fix previous commit in case of access to non existent backend (e.g. rootDSE);...

fix previous commit in case of access to non existent backend (e.g. rootDSE); add (and document) authzID/DN support

fix previous commit in case of access to non existent backend (e.g. rootDSE);...
fix previous commit in case of access to non existent backend (e.g. rootDSE); add (and document) authzID/DN support
e9ab146a · Pierangelo Masarati · 387864a9 · e9ab146a · e9ab146a · e9ab146a
Commit e9ab146a authored Apr 12, 2005 by Pierangelo Masarati
--- a/doc/man/man8/slapacl.8
+++ b/doc/man/man8/slapacl.8
@@ -11,6 +11,7 @@ slapacl \- Check access to a list of attributes.
 .B [\-D authcDN | \-U authcID]
 .B \-b DN
 .B [\-u]
+.B [\-X authzID | \-o authzDN=DN]
 .B [attr[/access][:value]] [...]
 .LP
 .SH DESCRIPTION
@@ -63,6 +64,36 @@ rules (see
 for details); mutually exclusive with
 .BR \-D .
 .TP
+.BI \-X " authzID"
+specify an authorization ID to be mapped to a
+.B DN
+as by means of
+.B authz-regexp
+or
+.B authz-rewrite
+rules (see
+.BR slapd.conf (5)
+for details); mutually exclusive with \fB\-o\fP \fIauthzDN=DN\fP.
+.TP
+.BI \-o " option[=value]"
+Specify an
+.BR option
+with a(n optional)
+.BR value .
+Possible options/values are:
+.LP
+.nf
+              sockurl
+              domain
+              peername
+              sockname
+              ssf
+              transport_ssf
+              tls_ssf
+              sasl_ssf
+              authzDN
+.fi
+.TP
 .BI \-b " DN"
 specify the 
 .B DN 

--- a/servers/slapd/slapacl.c
+++ b/servers/slapd/slapacl.c
@@ -90,10 +90,18 @@ slapacl( int argc, char **argv )
 	op->o_sasl_ssf = sasl_ssf;

 	if ( !BER_BVISNULL( &authcID ) ) {
+		if ( !BER_BVISNULL( &authcDN ) ) {
+			fprintf( stderr, "both authcID=\"%s\" "
+					"and authcDN=\"%s\" provided\n",
+					authcID.bv_val, authcDN.bv_val );
+			rc = 1;
+			goto destroy;
+		}
+
 		rc = slap_sasl_getdn( &conn, op, &authcID, NULL,
 				&authcDN, SLAP_GETDN_AUTHCID );
 		if ( rc != LDAP_SUCCESS ) {
-			fprintf( stderr, "ID: <%s> check failed %d (%s)\n",
+			fprintf( stderr, "authcID: <%s> check failed %d (%s)\n",
 					authcID.bv_val, rc,
 					ldap_err2string( rc ) );
 			rc = 1;
@@ -115,9 +123,47 @@ slapacl( int argc, char **argv )
 		authcDN = ndn;
 	}

+	if ( !BER_BVISNULL( &authzID ) ) {
+		if ( !BER_BVISNULL( &authzDN ) ) {
+			fprintf( stderr, "both authzID=\"%s\" "
+					"and authzDN=\"%s\" provided\n",
+					authzID.bv_val, authzDN.bv_val );
+			rc = 1;
+			goto destroy;
+		}
+
+		rc = slap_sasl_getdn( &conn, op, &authzID, NULL,
+				&authzDN, SLAP_GETDN_AUTHZID );
+		if ( rc != LDAP_SUCCESS ) {
+			fprintf( stderr, "authzID: <%s> check failed %d (%s)\n",
+					authzID.bv_val, rc,
+					ldap_err2string( rc ) );
+			rc = 1;
+			goto destroy;
+		}
+
+	} else if ( !BER_BVISNULL( &authzDN ) ) {
+		struct berval	ndn;
+
+		rc = dnNormalize( 0, NULL, NULL, &authzDN, &ndn, NULL );
+		if ( rc != LDAP_SUCCESS ) {
+			fprintf( stderr, "autchDN=\"%s\" normalization failed %d (%s)\n",
+					authzDN.bv_val, rc,
+					ldap_err2string( rc ) );
+			rc = 1;
+			goto destroy;
+		}
+		ch_free( authzDN.bv_val );
+		authzDN = ndn;
+	}
+

 	if ( !BER_BVISNULL( &authcDN ) ) {
-		fprintf( stderr, "DN: \"%s\"\n", authcDN.bv_val );
+		fprintf( stderr, "authcDN: \"%s\"\n", authcDN.bv_val );
+	}
+
+	if ( !BER_BVISNULL( &authzDN ) ) {
+		fprintf( stderr, "authzDN: \"%s\"\n", authzDN.bv_val );
 	}

 	assert( !BER_BVISNULL( &baseDN ) );
@@ -131,12 +177,16 @@ slapacl( int argc, char **argv )
 	}

 	op->o_bd = be;
+	if ( !BER_BVISNULL( &authzDN ) ) {
+		op->o_dn = authzDN;
+		op->o_ndn = authzDN;
+	}
 	if ( !BER_BVISNULL( &authcDN ) ) {
-		op->o_dn = authcDN;
-		op->o_ndn = authcDN;
+		op->o_conn->c_dn = authcDN;
+		op->o_conn->c_ndn = authcDN;
 	}

-	if ( !dryrun ) {
+	if ( !dryrun && be ) {
 		ID	id;

 		if ( !be->be_entry_open ||
@@ -264,7 +314,7 @@ slapacl( int argc, char **argv )
 destroy:;
 	ber_memfree( e.e_name.bv_val );
 	ber_memfree( e.e_nname.bv_val );
-	if ( !dryrun ) {
+	if ( !dryrun && be ) {
 		if ( ep != &e ) {
 			be_entry_release_r( op, ep );
 		}

--- a/servers/slapd/slapcommon.c
+++ b/servers/slapd/slapcommon.c
@@ -54,9 +54,8 @@ usage( int tool, const char *progname )

 	switch( tool ) {
 	case SLAPACL:
-		options = "\n\t[-U authcID | -D authcDN]"
-			" -b DN -o <var>[=<val>] [-u]"
-			"\n\t[attr[/access][:value]] [...]\n";
+		options = "\n\t[-U authcID | -D authcDN] [-X authzID | -o authzDN=<DN>]"
+			"\n\t-b DN -o <var>[=<val>] [-u] [attr[/access][:value]] [...]\n";
 		break;

 	case SLAPADD:
@@ -142,6 +141,9 @@ parse_slapacl( void )
 	} else if ( strncasecmp( optarg, "sasl_ssf", len ) == 0 ) {
 		sasl_ssf = atoi( p );

+	} else if ( strncasecmp( optarg, "authzDN", len ) == 0 ) {
+		ber_str2bv( p, 0, 1, &authzDN );
+
 	} else {
 		return -1;
 	}
@@ -214,7 +216,7 @@ slap_tool_init(
 		break;

 	case SLAPACL:
-		options = "b:D:d:f:F:o:uU:v";
+		options = "b:D:d:f:F:o:uU:vX:";
 		mode |= SLAP_TOOL_READMAIN | SLAP_TOOL_READONLY;
 		break;


--- a/servers/slapd/slapcommon.h
+++ b/servers/slapd/slapcommon.h
@@ -42,8 +42,9 @@ typedef struct tool_vars {
 	Filter *tv_filter;
 	struct berval tv_sub_ndn;
 	FILE	*tv_ldiffp;
-	struct berval tv_authcDN;
 	struct berval tv_baseDN;
+	struct berval tv_authcDN;
+	struct berval tv_authzDN;
 	struct berval tv_authcID;
 	struct berval tv_authzID;
 	struct berval tv_mech;
@@ -70,8 +71,9 @@ extern tool_vars tool_globals;
 #define filter tool_globals.tv_filter
 #define sub_ndn tool_globals.tv_sub_ndn
 #define ldiffp tool_globals.tv_ldiffp
-#define authcDN tool_globals.tv_authcDN
 #define baseDN tool_globals.tv_baseDN
+#define authcDN tool_globals.tv_authcDN
+#define authzDN tool_globals.tv_authzDN
 #define authcID tool_globals.tv_authcID
 #define authzID tool_globals.tv_authzID
 #define mech tool_globals.tv_mech