acl_mask_dn(
Operation *op,
Entry *e,
+ AttributeDescription *desc,
+ struct berval *val,
AccessControl *a,
int nmatch,
regmatch_t *matches,
return 1;
}
+ if ( b->a_self ) {
+ const char *dummy;
+ int rc, match = 0;
+
+ /* must have DN syntax */
+ if ( desc->ad_type->sat_syntax != slap_schema.si_syn_distinguishedName ) return 1;
+
+ /* check if the target is an attribute. */
+ if ( val == NULL ) return 1;
+
+ /* target is attribute, check if the attribute value
+ * is the op dn.
+ */
+ rc = value_match( &match, desc,
+ desc->ad_type->sat_equality, 0,
+ val, opndn, &dummy );
+ /* on match error or no match, fail the ACL clause */
+ if ( rc != LDAP_SUCCESS || match != 0 )
+ return 1;
+ }
+
} else if ( b->a_style == ACL_STYLE_SELF ) {
struct berval ndn, selfndn;
int level;
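Review bot: The equality rule passed to `value_match` in the added `a_self` block is read from `desc->ad_type->sat_equality` without a check, and the DN-syntax test above it does not show that the attribute type defines an EQUALITY rule. Whether `value_match` tolerates a NULL rule is not visible here, so a guard before the call would keep the clause fail-closed: `if ( desc->ad_type->sat_equality == NULL ) return 1;`. The comment `/* check if the target is an attribute. */` describes the opposite of what `val == NULL` tests; something like `/* no attribute value to compare with the operation DN: clause does not match */` would be more accurate. `acl_mask_dn` starts and ends outside this hunk.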
* is maintaned in a_dn_pat.
*/
- if ( acl_mask_dn( op, e, a, nmatch, matches,
+ if ( acl_mask_dn( op, e, desc, val, a, nmatch, matches,
&b->a_dn, &op->o_ndn ) )
{
continue;
ndn = op->o_ndn;
}
- if ( acl_mask_dn( op, e, a, nmatch, matches,
+ if ( acl_mask_dn( op, e, desc, val, a, nmatch, matches,
&b->a_realdn, &ndn ) )
{
continue;
if ( ri && ri->ri_attrs ) {
int is_in = ad_inlist( ml->sml_desc, ri->ri_attrs );
+ /* skip if:
+ * 1) the attribute is not in the list,
+ * and it's not an exclusion list
+ * 2) the attribute is in the list
+ * and it's an exclusion list,
+ * and either the objectClass attribute
+ * has already been dealt with or
+ * this is not the objectClass attr
+ */
if ( ( !is_in && !ri->ri_exclude )
- || ( is_in && ri->ri_exclude ) )
+ || ( ( is_in && ri->ri_exclude )
+ && ( !ocs || a->a_desc != slap_schema.si_ad_objectClass ) ) )
{
continue;
}
+
/* If this is objectClass, see if the value is included
* in any subset, otherwise drop it.
*/
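Review bot: The new skip condition tests `a->a_desc`, but every other reference in this hunk is to the modification `ml` (`ad_inlist( ml->sml_desc, ri->ri_attrs )`), so `a` looks like a leftover from the add path, where the loop variable really is `a`. If `a` does not point at the attribute being modified, the filter that decides which attributes are written to `fp` is evaluated against the wrong attribute or a stale pointer. The line should probably read `&& ( !ocs || ml->sml_desc != slap_schema.si_ad_objectClass ) ) )`. The same applies to `vals[0] = a->a_nvals[i];` in the later hunk that compares `ml->sml_values[i]` and prints with `&ml->sml_desc->ad_cname`, where the value should presumably come from `ml` as well. The declarations of `a` and `ml` are outside the visible lines, so confirm this against the full function.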
int match = 0;
for ( an = ri->ri_attrs; an->an_name.bv_val; an++ ) {
if ( an->an_oc ) {
+ struct berval bv = an->an_name;
+
ocs = 1;
match |= an->an_oc_exclude;
- if ( ml->sml_values[i].bv_len == an->an_name.bv_len
+
+ switch ( bv.bv_val[ 0 ] ) {
+ case '@':
+ case '+':
+ case '!':
+ bv.bv_val++;
+ bv.bv_len--;
+ break;
+ }
+
+ if ( ml->sml_values[i].bv_len == bv.bv_len
&& !strcasecmp(ml->sml_values[i].bv_val,
- an->an_name.bv_val ) ) {
+ bv.bv_val ) )
+ {
match = !an->an_oc_exclude;
break;
}
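Review bot: The `switch` that strips a leading `@`, `+` or `!` from the list entry has no comment saying why the first byte is dropped, and the identical block is repeated in the add-path hunk that compares `a->a_vals[i]`. A one-line comment such as `/* compare the bare class name: drop the list-entry prefix character */` would make the intent clear, and a `default: break;` arm would make the no-prefix case explicit. Because the two copies must stay in step for the filter to behave the same on add and modify, a small static helper returning the stripped `struct berval` would be a safer home for this logic. The comparison also relies on `bv.bv_val` being NUL-terminated, since `strcasecmp` is used after the length check; that holds only if `an->an_name` is, which is not shown here.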
fprintf( fp, "%s: %s\n", did, type );
first = 0;
}
- vals[0] = an->an_name;
+ vals[0] = a->a_nvals[i];
print_vals( fp, &ml->sml_desc->ad_cname, vals );
ocs = 2;
}
for ( a = op->ora_e->e_attrs ; a != NULL; a=a->a_next ) {
if ( ri && ri->ri_attrs ) {
int is_in = ad_inlist( a->a_desc, ri->ri_attrs );
- if ( ( !is_in && !ri->ri_exclude ) || ( is_in && ri->ri_exclude ) ) {
+
+ /* skip if:
+ * 1) the attribute is not in the list,
+ * and it's not an exclusion list
+ * 2) the attribute is in the list
+ * and it's an exclusion list,
+ * and either the objectClass attribute
+ * has already been dealt with or
+ * this is not the objectClass attr
+ */
+ if ( ( !is_in && !ri->ri_exclude )
+ || ( ( is_in && ri->ri_exclude )
+ && ( !ocs || a->a_desc != slap_schema.si_ad_objectClass ) ) )
+ {
continue;
}
int match = 0;
for ( an = ri->ri_attrs; an->an_name.bv_val; an++ ) {
if ( an->an_oc ) {
+ struct berval bv = an->an_name;
+
ocs = 1;
match |= an->an_oc_exclude;
- if ( a->a_vals[i].bv_len == an->an_name.bv_len
+
+ switch ( bv.bv_val[ 0 ] ) {
+ case '@':
+ case '+':
+ case '!':
+ bv.bv_val++;
+ bv.bv_len--;
+ break;
+ }
+
+ if ( a->a_vals[i].bv_len == bv.bv_len
&& !strcasecmp(a->a_vals[i].bv_val,
- an->an_name.bv_val ) ) {
+ bv.bv_val ) )
+ {
match = !an->an_oc_exclude;
break;
}
fprintf( fp, "changetype: add\n" );
dohdr = 0;
}
- vals[0] = an->an_name;
+ vals[0] = a->a_nvals[i];
print_vals( fp, &a->a_desc->ad_cname, vals );
}
}