2 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
4 * Copyright 2004-2018 The OpenLDAP Foundation.
5 * Portions Copyright 2004 Pierangelo Masarati.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted only as authorized by the OpenLDAP
12 * A copy of this license is available in file LICENSE in the
13 * top-level directory of the distribution or, alternatively, at
14 * <http://www.OpenLDAP.org/license.html>.
17 * This work was initially developed by Pierangelo Masarati for inclusion
18 * in OpenLDAP Software.
25 #include <ac/stdlib.h>
28 #include <ac/string.h>
29 #include <ac/socket.h>
30 #include <ac/unistd.h>
36 #include "slapcommon.h"
42 AttributeDescription *desc,
48 char accessmaskbuf[ACCESSMASK_MAXLEN];
50 rc = access_allowed_mask( op, e, desc, nval, ACL_AUTH, NULL, &mask );
52 fprintf( stderr, "%s%s%s: %s\n",
53 desc->ad_cname.bv_val,
54 ( val && !BER_BVISNULL( val ) ) ? "=" : "",
55 ( val && !BER_BVISNULL( val ) ) ?
56 ( desc == slap_schema.si_ad_userPassword ?
57 "****" : val->bv_val ) : "",
58 accessmask2str( mask, accessmaskbuf, 1 ) );
64 slapacl( int argc, char **argv )
66 int rc = EXIT_SUCCESS;
67 const char *progname = "slapacl";
68 Connection conn = { 0 };
70 OperationBuffer opbuf;
72 Entry e = { 0 }, *ep = &e;
78 slap_tool_init( progname, SLAPACL, argc, argv );
83 LDAP_STAILQ_FOREACH( bd, &backendDB, be_next ) {
84 if ( bd != be && backend_startup( bd ) ) {
85 fprintf( stderr, "backend_startup(#%d%s%s) failed\n",
87 bd->be_suffix ? ": " : "",
88 bd->be_suffix ? bd->be_suffix[0].bv_val : "" );
97 argv = &argv[ optind ];
100 thrctx = ldap_pvt_thread_pool_context();
101 connection_fake_init( &conn, &opbuf, thrctx );
103 op->o_tmpmemctx = NULL;
105 conn.c_listener = &listener;
106 conn.c_listener_url = listener_url;
107 conn.c_peer_domain = peer_domain;
108 conn.c_peer_name = peer_name;
109 conn.c_sock_name = sock_name;
111 op->o_transport_ssf = transport_ssf;
112 op->o_tls_ssf = tls_ssf;
113 op->o_sasl_ssf = sasl_ssf;
115 if ( !BER_BVISNULL( &authcID ) ) {
116 if ( !BER_BVISNULL( &authcDN ) ) {
117 fprintf( stderr, "both authcID=\"%s\" "
118 "and authcDN=\"%s\" provided\n",
119 authcID.bv_val, authcDN.bv_val );
124 rc = slap_sasl_getdn( &conn, op, &authcID, NULL,
125 &authcDN, SLAP_GETDN_AUTHCID );
126 if ( rc != LDAP_SUCCESS ) {
127 fprintf( stderr, "authcID: <%s> check failed %d (%s)\n",
129 ldap_err2string( rc ) );
134 } else if ( !BER_BVISNULL( &authcDN ) ) {
137 rc = dnNormalize( 0, NULL, NULL, &authcDN, &ndn, NULL );
138 if ( rc != LDAP_SUCCESS ) {
139 fprintf( stderr, "autchDN=\"%s\" normalization failed %d (%s)\n",
141 ldap_err2string( rc ) );
145 ch_free( authcDN.bv_val );
149 if ( !BER_BVISNULL( &authzID ) ) {
150 if ( !BER_BVISNULL( &authzDN ) ) {
151 fprintf( stderr, "both authzID=\"%s\" "
152 "and authzDN=\"%s\" provided\n",
153 authzID.bv_val, authzDN.bv_val );
158 rc = slap_sasl_getdn( &conn, op, &authzID, NULL,
159 &authzDN, SLAP_GETDN_AUTHZID );
160 if ( rc != LDAP_SUCCESS ) {
161 fprintf( stderr, "authzID: <%s> check failed %d (%s)\n",
163 ldap_err2string( rc ) );
168 } else if ( !BER_BVISNULL( &authzDN ) ) {
171 rc = dnNormalize( 0, NULL, NULL, &authzDN, &ndn, NULL );
172 if ( rc != LDAP_SUCCESS ) {
173 fprintf( stderr, "autchDN=\"%s\" normalization failed %d (%s)\n",
175 ldap_err2string( rc ) );
179 ch_free( authzDN.bv_val );
184 if ( !BER_BVISNULL( &authcDN ) ) {
185 fprintf( stderr, "authcDN: \"%s\"\n", authcDN.bv_val );
188 if ( !BER_BVISNULL( &authzDN ) ) {
189 fprintf( stderr, "authzDN: \"%s\"\n", authzDN.bv_val );
192 if ( !BER_BVISNULL( &authzDN ) ) {
196 if ( !BER_BVISNULL( &authcDN ) ) {
197 op->o_conn->c_dn = authcDN;
198 op->o_conn->c_ndn = authcDN;
201 op->o_conn->c_dn = authzDN;
202 op->o_conn->c_ndn = authzDN;
205 } else if ( !BER_BVISNULL( &authcDN ) ) {
206 op->o_conn->c_dn = authcDN;
207 op->o_conn->c_ndn = authcDN;
212 assert( !BER_BVISNULL( &baseDN ) );
213 rc = dnPrettyNormal( NULL, &baseDN, &e.e_name, &e.e_nname, NULL );
214 if ( rc != LDAP_SUCCESS ) {
215 fprintf( stderr, "base=\"%s\" normalization failed %d (%s)\n",
217 ldap_err2string( rc ) );
223 if ( op->o_bd == NULL ) {
224 /* NOTE: if no database could be found (e.g. because
225 * accessing the rootDSE or so), use the frontendDB
226 * rules; might need work */
227 op->o_bd = frontendDB;
234 fprintf( stderr, "%s: no target database "
235 "has been found for baseDN=\"%s\"; "
236 "you may try with \"-u\" (dry run).\n",
237 baseDN.bv_val, progname );
242 if ( !be->be_entry_open ||
243 !be->be_entry_close ||
247 fprintf( stderr, "%s: target database "
248 "doesn't support necessary operations; "
249 "you may try with \"-u\" (dry run).\n",
255 if ( be->be_entry_open( be, 0 ) != 0 ) {
256 fprintf( stderr, "%s: could not open database.\n",
264 id = be->be_dn2id_get( be, &e.e_nname );
266 fprintf( stderr, "%s: unable to fetch ID of DN \"%s\"\n",
267 progname, e.e_nname.bv_val );
271 ep = be->be_entry_get( be, id );
273 fprintf( stderr, "%s: unable to fetch entry \"%s\" (%lu)\n",
274 progname, e.e_nname.bv_val, id );
283 (void)print_access( op, ep, slap_schema.si_ad_entry, NULL, NULL );
284 (void)print_access( op, ep, slap_schema.si_ad_children, NULL, NULL );
286 for ( a = ep->e_attrs; a; a = a->a_next ) {
289 for ( i = 0; !BER_BVISNULL( &a->a_nvals[ i ] ); i++ ) {
290 (void)print_access( op, ep, a->a_desc,
298 for ( ; argc--; argv++ ) {
300 AttributeDescription *desc = NULL;
301 struct berval val = BER_BVNULL,
304 char accessmaskbuf[ACCESSMASK_MAXLEN];
306 slap_access_t access = ACL_AUTH;
308 if ( attr == NULL ) {
312 val.bv_val = strchr( attr, ':' );
313 if ( val.bv_val != NULL ) {
314 val.bv_val[0] = '\0';
316 val.bv_len = strlen( val.bv_val );
320 accessstr = strchr( attr, '/' );
321 if ( accessstr != NULL ) {
326 access = str2access( accessstr );
328 case ACL_INVALID_ACCESS:
329 fprintf( stderr, "unknown access \"%s\" for attribute \"%s\"\n",
335 fprintf( stderr, "\"none\" not allowed for attribute \"%s\"\n",
345 if ( continuemode ) {
352 rc = slap_str2ad( attr, &desc, &text );
353 if ( rc != LDAP_SUCCESS ) {
354 fprintf( stderr, "slap_str2ad(%s) failed %d (%s)\n",
355 attr, rc, ldap_err2string( rc ) );
356 if ( continuemode ) {
362 rc = access_allowed_mask( op, ep, desc, valp, access,
366 fprintf( stderr, "%s access to %s%s%s: %s\n",
368 desc->ad_cname.bv_val,
369 val.bv_val ? "=" : "",
370 val.bv_val ? val.bv_val : "",
371 rc ? "ALLOWED" : "DENIED" );
374 fprintf( stderr, "%s%s%s: %s\n",
375 desc->ad_cname.bv_val,
376 val.bv_val ? "=" : "",
377 val.bv_val ? val.bv_val : "",
378 accessmask2str( mask, accessmaskbuf, 1 ) );
385 if ( !BER_BVISNULL( &e.e_name ) ) {
386 ber_memfree( e.e_name.bv_val );
388 if ( !BER_BVISNULL( &e.e_nname ) ) {
389 ber_memfree( e.e_nname.bv_val );
391 if ( !dryrun && be ) {
392 if ( ep && ep != &e ) {
393 be_entry_release_r( op, ep );
396 be->be_entry_close( be );
399 LDAP_STAILQ_FOREACH( bd, &backendDB, be_next ) {
401 backend_shutdown( bd );
406 if ( slap_tool_destroy())
projects / openldap / blob