diff --git a/servers/slapd/acl.c b/servers/slapd/acl.c index 1c001f529eaeb8ddd19f47733568c6d77d51bc1e..0150d1c7e9ad67b1b8f4e691054fddf22c0d1341 100644 --- a/servers/slapd/acl.c +++ b/servers/slapd/acl.c @@ -253,7 +253,7 @@ access_allowed_mask( "<= root access granted\n", 0, 0, 0 ); if ( maskp ) { - mask = ACL_LVL_WRITE; + mask = ACL_LVL_MANAGE; } goto done; @@ -1741,7 +1741,9 @@ acl_check_modlist( Debug( LDAP_DEBUG_ACL, "=> access_allowed: backend default %s access %s to \"%s\"\n", access2str( ACL_WRITE ), - op->o_bd->be_dfltaccess >= ACL_WRITE ? "granted" : "denied", op->o_dn.bv_val ); + op->o_bd->be_dfltaccess >= ACL_WRITE + ? "granted" : "denied", + op->o_dn.bv_val ); ret = (op->o_bd->be_dfltaccess >= ACL_WRITE); goto done; } diff --git a/servers/slapd/aclparse.c b/servers/slapd/aclparse.c index 1809c9e9a8039aec1a74a37b9a4f8ff2a5d0288c..05b52d25f67cdb3c83cf3ad6b1f886613ffde135 100644 --- a/servers/slapd/aclparse.c +++ b/servers/slapd/aclparse.c @@ -62,10 +62,7 @@ static void print_acl(Backend *be, AccessControl *a); static void print_access(Access *b); #endif -#ifdef LDAP_DEVEL -static int -check_scope( BackendDB *be, AccessControl *a ); -#endif /* LDAP_DEVEL */ +static int check_scope( BackendDB *be, AccessControl *a ); #ifdef SLAP_DYNACL static int @@ -160,7 +157,6 @@ regtest(const char *fname, int lineno, char *pat) { regfree(&re); } -#ifdef LDAP_DEVEL /* * Experimental * @@ -295,7 +291,6 @@ regex_done:; return ACL_SCOPE_UNKNOWN; } -#endif /* LDAP_DEVEL */ void parse_acl( @@ -303,8 +298,7 @@ parse_acl( const char *fname, int lineno, int argc, - char **argv -) + char **argv ) { int i; char *left, *right, *style, *next; @@ -1653,7 +1647,6 @@ parse_acl( } if ( be != NULL ) { -#ifdef LDAP_DEVEL if ( !BER_BVISNULL( &be->be_nsuffix[ 1 ] ) ) { fprintf( stderr, "%s: line %d: warning: " "scope checking only applies to single-valued " @@ -1693,7 +1686,6 @@ parse_acl( default: break; } -#endif /* LDAP_DEVEL */ acl_append( &be->be_acl, a ); } else { 
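Review bot: In the access_allowed_mask hunk, `mask = ACL_LVL_MANAGE;` hard-codes the rootdn's privilege set to the current top of the level lattice, so a level added above manage in the future would silently not be granted to root unless this line is revisited. A comment there should make that coupling explicit, e.g. `/* rootdn holds the highest defined level; update if a level above ACL_LVL_MANAGE is added */`. The enclosing function starts before the hunk. Separately, check_scope and the scope warnings in the -1653 hunk are now compiled in every build rather than only under LDAP_DEVEL; that appears intended, but the "Experimental" comment left above the function now reads as stale.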
@@ -1720,6 +1712,9 @@ accessmask2str( slap_mask_t mask, char *buf ) if ( ACL_LVL_IS_NONE(mask) ) { ptr = lutil_strcopy( ptr, "none" ); + } else if ( ACL_LVL_IS_DISCLOSE(mask) ) { + ptr = lutil_strcopy( ptr, "disclose" ); + } else if ( ACL_LVL_IS_AUTH(mask) ) { ptr = lutil_strcopy( ptr, "auth" ); @@ -1734,6 +1729,10 @@ accessmask2str( slap_mask_t mask, char *buf ) } else if ( ACL_LVL_IS_WRITE(mask) ) { ptr = lutil_strcopy( ptr, "write" ); + + } else if ( ACL_LVL_IS_MANAGE(mask) ) { + ptr = lutil_strcopy( ptr, "manage" ); + } else { ptr = lutil_strcopy( ptr, "unknown" ); } @@ -1751,6 +1750,11 @@ accessmask2str( slap_mask_t mask, char *buf ) *ptr++ = '='; } + if ( ACL_PRIV_ISSET(mask, ACL_PRIV_MANAGE) ) { + none = 0; + *ptr++ = 'm'; + } + if ( ACL_PRIV_ISSET(mask, ACL_PRIV_WRITE) ) { none = 0; *ptr++ = 'w'; @@ -1776,6 +1780,11 @@ accessmask2str( slap_mask_t mask, char *buf ) *ptr++ = 'x'; } + if ( ACL_PRIV_ISSET(mask, ACL_PRIV_DISCLOSE) ) { + none = 0; + *ptr++ = 'd'; + } + if ( none && ACL_PRIV_ISSET(mask, ACL_PRIV_NONE) ) { none = 0; *ptr++ = 'n'; @@ -1817,7 +1826,10 @@ str2accessmask( const char *str ) } for( i=1; str[i] != '\0'; i++ ) { - if( TOLOWER((unsigned char) str[i]) == 'w' ) { + if( TOLOWER((unsigned char) str[i]) == 'm' ) { + ACL_PRIV_SET(mask, ACL_PRIV_MANAGE); + + } else if( TOLOWER((unsigned char) str[i]) == 'w' ) { ACL_PRIV_SET(mask, ACL_PRIV_WRITE); } else if( TOLOWER((unsigned char) str[i]) == 'r' ) { @@ -1832,6 +1844,9 @@ str2accessmask( const char *str ) } else if( TOLOWER((unsigned char) str[i]) == 'x' ) { ACL_PRIV_SET(mask, ACL_PRIV_AUTH); + } else if( TOLOWER((unsigned char) str[i]) == 'd' ) { + ACL_PRIV_SET(mask, ACL_PRIV_DISCLOSE); + } else if( str[i] != '0' ) { ACL_INVALIDATE(mask); return mask; 
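Review bot: accessmask2str now emits up to two additional characters (`m` and `d`) into buf, but none of these hunks shows the constant callers use to size that buffer; if it was not enlarged in the same change, the longest rendering of a full mask overruns the caller's buffer by up to two bytes. Confirm the buffer limit covers the new maximum (level name plus the longest privilege string) before merging. In the -1817 hunk str2accessmask accepts the new letters, and a comment should document the full alphabet so the two functions stay in sync, e.g. `/* privilege letters: m w r s c x d; '0' is an accepted no-op */`. The enclosing functions start outside these hunks.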
@@ -1844,6 +1859,9 @@ str2accessmask( const char *str ) if ( strcasecmp( str, "none" ) == 0 ) { ACL_LVL_ASSIGN_NONE(mask); + } else if ( strcasecmp( str, "disclose" ) == 0 ) { + ACL_LVL_ASSIGN_DISCLOSE(mask); + } else if ( strcasecmp( str, "auth" ) == 0 ) { ACL_LVL_ASSIGN_AUTH(mask); @@ -1859,6 +1877,9 @@ str2accessmask( const char *str ) } else if ( strcasecmp( str, "write" ) == 0 ) { ACL_LVL_ASSIGN_WRITE(mask); + } else if ( strcasecmp( str, "manage" ) == 0 ) { + ACL_LVL_ASSIGN_MANAGE(mask); + } else { ACL_INVALIDATE( mask ); } @@ -1890,8 +1911,8 @@ acl_usage( void ) "<peernamestyle> ::= exact | regex | ip | path\n" "<domainstyle> ::= exact | regex | base(Object) | sub(tree)\n" "<access> ::= [self]{<level>|<priv>}\n" - "<level> ::= none | auth | compare | search | read | write\n" - "<priv> ::= {=|+|-}{w|r|s|c|x|0}+\n" + "<level> ::= none|disclose|auth|compare|search|read|write|manage\n" + "<priv> ::= {=|+|-}{0|d|x|c|s|r|w|m}+\n" "<control> ::= [ stop | continue | break ]\n" ); exit( EXIT_FAILURE ); @@ -2053,6 +2074,9 @@ access2str( slap_access_t access ) if ( access == ACL_NONE ) { return "none"; + } else if ( access == ACL_DISCLOSE ) { + return "disclose"; + } else if ( access == ACL_AUTH ) { return "auth"; @@ -2067,6 +2091,10 @@ access2str( slap_access_t access ) } else if ( access == ACL_WRITE ) { return "write"; + + } else if ( access == ACL_MANAGE ) { + return "manage"; + } return "unknown"; @@ -2078,6 +2106,9 @@ str2access( const char *str ) if ( strcasecmp( str, "none" ) == 0 ) { return ACL_NONE; + } else if ( strcasecmp( str, "disclose" ) == 0 ) { + return ACL_DISCLOSE; + } else if ( strcasecmp( str, "auth" ) == 0 ) { return ACL_AUTH; @@ -2092,6 +2123,9 @@ str2access( const char *str ) } else if ( strcasecmp( str, "write" ) == 0 ) { return ACL_WRITE; + + } else if ( strcasecmp( str, "manage" ) == 0 ) { + return ACL_MANAGE; } return( ACL_INVALID_ACCESS ); 
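Review bot: The new usage text lists the levels but does not say they are cumulative, so an administrator reading the acl_usage hunk cannot tell that granting `auth` now also grants `disclose`, which matters for ACLs written before the new level existed. Suggest `"<level> ::= none|disclose|auth|compare|search|read|write|manage (each level implies those to its left)\n"`. str2access and access2str are updated consistently with str2accessmask, but the same string set is now maintained in four separate if-chains; a single shared name table would remove the risk of them drifting apart on the next addition.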
diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h
index b5c62909cb5b860ebb29b57f7292c82316d0f6dc..e20cba370bab8daf88a0d86ff3203a800c10e469 100644
--- a/servers/slapd/slap.h
+++ b/servers/slapd/slap.h
@@ -1123,11 +1123,13 @@ typedef struct slap_ldap_modlist {
 typedef enum slap_access_e {
 ACL_INVALID_ACCESS = -1,
 ACL_NONE = 0,
+ ACL_DISCLOSE,
 ACL_AUTH,
 ACL_COMPARE,
 ACL_SEARCH,
 ACL_READ,
- ACL_WRITE
+ ACL_WRITE,
+ ACL_MANAGE
 } slap_access_t;
 typedef enum slap_control_e {
@@ -1209,11 +1211,13 @@ typedef struct slap_access {
 #define ACL_ACCESS2PRIV(access) (0x01U << (access))
 #define ACL_PRIV_NONE ACL_ACCESS2PRIV( ACL_NONE )
+#define ACL_PRIV_DISCLOSE ACL_ACCESS2PRIV( ACL_DISCLOSE )
 #define ACL_PRIV_AUTH ACL_ACCESS2PRIV( ACL_AUTH )
 #define ACL_PRIV_COMPARE ACL_ACCESS2PRIV( ACL_COMPARE )
 #define ACL_PRIV_SEARCH ACL_ACCESS2PRIV( ACL_SEARCH )
 #define ACL_PRIV_READ ACL_ACCESS2PRIV( ACL_READ )
 #define ACL_PRIV_WRITE ACL_ACCESS2PRIV( ACL_WRITE )
+#define ACL_PRIV_MANAGE ACL_ACCESS2PRIV( ACL_MANAGE )
 #define ACL_PRIV_MASK 0x00ffUL
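Review bot: Inserting ACL_DISCLOSE ahead of ACL_AUTH renumbers every existing enumerator, and because ACL_ACCESS2PRIV derives the bit from the enum value, every existing ACL_PRIV_* bit moves up by one; code using the symbols is unaffected, but anything that stores, logs or compares the raw numbers (a hard-coded mask, an external tool) would silently change meaning and is worth checking outside this diff. With ACL_MANAGE at bit 7, ACL_PRIV_MASK (0x00ff) is now fully occupied, so the next level added would fall outside the mask and be dropped by every ACL_LVL comparison with no diagnostic. A compile-time check beside the mask, e.g. `typedef char acl_priv_mask_fits[(ACL_PRIV_MANAGE & ~ACL_PRIV_MASK) == 0 ? 1 : -1];`, would catch that.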
@@ -1242,26 +1246,32 @@ typedef struct slap_access {
 #define ACL_IS_SUBTRACTIVE(m) ACL_PRIV_ISSET((m),ACL_PRIV_SUBSTRACTIVE)
 #define ACL_LVL_NONE (ACL_PRIV_NONE|ACL_PRIV_LEVEL)
-#define ACL_LVL_AUTH (ACL_PRIV_AUTH|ACL_LVL_NONE)
+#define ACL_LVL_DISCLOSE (ACL_PRIV_DISCLOSE|ACL_LVL_NONE)
+#define ACL_LVL_AUTH (ACL_PRIV_AUTH|ACL_LVL_DISCLOSE)
 #define ACL_LVL_COMPARE (ACL_PRIV_COMPARE|ACL_LVL_AUTH)
 #define ACL_LVL_SEARCH (ACL_PRIV_SEARCH|ACL_LVL_COMPARE)
 #define ACL_LVL_READ (ACL_PRIV_READ|ACL_LVL_SEARCH)
 #define ACL_LVL_WRITE (ACL_PRIV_WRITE|ACL_LVL_READ)
+#define ACL_LVL_MANAGE (ACL_PRIV_MANAGE|ACL_LVL_WRITE)
 #define ACL_LVL(m,l) (((m)&ACL_PRIV_MASK) == ((l)&ACL_PRIV_MASK))
 #define ACL_LVL_IS_NONE(m) ACL_LVL((m),ACL_LVL_NONE)
+#define ACL_LVL_IS_DISCLOSE(m) ACL_LVL((m),ACL_LVL_DISCLOSE)
 #define ACL_LVL_IS_AUTH(m) ACL_LVL((m),ACL_LVL_AUTH)
 #define ACL_LVL_IS_COMPARE(m) ACL_LVL((m),ACL_LVL_COMPARE)
 #define ACL_LVL_IS_SEARCH(m) ACL_LVL((m),ACL_LVL_SEARCH)
 #define ACL_LVL_IS_READ(m) ACL_LVL((m),ACL_LVL_READ)
 #define ACL_LVL_IS_WRITE(m) ACL_LVL((m),ACL_LVL_WRITE)
+#define ACL_LVL_IS_MANAGE(m) ACL_LVL((m),ACL_LVL_MANAGE)
 #define ACL_LVL_ASSIGN_NONE(m) ACL_PRIV_ASSIGN((m),ACL_LVL_NONE)
+#define ACL_LVL_ASSIGN_DISCLOSE(m) ACL_PRIV_ASSIGN((m),ACL_LVL_DISCLOSE)
 #define ACL_LVL_ASSIGN_AUTH(m) ACL_PRIV_ASSIGN((m),ACL_LVL_AUTH)
 #define ACL_LVL_ASSIGN_COMPARE(m) ACL_PRIV_ASSIGN((m),ACL_LVL_COMPARE)
 #define ACL_LVL_ASSIGN_SEARCH(m) ACL_PRIV_ASSIGN((m),ACL_LVL_SEARCH)
 #define ACL_LVL_ASSIGN_READ(m) ACL_PRIV_ASSIGN((m),ACL_LVL_READ)
 #define ACL_LVL_ASSIGN_WRITE(m) ACL_PRIV_ASSIGN((m),ACL_LVL_WRITE)
+#define ACL_LVL_ASSIGN_MANAGE(m) ACL_PRIV_ASSIGN((m),ACL_LVL_MANAGE)
 slap_mask_t a_access_mask;
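Review bot: ACL_LVL_AUTH is now built on ACL_LVL_DISCLOSE instead of ACL_LVL_NONE, so every level from auth upward implicitly grants disclose; that is the intended lattice, but nothing in the header says so, and it is a behaviour change for ACLs written before disclose existed. A comment above the ACL_LVL_* block should state the ordering, e.g. `/* levels are cumulative: none < disclose < auth < compare < search < read < write < manage */`. Note also that ACL_LVL_IS_* compares the whole ACL_PRIV_MASK, so a privilege set such as `=wrscx` (without d) no longer equals ACL_LVL_WRITE and falls through to the "unknown" rendering in accessmask2str. This hunk may continue past the end of the excerpt.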