unifdef -DSLAPD_ACLGROUPS -DSLAPD_ACLAUTH

acconfig.h

@@ -190,9 +190,6 @@
 /* define this if you want no thread support */
 #undef NO_THREADS
 
-/* define this for ACL Group support */
-#undef SLAPD_ACLGROUPS
-
 /* define this to use SLAPD Berkeley DB2 backend */
 #undef SLAPD_BDB2
 

configure.in

@@ -93,7 +93,6 @@ OL_ARG_ENABLE(ldapd,[  --enable-ldapd	enable building ldapd], no)dnl
 dnl SLAPD OPTIONS
 AC_ARG_WITH(xxslapdoptions,[SLAPD Options:])
 OL_ARG_ENABLE(slapd,[  --enable-slapd	enable building slapd], yes)dnl
-OL_ARG_ENABLE(aclgroups,[    --enable-aclgroups	enable ACL group support], auto)dnl
 OL_ARG_ENABLE(cleartext,[    --enable-cleartext	enable cleartext passwords], yes)dnl
 OL_ARG_ENABLE(crypt,[    --enable-crypt	enable crypt(3) passwords], auto)dnl
 OL_ARG_ENABLE(modules,[    --enable-modules	enable dynamic module support], no)dnl
@@ -173,9 +172,6 @@ if test $ol_enable_slapd = no ; then
 	if test $ol_enable_tcl = yes ; then
 		AC_MSG_WARN([slapd disabled, ignoring --enable-tcl argument])
 	fi
-	if test $ol_enable_aclgroups = yes ; then
-		AC_MSG_WARN([slapd disabled, ignoring --enable-aclgroups argument])
-	fi
 	if test $ol_enable_modules = yes ; then
 		AC_MSG_WARN([slapd disabled, ignoring --enable-modules argument])
 	fi
@@ -228,7 +224,6 @@ if test $ol_enable_slapd = no ; then
 	ol_enable_shell=no
 	ol_enable_tcl=no
 
-	ol_enable_aclgroups=no
 	ol_enable_modules=no
 	ol_enable_phonetic=no
 	ol_enable_rlookups=no
@@ -1812,9 +1807,6 @@ if test "$ol_enable_cldap" != no ; then
 	AC_DEFINE(LDAP_CONNECTIONLESS,1)
 fi
 
-if test "$ol_enable_aclgroups" != no ; then
-	AC_DEFINE(SLAPD_ACLGROUPS,1)
-fi
 if test "$ol_enable_crypt" != no ; then
 	AC_DEFINE(SLAPD_CRYPT,1)
 fi

include/portable.h.in

@@ -164,9 +164,6 @@
 /* define this to use DBHASH w/ LDBM backend */
 #undef LDBM_USE_DBHASH
 
-/* define this for ACL Group support */
-#undef SLAPD_ACLGROUPS
-
 /* define this to use SLAPD Berkeley DB2 backend */
 #undef SLAPD_BDB2
 

servers/slapd/acl.c

@@ -353,7 +353,7 @@ acl_access_allowed(
 
 			return ACL_GRANT(b->a_access, access );
 		}
-#ifdef SLAPD_ACLGROUPS
+
 		if ( b->a_group != NULL && op->o_ndn != NULL ) {
 			char buf[1024];
 
@@ -374,7 +374,6 @@ acl_access_allowed(
 				return ACL_GRANT(b->a_access, access );
 			}
 		}
-#endif /* SLAPD_ACLGROUPS */
 	}
 
 	Debug( LDAP_DEBUG_ACL,

servers/slapd/aclparse.c

@@ -204,39 +204,38 @@ parse_acl(
 			} else if ( strcasecmp( left, "dnattr" ) == 0 ) {
 				b->a_dnattr = ch_strdup( right );
 
-#ifdef SLAPD_ACLGROUPS
 			} else if ( strncasecmp( left, "group", sizeof("group")-1 ) == 0 ) {
-                                char *name = NULL;
-                                char *value = NULL;
-
-                                /* format of string is "group/objectClassValue/groupAttrName"
-                                 */
-                                if ((value = strchr(left, '/')) != NULL) {
-                                        *value++ = '\0';
-                                        if (value && *value && (name = strchr(value, '/')) != NULL) 
-                                            *name++ = '\0';
-                                }
+				char *name = NULL;
+				char *value = NULL;
+
+				/* format of string is "group/objectClassValue/groupAttrName" */
+				if ((value = strchr(left, '/')) != NULL) {
+					*value++ = '\0';
+					if (value && *value
+						&& (name = strchr(value, '/')) != NULL)
+					{
+						*name++ = '\0';
+					}
+				}
 
 				regtest(fname, lineno, right);
 				b->a_group = dn_upcase(ch_strdup( right ));
 
-                                if (value && *value) {
-                                        b->a_group_oc = ch_strdup(value);
-                                        *--value = '/';
-                                }
-                                else
-                                        b->a_group_oc = ch_strdup("groupOfNames");
-
-                                if (name && *name) {
-                                        b->a_group_at = ch_strdup(name);
-                                        *--name = '/';
-                                }
-                                else
-                                        b->a_group_at = ch_strdup("member");
+				if (value && *value) {
+					b->a_group_oc = ch_strdup(value);
+					*--value = '/';
+				} else {
+					b->a_group_oc = ch_strdup("groupOfNames");
 
+					if (name && *name) {
+						b->a_group_at = ch_strdup(name);
+						*--name = '/';
 
+					} else {
+						b->a_group_at = ch_strdup("member");
+					}
+				}
 
-#endif /* SLAPD_ACLGROUPS */
 			} else if ( strcasecmp( left, "domain" ) == 0 ) {
 				char	*s;
 				regtest(fname, lineno, right);
@@ -321,10 +320,8 @@ access2str( int access )
 
 	if ( ACL_IS_NONE(access) ) {
 		strcat( buf, "none" );
-#ifdef SLAPD_ACLAUTH
 	} else if ( ACL_IS_AUTH(access) ) {
 		strcat( buf, "auth" );
-#endif
 	} else if ( ACL_IS_COMPARE(access) ) {
 		strcat( buf, "compare" );
 	} else if ( ACL_IS_SEARCH(access) ) {
@@ -354,10 +351,8 @@ str2access( char *str )
 
 	if ( strcasecmp( str, "none" ) == 0 ) {
 		ACL_SET_NONE(access);
-#ifdef SLAPD_ACLAUTH
 	} else if ( strcasecmp( str, "auth" ) == 0 ) {
 		ACL_SET_AUTH(access);
-#endif
 	} else if ( strcasecmp( str, "compare" ) == 0 ) {
 		ACL_SET_COMPARE(access);
 	} else if ( strcasecmp( str, "search" ) == 0 ) {
@@ -383,14 +378,8 @@ acl_usage( void )
 		"<attr> ::= <attrname> | entry | children\n"
 		"<who> ::= * | anonymous | self | dn=<regex> | addr=<regex>\n"
 			"\t| domain=<regex> | dnattr=<dnattrname>\n"
-#ifdef SLAPD_ACLGROUPS
 			"\t| group[/<objectclass>[/<attrname>]]=<regex>\n"
-#endif
-#ifdef SLAPD_ACLAUTH
 		"<access> ::= [self]{none|auth|compare|search|read|write}\n"
-#else
-		"<access> ::= [self]{none|auth|compare|search|read|write}\n"
-#endif
 		);
 	exit( 1 );
 }
@@ -448,16 +437,15 @@ print_access( struct access *b )
 		fprintf( stderr, " domain=%s", b->a_domainpat );
 	} else if ( b->a_dnattr != NULL ) {
 		fprintf( stderr, " dnattr=%s", b->a_dnattr );
-	}
-#ifdef SLAPD_ACLGROUPS
-        else if ( b->a_group != NULL ) {
-                fprintf( stderr, " group: %s", b->a_group );
-                if ( b->a_group_oc )
-                        fprintf( stderr, " objectClass: %s", b->a_group_oc );
-                if ( b->a_group_at )
-                        fprintf( stderr, " attributeType: %s", b->a_group_at );
-        }
-#endif
+	} else if ( b->a_group != NULL ) {
+		fprintf( stderr, " group: %s", b->a_group );
+		if ( b->a_group_oc ) {
+			fprintf( stderr, " objectClass: %s", b->a_group_oc );
+			if ( b->a_group_at ) {
+				fprintf( stderr, " attributeType: %s", b->a_group_at );
+			}
+		}
+    }
 	fprintf( stderr, "\n" );
 }
 

servers/slapd/back-bdb2/group.c

@@ -12,7 +12,6 @@
 #include "proto-back-bdb2.h"
 
 
-#ifdef SLAPD_ACLGROUPS
 /* return 0 IFF op_dn is a value in member attribute
  * of entry with gr_dn AND that entry has an objectClass
  * value of groupOfNames
@@ -156,5 +155,4 @@ bdb2_back_group(
 	return( ret );
 }
 
-#endif /* SLAPD_ACLGROUPS */
 

servers/slapd/back-bdb2/init.c

@@ -75,9 +75,7 @@ bdb2_back_initialize(
 	bi->bi_op_abandon = bdb2_back_abandon;
 
 	bi->bi_entry_release_rw = bdb2_back_entry_release_rw;
-#ifdef SLAPD_ACLGROUPS
 	bi->bi_acl_group = bdb2_back_group;
-#endif
 
 	bi->bi_connection_init = 0;
 	bi->bi_connection_destroy = 0;

servers/slapd/back-ldap/init.c

@@ -70,9 +70,7 @@ ldap_back_initialize(
 	bi->bi_op_delete = ldap_back_delete;
 	bi->bi_op_abandon = 0;
 
-#ifdef SLAPD_ACLGROUPS
 	bi->bi_acl_group = 0;
-#endif
 
 	bi->bi_connection_init = 0;
 	bi->bi_connection_destroy = 0;

servers/slapd/back-ldbm/bind.c

@@ -124,7 +124,6 @@ ldbm_back_bind(
 
 	/* check for deleted */
 
-#ifdef SLAPD_ACLAUTH
 	if ( ! access_allowed( be, conn, op, e,
 		"entry", NULL, ACL_AUTH ) )
 	{
@@ -132,7 +131,6 @@ ldbm_back_bind(
 		rc = 1;
 		goto return_results;
 	}
-#endif
 
 	switch ( method ) {
 	case LDAP_AUTH_SIMPLE:
@@ -153,7 +151,6 @@ ldbm_back_bind(
 			goto return_results;
 		}
 
-#ifdef SLAPD_ACLAUTH
 		if ( ! access_allowed( be, conn, op, e,
 			"userpassword", NULL, ACL_AUTH ) )
 		{
@@ -161,7 +158,6 @@ ldbm_back_bind(
 			rc = 1;
 			goto return_results;
 		}
-#endif
 
 		if ( (a = attr_find( e->e_attrs, "userpassword" )) == NULL ) {
 			send_ldap_result( conn, op, LDAP_INAPPROPRIATE_AUTH,
@@ -186,7 +182,6 @@ ldbm_back_bind(
 
 #ifdef HAVE_KERBEROS
 	case LDAP_AUTH_KRBV41:
-#ifdef SLAPD_ACLAUTH
 		if ( ! access_allowed( be, conn, op, e,
 			"krbname", NULL, ACL_AUTH ) )
 		{
@@ -194,15 +189,17 @@ ldbm_back_bind(
 			rc = 1;
 			goto return_results;
 		}
-#endif
+
 		if ( krbv4_ldap_auth( be, cred, &ad ) != LDAP_SUCCESS ) {
 			send_ldap_result( conn, op, LDAP_INVALID_CREDENTIALS,
 			    NULL, NULL );
 			rc = 0;
 			goto return_results;
 		}
+
 		sprintf( krbname, "%s%s%s@%s", ad.pname, *ad.pinst ? "."
 		    : "", ad.pinst, ad.prealm );
+
 		if ( (a = attr_find( e->e_attrs, "krbname" )) == NULL ) {
 			/*
 			 * no krbName values present:  check against DN

servers/slapd/back-ldbm/group.c

@@ -12,7 +12,6 @@
 #include "proto-back-ldbm.h"
 
 
-#ifdef SLAPD_ACLGROUPS
 /* return 0 IFF op_dn is a value in member attribute
  * of entry with gr_dn AND that entry has an objectClass
  * value of groupOfNames
@@ -122,5 +121,4 @@ ldbm_back_group(
 	Debug( LDAP_DEBUG_ARGS, "ldbm_back_group: rc: %d\n", rc, 0, 0 ); 
 	return(rc);
 }
-#endif /* SLAPD_ACLGROUPS */
 

servers/slapd/back-ldbm/init.c

@@ -51,9 +51,7 @@ ldbm_back_initialize(
 	bi->bi_op_abandon = ldbm_back_abandon;
 
 	bi->bi_entry_release_rw = ldbm_back_entry_release_rw;
-#ifdef SLAPD_ACLGROUPS
 	bi->bi_acl_group = ldbm_back_group;
-#endif
 
 	bi->bi_connection_init = 0;
 	bi->bi_connection_destroy = 0;

servers/slapd/back-passwd/init.c

@@ -49,9 +49,7 @@ passwd_back_initialize(
 	bi->bi_op_delete = 0;
 	bi->bi_op_abandon = 0;
 
-#ifdef SLAPD_ACLGROUPS
 	bi->bi_acl_group = 0;
-#endif
 
 	bi->bi_connection_init = 0;
 	bi->bi_connection_destroy = 0;

servers/slapd/back-perl/init.c

@@ -90,9 +90,7 @@ perl_back_initialize(
 	bi->bi_op_delete = perl_back_delete;
 	bi->bi_op_abandon = 0;
 
-#ifdef SLAPD_ACLGROUPS
 	bi->bi_acl_group = 0;
-#endif
 
 	bi->bi_connection_init = 0;
 	bi->bi_connection_destroy = 0;

servers/slapd/back-shell/init.c

@@ -49,9 +49,7 @@ shell_back_initialize(
 	bi->bi_op_delete = shell_back_delete;
 	bi->bi_op_abandon = shell_back_abandon;
 
-#ifdef SLAPD_ACLGROUPS
 	bi->bi_acl_group = 0;
-#endif
 
 	bi->bi_connection_init = 0;
 	bi->bi_connection_destroy = 0;

servers/slapd/back-tcl/tcl_init.c

 /* tcl_init.c - tcl backend initialization
  *
- * $Id: tcl_init.c,v 1.7 1999/06/23 10:31:37 bastiaan Exp $
+ * $Id: tcl_init.c,v 1.8 1999/06/24 15:06:42 bastiaan Exp $
  *
  * Copyright 1999, Ben Collins <bcollins@debian.org>, All rights reserved.
  *
@@ -73,9 +73,7 @@ tcl_back_initialize (
 	bi->bi_op_delete = tcl_back_delete;
 	bi->bi_op_abandon = tcl_back_abandon;
 
-#ifdef SLAPD_ACLGROUPS
 	bi->bi_acl_group = 0;
-#endif
 
 	bi->bi_connection_init = 0;
 	bi->bi_connection_destroy = 0;

servers/slapd/backend.c

@@ -599,7 +599,6 @@ backend_connection_destroy(
 	return 0;
 }
 
-#ifdef SLAPD_ACLGROUPS
 int 
 backend_group(
 	Backend	*be,
@@ -616,4 +615,3 @@ backend_group(
 	else
 		return(1);
 }
-#endif

servers/slapd/slap.h

@@ -176,17 +176,17 @@ typedef struct entry {
 
 /* the "by" part */
 struct access {
-#define ACL_NONE	0x0001
-/* #define SLAPD_ACLAUTH 1 */
-#ifdef SLAPD_ACLAUTH
-#define ACL_AUTH	0x0002
-#endif
-#define ACL_COMPARE	0x0004
-#define ACL_SEARCH	0x0008
-#define ACL_READ	0x0010
-#define ACL_WRITE	0x0020
-#define ACL_SELF	0x4000
-#define ACL_INVALID	-1
+
+#define ACL_NONE		0x0001
+#define ACL_AUTH		0x0002
+#define ACL_COMPARE		0x0004
+#define ACL_SEARCH		0x0008
+#define ACL_READ		0x0010
+#define ACL_WRITE		0x0020
+#define ACL_PRIV_MASK	0x00ff
+
+#define ACL_SELF		0x4000
+#define ACL_INVALID		(-1)
 
 #define ACL_IS(a,lvl)	(((a) & (lvl)) == (lvl))
 
@@ -197,8 +197,7 @@ struct access {
 #define ACL_IS_READ(a)		ACL_IS((a),ACL_READ)
 #define ACL_IS_WRITE(a)		ACL_IS((a),ACL_WRITE)
 #define ACL_IS_SELF(a)		ACL_IS((a),ACL_SELF)
-#define ACL_IS_INVALID(a)	ACL_IS((a),ACL_INVALID)
-
+#define ACL_IS_INVALID(a)	((a) == ACL_INVALID)
 
 #define ACL_CLR(a)			((a) = 0)
 #define ACL_SET(a,lvl)		((a) |= (lvl))
@@ -209,13 +208,10 @@ struct access {
 #define ACL_SET_READ(a)		ACL_SET((a),ACL_READ)
 #define ACL_SET_WRITE(a)	ACL_SET((a),ACL_WRITE)
 #define ACL_SET_SELF(a)		ACL_SET((a),ACL_SELF)
-#define ACL_SET_INVALID(a)	ACL_SET((a),ACL_INVALID)
+#define ACL_SET_INVALID(a)	((a) = ACL_INVALID)
 
-#define ACL_PRIV_MASK	0x00ff
-#define	ACL_PRIV(a)		((a) & ACL_PRIV_MASK)
+#define	ACL_PRIV(a)			((a) & ACL_PRIV_MASK)
 #define ACL_GRANT(a,lvl)	(ACL_PRIV(a) >= (lvl))
-#define ACL_TEST
-
 
 	int			a_access;
 
@@ -224,11 +220,11 @@ struct access {
 	char		*a_domainpat;
 	char		*a_dnattr;
 
-#ifdef SLAPD_ACLGROUPS
-        char		*a_group;
-        char		*a_group_oc;
-        char		*a_group_at;
-#endif
+	/* ACL Groups */
+	char		*a_group;
+	char		*a_group_oc;
+	char		*a_group_at;
+
 	struct access	*a_next;
 };
 
@@ -497,11 +493,10 @@ struct backend_info {
 
 	/* Auxilary Functions */
 	int	(*bi_entry_release_rw) LDAP_P((BackendDB *bd, Entry *e, int rw));
-#ifdef SLAPD_ACLGROUPS
+
 	int	(*bi_acl_group)  LDAP_P((Backend *bd,
 		Entry *e, char *bdn, char *edn,
 		char *objectclassValue, char *groupattrName ));
-#endif
 
 	int	(*bi_connection_init) LDAP_P((BackendDB *bd,
 		struct slap_conn *c));

tests/data/slapd-acl.conf

@@ -21,19 +21,26 @@ index		cn,sn,uid	pres,eq,approx
 index		default		none
 lastmod		on
 defaultaccess	none
+
 access		to attr=objectclass
 		by * read
-access		to attr=userpassword
+
+access		to filter="objectclass=person" attr=userpassword
 		by self write
-		by * compare
+		by anonymous auth
+		by * none
+
 access		to dn="^.*,ou=Alumni Association,ou=People,o=University of Michigan,c=US$"
-		by dn="^.*,o=University of Michigan,c=US$"
-		read
+		by dn="^.*,o=University of Michigan,c=US$" read
+		by anonymous auth
 		by * none
+
 access		to attr=member
 		by dnattr=member selfwrite
 		by * read
+
 access		to filter="objectclass=rfc822mailgroup"
 		by dn="Bjorn Jensen,ou=Information Technology Division,ou=People,o=University of Michigan,c=US" write
 		by * read
+
 access		to * by * read