; EntryInfo *ei, ei_root = {0}; struct berval realbase = BER_BVNULL; -#ifdef SLAP_ACL_HONOR_DISCLOSE slap_mask_t mask; -#endif int manageDSAit; int tentries = 0; ID lastid = NOID; 
@@ -424,7 +422,6 @@ dn2entry_retry: if ( matched != NULL ) { BerVarray erefs = NULL; -#ifdef SLAP_ACL_HONOR_DISCLOSE /* return referral only if "disclose" * is granted on the object */ if ( ! access_allowed( op, matched, @@ -433,9 +430,7 @@ dn2entry_retry: { rs->sr_err = LDAP_NO_SUCH_OBJECT; - } else -#endif /* SLAP_ACL_HONOR_DISCLOSE */ - { + } else { ber_dupbv( &matched_dn, &matched->e_name ); erefs = is_entry_referral( matched ) @@ -483,7 +478,6 @@ dn2entry_retry: return rs->sr_err; } -#ifdef SLAP_ACL_HONOR_DISCLOSE /* NOTE: __NEW__ "search" access is required * on searchBase object */ if ( ! access_allowed_mask( op, e, slap_schema.si_ad_entry, @@ -504,7 +498,6 @@ dn2entry_retry: send_ldap_result( op, rs ); return rs->sr_err; } -#endif /* SLAP_ACL_HONOR_DISCLOSE */ if ( !manageDSAit && e != &e_root && is_entry_referral( e ) ) { /* entry is a referral, don't allow add */ diff --git a/servers/slapd/back-dnssrv/init.c b/servers/slapd/back-dnssrv/init.c index fc4063492c..4b834cb7e8 100644 --- a/servers/slapd/back-dnssrv/init.c +++ b/servers/slapd/back-dnssrv/init.c @@ -67,9 +67,7 @@ dnssrv_back_initialize( bi->bi_connection_init = 0; bi->bi_connection_destroy = 0; -#ifdef SLAP_OVERLAY_ACCESS bi->bi_access_allowed = slap_access_always_allowed; -#endif /* SLAP_OVERLAY_ACCESS */ return 0; } diff --git a/servers/slapd/back-ldap/config.c b/servers/slapd/back-ldap/config.c index 2bae1a085e..32ef33d6df 100644 --- a/servers/slapd/back-ldap/config.c +++ b/servers/slapd/back-ldap/config.c @@ -1059,7 +1059,6 @@ done_url:; case LDAP_BACK_CFG_IDASSERT_AUTHZFROM: { struct berval bv; -#ifdef SLAP_AUTHZ_SYNTAX struct berval in; int rc; @@ -1072,9 +1071,6 @@ done_url:; Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->msg, 0 ); return 1; } -#else /* !SLAP_AUTHZ_SYNTAX */ - ber_str2bv( c->argv[ 1 ], 0, 1, &bv ); -#endif /* !SLAP_AUTHZ_SYNTAX */ ber_bvarray_add( &li->li_idassert_authz, &bv ); } break; 
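Review bot: In the back-dnssrv/init.c hunk, `bi->bi_access_allowed = slap_access_always_allowed;` is now compiled into every build, and nothing on the new side says why skipping ACL evaluation is acceptable for this backend. The back-ldif hunk in this same commit labels the identical assignment "uncomment to completely disable access control", so each live use deserves a comment, for example `/* ACL evaluation is bypassed for this backend; access is limited by <mechanism, to be stated> */`. The same applies to the bconfig.c hunk in config_back_initialize, which by its name sets up the configuration backend; whatever restriction replaces ACLs there is not visible in the hunk. Both initializers continue outside their hunks.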
diff --git a/servers/slapd/back-ldif/ldif.c b/servers/slapd/back-ldif/ldif.c index 5c662962bd..bf0ad91d3e 100644 --- a/servers/slapd/back-ldif/ldif.c +++ b/servers/slapd/back-ldif/ldif.c @@ -1249,9 +1249,7 @@ ldif_back_initialize( bi->bi_entry_get_rw = ldif_back_entry_get; #if 0 /* NOTE: uncomment to completely disable access control */ -#ifdef SLAP_OVERLAY_ACCESS bi->bi_access_allowed = slap_access_always_allowed; -#endif /* SLAP_OVERLAY_ACCESS */ #endif bi->bi_tool_entry_open = ldif_tool_entry_open; diff --git a/servers/slapd/back-monitor/compare.c b/servers/slapd/back-monitor/compare.c index 954317b568..244c8bb69a 100644 --- a/servers/slapd/back-monitor/compare.c +++ b/servers/slapd/back-monitor/compare.c @@ -39,15 +39,12 @@ monitor_back_compare( struct slap_op *op, struct slap_rep *rs) if ( e == NULL ) { rs->sr_err = LDAP_NO_SUCH_OBJECT; if ( matched ) { -#ifdef SLAP_ACL_HONOR_DISCLOSE if ( !access_allowed_mask( op, matched, slap_schema.si_ad_entry, NULL, ACL_DISCLOSE, NULL, NULL ) ) { /* do nothing */ ; - } else -#endif /* SLAP_ACL_HONOR_DISCLOSE */ - { + } else { rs->sr_matched = matched->e_dn; } } @@ -97,13 +94,11 @@ return_results:; break; default: -#ifdef SLAP_ACL_HONOR_DISCLOSE if ( !access_allowed_mask( op, e, slap_schema.si_ad_entry, NULL, ACL_DISCLOSE, NULL, NULL ) ) { rs->sr_err = LDAP_NO_SUCH_OBJECT; } -#endif /* SLAP_ACL_HONOR_DISCLOSE */ break; } diff --git a/servers/slapd/back-monitor/modify.c b/servers/slapd/back-monitor/modify.c index 3602bf5481..448bad1950 100644 --- a/servers/slapd/back-monitor/modify.c +++ b/servers/slapd/back-monitor/modify.c @@ -45,15 +45,12 @@ monitor_back_modify( Operation *op, SlapReply *rs ) if ( e == NULL ) { rs->sr_err = LDAP_NO_SUCH_OBJECT; if ( matched ) { -#ifdef SLAP_ACL_HONOR_DISCLOSE if ( !access_allowed_mask( op, matched, slap_schema.si_ad_entry, NULL, ACL_DISCLOSE, NULL, NULL ) ) { /* do nothing */ ; - } else -#endif /* SLAP_ACL_HONOR_DISCLOSE */ - { + } else { rs->sr_matched = matched->e_dn; } } 
@@ -75,7 +72,6 @@ monitor_back_modify( Operation *op, SlapReply *rs ) rc = monitor_entry_modify( op, rs, e ); } -#ifdef SLAP_ACL_HONOR_DISCLOSE if ( rc != LDAP_SUCCESS ) { if ( !access_allowed_mask( op, e, slap_schema.si_ad_entry, NULL, ACL_DISCLOSE, NULL, NULL ) ) @@ -83,7 +79,6 @@ monitor_back_modify( Operation *op, SlapReply *rs ) rc = LDAP_NO_SUCH_OBJECT; } } -#endif /* SLAP_ACL_HONOR_DISCLOSE */ rs->sr_err = rc; send_ldap_result( op, rs ); diff --git a/servers/slapd/back-monitor/search.c b/servers/slapd/back-monitor/search.c index e71afa20b0..3f30f489b5 100644 --- a/servers/slapd/back-monitor/search.c +++ b/servers/slapd/back-monitor/search.c @@ -175,15 +175,12 @@ monitor_back_search( Operation *op, SlapReply *rs ) if ( e == NULL ) { rs->sr_err = LDAP_NO_SUCH_OBJECT; if ( matched ) { -#ifdef SLAP_ACL_HONOR_DISCLOSE if ( !access_allowed_mask( op, matched, slap_schema.si_ad_entry, NULL, ACL_DISCLOSE, NULL, NULL ) ) { /* do nothing */ ; - } else -#endif /* SLAP_ACL_HONOR_DISCLOSE */ - { + } else { rs->sr_matched = matched->e_dn; } } @@ -204,12 +201,9 @@ monitor_back_search( Operation *op, SlapReply *rs ) { monitor_cache_release( mi, e ); -#ifdef SLAP_ACL_HONOR_DISCLOSE if ( !ACL_GRANT( mask, ACL_DISCLOSE ) ) { rs->sr_err = LDAP_NO_SUCH_OBJECT; - } else -#endif /* SLAP_ACL_HONOR_DISCLOSE */ - { + } else { rs->sr_err = LDAP_INSUFFICIENT_ACCESS; } diff --git a/servers/slapd/back-sql/add.c b/servers/slapd/back-sql/add.c index a850858bf5..078df583a1 100644 --- a/servers/slapd/back-sql/add.c +++ b/servers/slapd/back-sql/add.c @@ -1478,7 +1478,6 @@ done:; * in deleting that row. */ -#ifdef SLAP_ACL_HONOR_DISCLOSE if ( e != NULL ) { int disclose = 1; @@ -1503,7 +1502,6 @@ done:; } } } -#endif /* SLAP_ACL_HONOR_DISCLOSE */ send_ldap_result( op, rs ); slap_graduate_commit_csn( op ); diff --git a/servers/slapd/back-sql/compare.c b/servers/slapd/back-sql/compare.c index 768bab8f0a..47b2914e3e 100644 --- a/servers/slapd/back-sql/compare.c 
+++ b/servers/slapd/back-sql/compare.c @@ -150,7 +150,6 @@ return_results:; break; default: -#ifdef SLAP_ACL_HONOR_DISCLOSE if ( !BER_BVISNULL( &e.e_nname ) && ! access_allowed( op, &e, slap_schema.si_ad_entry, NULL, @@ -159,7 +158,6 @@ return_results:; rs->sr_err = LDAP_NO_SUCH_OBJECT; rs->sr_text = NULL; } -#endif /* SLAP_ACL_HONOR_DISCLOSE */ break; } diff --git a/servers/slapd/back-sql/delete.c b/servers/slapd/back-sql/delete.c index bd2ee37c7d..a6656a8984 100644 --- a/servers/slapd/back-sql/delete.c +++ b/servers/slapd/back-sql/delete.c @@ -448,7 +448,6 @@ backsql_delete( Operation *op, SlapReply *rs ) } done:; -#ifdef SLAP_ACL_HONOR_DISCLOSE if ( e != NULL ) { if ( !access_allowed( op, e, slap_schema.si_ad_entry, NULL, ACL_DISCLOSE, NULL ) ) @@ -462,7 +461,6 @@ done:; } } } -#endif /* SLAP_ACL_HONOR_DISCLOSE */ send_ldap_result( op, rs ); diff --git a/servers/slapd/back-sql/modify.c b/servers/slapd/back-sql/modify.c index c6c84b0c02..a3a93d9837 100644 --- a/servers/slapd/back-sql/modify.c +++ b/servers/slapd/back-sql/modify.c @@ -174,7 +174,6 @@ do_transact:; SQLTransact( SQL_NULL_HENV, dbh, CompletionType ); done:; -#ifdef SLAP_ACL_HONOR_DISCLOSE if ( e != NULL ) { if ( !access_allowed( op, e, slap_schema.si_ad_entry, NULL, ACL_DISCLOSE, NULL ) ) @@ -188,7 +187,6 @@ done:; } } } -#endif /* SLAP_ACL_HONOR_DISCLOSE */ send_ldap_result( op, rs ); slap_graduate_commit_csn( op ); diff --git a/servers/slapd/back-sql/modrdn.c b/servers/slapd/back-sql/modrdn.c index 756f99798c..1c81cead29 100644 --- a/servers/slapd/back-sql/modrdn.c +++ b/servers/slapd/back-sql/modrdn.c @@ -464,7 +464,6 @@ backsql_modrdn( Operation *op, SlapReply *rs ) } done:; -#ifdef SLAP_ACL_HONOR_DISCLOSE if ( e != NULL ) { if ( !access_allowed( op, e, slap_schema.si_ad_entry, NULL, ACL_DISCLOSE, NULL ) ) @@ -478,7 +477,6 @@ done:; } } } -#endif /* SLAP_ACL_HONOR_DISCLOSE */ /* * Commit only if all operations succeed 
diff --git a/servers/slapd/back-sql/search.c b/servers/slapd/back-sql/search.c index 787380a089..c1ea9952f5 100644 --- a/servers/slapd/back-sql/search.c +++ b/servers/slapd/back-sql/search.c @@ -1968,7 +1968,6 @@ backsql_search( Operation *op, SlapReply *rs ) /* fall thru */ default: -#ifdef SLAP_ACL_HONOR_DISCLOSE if ( !BER_BVISNULL( &base_entry.e_nname ) && !access_allowed( op, &base_entry, slap_schema.si_ad_entry, NULL, @@ -1982,7 +1981,6 @@ backsql_search( Operation *op, SlapReply *rs ) rs->sr_matched = NULL; rs->sr_text = NULL; } -#endif /* SLAP_ACL_HONOR_DISCLOSE */ send_ldap_result( op, rs ); @@ -1997,7 +1995,6 @@ backsql_search( Operation *op, SlapReply *rs ) goto done; } -#ifdef SLAP_ACL_HONOR_DISCLOSE /* NOTE: __NEW__ "search" access is required * on searchBase object */ { @@ -2028,7 +2025,6 @@ backsql_search( Operation *op, SlapReply *rs ) goto done; } } -#endif /* SLAP_ACL_HONOR_DISCLOSE */ bsi.bsi_e = NULL; diff --git a/servers/slapd/backend.c b/servers/slapd/backend.c index e4df383b0c..f054e50677 100644 --- a/servers/slapd/backend.c +++ b/servers/slapd/backend.c @@ -1420,13 +1420,8 @@ backend_group( be_orig = op->o_bd; op->o_bd = frontendDB; -#ifdef SLAP_OVERLAY_ACCESS rc = frontendDB->be_group( op, target, gr_ndn, op_ndn, group_oc, group_at ); -#else /* ! SLAP_OVERLAY_ACCESS */ - rc = fe_acl_group( op, target, gr_ndn, - op_ndn, group_oc, group_at ); -#endif /* ! SLAP_OVERLAY_ACCESS */ op->o_bd = be_orig; return rc; @@ -1573,13 +1568,8 @@ backend_attribute( be_orig = op->o_bd; op->o_bd = frontendDB; -#ifdef SLAP_OVERLAY_ACCESS rc = frontendDB->be_attribute( op, target, edn, entry_at, vals, access ); -#else /* !SLAP_OVERLAY_ACCESS */ - rc = fe_acl_attribute( op, target, edn, - entry_at, vals, access ); -#endif /* !SLAP_OVERLAY_ACCESS */ op->o_bd = be_orig; return rc; diff --git a/servers/slapd/backover.c b/servers/slapd/backover.c index 33b31d5400..3128840ce9 100644 --- a/servers/slapd/backover.c +++ b/servers/slapd/backover.c 
@@ -239,7 +239,6 @@ over_back_response ( Operation *op, SlapReply *rs ) return rc; } -#ifdef SLAP_OVERLAY_ACCESS static int over_access_allowed( Operation *op, @@ -450,7 +449,6 @@ over_acl_attribute( return rc; } -#endif /* SLAP_OVERLAY_ACCESS */ /* * default return code in case of missing backend function @@ -1018,12 +1016,10 @@ overlay_config( BackendDB *be, const char *ov ) bi->bi_chk_referrals = over_aux_chk_referrals; bi->bi_chk_controls = over_aux_chk_controls; -#ifdef SLAP_OVERLAY_ACCESS /* these have specific arglists */ bi->bi_access_allowed = over_access_allowed; bi->bi_acl_group = over_acl_group; bi->bi_acl_attribute = over_acl_attribute; -#endif /* SLAP_OVERLAY_ACCESS */ bi->bi_connection_init = over_connection_init; bi->bi_connection_destroy = over_connection_destroy; diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c index bcbed43cb4..8cf659b1ca 100644 --- a/servers/slapd/bconfig.c +++ b/servers/slapd/bconfig.c @@ -4928,9 +4928,7 @@ config_back_initialize( BackendInfo *bi ) bi->bi_chk_referrals = 0; -#ifdef SLAP_OVERLAY_ACCESS bi->bi_access_allowed = slap_access_always_allowed; -#endif /* SLAP_OVERLAY_ACCESS */ bi->bi_connection_init = 0; bi->bi_connection_destroy = 0; diff --git a/servers/slapd/compare.c b/servers/slapd/compare.c index bbe9774e1d..55dca80405 100644 --- a/servers/slapd/compare.c +++ b/servers/slapd/compare.c @@ -284,7 +284,6 @@ fe_op_compare( Operation *op, SlapReply *rs ) } } else { -#ifdef SLAP_ACL_HONOR_DISCLOSE /* return error only if "disclose" * is granted on the object */ if ( backend_access( op, NULL, &op->o_req_ndn, @@ -293,7 +292,6 @@ fe_op_compare( Operation *op, SlapReply *rs ) { rs->sr_err = LDAP_NO_SUCH_OBJECT; } -#endif /* SLAP_ACL_HONOR_DISCLOSE */ } send_ldap_result( op, rs ); 
@@ -328,7 +326,6 @@ fe_op_compare( Operation *op, SlapReply *rs ) ava.aa_desc, &vals, ACL_COMPARE ); switch ( rs->sr_err ) { default: -#ifdef SLAP_ACL_HONOR_DISCLOSE /* return error only if "disclose" * is granted on the object */ if ( backend_access( op, NULL, &op->o_req_ndn, @@ -338,7 +335,6 @@ fe_op_compare( Operation *op, SlapReply *rs ) { rs->sr_err = LDAP_NO_SUCH_OBJECT; } -#endif /* SLAP_ACL_HONOR_DISCLOSE */ break; case LDAP_SUCCESS: @@ -416,7 +412,6 @@ static int compare_entry( } done: -#ifdef LDAP_ACL_HONOR_DISCLOSE if( rc != LDAP_COMPARE_TRUE && rc != LDAP_COMPARE_FALSE ) { if ( ! access_allowed( op, e, slap_schema.si_ad_entry, NULL, ACL_DISCLOSE, NULL ) ) @@ -424,7 +419,6 @@ done: rc = LDAP_NO_SUCH_OBJECT; } } -#endif return rc; } diff --git a/servers/slapd/entry.c b/servers/slapd/entry.c index c389f6b0a2..93c27985b3 100644 --- a/servers/slapd/entry.c +++ b/servers/slapd/entry.c @@ -269,23 +269,14 @@ str2entry2( char *s, int checkvals ) ad->ad_type->sat_syntax->ssyn_pretty; if ( pretty ) { -#ifdef SLAP_ORDERED_PRETTYNORM rc = ordered_value_pretty( ad, &vals[i], &pval, NULL ); -#else /* ! SLAP_ORDERED_PRETTYNORM */ - rc = pretty( ad->ad_type->sat_syntax, - &vals[i], &pval, NULL ); -#endif /* ! SLAP_ORDERED_PRETTYNORM */ } else if ( validate ) { /* * validate value per syntax */ -#ifdef SLAP_ORDERED_PRETTYNORM rc = ordered_value_validate( ad, &vals[i], LDAP_MOD_ADD ); -#else /* ! SLAP_ORDERED_PRETTYNORM */ - rc = validate( ad->ad_type->sat_syntax, &vals[i] ); -#endif /* ! SLAP_ORDERED_PRETTYNORM */ } else { Debug( LDAP_DEBUG_ANY, 
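Review bot: In the compare_entry hunk of servers/slapd/compare.c, the guard being removed is spelled `LDAP_ACL_HONOR_DISCLOSE`, which is not one of the macros the commit message lists for unifdef. The `ACL_DISCLOSE` check after `done:` may therefore be running for the first time rather than merely losing a guard. If that spelling was never defined, any result other than `LDAP_COMPARE_TRUE` or `LDAP_COMPARE_FALSE` from this helper can now turn into `LDAP_NO_SUCH_OBJECT`, a behaviour change that callers and tests should know about. I would state this in the commit message and add `/* hide the entry unless "disclose" is granted on it */` above the `if`. compare_entry starts outside the hunk.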
@@ -315,19 +306,11 @@ str2entry2( char *s, int checkvals ) if ( ad->ad_type->sat_equality && ad->ad_type->sat_equality->smr_normalize ) { -#ifdef SLAP_ORDERED_PRETTYNORM rc = ordered_value_normalize( SLAP_MR_VALUE_OF_ATTRIBUTE_SYNTAX, ad, ad->ad_type->sat_equality, &vals[i], &nvals[i], NULL ); -#else /* ! SLAP_ORDERED_PRETTYNORM */ - rc = ad->ad_type->sat_equality->smr_normalize( - SLAP_MR_VALUE_OF_ATTRIBUTE_SYNTAX, - ad->ad_type->sat_syntax, - ad->ad_type->sat_equality, - &vals[i], &nvals[i], NULL ); -#endif /* ! SLAP_ORDERED_PRETTYNORM */ if ( rc ) { Debug( LDAP_DEBUG_ANY, diff --git a/servers/slapd/frontend.c b/servers/slapd/frontend.c index a7796565bf..dd27a9d5cf 100644 --- a/servers/slapd/frontend.c +++ b/servers/slapd/frontend.c @@ -119,11 +119,9 @@ frontend_init( void ) frontendDB->bd_info->bi_entry_get_rw = fe_entry_get_rw; frontendDB->bd_info->bi_entry_release_rw = fe_entry_release_rw; #endif -#ifdef SLAP_OVERLAY_ACCESS frontendDB->bd_info->bi_access_allowed = fe_access_allowed; frontendDB->bd_info->bi_acl_group = fe_acl_group; frontendDB->bd_info->bi_acl_attribute = fe_acl_attribute; -#endif /* SLAP_OVERLAY_ACCESS */ #if 0 /* FIXME: is this too early? */ diff --git a/servers/slapd/modify.c b/servers/slapd/modify.c index 9770919784..dc2af62473 100644 --- a/servers/slapd/modify.c +++ b/servers/slapd/modify.c @@ -656,21 +656,11 @@ int slap_mods_check( struct berval pval; if ( pretty ) { -#ifdef SLAP_ORDERED_PRETTYNORM rc = ordered_value_pretty( ad, &ml->sml_values[nvals], &pval, ctx ); -#else /* ! SLAP_ORDERED_PRETTYNORM */ - rc = pretty( ad->ad_type->sat_syntax, - &ml->sml_values[nvals], &pval, ctx ); -#endif /* ! SLAP_ORDERED_PRETTYNORM */ } else { -#ifdef SLAP_ORDERED_PRETTYNORM rc = ordered_value_validate( ad, &ml->sml_values[nvals], ml->sml_op ); -#else /* ! SLAP_ORDERED_PRETTYNORM */ - rc = validate( ad->ad_type->sat_syntax, - &ml->sml_values[nvals] ); -#endif /* ! SLAP_ORDERED_PRETTYNORM */ } if( rc != 0 ) { 
@@ -716,19 +706,11 @@ int slap_mods_check( (nvals+1)*sizeof(struct berval), ctx ); for ( nvals = 0; !BER_BVISNULL( &ml->sml_values[nvals] ); nvals++ ) { -#ifdef SLAP_ORDERED_PRETTYNORM rc = ordered_value_normalize( SLAP_MR_VALUE_OF_ATTRIBUTE_SYNTAX, ad, ad->ad_type->sat_equality, &ml->sml_values[nvals], &ml->sml_nvalues[nvals], ctx ); -#else /* ! SLAP_ORDERED_PRETTYNORM */ - rc = ad->ad_type->sat_equality->smr_normalize( - SLAP_MR_VALUE_OF_ATTRIBUTE_SYNTAX, - ad->ad_type->sat_syntax, - ad->ad_type->sat_equality, - &ml->sml_values[nvals], &ml->sml_nvalues[nvals], ctx ); -#endif /* ! SLAP_ORDERED_PRETTYNORM */ if ( rc ) { Debug( LDAP_DEBUG_ANY, "<= str2entry NULL (ssyn_normalize %d)\n", diff --git a/servers/slapd/overlays/dds.c b/servers/slapd/overlays/dds.c index b701e9e611..09e73a72b6 100644 --- a/servers/slapd/overlays/dds.c +++ b/servers/slapd/overlays/dds.c @@ -357,7 +357,6 @@ dds_op_add( Operation *op, SlapReply *rs ) slap_schema.si_oc_dynamicObject, NULL, 0, &e ); if ( rc == LDAP_SUCCESS && e != NULL ) { if ( !is_dynamicObject ) { -#ifdef SLAP_ACL_HONOR_DISCLOSE /* return referral only if "disclose" * is granted on the object */ if ( ! access_allowed( op, e, @@ -367,9 +366,7 @@ dds_op_add( Operation *op, SlapReply *rs ) rc = rs->sr_err = LDAP_NO_SUCH_OBJECT; send_ldap_result( op, rs ); - } else -#endif /* SLAP_ACL_HONOR_DISCLOSE */ - { + } else { rc = rs->sr_err = LDAP_CONSTRAINT_VIOLATION; send_ldap_error( op, rs, rc, "no static subordinate entries allowed for dynamicObject" ); } @@ -580,15 +577,12 @@ dds_op_modify( Operation *op, SlapReply *rs ) if ( BER_BVISEMPTY( &bv_entryTtl ) || !bvmatch( &bv_entryTtl, &mod->sml_values[ 0 ] ) ) { -#ifdef SLAP_ACL_HONOR_DISCLOSE rs->sr_err = backend_attribute( op, NULL, &op->o_req_ndn, slap_schema.si_ad_entry, NULL, ACL_DISCLOSE ); if ( rs->sr_err == LDAP_INSUFFICIENT_ACCESS ) { rs->sr_err = LDAP_NO_SUCH_OBJECT; - } else -#endif /* SLAP_ACL_HONOR_DISCLOSE */ - { + } else { rs->sr_err = LDAP_NO_SUCH_ATTRIBUTE; } goto done; 
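Review bot: In the dds_op_modify hunk at `@@ -580,15 +577,12 @@`, the disclose gate treats only `LDAP_INSUFFICIENT_ACCESS` as a denial, so any other failure of `backend_attribute()` falls into the `else` branch and returns the more revealing `LDAP_NO_SUCH_ATTRIBUTE`. Unless that call can only return success or insufficient access here (not visible in the hunk), failing closed is safer: test `if ( rs->sr_err != LDAP_SUCCESS ) {` and keep `rs->sr_err = LDAP_NO_SUCH_OBJECT;` as the body. The same comparison appears in the later dds.c hunks at `-609`, `-649`, `-678` and in the `done:` hunk at `-761`. dds_op_modify starts and ends outside these hunks.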
@@ -609,15 +603,12 @@ dds_op_modify( Operation *op, SlapReply *rs ) assert( BER_BVISNULL( &mod->sml_values[ 1 ] ) ); if ( !BER_BVISEMPTY( &bv_entryTtl ) ) { -#ifdef SLAP_ACL_HONOR_DISCLOSE rs->sr_err = backend_attribute( op, NULL, &op->o_req_ndn, slap_schema.si_ad_entry, NULL, ACL_DISCLOSE ); if ( rs->sr_err == LDAP_INSUFFICIENT_ACCESS ) { rs->sr_err = LDAP_NO_SUCH_OBJECT; - } else -#endif /* SLAP_ACL_HONOR_DISCLOSE */ - { + } else { rs->sr_text = "attribute 'entryTtl' cannot have multiple values"; rs->sr_err = LDAP_CONSTRAINT_VIOLATION; } @@ -649,15 +640,12 @@ dds_op_modify( Operation *op, SlapReply *rs ) case LDAP_MOD_INCREMENT: if ( BER_BVISEMPTY( &bv_entryTtl ) ) { -#ifdef SLAP_ACL_HONOR_DISCLOSE rs->sr_err = backend_attribute( op, NULL, &op->o_req_ndn, slap_schema.si_ad_entry, NULL, ACL_DISCLOSE ); if ( rs->sr_err == LDAP_INSUFFICIENT_ACCESS ) { rs->sr_err = LDAP_NO_SUCH_OBJECT; - } else -#endif /* SLAP_ACL_HONOR_DISCLOSE */ - { + } else { rs->sr_err = LDAP_NO_SUCH_ATTRIBUTE; rs->sr_text = "modify/increment: entryTtl: no such attribute"; } @@ -678,7 +666,6 @@ dds_op_modify( Operation *op, SlapReply *rs ) } if ( rs->sr_err != LDAP_SUCCESS ) { -#ifdef SLAP_ACL_HONOR_DISCLOSE rc = backend_attribute( op, NULL, &op->o_req_ndn, slap_schema.si_ad_entry, NULL, ACL_DISCLOSE ); if ( rc == LDAP_INSUFFICIENT_ACCESS ) { @@ -686,7 +673,6 @@ dds_op_modify( Operation *op, SlapReply *rs ) rs->sr_err = LDAP_NO_SUCH_OBJECT; } -#endif /* SLAP_ACL_HONOR_DISCLOSE */ goto done; } @@ -761,7 +747,6 @@ done:; rs->sr_err = LDAP_OBJECT_CLASS_VIOLATION; } -#ifdef SLAP_ACL_HONOR_DISCLOSE if ( rc != LDAP_SUCCESS ) { rc = backend_attribute( op, NULL, &op->o_req_ndn, slap_schema.si_ad_entry, NULL, ACL_DISCLOSE ); @@ -770,7 +755,6 @@ done:; rs->sr_err = LDAP_NO_SUCH_OBJECT; } } -#endif /* SLAP_ACL_HONOR_DISCLOSE */ } } 
@@ -850,7 +834,6 @@ dds_op_rename( Operation *op, SlapReply *rs ) slap_schema.si_oc_dynamicObject, NULL, 0, &e ); if ( rc == LDAP_SUCCESS && e != NULL ) { if ( !is_dynamicObject ) { -#ifdef SLAP_ACL_HONOR_DISCLOSE /* return referral only if "disclose" * is granted on the object */ if ( ! access_allowed( op, e, @@ -860,9 +843,7 @@ dds_op_rename( Operation *op, SlapReply *rs ) rs->sr_err = LDAP_NO_SUCH_OBJECT; send_ldap_result( op, rs ); - } else -#endif /* SLAP_ACL_HONOR_DISCLOSE */ - { + } else { send_ldap_error( op, rs, LDAP_CONSTRAINT_VIOLATION, "static entry cannot have dynamicObject as newSuperior" ); } @@ -1072,7 +1053,6 @@ dds_op_extended( Operation *op, SlapReply *rs ) rs->sr_err = be_entry_get_rw( op, &op->o_req_ndn, NULL, NULL, 0, &e ); if ( rs->sr_err == LDAP_SUCCESS && e != NULL ) { -#ifdef SLAP_ACL_HONOR_DISCLOSE /* return referral only if "disclose" * is granted on the object */ if ( ! access_allowed( op, e, @@ -1081,9 +1061,7 @@ dds_op_extended( Operation *op, SlapReply *rs ) { rs->sr_err = LDAP_NO_SUCH_OBJECT; - } else -#endif /* SLAP_ACL_HONOR_DISCLOSE */ - { + } else { rs->sr_err = LDAP_OBJECT_CLASS_VIOLATION; rs->sr_text = "refresh operation only applies to dynamic objects"; } diff --git a/servers/slapd/proto-slap.h b/servers/slapd/proto-slap.h index 2ce5974c9a..797b57e215 100644 --- a/servers/slapd/proto-slap.h +++ b/servers/slapd/proto-slap.h @@ -50,7 +50,6 @@ LDAP_SLAPD_F (int) access_allowed_mask LDAP_P(( AccessControlState *state, slap_mask_t *mask )); #define access_allowed(op,e,desc,val,access,state) access_allowed_mask(op,e,desc,val,access,state,NULL) -#ifdef SLAP_OVERLAY_ACCESS LDAP_SLAPD_F (int) slap_access_allowed LDAP_P(( Operation *op, Entry *e, @@ -67,7 +66,6 @@ LDAP_SLAPD_F (int) slap_access_always_allowed LDAP_P(( slap_access_t access, AccessControlState *state, slap_mask_t *maskp )); -#endif /* SLAP_OVERLAY_ACCESS */ LDAP_SLAPD_F (int) acl_check_modlist LDAP_P(( Operation *op, Entry *e, Modifications *ml )); 
@@ -1440,7 +1438,6 @@ LDAP_SLAPD_F (int) slap_sasl_rewrite_config LDAP_P(( int argc, char **argv )); #endif /* SLAP_AUTH_REWRITE */ -#ifdef SLAP_AUTHZ_SYNTAX LDAP_SLAPD_F (int) authzValidate LDAP_P(( Syntax *syn, struct berval *in )); #if 0 @@ -1464,7 +1461,6 @@ LDAP_SLAPD_F (int) authzNormalize LDAP_P(( struct berval *val, struct berval *normalized, void *ctx )); -#endif /* SLAP_AUTHZ_SYNTAX */ /* * schema.c diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c index c309d110fb..9b8a07f825 100644 --- a/servers/slapd/saslauthz.c +++ b/servers/slapd/saslauthz.c @@ -202,7 +202,6 @@ int slap_parse_user( struct berval *id, struct berval *user, return LDAP_SUCCESS; } -#ifdef SLAP_AUTHZ_SYNTAX int authzValidate( Syntax *syntax, @@ -919,7 +918,6 @@ authzPretty( return rc; } -#endif /* SLAP_AUTHZ_SYNTAX */ static int slap_parseURI( @@ -936,9 +934,7 @@ slap_parseURI( int rc; LDAPURLDesc *ludp; -#ifdef SLAP_ORDERED_PRETTYNORM struct berval idx; -#endif /* SLAP_ORDERED_PRETTYNORM */ assert( uri != NULL && !BER_BVISNULL( uri ) ); BER_BVZERO( base ); @@ -952,7 +948,6 @@ slap_parseURI( rc = LDAP_PROTOCOL_ERROR; -#ifdef SLAP_ORDERED_PRETTYNORM idx = *uri; if ( idx.bv_val[ 0 ] == '{' ) { char *ptr; @@ -965,7 +960,6 @@ slap_parseURI( idx.bv_val = ptr; uri = &idx; } -#endif /* SLAP_ORDERED_PRETTYNORM */ /* * dn[.]: @@ -1677,13 +1671,7 @@ slap_sasl_match( Operation *opx, struct berval *rule, /* NOTE: don't normalize rule if authz syntax is enabled */ rc = slap_parseURI( opx, rule, &base, &op.o_req_ndn, - &op.ors_scope, &op.ors_filter, &op.ors_filterstr, -#ifdef SLAP_AUTHZ_SYNTAX - 0 -#else /* ! SLAP_AUTHZ_SYNTAX */ - 1 -#endif /* ! SLAP_AUTHZ_SYNTAX */ - ); + &op.ors_scope, &op.ors_filter, &op.ors_filterstr, 0 ); if( rc != LDAP_SUCCESS ) goto CONCLUDED; diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c index 854a49b5c1..39952664db 100644 --- a/servers/slapd/schema_init.c +++ b/servers/slapd/schema_init.c 
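Review bot: In the slap_sasl_match hunk the comment `/* NOTE: don't normalize rule if authz syntax is enabled */` is stale, because the syntax is now always compiled in and the final argument of slap_parseURI() is a bare `0`. The comment should state the assumption the code now relies on, for example `/* NOTE: rule is not normalized here; it is expected to have been normalized already by the authz syntax */`, if that is indeed the intent. These rules decide proxy authorization, so it is worth confirming that every caller hands slap_sasl_match a rule that went through authzNormalize. A rule arriving by another path would now be parsed unnormalized in all builds. The function body continues outside the hunk.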
@@ -67,10 +67,8 @@ #define csnIndexer generalizedTimeIndexer #define csnFilter generalizedTimeFilter -#ifdef SLAP_AUTHZ_SYNTAX /* FIXME: temporary */ #define authzMatch octetStringMatch -#endif /* SLAP_AUTHZ_SYNTAX */ unsigned int index_substr_if_minlen = SLAP_INDEX_SUBSTR_IF_MINLEN_DEFAULT; unsigned int index_substr_if_maxlen = SLAP_INDEX_SUBSTR_IF_MAXLEN_DEFAULT; @@ -4180,11 +4178,9 @@ static slap_syntax_defs_rec syntax_defs[] = { {"( 1.3.6.1.4.1.4203.1.1.1 DESC 'OpenLDAP void' )" , SLAP_SYNTAX_HIDE, inValidate, NULL}, -#ifdef SLAP_AUTHZ_SYNTAX /* FIXME: OID is unused, but not registered yet */ {"( 1.3.6.1.4.1.4203.666.2.7 DESC 'OpenLDAP authz' )", SLAP_SYNTAX_HIDE, authzValidate, authzPretty}, -#endif /* SLAP_AUTHZ_SYNTAX */ {NULL, 0, NULL, NULL} }; @@ -4618,7 +4614,6 @@ static slap_mrule_defs_rec mrule_defs[] = { NULL, NULL, "CSNMatch" }, -#ifdef SLAP_AUTHZ_SYNTAX /* FIXME: OID is unused, but not registered yet */ {"( 1.3.6.1.4.1.4203.666.4.12 NAME 'authzMatch' " "SYNTAX 1.3.6.1.4.1.4203.666.2.7 )", @@ -4626,7 +4621,6 @@ static slap_mrule_defs_rec mrule_defs[] = { NULL, authzNormalize, authzMatch, NULL, NULL, NULL}, -#endif /* SLAP_AUTHZ_SYNTAX */ {NULL, SLAP_MR_NONE, NULL, NULL, NULL, NULL, NULL, NULL, diff --git a/servers/slapd/schema_prep.c b/servers/slapd/schema_prep.c index 92d7feae6b..881ca16251 100644 --- a/servers/slapd/schema_prep.c +++ b/servers/slapd/schema_prep.c @@ -855,16 +855,9 @@ static struct slap_schema_ad_map { { "authzTo", "( 1.3.6.1.4.1.4203.666.1.8 " "NAME ( 'authzTo' 'saslAuthzTo' ) " "DESC 'proxy authorization targets' " -#ifdef SLAP_AUTHZ_SYNTAX "EQUALITY authzMatch " "SYNTAX 1.3.6.1.4.1.4203.666.2.7 " -#else /* ! SLAP_AUTHZ_SYNTAX */ - "EQUALITY caseExactMatch " - "SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 " -#endif /* ! SLAP_AUTHZ_SYNTAX */ -#ifdef SLAP_ORDERED_PRETTYNORM "X-ORDERED 'VALUES' " -#endif /* SLAP_ORDERED_PRETTYNORM */ "USAGE distributedOperation )", NULL, SLAP_AT_HIDE, NULL, NULL, 
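Review bot: `#define authzMatch octetStringMatch` under `/* FIXME: temporary */` is now unconditional in schema_init.c, so every build compares authzTo/authzFrom values with the octet-string matcher. The mrule_defs hunk wires that alias in as the match function next to authzNormalize, and the schema_prep.c hunk makes `EQUALITY authzMatch` the only definition for authzTo. The FIXME should say what the permanent matcher is meant to do and what the alias relies on in the meantime, for example `/* FIXME: temporary; byte-wise compare, correct only for values already normalized by authzNormalize */`. The two `/* FIXME: OID is unused, but not registered yet */` entries under 1.3.6.1.4.1.4203.666 likewise stop being opt-in, which deserves a line in the commit message or next to the definitions.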
@@ -873,16 +866,9 @@ static struct slap_schema_ad_map { { "authzFrom", "( 1.3.6.1.4.1.4203.666.1.9 " "NAME ( 'authzFrom' 'saslAuthzFrom' ) " "DESC 'proxy authorization sources' " -#ifdef SLAP_AUTHZ_SYNTAX "EQUALITY authzMatch " "SYNTAX 1.3.6.1.4.1.4203.666.2.7 " -#else /* ! SLAP_AUTHZ_SYNTAX */ - "EQUALITY caseExactMatch " - "SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 " -#endif /* ! SLAP_AUTHZ_SYNTAX */ -#ifdef SLAP_ORDERED_PRETTYNORM "X-ORDERED 'VALUES' " -#endif /* SLAP_ORDERED_PRETTYNORM */ "USAGE distributedOperation )", NULL, SLAP_AT_HIDE, NULL, NULL, diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h index 0136ab8242..78a5457a4c 100644 --- a/servers/slapd/slap.h +++ b/servers/slapd/slap.h @@ -64,26 +64,19 @@ LDAP_BEGIN_DECL #define SLAP_SEM_LOAD_CONTROL #endif -#define SLAP_ACL_HONOR_DISCLOSE /* partially implemented */ -#define SLAP_ACL_HONOR_MANAGE /* not yet implemented */ -#define SLAP_OVERLAY_ACCESS +#ifdef LDAP_DEVEL +#define LDAP_COLLECTIVE_ATTRIBUTES #define LDAP_COMP_MATCH -#define LDAP_DYNAMIC_OBJECTS #define LDAP_SYNC_TIMESTAMP -#define LDAP_COLLECTIVE_ATTRIBUTES -#define SLAP_CONTROL_X_TREE_DELETE LDAP_CONTROL_X_TREE_DELETE +#endif -#define SLAP_ORDERED_PRETTYNORM -#define SLAP_AUTHZ_SYNTAX +#define LDAP_DYNAMIC_OBJECTS +#define SLAP_CONTROL_X_TREE_DELETE LDAP_CONTROL_X_TREE_DELETE #ifdef ENABLE_REWRITE #define SLAP_AUTH_REWRITE 1 /* use librewrite for sasl-regexp */ #endif -#if defined(LDAP_SLAPI) && !defined(SLAP_OVERLAY_ACCESS) -#define SLAP_OVERLAY_ACCESS -#endif - /* * SLAPD Memory allocation macros * 
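Review bot: The slap.h hunk deletes `SLAP_ACL_HONOR_DISCLOSE /* partially implemented */` and `SLAP_ACL_HONOR_MANAGE /* not yet implemented */` while the code they guarded becomes unconditional, so the only in-tree statement of those features' status disappears. Anyone writing ACLs that depend on "disclose" or "manage" would want that caveat to survive, for example as `/* ACL "disclose" is only partially honored and "manage" is not yet implemented; both are always compiled in */` near this block, if the status still holds. The new `#ifdef LDAP_DEVEL` group also has no comment; the commit message's reason could sit above it as `/* experimental or not yet implemented: development builds only */`.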
@@ -2019,7 +2012,6 @@ typedef int (BI_entry_get_rw) LDAP_P(( struct slap_op *op, struct berval *ndn, typedef int (BI_operational) LDAP_P(( struct slap_op *op, struct slap_rep *rs )); typedef int (BI_has_subordinates) LDAP_P(( struct slap_op *op, Entry *e, int *hasSubs )); -#ifdef SLAP_OVERLAY_ACCESS typedef int (BI_access_allowed) LDAP_P(( struct slap_op *op, Entry *e, AttributeDescription *desc, struct berval *val, slap_access_t access, AccessControlState *state, slap_mask_t *maskp )); @@ -2029,7 +2021,6 @@ typedef int (BI_acl_group) LDAP_P(( struct slap_op *op, Entry *target, typedef int (BI_acl_attribute) LDAP_P(( struct slap_op *op, Entry *target, struct berval *entry_ndn, AttributeDescription *entry_at, BerVarray *vals, slap_access_t access )); -#endif /* SLAP_OVERLAY_ACCESS */ typedef int (BI_conn_func) LDAP_P(( BackendDB *bd, struct slap_conn *c )); typedef BI_conn_func BI_connection_init; @@ -2128,11 +2119,9 @@ struct slap_backend_info { BI_entry_release_rw *bi_entry_release_rw; BI_has_subordinates *bi_has_subordinates; -#ifdef SLAP_OVERLAY_ACCESS BI_access_allowed *bi_access_allowed; BI_acl_group *bi_acl_group; BI_acl_attribute *bi_acl_attribute; -#endif /* SLAP_OVERLAY_ACCESS */ BI_connection_init *bi_connection_init; BI_connection_destroy *bi_connection_destroy; -- 2.39.5