Commit 7c52060c authored by Stuart Lynne's avatar Stuart Lynne
Browse files

1. extend aclgroup's to be able to specify objectClassValue and groupAttrName

2. update print_acl() a bit and call it during aclparse if LDAP_DEBUG_ACL
parent 033cf4eb
......@@ -368,15 +368,10 @@ acl_access_allowed(
* entry with objectclass group* and we test to see if odn is one of
* the values in the attribute group
*/
Debug( LDAP_DEBUG_ARGS, "<= check a_group: %s\n",
b->a_group, 0, 0);
Debug( LDAP_DEBUG_ARGS, "<= check a_group: odn: %s\n",
odn, 0, 0);
/* see if asker is listed in dnattr */
string_expand(buf, sizeof(buf), b->a_group, edn, matches);
if (be_group(be, buf, odn) == 0) {
if (be_group(be, buf, odn, b->a_objectclassvalue, b->a_groupattrname) == 0) {
Debug( LDAP_DEBUG_ACL,
"<= acl_access_allowed: matched by clause #%d (group) access granted\n",
i, 0, 0 );
......
......@@ -210,8 +210,36 @@ parse_acl(
#ifdef SLAPD_ACLGROUPS
} else if ( strcasecmp( left, "group" ) == 0 ) {
char *name = NULL;
char *value = NULL;
regtest(fname, lineno, right);
/* format of string is "group/objectClassValue/groupAttrName"
*/
if ((value = strchr(right, '/')) != NULL) {
*value++ = '\0';
if (value && *value && (name = strchr(value, '/')) != NULL)
*name++ = '\0';
}
b->a_group = dn_upcase(strdup( right ));
if (value && *value) {
b->a_objectclassvalue = strdup(value);
*--value = '/';
}
else
b->a_objectclassvalue = strdup("groupOfNames");
if (name && *name) {
b->a_groupattrname = strdup(name);
*--name = '/';
}
else
b->a_groupattrname = strdup("member");
#endif /* SLAPD_ACLGROUPS */
} else if ( strcasecmp( left, "domain" ) == 0 ) {
char *s;
......@@ -264,6 +292,10 @@ parse_acl(
fname, lineno );
} else {
if (ldap_debug&LDAP_DEBUG_ACL)
print_acl(a);
if ( a->acl_access == NULL ) {
fprintf( stderr,
......@@ -386,15 +418,22 @@ print_access( struct access *b )
{
printf( "\tby" );
if ( b->a_dnpat != NULL ) {
printf( " dn=%s", b->a_dnpat );
fprintf( stderr, " dn=%s", b->a_dnpat );
} else if ( b->a_addrpat != NULL ) {
printf( " addr=%s", b->a_addrpat );
fprintf( stderr, " addr=%s", b->a_addrpat );
} else if ( b->a_domainpat != NULL ) {
printf( " domain=%s", b->a_domainpat );
fprintf( stderr, " domain=%s", b->a_domainpat );
} else if ( b->a_dnattr != NULL ) {
printf( " dnattr=%s", b->a_dnattr );
fprintf( stderr, " dnattr=%s", b->a_dnattr );
}
printf( " %s\n", access2str( b->a_access ) );
else if ( b->a_group != NULL ) {
fprintf( stderr, " group: %s", b->a_group );
if ( b->a_objectclassvalue )
fprintf( stderr, " objectClassValue: %s", b->a_objectclassvalue );
if ( b->a_groupattrname )
fprintf( stderr, " groupAttrName: %s", b->a_groupattrname );
}
fprintf( stderr, "\n" );
}
static void
......@@ -404,33 +443,34 @@ print_acl( struct acl *a )
struct access *b;
if ( a == NULL ) {
printf( "NULL\n" );
fprintf( stderr, "NULL\n" );
}
printf( "access to" );
fprintf( stderr, "ACL: access to" );
if ( a->acl_filter != NULL ) {
printf( " filter=" );
fprintf( stderr," filter=" );
filter_print( a->acl_filter );
}
if ( a->acl_dnpat != NULL ) {
printf( " dn=" );
printf( a->acl_dnpat );
fprintf( stderr, " dn=" );
fprintf( stderr, a->acl_dnpat );
}
if ( a->acl_attrs != NULL ) {
int first = 1;
printf( " attrs=" );
fprintf( stderr, "\n attrs=" );
for ( i = 0; a->acl_attrs[i] != NULL; i++ ) {
if ( ! first ) {
printf( "," );
fprintf( stderr, "," );
}
printf( a->acl_attrs[i] );
fprintf( stderr, a->acl_attrs[i] );
first = 0;
}
}
printf( "\n" );
fprintf( stderr, "\n" );
for ( b = a->acl_access; b != NULL; b = b->a_next ) {
print_access( b );
}
fprintf( stderr, "\n" );
}
#endif /* LDAP_DEBUG */
......@@ -15,7 +15,7 @@ extern Attribute *attr_find();
#ifdef SLAPD_ACLGROUPS
/* return 0 IFF edn is a value in uniqueMember attribute
/* return 0 IFF edn is a value in member attribute
* of entry with bdn AND that entry has an objectClass
* value of groupOfNames
*/
......@@ -23,7 +23,9 @@ int
ldbm_back_group(
Backend *be,
char *bdn,
char *edn
char *edn,
char *objectclassValue,
char *groupattrName
)
{
struct ldbminfo *li = (struct ldbminfo *) be->be_private;
......@@ -35,6 +37,8 @@ ldbm_back_group(
Debug( LDAP_DEBUG_TRACE, "=> ldbm_back_group: bdn: %s\n", bdn, 0, 0 );
Debug( LDAP_DEBUG_TRACE, "=> ldbm_back_group: edn: %s\n", edn, 0, 0 );
Debug( LDAP_DEBUG_TRACE, "=> ldbm_back_group: objectClass: %s attrName: %s\n",
objectclassValue, groupattrName, 0 );
/* can we find bdn entry with reader lock */
if ((e = dn2entry_r(be, bdn, &matched )) == NULL) {
......@@ -56,32 +60,33 @@ ldbm_back_group(
if ((objectClass = attr_find(e->e_attrs, "objectclass")) == NULL) {
Debug( LDAP_DEBUG_TRACE, "<= ldbm_back_group: failed to find objectClass\n", 0, 0, 0 );
}
else if ((member = attr_find(e->e_attrs, "member")) == NULL) {
Debug( LDAP_DEBUG_TRACE, "<= ldbm_back_group: failed to find member\n", 0, 0, 0 );
else if ((member = attr_find(e->e_attrs, groupattrName)) == NULL) {
Debug( LDAP_DEBUG_TRACE, "<= ldbm_back_group: failed to find %s\n", groupattrName, 0, 0 );
}
else {
struct berval bvObjectClass;
struct berval bvMembers;
Debug( LDAP_DEBUG_ARGS, "<= ldbm_back_group: found objectClass and members\n", 0, 0, 0 );
Debug( LDAP_DEBUG_ARGS, "<= ldbm_back_group: found objectClass and %s\n", groupattrName, 0, 0 );
bvObjectClass.bv_val = "groupofnames";
bvObjectClass.bv_val = objectclassValue;
bvObjectClass.bv_len = strlen( bvObjectClass.bv_val );
bvMembers.bv_val = edn;
bvMembers.bv_len = strlen( edn );
if (value_find(objectClass->a_vals, &bvObjectClass, SYNTAX_CIS, 1) != 0) {
Debug( LDAP_DEBUG_TRACE,
"<= ldbm_back_group: failed to find objectClass in groupOfNames\n",
0, 0, 0 );
"<= ldbm_back_group: failed to find %s in objectClass\n",
objectclassValue, 0, 0 );
}
else if (value_find(member->a_vals, &bvMembers, SYNTAX_CIS, 1) != 0) {
Debug( LDAP_DEBUG_ACL, "<= ldbm_back_group: %s not in %s: groupOfNames\n",
edn, bdn, 0 );
Debug( LDAP_DEBUG_ACL, "<= ldbm_back_group: %s not in %s: %s\n",
edn, bdn, groupattrName );
}
else {
Debug( LDAP_DEBUG_ACL, "<= ldbm_back_group: %s is in %s: groupOfNames\n",
edn, bdn, 0 );
Debug( LDAP_DEBUG_ACL, "<= ldbm_back_group: %s is in %s: %s\n",
edn, bdn, groupattrName );
rc = 0;
}
}
......@@ -91,5 +96,5 @@ ldbm_back_group(
Debug( LDAP_DEBUG_ARGS, "ldbm_back_group: rc: %d\n", rc, 0, 0 );
return(rc);
}
#endif
#endif /* SLAPD_ACLGROUPS */
......@@ -282,10 +282,10 @@ be_unbind(
#ifdef SLAPD_ACLGROUPS
int
be_group(Backend *be, char *bdn, char *edn)
be_group(Backend *be, char *bdn, char *edn, char *objectclassValue, char *groupattrName)
{
if (be->be_group)
return(be->be_group(be, bdn, edn));
return(be->be_group(be, bdn, edn, objectclassValue, groupattrName));
else
return(1);
}
......
......@@ -391,63 +391,63 @@ filter_print( Filter *f )
Filter *p;
if ( f == NULL ) {
printf( "NULL" );
fprintf( stderr, "NULL" );
}
switch ( f->f_choice ) {
case LDAP_FILTER_EQUALITY:
printf( "(%s=%s)", f->f_ava.ava_type,
fprintf( stderr, "(%s=%s)", f->f_ava.ava_type,
f->f_ava.ava_value.bv_val );
break;
case LDAP_FILTER_GE:
printf( "(%s>=%s)", f->f_ava.ava_type,
fprintf( stderr, "(%s>=%s)", f->f_ava.ava_type,
f->f_ava.ava_value.bv_val );
break;
case LDAP_FILTER_LE:
printf( "(%s<=%s)", f->f_ava.ava_type,
fprintf( stderr, "(%s<=%s)", f->f_ava.ava_type,
f->f_ava.ava_value.bv_val );
break;
case LDAP_FILTER_APPROX:
printf( "(%s~=%s)", f->f_ava.ava_type,
fprintf( stderr, "(%s~=%s)", f->f_ava.ava_type,
f->f_ava.ava_value.bv_val );
break;
case LDAP_FILTER_SUBSTRINGS:
printf( "(%s=", f->f_sub_type );
fprintf( stderr, "(%s=", f->f_sub_type );
if ( f->f_sub_initial != NULL ) {
printf( "%s", f->f_sub_initial );
fprintf( stderr, "%s", f->f_sub_initial );
}
if ( f->f_sub_any != NULL ) {
for ( i = 0; f->f_sub_any[i] != NULL; i++ ) {
printf( "*%s", f->f_sub_any[i] );
fprintf( stderr, "*%s", f->f_sub_any[i] );
}
}
charray_free( f->f_sub_any );
if ( f->f_sub_final != NULL ) {
printf( "*%s", f->f_sub_final );
fprintf( stderr, "*%s", f->f_sub_final );
}
break;
case LDAP_FILTER_PRESENT:
printf( "%s=*", f->f_type );
fprintf( stderr, "%s=*", f->f_type );
break;
case LDAP_FILTER_AND:
case LDAP_FILTER_OR:
case LDAP_FILTER_NOT:
printf( "(%c", f->f_choice == LDAP_FILTER_AND ? '&' :
fprintf( stderr, "(%c", f->f_choice == LDAP_FILTER_AND ? '&' :
f->f_choice == LDAP_FILTER_OR ? '|' : '!' );
for ( p = f->f_list; p != NULL; p = p->f_next ) {
filter_print( p );
}
printf( ")" );
fprintf( stderr, ")" );
break;
default:
printf( "unknown type %d", f->f_choice );
fprintf( stderr, "unknown type %d", f->f_choice );
break;
}
}
......
......@@ -144,7 +144,9 @@ struct access {
long a_access;
#ifdef SLAPD_ACLGROUPS
char *a_group;
char *a_group;
char *a_objectclassvalue;
char *a_groupattrname;
#endif
#define ACL_NONE 0x01
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment