Commit 8f4621a4 authored by Quanah Gibson-Mount's avatar Quanah Gibson-Mount

ITS#5804

parent a2464cc3
......@@ -5,6 +5,7 @@ OpenLDAP 2.4.14 Engineering
Fixed libldap peer cert memory leak (ITS#5849)
Fixed libldap_r deref building (ITS#5768)
Fixed libldap_r slapd lockup when paused during shutdown (ITS#5841)
Added slapd val.regex expansion (ITS#5804)
Fixed slapd syncrepl rename handling (ITS#5809)
Fixed slapd syncrepl MMR when adding new server (ITS#5850)
Fixed slapd-ldif numerous bugs (ITS#5408)
......
......@@ -369,6 +369,10 @@ ranging from 0 to 9 (where 0 matches the entire string),
or the form
.BR ${<digit>+} ,
for submatches higher than 9.
Substring substitution from attribute value can
be done in
using the form
.BR ${v<digit>+} .
Since the dollar character is used to indicate a substring replacement,
the dollar character that is used to indicate match up to the end of
the string must be escaped by a second dollar character, e.g.
......
......@@ -400,11 +400,15 @@ aci_group_member (
if ( grp_oc != NULL && grp_ad != NULL ) {
char buf[ ACI_BUF_SIZE ];
struct berval bv, ndn;
AclRegexMatches amatches = { 0 };
amatches.dn_count = nmatch;
AC_MEMCPY( amatches.dn_data, matches, sizeof( amatches.dn_data ) );
bv.bv_len = sizeof( buf ) - 1;
bv.bv_val = (char *)&buf;
if ( acl_string_expand( &bv, &subjdn,
e->e_ndn, nmatch, matches ) )
&e->e_nname, NULL, &amatches ) )
{
rc = LDAP_OTHER;
goto done;
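Review bot: The added `AC_MEMCPY( amatches.dn_data, matches, sizeof( amatches.dn_data ) );` copies a full MAXREMATCHES-sized array out of `matches` no matter what `nmatch` says, so it reads past the caller's array whenever that array holds fewer than MAXREMATCHES entries; whether every caller of aci_group_member hands in a full-size array is not visible in this hunk. Copying only what the caller counted keeps the read bounded by the data it vouched for: `AC_MEMCPY( amatches.dn_data, matches, nmatch * sizeof( amatches.dn_data[ 0 ] ) );`, with `nmatch` checked against MAXREMATCHES before the copy. The `= { 0 }` initializer already zeroes the struct, so the shorter copy leaves the unused tail of dn_data defined. aci_group_member's signature and the rest of its body lie outside the hunk.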
......
......@@ -528,7 +528,7 @@ parse_acl(
if ( style != NULL ) {
if ( strcasecmp( style, "regex" ) == 0 ) {
int e = regcomp( &a->acl_attrval_re, bv.bv_val,
REG_EXTENDED | REG_ICASE | REG_NOSUB );
REG_EXTENDED | REG_ICASE );
if ( e ) {
char err[SLAP_TEXT_BUFLEN],
buf[ SLAP_TEXT_BUFLEN ];
......@@ -1004,7 +1004,8 @@ parse_acl(
< bdn->a_pat.bv_len;
exp = strchr( exp, '$' ) )
{
if ( isdigit( (unsigned char) exp[ 1 ] ) ) {
if ( ( isdigit( (unsigned char) exp[ 1 ] ) ||
exp[ 1 ] == '{' ) ) {
gotit = 1;
break;
}
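Review bot: Dropping REG_NOSUB from the regcomp call in the hunk at line 528 is what makes value submatches available, but nothing at the call site says so, and every regexec run against `acl_attrval_re` now has to be given a regmatch_t array for the offsets to land anywhere; without a note the flag is an easy thing to re-add as an optimisation. A one-line comment above the call would pin it: `/* no REG_NOSUB: submatches feed ${v<n>} expansion (ITS#5804) */`. The hunk at line 1004 similarly accepts `${` as an expansion marker with no comment tying it to the new `${v<digit>+}` form. Both parse_acl bodies extend beyond their hunks.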
......
......@@ -93,7 +93,7 @@ LDAP_SLAPD_F (int) acl_match_set LDAP_P((
struct berval *default_set_attribute ));
LDAP_SLAPD_F (int) acl_string_expand LDAP_P((
struct berval *newbuf, struct berval *pattern,
char *match, int nmatch, regmatch_t *matches ));
struct berval *dnmatch, struct berval *valmatch, AclRegexMatches *matches ));
/*
* aclparse.c
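Review bot: The new acl_string_expand prototype introduces `dnmatch`, `valmatch` and `matches` without stating which of them may be NULL, while aci_group_member in this same commit already passes NULL for `valmatch`. A short comment above the declaration should spell out the contract, e.g. `/* dnmatch/valmatch: strings the ${n} / ${vn} submatches in *matches refer to; presumably either may be NULL when its *_count is 0 */`, worded from the checks the implementation actually performs, which are not visible here. Documenting that `matches` itself is never NULL (or that it is) belongs in the same comment.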
......
......@@ -1547,6 +1547,13 @@ typedef struct AccessControlState {
#define ACL_STATE_INIT { NULL, NULL, NULL, \
ACL_STATE_NOT_RECORDED, 0, 0, 0 }
typedef struct AclRegexMatches {
int dn_count;
regmatch_t dn_data[MAXREMATCHES];
int val_count;
regmatch_t val_data[MAXREMATCHES];
} AclRegexMatches;
/*
* Backend-info
* represents a backend
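Review bot: AclRegexMatches is declared with no comment on the invariant that `dn_count` and `val_count` must not exceed MAXREMATCHES, which is the bound every consumer of `dn_data` and `val_data` has to trust; aci_group_member in this commit sets dn_count from its `nmatch` parameter while copying a full MAXREMATCHES array into dn_data, so the relationship between count and array contents deserves stating. A comment above the typedef would fix it: `/* Captured submatches for ACL expansion: dn_* back ${n}, val_* back ${vn}; each count is <= MAXREMATCHES and 0 when that side was not matched */`. Callers initialise the struct with `= { 0 }`, so noting that the all-zero struct is the valid empty state is worth a line as well.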
......
# master slapd config -- for testing
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2008 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## <http://www.OpenLDAP.org/license.html>.
include @SCHEMADIR@/core.schema
include @SCHEMADIR@/cosine.schema
include @SCHEMADIR@/inetorgperson.schema
include @SCHEMADIR@/openldap.schema
include @SCHEMADIR@/nis.schema
pidfile @TESTDIR@/slapd.1.pid
argsfile @TESTDIR@/slapd.1.args
# global ACLs
#
# normal installations should protect root dse, cn=monitor, cn=subschema
#
access to dn.exact="" attrs=objectClass
by users read
access to *
by * read
#mod#modulepath ../servers/slapd/back-@BACKEND@/
#mod#moduleload back_@BACKEND@.la
#monitormod#modulepath ../servers/slapd/back-monitor/
#monitormod#moduleload back_monitor.la
#######################################################################
# database definitions
#######################################################################
database @BACKEND@
suffix "dc=example,dc=com"
directory @TESTDIR@/db.1.a
rootdn "cn=Manager,dc=example,dc=com"
rootpw secret
#bdb#index objectClass eq
#bdb#index cn,sn,uid pres,eq,sub
#hdb#index objectClass eq
#hdb#index cn,sn,uid pres,eq,sub
#ndb#dbname db_1
#ndb#include @DATADIR@/ndb.conf
access to attrs=userPassword
by anonymous auth
by * none stop
access to attrs=sn val.regex="^(.*)$"
by dn.exact,expand="cn=${v1},ou=Alumni Association,ou=People,dc=example,dc=com" write
by * read stop
access to attrs=sn val.regex="."
by * read stop
access to attrs=sn
by dn.exact="cn=James A Jones 1,ou=Alumni Association,ou=People,dc=example,dc=com" write
by * read stop
# fall into global ACLs
#monitor#database monitor
......@@ -131,6 +131,7 @@ DDSCONF=$DATADIR/slapd-dds.conf
PASSWDCONF=$DATADIR/slapd-passwd.conf
UNDOCONF=$DATADIR/slapd-config-undo.conf
NAKEDCONF=$DATADIR/slapd-config-naked.conf
VALREGEXCONF=$DATADIR/slapd-valregex.conf
DYNAMICCONF=$DATADIR/slapd-dynamic.ldif
......
#! /bin/sh
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2008 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## <http://www.OpenLDAP.org/license.html>.
case "$BACKEND" in
bdb|hdb)
;;
*)
echo "Test does not support $BACKEND backend"
exit 0
esac
echo "running defines.sh"
. $SRCDIR/scripts/defines.sh
LVL=acl
mkdir -p $TESTDIR $DBDIR1
echo "Running slapadd to build slapd database..."
. $CONFFILTER $BACKEND $MONITORDB < $VALREGEXCONF > $CONF1
$SLAPADD -f $CONF1 -l $LDIFORDERED
RC=$?
if test $RC != 0 ; then
echo "slapadd failed ($RC)!"
exit $RC
fi
echo "Starting slapd on TCP/IP port $PORT1..."
$SLAPD -f $CONF1 -h $URI1 -d $LVL $TIMING > $LOG1 2>&1 &
PID=$!
if test $WAIT != 0 ; then
echo PID $PID
read foo
fi
KILLPIDS="$PID"
sleep 1
echo "Testing attribute value regex subsitution..."
for i in 0 1 2 3 4 5; do
$LDAPSEARCH -s base -b "$MONITOR" -h $LOCALHOST -p $PORT1 \
'objectclass=*' > /dev/null 2>&1
RC=$?
if test $RC = 0 ; then
break
fi
echo "Waiting 5 seconds for slapd to start..."
sleep 5
done
if test $RC != 0 ; then
echo "ldapsearch failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
cat /dev/null > $SEARCHOUT
echo "# Try an attribute vale regex that match, but substitute does not"
echo "# this should fail"
$LDAPMODIFY -D "$JAJDN" -h $LOCALHOST -p $PORT1 -w jaj >> \
$TESTOUT 2>&1 << EOMODS
dn: cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com
changetype: modify
replace: sn
sn: foobarbuz
EOMODS
RC=$?
case $RC in
50)
echo "ldapmodify failed as expected"
;;
0)
echo "ldapmodify should have failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit -1
;;
*)
echo "ldapmodify failed ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
;;
esac
echo "# Try an attribute vale regex that match and substitute does"
echo "# this should succeed"
$LDAPMODIFY -D "$JAJDN" -h $LOCALHOST -p $PORT1 -w jaj >> \
$TESTOUT 2>&1 << EOMODS
dn: cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com
changetype: modify
replace: sn
sn: James A Jones 1
EOMODS
RC=$?
test $KILLSERVERS != no && kill -HUP $KILLPIDS
case $RC in
0)
echo "ldapmodify succeed as expected"
;;
*)
echo "ldapmodify failed ($RC)!"
exit $RC
;;
esac
echo ">>>>> Test succeeded"
test $KILLSERVERS != no && wait
exit 0
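Review bot: `exit -1` in the "should have failed" branch is not a valid POSIX exit status; some /bin/sh implementations reject the negative argument and the script then ends with a shell error instead of the intended failure code, so `exit 1` is the portable form. The echoed messages also carry typos that end up in the test log: "subsitution" and "vale" (twice). The expected-failure case matches return code 50 only, which is LDAP insufficientAccessRights as ldapmodify reports it; a comment on that case, `# 50 = insufficientAccessRights`, would make the intent obvious to the next reader.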