Commit 51d1c908 authored by Kurt Zeilenga's avatar Kurt Zeilenga

unifdef -DSLAPD_ACLGROUPS -DSLAPD_ACLAUTH

parent 549c89f8
......@@ -190,9 +190,6 @@
/* define this if you want no thread support */
#undef NO_THREADS
/* define this for ACL Group support */
#undef SLAPD_ACLGROUPS
/* define this to use SLAPD Berkeley DB2 backend */
#undef SLAPD_BDB2
......
......@@ -93,7 +93,6 @@ OL_ARG_ENABLE(ldapd,[ --enable-ldapd enable building ldapd], no)dnl
dnl SLAPD OPTIONS
AC_ARG_WITH(xxslapdoptions,[SLAPD Options:])
OL_ARG_ENABLE(slapd,[ --enable-slapd enable building slapd], yes)dnl
OL_ARG_ENABLE(aclgroups,[ --enable-aclgroups enable ACL group support], auto)dnl
OL_ARG_ENABLE(cleartext,[ --enable-cleartext enable cleartext passwords], yes)dnl
OL_ARG_ENABLE(crypt,[ --enable-crypt enable crypt(3) passwords], auto)dnl
OL_ARG_ENABLE(modules,[ --enable-modules enable dynamic module support], no)dnl
......@@ -173,9 +172,6 @@ if test $ol_enable_slapd = no ; then
if test $ol_enable_tcl = yes ; then
AC_MSG_WARN([slapd disabled, ignoring --enable-tcl argument])
fi
if test $ol_enable_aclgroups = yes ; then
AC_MSG_WARN([slapd disabled, ignoring --enable-aclgroups argument])
fi
if test $ol_enable_modules = yes ; then
AC_MSG_WARN([slapd disabled, ignoring --enable-modules argument])
fi
......@@ -228,7 +224,6 @@ if test $ol_enable_slapd = no ; then
ol_enable_shell=no
ol_enable_tcl=no
ol_enable_aclgroups=no
ol_enable_modules=no
ol_enable_phonetic=no
ol_enable_rlookups=no
......@@ -1812,9 +1807,6 @@ if test "$ol_enable_cldap" != no ; then
AC_DEFINE(LDAP_CONNECTIONLESS,1)
fi
if test "$ol_enable_aclgroups" != no ; then
AC_DEFINE(SLAPD_ACLGROUPS,1)
fi
if test "$ol_enable_crypt" != no ; then
AC_DEFINE(SLAPD_CRYPT,1)
fi
......
......@@ -164,9 +164,6 @@
/* define this to use DBHASH w/ LDBM backend */
#undef LDBM_USE_DBHASH
/* define this for ACL Group support */
#undef SLAPD_ACLGROUPS
/* define this to use SLAPD Berkeley DB2 backend */
#undef SLAPD_BDB2
......
......@@ -353,7 +353,7 @@ acl_access_allowed(
return ACL_GRANT(b->a_access, access );
}
#ifdef SLAPD_ACLGROUPS
if ( b->a_group != NULL && op->o_ndn != NULL ) {
char buf[1024];
......@@ -374,7 +374,6 @@ acl_access_allowed(
return ACL_GRANT(b->a_access, access );
}
}
#endif /* SLAPD_ACLGROUPS */
}
Debug( LDAP_DEBUG_ACL,
......
......@@ -204,39 +204,38 @@ parse_acl(
} else if ( strcasecmp( left, "dnattr" ) == 0 ) {
b->a_dnattr = ch_strdup( right );
#ifdef SLAPD_ACLGROUPS
} else if ( strncasecmp( left, "group", sizeof("group")-1 ) == 0 ) {
char *name = NULL;
char *value = NULL;
/* format of string is "group/objectClassValue/groupAttrName"
*/
if ((value = strchr(left, '/')) != NULL) {
*value++ = '\0';
if (value && *value && (name = strchr(value, '/')) != NULL)
*name++ = '\0';
}
char *name = NULL;
char *value = NULL;
/* format of string is "group/objectClassValue/groupAttrName" */
if ((value = strchr(left, '/')) != NULL) {
*value++ = '\0';
if (value && *value
&& (name = strchr(value, '/')) != NULL)
{
*name++ = '\0';
}
}
regtest(fname, lineno, right);
b->a_group = dn_upcase(ch_strdup( right ));
if (value && *value) {
b->a_group_oc = ch_strdup(value);
*--value = '/';
}
else
b->a_group_oc = ch_strdup("groupOfNames");
if (name && *name) {
b->a_group_at = ch_strdup(name);
*--name = '/';
}
else
b->a_group_at = ch_strdup("member");
if (value && *value) {
b->a_group_oc = ch_strdup(value);
*--value = '/';
} else {
b->a_group_oc = ch_strdup("groupOfNames");
if (name && *name) {
b->a_group_at = ch_strdup(name);
*--name = '/';
} else {
b->a_group_at = ch_strdup("member");
}
}
#endif /* SLAPD_ACLGROUPS */
} else if ( strcasecmp( left, "domain" ) == 0 ) {
char *s;
regtest(fname, lineno, right);
......@@ -321,10 +320,8 @@ access2str( int access )
if ( ACL_IS_NONE(access) ) {
strcat( buf, "none" );
#ifdef SLAPD_ACLAUTH
} else if ( ACL_IS_AUTH(access) ) {
strcat( buf, "auth" );
#endif
} else if ( ACL_IS_COMPARE(access) ) {
strcat( buf, "compare" );
} else if ( ACL_IS_SEARCH(access) ) {
......@@ -354,10 +351,8 @@ str2access( char *str )
if ( strcasecmp( str, "none" ) == 0 ) {
ACL_SET_NONE(access);
#ifdef SLAPD_ACLAUTH
} else if ( strcasecmp( str, "auth" ) == 0 ) {
ACL_SET_AUTH(access);
#endif
} else if ( strcasecmp( str, "compare" ) == 0 ) {
ACL_SET_COMPARE(access);
} else if ( strcasecmp( str, "search" ) == 0 ) {
......@@ -383,14 +378,8 @@ acl_usage( void )
"<attr> ::= <attrname> | entry | children\n"
"<who> ::= * | anonymous | self | dn=<regex> | addr=<regex>\n"
"\t| domain=<regex> | dnattr=<dnattrname>\n"
#ifdef SLAPD_ACLGROUPS
"\t| group[/<objectclass>[/<attrname>]]=<regex>\n"
#endif
#ifdef SLAPD_ACLAUTH
"<access> ::= [self]{none|auth|compare|search|read|write}\n"
#else
"<access> ::= [self]{none|auth|compare|search|read|write}\n"
#endif
);
exit( 1 );
}
......@@ -448,16 +437,15 @@ print_access( struct access *b )
fprintf( stderr, " domain=%s", b->a_domainpat );
} else if ( b->a_dnattr != NULL ) {
fprintf( stderr, " dnattr=%s", b->a_dnattr );
}
#ifdef SLAPD_ACLGROUPS
else if ( b->a_group != NULL ) {
fprintf( stderr, " group: %s", b->a_group );
if ( b->a_group_oc )
fprintf( stderr, " objectClass: %s", b->a_group_oc );
if ( b->a_group_at )
fprintf( stderr, " attributeType: %s", b->a_group_at );
}
#endif
} else if ( b->a_group != NULL ) {
fprintf( stderr, " group: %s", b->a_group );
if ( b->a_group_oc ) {
fprintf( stderr, " objectClass: %s", b->a_group_oc );
if ( b->a_group_at ) {
fprintf( stderr, " attributeType: %s", b->a_group_at );
}
}
}
fprintf( stderr, "\n" );
}
......
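Review bot: In the parse_acl hunk the `if (name && *name)` block that sets b->a_group_at has moved inside the `else` of `if (value && *value)` (the second printing, which I take to be the new side since the page carries no +/- markers), so a rule written as group/<objectclass>/<attrname> leaves a_group_at unset, and the nested branch is reached only when the objectClass field is empty. The objectClass default and the attribute default are independent choices and should stay as two sequential `if`/`else` blocks, as in the first printing. The same nesting appears in the print_access hunk, where " attributeType:" is now printed only when a_group_oc is set; keep those two `if`s sequential too. parse_acl's enclosing function starts and ends outside the hunk.
```c
			if (value && *value) {
				b->a_group_oc = ch_strdup(value);
				*--value = '/';
			} else {
				b->a_group_oc = ch_strdup("groupOfNames");
			}

			/* attribute default is chosen independently of the objectClass */
			if (name && *name) {
				b->a_group_at = ch_strdup(name);
				*--name = '/';
			} else {
				b->a_group_at = ch_strdup("member");
			}
			/* … unchanged: "domain" branch … */
```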
......@@ -12,7 +12,6 @@
#include "proto-back-bdb2.h"
#ifdef SLAPD_ACLGROUPS
/* return 0 IFF op_dn is a value in member attribute
* of entry with gr_dn AND that entry has an objectClass
* value of groupOfNames
......@@ -156,5 +155,4 @@ bdb2_back_group(
return( ret );
}
#endif /* SLAPD_ACLGROUPS */
......@@ -75,9 +75,7 @@ bdb2_back_initialize(
bi->bi_op_abandon = bdb2_back_abandon;
bi->bi_entry_release_rw = bdb2_back_entry_release_rw;
#ifdef SLAPD_ACLGROUPS
bi->bi_acl_group = bdb2_back_group;
#endif
bi->bi_connection_init = 0;
bi->bi_connection_destroy = 0;
......
......@@ -70,9 +70,7 @@ ldap_back_initialize(
bi->bi_op_delete = ldap_back_delete;
bi->bi_op_abandon = 0;
#ifdef SLAPD_ACLGROUPS
bi->bi_acl_group = 0;
#endif
bi->bi_connection_init = 0;
bi->bi_connection_destroy = 0;
......
......@@ -124,7 +124,6 @@ ldbm_back_bind(
/* check for deleted */
#ifdef SLAPD_ACLAUTH
if ( ! access_allowed( be, conn, op, e,
"entry", NULL, ACL_AUTH ) )
{
......@@ -132,7 +131,6 @@ ldbm_back_bind(
rc = 1;
goto return_results;
}
#endif
switch ( method ) {
case LDAP_AUTH_SIMPLE:
......@@ -153,7 +151,6 @@ ldbm_back_bind(
goto return_results;
}
#ifdef SLAPD_ACLAUTH
if ( ! access_allowed( be, conn, op, e,
"userpassword", NULL, ACL_AUTH ) )
{
......@@ -161,7 +158,6 @@ ldbm_back_bind(
rc = 1;
goto return_results;
}
#endif
if ( (a = attr_find( e->e_attrs, "userpassword" )) == NULL ) {
send_ldap_result( conn, op, LDAP_INAPPROPRIATE_AUTH,
......@@ -186,7 +182,6 @@ ldbm_back_bind(
#ifdef HAVE_KERBEROS
case LDAP_AUTH_KRBV41:
#ifdef SLAPD_ACLAUTH
if ( ! access_allowed( be, conn, op, e,
"krbname", NULL, ACL_AUTH ) )
{
......@@ -194,15 +189,17 @@ ldbm_back_bind(
rc = 1;
goto return_results;
}
#endif
if ( krbv4_ldap_auth( be, cred, &ad ) != LDAP_SUCCESS ) {
send_ldap_result( conn, op, LDAP_INVALID_CREDENTIALS,
NULL, NULL );
rc = 0;
goto return_results;
}
sprintf( krbname, "%s%s%s@%s", ad.pname, *ad.pinst ? "."
: "", ad.pinst, ad.prealm );
if ( (a = attr_find( e->e_attrs, "krbname" )) == NULL ) {
/*
* no krbName values present: check against DN
......
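Review bot: The `sprintf( krbname, "%s%s%s@%s", ad.pname, ..., ad.prealm )` in the last ldbm_back_bind hunk formats principal components returned by krbv4_ldap_auth into krbname with no bound; krbname's declaration is outside the hunk, and if it is a fixed-size array this should be `snprintf( krbname, sizeof krbname, "%s%s%s@%s", ... )` with the return value checked for truncation before the krbname attribute compare. The now-unconditional ACL_AUTH checks on entry, userpassword and krbname sit before the corresponding credential checks, which is the order you want. ldbm_back_bind starts and ends outside these hunks.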
......@@ -12,7 +12,6 @@
#include "proto-back-ldbm.h"
#ifdef SLAPD_ACLGROUPS
/* return 0 IFF op_dn is a value in member attribute
* of entry with gr_dn AND that entry has an objectClass
* value of groupOfNames
......@@ -122,5 +121,4 @@ ldbm_back_group(
Debug( LDAP_DEBUG_ARGS, "ldbm_back_group: rc: %d\n", rc, 0, 0 );
return(rc);
}
#endif /* SLAPD_ACLGROUPS */
......@@ -51,9 +51,7 @@ ldbm_back_initialize(
bi->bi_op_abandon = ldbm_back_abandon;
bi->bi_entry_release_rw = ldbm_back_entry_release_rw;
#ifdef SLAPD_ACLGROUPS
bi->bi_acl_group = ldbm_back_group;
#endif
bi->bi_connection_init = 0;
bi->bi_connection_destroy = 0;
......
......@@ -49,9 +49,7 @@ passwd_back_initialize(
bi->bi_op_delete = 0;
bi->bi_op_abandon = 0;
#ifdef SLAPD_ACLGROUPS
bi->bi_acl_group = 0;
#endif
bi->bi_connection_init = 0;
bi->bi_connection_destroy = 0;
......
......@@ -90,9 +90,7 @@ perl_back_initialize(
bi->bi_op_delete = perl_back_delete;
bi->bi_op_abandon = 0;
#ifdef SLAPD_ACLGROUPS
bi->bi_acl_group = 0;
#endif
bi->bi_connection_init = 0;
bi->bi_connection_destroy = 0;
......
......@@ -49,9 +49,7 @@ shell_back_initialize(
bi->bi_op_delete = shell_back_delete;
bi->bi_op_abandon = shell_back_abandon;
#ifdef SLAPD_ACLGROUPS
bi->bi_acl_group = 0;
#endif
bi->bi_connection_init = 0;
bi->bi_connection_destroy = 0;
......
/* tcl_init.c - tcl backend initialization
*
* $Id: tcl_init.c,v 1.7 1999/06/23 10:31:37 bastiaan Exp $
* $Id: tcl_init.c,v 1.8 1999/06/24 15:06:42 bastiaan Exp $
*
* Copyright 1999, Ben Collins <bcollins@debian.org>, All rights reserved.
*
......@@ -73,9 +73,7 @@ tcl_back_initialize (
bi->bi_op_delete = tcl_back_delete;
bi->bi_op_abandon = tcl_back_abandon;
#ifdef SLAPD_ACLGROUPS
bi->bi_acl_group = 0;
#endif
bi->bi_connection_init = 0;
bi->bi_connection_destroy = 0;
......
......@@ -599,7 +599,6 @@ backend_connection_destroy(
return 0;
}
#ifdef SLAPD_ACLGROUPS
int
backend_group(
Backend *be,
......@@ -616,4 +615,3 @@ backend_group(
else
return(1);
}
#endif
......@@ -176,17 +176,17 @@ typedef struct entry {
/* the "by" part */
struct access {
#define ACL_NONE 0x0001
/* #define SLAPD_ACLAUTH 1 */
#ifdef SLAPD_ACLAUTH
#define ACL_AUTH 0x0002
#endif
#define ACL_COMPARE 0x0004
#define ACL_SEARCH 0x0008
#define ACL_READ 0x0010
#define ACL_WRITE 0x0020
#define ACL_SELF 0x4000
#define ACL_INVALID -1
#define ACL_NONE 0x0001
#define ACL_AUTH 0x0002
#define ACL_COMPARE 0x0004
#define ACL_SEARCH 0x0008
#define ACL_READ 0x0010
#define ACL_WRITE 0x0020
#define ACL_PRIV_MASK 0x00ff
#define ACL_SELF 0x4000
#define ACL_INVALID (-1)
#define ACL_IS(a,lvl) (((a) & (lvl)) == (lvl))
......@@ -197,8 +197,7 @@ struct access {
#define ACL_IS_READ(a) ACL_IS((a),ACL_READ)
#define ACL_IS_WRITE(a) ACL_IS((a),ACL_WRITE)
#define ACL_IS_SELF(a) ACL_IS((a),ACL_SELF)
#define ACL_IS_INVALID(a) ACL_IS((a),ACL_INVALID)
#define ACL_IS_INVALID(a) ((a) == ACL_INVALID)
#define ACL_CLR(a) ((a) = 0)
#define ACL_SET(a,lvl) ((a) |= (lvl))
......@@ -209,13 +208,10 @@ struct access {
#define ACL_SET_READ(a) ACL_SET((a),ACL_READ)
#define ACL_SET_WRITE(a) ACL_SET((a),ACL_WRITE)
#define ACL_SET_SELF(a) ACL_SET((a),ACL_SELF)
#define ACL_SET_INVALID(a) ACL_SET((a),ACL_INVALID)
#define ACL_SET_INVALID(a) ((a) = ACL_INVALID)
#define ACL_PRIV_MASK 0x00ff
#define ACL_PRIV(a) ((a) & ACL_PRIV_MASK)
#define ACL_PRIV(a) ((a) & ACL_PRIV_MASK)
#define ACL_GRANT(a,lvl) (ACL_PRIV(a) >= (lvl))
#define ACL_TEST
int a_access;
......@@ -224,11 +220,11 @@ struct access {
char *a_domainpat;
char *a_dnattr;
#ifdef SLAPD_ACLGROUPS
char *a_group;
char *a_group_oc;
char *a_group_at;
#endif
/* ACL Groups */
char *a_group;
char *a_group_oc;
char *a_group_at;
struct access *a_next;
};
......@@ -497,11 +493,10 @@ struct backend_info {
/* Auxilary Functions */
int (*bi_entry_release_rw) LDAP_P((BackendDB *bd, Entry *e, int rw));
#ifdef SLAPD_ACLGROUPS
int (*bi_acl_group) LDAP_P((Backend *bd,
Entry *e, char *bdn, char *edn,
char *objectclassValue, char *groupattrName ));
#endif
int (*bi_connection_init) LDAP_P((BackendDB *bd,
struct slap_conn *c));
......
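Review bot: With ACL_INVALID defined as (-1) next to the flag levels, ACL_PRIV(ACL_INVALID) equals ACL_PRIV_MASK, so ACL_GRANT would grant every level to an access value that was never validated; the new equality-based ACL_IS_INVALID makes the guard cheap: `#define ACL_GRANT(a,lvl) (!ACL_IS_INVALID(a) && ACL_PRIV(a) >= (lvl))`. Whether an invalid value can actually reach ACL_GRANT depends on how parse_acl handles str2access's return, which is outside this hunk. The new `/* ACL Groups */` comment on a_group, a_group_oc and a_group_at would be more useful if it named the `group[/<objectclass>[/<attrname>]]` syntax shown in acl_usage and the defaults the parser substitutes when the optional parts are omitted.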
......@@ -21,19 +21,26 @@ index cn,sn,uid pres,eq,approx
index default none
lastmod on
defaultaccess none
access to attr=objectclass
by * read
access to attr=userpassword
access to filter="objectclass=person" attr=userpassword
by self write
by * compare
by anonymous auth
by * none
access to dn="^.*,ou=Alumni Association,ou=People,o=University of Michigan,c=US$"
by dn="^.*,o=University of Michigan,c=US$"
read
by dn="^.*,o=University of Michigan,c=US$" read
by anonymous auth
by * none
access to attr=member
by dnattr=member selfwrite
by * read
access to filter="objectclass=rfc822mailgroup"
by dn="Bjorn Jensen,ou=Information Technology Division,ou=People,o=University of Michigan,c=US" write
by * read
access to * by * read