aclparse.c

/* aclparse.c - routines to parse and check acl's */
/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
 *
 * Copyright 1998-2005 The OpenLDAP Foundation.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted only as authorized by the OpenLDAP
 * Public License.
 *
 * A copy of this license is available in the file LICENSE in the
 * top-level directory of the distribution or, alternatively, at
 * <http://www.OpenLDAP.org/license.html>.
 */
/* Portions Copyright (c) 1995 Regents of the University of Michigan.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms are permitted
 * provided that this notice is preserved and that due credit is given
 * to the University of Michigan at Ann Arbor. The name of the University
 * may not be used to endorse or promote products derived from this
 * software without specific prior written permission. This software
 * is provided ``as is'' without express or implied warranty.
 */

#include "portable.h"

#include <stdio.h>

#include <ac/ctype.h>
#include <ac/regex.h>
#include <ac/socket.h>
#include <ac/string.h>
#include <ac/unistd.h>

#include "slap.h"
#include "lber_pvt.h"
#include "lutil.h"

static char *style_strings[] = {
	"regex",
	"expand",
	"base",
	"one",
	"subtree",
	"children",
	"level",
	"attrof",
	"anonymous",
	"users",
	"self",
	"ip",
	"path",
	NULL
};

static void		split(char *line, int splitchar, char **left, char **right);
static void		access_append(Access **l, Access *a);
static void		acl_usage(void) LDAP_GCCATTR((noreturn));

static void		acl_regex_normalized_dn(const char *src, struct berval *pat);

#ifdef LDAP_DEBUG
static void		print_acl(Backend *be, AccessControl *a);
#endif

static int		check_scope( BackendDB *be, AccessControl *a );

#ifdef SLAP_DYNACL
static int
slap_dynacl_config( const char *fname, int lineno, Access *b, const char *name, slap_style_t sty, const char *right )
{
	slap_dynacl_t	*da, *tmp;
	int		rc = 0;

	for ( da = b->a_dynacl; da; da = da->da_next ) {
		if ( strcasecmp( da->da_name, name ) == 0 ) {
			fprintf( stderr,
				"%s: line %d: dynacl \"%s\" already specified.\n",
				fname, lineno, name );
			acl_usage();
		}
	}

	da = slap_dynacl_get( name );
	if ( da == NULL ) {
		return -1;
	}

	tmp = ch_malloc( sizeof( slap_dynacl_t ) );
	*tmp = *da;

	if ( tmp->da_parse ) {
		rc = ( *tmp->da_parse )( fname, lineno, sty, right, &tmp->da_private );
		if ( rc ) {
			ch_free( tmp );
			return rc;
		}
	}

	tmp->da_next = b->a_dynacl;
	b->a_dynacl = tmp;

	return 0;
}
#endif /* SLAP_DYNACL */

static void
regtest(const char *fname, int lineno, char *pat) {
	int e;
	regex_t re;

	char buf[512];
	unsigned size;

	char *sp;
	char *dp;
	int  flag;

	sp = pat;
	dp = buf;
	size = 0;
	buf[0] = '\0';

	for (size = 0, flag = 0; (size < sizeof(buf)) && *sp; sp++) {
		if (flag) {
			if (*sp == '$'|| (*sp >= '0' && *sp <= '9')) {
				*dp++ = *sp;
				size++;
			}
			flag = 0;

		} else {
			if (*sp == '$') {
				flag = 1;
			} else {
				*dp++ = *sp;
				size++;
			}
		}
	}

	*dp = '\0';
	if ( size >= (sizeof(buf) - 1) ) {
		fprintf( stderr,
			"%s: line %d: regular expression \"%s\" too large\n",
			fname, lineno, pat );
		acl_usage();
	}

	if ((e = regcomp(&re, buf, REG_EXTENDED|REG_ICASE))) {
		char error[512];
		regerror(e, &re, error, sizeof(error));
		fprintf( stderr,
			"%s: line %d: regular expression \"%s\" bad because of %s\n",
			fname, lineno, pat, error );
		acl_usage();
	}
	regfree(&re);
}

/*
 * Experimental
 *
 * Check if the pattern of an ACL, if any, matches the scope
 * of the backend it is defined within.
 */
#define	ACL_SCOPE_UNKNOWN	(-2)
#define	ACL_SCOPE_ERR		(-1)
#define	ACL_SCOPE_OK		(0)
#define	ACL_SCOPE_PARTIAL	(1)
#define	ACL_SCOPE_WARN		(2)

static int
check_scope( BackendDB *be, AccessControl *a )
{
	int		patlen;
	struct berval	dn;

	dn = be->be_nsuffix[0];

	if ( BER_BVISEMPTY( &dn ) ) {
		return ACL_SCOPE_OK;
	}

	if ( !BER_BVISEMPTY( &a->acl_dn_pat ) ||
			a->acl_dn_style != ACL_STYLE_REGEX )
	{
		slap_style_t	style = a->acl_dn_style;

		if ( style == ACL_STYLE_REGEX ) {
			char		dnbuf[SLAP_LDAPDN_MAXLEN + 2];
			char		rebuf[SLAP_LDAPDN_MAXLEN + 1];
			ber_len_t	rebuflen;
			regex_t		re;
			int		rc;
			
			/* add trailing '$' to database suffix to form
			 * a simple trial regex pattern "<suffix>$" */
			AC_MEMCPY( dnbuf, be->be_nsuffix[0].bv_val,
				be->be_nsuffix[0].bv_len );
			dnbuf[be->be_nsuffix[0].bv_len] = '$';
			dnbuf[be->be_nsuffix[0].bv_len + 1] = '\0';

			if ( regcomp( &re, dnbuf, REG_EXTENDED|REG_ICASE ) ) {
				return ACL_SCOPE_WARN;
			}

			/* remove trailing ')$', if any, from original
			 * regex pattern */
			rebuflen = a->acl_dn_pat.bv_len;
			AC_MEMCPY( rebuf, a->acl_dn_pat.bv_val, rebuflen + 1 );
			if ( rebuf[rebuflen - 1] == '$' ) {
				rebuf[--rebuflen] = '\0';
			}
			while ( rebuflen > be->be_nsuffix[0].bv_len && rebuf[rebuflen - 1] == ')' ) {
				rebuf[--rebuflen] = '\0';
			}
			if ( rebuflen == be->be_nsuffix[0].bv_len ) {
				rc = ACL_SCOPE_WARN;
				goto regex_done;
			}

			/* not a clear indication of scoping error, though */
			rc = regexec( &re, rebuf, 0, NULL, 0 )
				? ACL_SCOPE_WARN : ACL_SCOPE_OK;

regex_done:;
			regfree( &re );
			return rc;
		}

		patlen = a->acl_dn_pat.bv_len;
		/* If backend suffix is longer than pattern,
		 * it is a potential mismatch (in the sense
		 * that a superior naming context could
		 * match */
		if ( dn.bv_len > patlen ) {
			/* base is blatantly wrong */
			if ( style == ACL_STYLE_BASE ) return ACL_SCOPE_ERR;

			/* a style of one can be wrong if there is
			 * more than one level between the suffix
			 * and the pattern */
			if ( style == ACL_STYLE_ONE ) {
				int	rdnlen = -1, sep = 0;

				if ( patlen > 0 ) {
					if ( !DN_SEPARATOR( dn.bv_val[dn.bv_len - patlen - 1] )) {
						return ACL_SCOPE_ERR;
					}
					sep = 1;
				}

				rdnlen = dn_rdnlen( NULL, &dn );
				if ( rdnlen != dn.bv_len - patlen - sep )
					return ACL_SCOPE_ERR;
			}

			/* if the trailing part doesn't match,
			 * then it's an error */
			if ( strcmp( a->acl_dn_pat.bv_val,
				&dn.bv_val[dn.bv_len - patlen] ) != 0 )
			{
				return ACL_SCOPE_ERR;
			}

			return ACL_SCOPE_PARTIAL;
		}

		switch ( style ) {
		case ACL_STYLE_BASE:
		case ACL_STYLE_ONE:
		case ACL_STYLE_CHILDREN:
		case ACL_STYLE_SUBTREE:
			break;

		default:
			assert( 0 );
			break;
		}

		if ( dn.bv_len < patlen &&
			!DN_SEPARATOR( a->acl_dn_pat.bv_val[patlen - dn.bv_len - 1] ))
		{
			return ACL_SCOPE_ERR;
		}

		if ( strcmp( &a->acl_dn_pat.bv_val[patlen - dn.bv_len], dn.bv_val )
			!= 0 )
		{
			return ACL_SCOPE_ERR;
		}

		return ACL_SCOPE_OK;
	}

	return ACL_SCOPE_UNKNOWN;
}

void
parse_acl(
    Backend	*be,
    const char	*fname,
    int		lineno,
    int		argc,
    char	**argv,
	int		pos )
{
	int		i;
	char		*left, *right, *style, *next;
	struct berval	bv;
	AccessControl	*a;
	Access	*b;
	int rc;
	const char *text;

	a = NULL;
	for ( i = 1; i < argc; i++ ) {
		/* to clause - select which entries are protected */
		if ( strcasecmp( argv[i], "to" ) == 0 ) {
			if ( a != NULL ) {
				fprintf( stderr, "%s: line %d: "
					"only one to clause allowed in access line\n",
				    fname, lineno );
				acl_usage();
			}
			a = (AccessControl *) ch_calloc( 1, sizeof(AccessControl) );
			for ( ++i; i < argc; i++ ) {
				if ( strcasecmp( argv[i], "by" ) == 0 ) {
					i--;
					break;
				}

				if ( strcasecmp( argv[i], "*" ) == 0 ) {
					if ( !BER_BVISEMPTY( &a->acl_dn_pat ) ||
						a->acl_dn_style != ACL_STYLE_REGEX )
					{
						fprintf( stderr,
							"%s: line %d: dn pattern"
							" already specified in to clause.\n",
							fname, lineno );
						acl_usage();
					}

					ber_str2bv( "*", STRLENOF( "*" ), 1, &a->acl_dn_pat );
					continue;
				}

				split( argv[i], '=', &left, &right );
				split( left, '.', &left, &style );

				if ( right == NULL ) {
					fprintf( stderr, "%s: line %d: "
						"missing \"=\" in \"%s\" in to clause\n",
					    fname, lineno, left );
					acl_usage();
				}

				if ( strcasecmp( left, "dn" ) == 0 ) {
					if ( !BER_BVISEMPTY( &a->acl_dn_pat ) ||
						a->acl_dn_style != ACL_STYLE_REGEX )
					{
						fprintf( stderr,
							"%s: line %d: dn pattern"
							" already specified in to clause.\n",
							fname, lineno );
						acl_usage();
					}

					if ( style == NULL || *style == '\0' ||
						strcasecmp( style, "baseObject" ) == 0 ||
						strcasecmp( style, "base" ) == 0 ||
						strcasecmp( style, "exact" ) == 0 )
					{
						a->acl_dn_style = ACL_STYLE_BASE;
						ber_str2bv( right, 0, 1, &a->acl_dn_pat );

					} else if ( strcasecmp( style, "oneLevel" ) == 0 ||
						strcasecmp( style, "one" ) == 0 )
					{
						a->acl_dn_style = ACL_STYLE_ONE;
						ber_str2bv( right, 0, 1, &a->acl_dn_pat );

					} else if ( strcasecmp( style, "subtree" ) == 0 ||
						strcasecmp( style, "sub" ) == 0 )
					{
						if( *right == '\0' ) {
							ber_str2bv( "*", STRLENOF( "*" ), 1, &a->acl_dn_pat );

						} else {
							a->acl_dn_style = ACL_STYLE_SUBTREE;
							ber_str2bv( right, 0, 1, &a->acl_dn_pat );
						}

					} else if ( strcasecmp( style, "children" ) == 0 ) {
						a->acl_dn_style = ACL_STYLE_CHILDREN;
						ber_str2bv( right, 0, 1, &a->acl_dn_pat );

					} else if ( strcasecmp( style, "regex" ) == 0 ) {
						a->acl_dn_style = ACL_STYLE_REGEX;

						if ( *right == '\0' ) {
							/* empty regex should match empty DN */
							a->acl_dn_style = ACL_STYLE_BASE;
							ber_str2bv( right, 0, 1, &a->acl_dn_pat );

						} else if ( strcmp(right, "*") == 0 
							|| strcmp(right, ".*") == 0 
							|| strcmp(right, ".*$") == 0 
							|| strcmp(right, "^.*") == 0 
							|| strcmp(right, "^.*$") == 0
							|| strcmp(right, ".*$$") == 0 
							|| strcmp(right, "^.*$$") == 0 )
						{
							ber_str2bv( "*", STRLENOF("*"), 1, &a->acl_dn_pat );

						} else {
							acl_regex_normalized_dn( right, &a->acl_dn_pat );
						}

					} else {
						fprintf( stderr, "%s: line %d: "
							"unknown dn style \"%s\" in to clause\n",
						    fname, lineno, style );
						acl_usage();
					}

					continue;
				}

				if ( strcasecmp( left, "filter" ) == 0 ) {
					if ( (a->acl_filter = str2filter( right )) == NULL ) {
						fprintf( stderr,
				"%s: line %d: bad filter \"%s\" in to clause\n",
						    fname, lineno, right );
						acl_usage();
					}

				} else if ( strcasecmp( left, "attr" ) == 0		/* TOLERATED */
						|| strcasecmp( left, "attrs" ) == 0 )	/* DOCUMENTED */
				{
					a->acl_attrs = str2anlist( a->acl_attrs,
						right, "," );
					if ( a->acl_attrs == NULL ) {
						fprintf( stderr,
				"%s: line %d: unknown attr \"%s\" in to clause\n",
						    fname, lineno, right );
						acl_usage();
					}

				} else if ( strncasecmp( left, "val", 3 ) == 0 ) {
					if ( !BER_BVISEMPTY( &a->acl_attrval ) ) {
						fprintf( stderr,
				"%s: line %d: attr val already specified in to clause.\n",
							fname, lineno );
						acl_usage();
					}
					if ( a->acl_attrs == NULL || !BER_BVISEMPTY( &a->acl_attrs[1].an_name ) )
					{
						fprintf( stderr,
				"%s: line %d: attr val requires a single attribute.\n",
							fname, lineno );
						acl_usage();
					}
					ber_str2bv( right, 0, 1, &a->acl_attrval );
					a->acl_attrval_style = ACL_STYLE_BASE;
					if ( style != NULL ) {
						if ( strcasecmp( style, "regex" ) == 0 ) {
							int e = regcomp( &a->acl_attrval_re, a->acl_attrval.bv_val,
								REG_EXTENDED | REG_ICASE | REG_NOSUB );
							if ( e ) {
								char buf[512];
								regerror( e, &a->acl_attrval_re, buf, sizeof(buf) );
								fprintf( stderr, "%s: line %d: "
									"regular expression \"%s\" bad because of %s\n",
									fname, lineno, right, buf );
								acl_usage();
							}
							a->acl_attrval_style = ACL_STYLE_REGEX;

						} else {
							/* FIXME: if the attribute has DN syntax, we might
							 * allow one, subtree and children styles as well */
							if ( !strcasecmp( style, "base" ) ||
								!strcasecmp( style, "exact" ) ) {
								a->acl_attrval_style = ACL_STYLE_BASE;

							} else if ( a->acl_attrs[0].an_desc->ad_type->
								sat_syntax == slap_schema.si_syn_distinguishedName )
							{
								if ( !strcasecmp( style, "baseObject" ) ||
									!strcasecmp( style, "base" ) )
								{
									a->acl_attrval_style = ACL_STYLE_BASE;
								} else if ( !strcasecmp( style, "onelevel" ) ||
									!strcasecmp( style, "one" ) )
								{
									a->acl_attrval_style = ACL_STYLE_ONE;
								} else if ( !strcasecmp( style, "subtree" ) ||
									!strcasecmp( style, "sub" ) )
								{
									a->acl_attrval_style = ACL_STYLE_SUBTREE;
								} else if ( !strcasecmp( style, "children" ) ) {
									a->acl_attrval_style = ACL_STYLE_CHILDREN;
								} else {
									fprintf( stderr, 
										"%s: line %d: unknown val.<style> \"%s\" "
										"for attributeType \"%s\" with DN syntax; "
										"using \"base\"\n",
										fname, lineno, style,
										a->acl_attrs[0].an_desc->ad_cname.bv_val );
									a->acl_attrval_style = ACL_STYLE_BASE;
								}

							} else {
								fprintf( stderr, 
									"%s: line %d: unknown val.<style> \"%s\" "
									"for attributeType \"%s\"; using \"exact\"\n",
									fname, lineno, style,
									a->acl_attrs[0].an_desc->ad_cname.bv_val );
								a->acl_attrval_style = ACL_STYLE_BASE;
							}
						}
					}
					
				} else {
					fprintf( stderr,
						"%s: line %d: expecting <what> got \"%s\"\n",
					    fname, lineno, left );
					acl_usage();
				}
			}

			if ( !BER_BVISNULL( &a->acl_dn_pat ) && 
					ber_bvccmp( &a->acl_dn_pat, '*' ) )
			{
				free( a->acl_dn_pat.bv_val );
				BER_BVZERO( &a->acl_dn_pat );
			}
			
			if ( !BER_BVISEMPTY( &a->acl_dn_pat ) ||
					a->acl_dn_style != ACL_STYLE_REGEX ) 
			{
				if ( a->acl_dn_style != ACL_STYLE_REGEX ) {
					struct berval bv;
					rc = dnNormalize( 0, NULL, NULL, &a->acl_dn_pat, &bv, NULL);
					if ( rc != LDAP_SUCCESS ) {
						fprintf( stderr,
							"%s: line %d: bad DN \"%s\" in to DN clause\n",
							fname, lineno, a->acl_dn_pat.bv_val );
						acl_usage();
					}
					free( a->acl_dn_pat.bv_val );
					a->acl_dn_pat = bv;

				} else {
					int e = regcomp( &a->acl_dn_re, a->acl_dn_pat.bv_val,
						REG_EXTENDED | REG_ICASE );
					if ( e ) {
						char buf[512];
						regerror( e, &a->acl_dn_re, buf, sizeof(buf) );
						fprintf( stderr, "%s: line %d: "
							"regular expression \"%s\" bad because of %s\n",
							fname, lineno, right, buf );
						acl_usage();
					}
				}
			}

		/* by clause - select who has what access to entries */
		} else if ( strcasecmp( argv[i], "by" ) == 0 ) {
			if ( a == NULL ) {
				fprintf( stderr, "%s: line %d: "
					"to clause required before by clause in access line\n",
				    fname, lineno );
				acl_usage();
			}

			/*
			 * by clause consists of <who> and <access>
			 */

			b = (Access *) ch_calloc( 1, sizeof(Access) );

			ACL_INVALIDATE( b->a_access_mask );

			if ( ++i == argc ) {
				fprintf( stderr,
			    "%s: line %d: premature eol: expecting <who>\n",
				    fname, lineno );
				acl_usage();
			}

			/* get <who> */
			for ( ; i < argc; i++ ) {
				slap_style_t	sty = ACL_STYLE_REGEX;
				char		*style_modifier = NULL;
				char		*style_level = NULL;
				int		level = 0;
				int		expand = 0;
				slap_dn_access	*bdn = &b->a_dn;
				int		is_realdn = 0;

				split( argv[i], '=', &left, &right );
				split( left, '.', &left, &style );
				if ( style ) {
					split( style, ',', &style, &style_modifier );

					if ( strncasecmp( style, "level", STRLENOF( "level" ) ) == 0 ) {
						split( style, '{', &style, &style_level );
						if ( style_level != NULL ) {
							char *p = strchr( style_level, '}' );
							if ( p == NULL ) {
								fprintf( stderr,
									"%s: line %d: premature eol: "
									"expecting closing '}' in \"level{n}\"\n",
									fname, lineno );
								acl_usage();
							} else if ( p == style_level ) {
								fprintf( stderr,
									"%s: line %d: empty level "
									"in \"level{n}\"\n",
									fname, lineno );
								acl_usage();
							}
							p[0] = '\0';
						}
					}
				}

				if ( style == NULL || *style == '\0' ||
					strcasecmp( style, "exact" ) == 0 ||
					strcasecmp( style, "baseObject" ) == 0 ||
					strcasecmp( style, "base" ) == 0 )
				{
					sty = ACL_STYLE_BASE;

				} else if ( strcasecmp( style, "onelevel" ) == 0 ||
					strcasecmp( style, "one" ) == 0 )
				{
					sty = ACL_STYLE_ONE;

				} else if ( strcasecmp( style, "subtree" ) == 0 ||
					strcasecmp( style, "sub" ) == 0 )
				{
					sty = ACL_STYLE_SUBTREE;

				} else if ( strcasecmp( style, "children" ) == 0 ) {
					sty = ACL_STYLE_CHILDREN;

				} else if ( strcasecmp( style, "level" ) == 0 )
				{
					char	*next;

					level = strtol( style_level, &next, 10 );
					if ( next[0] != '\0' ) {
						fprintf( stderr,
							"%s: line %d: unable to parse level "
							"in \"level{n}\"\n",
							fname, lineno );
						acl_usage();
					}

					sty = ACL_STYLE_LEVEL;

				} else if ( strcasecmp( style, "regex" ) == 0 ) {
					sty = ACL_STYLE_REGEX;

				} else if ( strcasecmp( style, "expand" ) == 0 ) {
					sty = ACL_STYLE_EXPAND;

				} else if ( strcasecmp( style, "ip" ) == 0 ) {
					sty = ACL_STYLE_IP;

				} else if ( strcasecmp( style, "path" ) == 0 ) {
					sty = ACL_STYLE_PATH;
#ifndef LDAP_PF_LOCAL
					fprintf( stderr, "%s: line %d: "
						"path style modifier is useless without local\n",
						fname, lineno );
#endif /* LDAP_PF_LOCAL */

				} else {
					fprintf( stderr,
						"%s: line %d: unknown style \"%s\" in by clause\n",
					    fname, lineno, style );
					acl_usage();
				}

				if ( style_modifier &&
					strcasecmp( style_modifier, "expand" ) == 0 )
				{
					switch ( sty ) {
					case ACL_STYLE_REGEX:
						fprintf( stderr, "%s: line %d: "
							"\"regex\" style implies "
							"\"expand\" modifier (ignored)\n",
							fname, lineno );
						break;

					case ACL_STYLE_EXPAND:
#if 0
						/* FIXME: now it's legal... */
						fprintf( stderr, "%s: line %d: "
							"\"expand\" style used "
							"in conjunction with "
							"\"expand\" modifier (ignored)\n",
							fname, lineno );
#endif
						break;

					default:
						/* we'll see later if it's pertinent */
						expand = 1;
						break;
					}
				}

				/* expand in <who> needs regex in <what> */
				if ( ( sty == ACL_STYLE_EXPAND || expand )
						&& a->acl_dn_style != ACL_STYLE_REGEX )
				{
					fprintf( stderr, "%s: line %d: "
						"\"expand\" style or modifier used "
						"in conjunction with "
						"a non-regex <what> clause\n",
						fname, lineno );
				}

				if ( strncasecmp( left, "real", STRLENOF( "real" ) ) == 0 ) {
					is_realdn = 1;
					bdn = &b->a_realdn;
					left += STRLENOF( "real" );
				}

				if ( strcasecmp( left, "*" ) == 0 ) {
					if ( is_realdn ) {
						acl_usage();
					}

					ber_str2bv( "*", STRLENOF( "*" ), 1, &bv );
					sty = ACL_STYLE_REGEX;

				} else if ( strcasecmp( left, "anonymous" ) == 0 ) {
					ber_str2bv("anonymous", STRLENOF( "anonymous" ), 1, &bv);
					sty = ACL_STYLE_ANONYMOUS;

				} else if ( strcasecmp( left, "users" ) == 0 ) {
					ber_str2bv("users", STRLENOF( "users" ), 1, &bv);
					sty = ACL_STYLE_USERS;

				} else if ( strcasecmp( left, "self" ) == 0 ) {
					ber_str2bv("self", STRLENOF( "self" ), 1, &bv);
					sty = ACL_STYLE_SELF;

				} else if ( strcasecmp( left, "dn" ) == 0 ) {
					if ( sty == ACL_STYLE_REGEX ) {
						bdn->a_style = ACL_STYLE_REGEX;
						if ( right == NULL ) {
							/* no '=' */
							ber_str2bv("users",
								STRLENOF( "users" ),
								1, &bv);
							bdn->a_style = ACL_STYLE_USERS;

						} else if (*right == '\0' ) {
							/* dn="" */
							ber_str2bv("anonymous",
								STRLENOF( "anonymous" ),
								1, &bv);
							bdn->a_style = ACL_STYLE_ANONYMOUS;

						} else if ( strcmp( right, "*" ) == 0 ) {
							/* dn=* */
							/* any or users?  users for now */
							ber_str2bv("users",
								STRLENOF( "users" ),
								1, &bv);
							bdn->a_style = ACL_STYLE_USERS;

						} else if ( strcmp( right, ".+" ) == 0
							|| strcmp( right, "^.+" ) == 0
							|| strcmp( right, ".+$" ) == 0
							|| strcmp( right, "^.+$" ) == 0
							|| strcmp( right, ".+$$" ) == 0
							|| strcmp( right, "^.+$$" ) == 0 )
						{
							ber_str2bv("users",
								STRLENOF( "users" ),
								1, &bv);
							bdn->a_style = ACL_STYLE_USERS;

						} else if ( strcmp( right, ".*" ) == 0
							|| strcmp( right, "^.*" ) == 0
							|| strcmp( right, ".*$" ) == 0
							|| strcmp( right, "^.*$" ) == 0
							|| strcmp( right, ".*$$" ) == 0
							|| strcmp( right, "^.*$$" ) == 0 )
						{
							ber_str2bv("*",
								STRLENOF( "*" ),
								1, &bv);

						} else {
							acl_regex_normalized_dn( right, &bv );
							if ( !ber_bvccmp( &bv, '*' ) ) {
								regtest( fname, lineno, bv.bv_val );
							}
						}

					} else if ( right == NULL || *right == '\0' ) {
						fprintf( stderr, "%s: line %d: "
							"missing \"=\" in (or value after) \"%s\" "
							"in by clause\n",
						    fname, lineno, left );
						acl_usage();

					} else {
						ber_str2bv( right, 0, 1, &bv );
					}

				} else {
					BER_BVZERO( &bv );
				}

				if ( !BER_BVISNULL( &bv ) ) {
					if ( !BER_BVISEMPTY( &bdn->a_pat ) ) {
						fprintf( stderr,
						    "%s: line %d: dn pattern already specified.\n",
						    fname, lineno );
						acl_usage();
					}

					if ( sty != ACL_STYLE_REGEX &&
							sty != ACL_STYLE_ANONYMOUS &&
							sty != ACL_STYLE_USERS &&
							sty != ACL_STYLE_SELF &&
							expand == 0 )
					{
						rc = dnNormalize(0, NULL, NULL,
							&bv, &bdn->a_pat, NULL);
						if ( rc != LDAP_SUCCESS ) {
							fprintf( stderr,
								"%s: line %d: bad DN \"%s\" in by DN clause\n",
								fname, lineno, bv.bv_val );
							acl_usage();
						}
						free( bv.bv_val );

					} else {
						bdn->a_pat = bv;
					}
					bdn->a_style = sty;
					bdn->a_expand = expand;
					if ( sty == ACL_STYLE_SELF ) {
						bdn->a_self_level = level;

					} else {
						if ( level < 0 ) {
							fprintf( stderr,
								"%s: line %d: bad negative level \"%d\" "
								"in by DN clause\n",
								fname, lineno, level );
							acl_usage();
						} else if ( level == 1 ) {
							fprintf( stderr,
								"%s: line %d: \"onelevel\" should be used "
								"instead of \"level{1}\" in by DN clause\n",
								fname, lineno, 0 );
						} else if ( level == 0 && sty == ACL_STYLE_LEVEL ) {
							fprintf( stderr,
								"%s: line %d: \"base\" should be used "
								"instead of \"level{0}\" in by DN clause\n",
								fname, lineno, 0 );
						}

						bdn->a_level = level;
					}
					continue;
				}

				if ( strcasecmp( left, "dnattr" ) == 0 ) {
					if ( right == NULL || right[0] == '\0' ) {
						fprintf( stderr, "%s: line %d: "
							"missing \"=\" in (or value after) \"%s\" "
							"in by clause\n",
							fname, lineno, left );
						acl_usage();
					}

					if( bdn->a_at != NULL ) {
						fprintf( stderr,
							"%s: line %d: dnattr already specified.\n",
							fname, lineno );
						acl_usage();
					}

					rc = slap_str2ad( right, &bdn->a_at, &text );

					if( rc != LDAP_SUCCESS ) {
						fprintf( stderr,
							"%s: line %d: dnattr \"%s\": %s\n",
							fname, lineno, right, text );
						acl_usage();
					}


					if( !is_at_syntax( bdn->a_at->ad_type,
						SLAPD_DN_SYNTAX ) &&
						!is_at_syntax( bdn->a_at->ad_type,
						SLAPD_NAMEUID_SYNTAX ))
					{
						fprintf( stderr,
							"%s: line %d: dnattr \"%s\": "
							"inappropriate syntax: %s\n",
							fname, lineno, right,
							bdn->a_at->ad_type->sat_syntax_oid );
						acl_usage();
					}

					if( bdn->a_at->ad_type->sat_equality == NULL ) {
						fprintf( stderr,
							"%s: line %d: dnattr \"%s\": "
							"inappropriate matching (no EQUALITY)\n",
							fname, lineno, right );
						acl_usage();
					}

					continue;
				}

				if ( strncasecmp( left, "group", STRLENOF( "group" ) ) == 0 ) {
					char *name = NULL;
					char *value = NULL;

					switch ( sty ) {
					case ACL_STYLE_REGEX:
						/* legacy, tolerated */
						fprintf( stderr, "%s: line %d: "
							"deprecated group style \"regex\"; "
							"use \"expand\" instead\n",
							fname, lineno, style );
						sty = ACL_STYLE_EXPAND;
						break;

					case ACL_STYLE_BASE:
						/* legal, traditional */
					case ACL_STYLE_EXPAND:
						/* legal, substring expansion; supersedes regex */
						break;

					default:
						/* unknown */
						fprintf( stderr, "%s: line %d: "
							"inappropriate style \"%s\" in by clause\n",
							fname, lineno, style );
						acl_usage();
					}

					if ( right == NULL || right[0] == '\0' ) {
						fprintf( stderr, "%s: line %d: "
							"missing \"=\" in (or value after) \"%s\" "
							"in by clause\n",
							fname, lineno, left );
						acl_usage();
					}

					if ( !BER_BVISEMPTY( &b->a_group_pat ) ) {
						fprintf( stderr,
							"%s: line %d: group pattern already specified.\n",
							fname, lineno );
						acl_usage();
					}

					/* format of string is
						"group/objectClassValue/groupAttrName" */
					if ( ( value = strchr(left, '/') ) != NULL ) {
						*value++ = '\0';
						if ( *value && ( name = strchr( value, '/' ) ) != NULL ) {
							*name++ = '\0';
						}
					}

					b->a_group_style = sty;
					if ( sty == ACL_STYLE_EXPAND ) {
						acl_regex_normalized_dn( right, &bv );
						if ( !ber_bvccmp( &bv, '*' ) ) {
							regtest( fname, lineno, bv.bv_val );
						}
						b->a_group_pat = bv;

					} else {
						ber_str2bv( right, 0, 0, &bv );
						rc = dnNormalize( 0, NULL, NULL, &bv,
							&b->a_group_pat, NULL );
						if ( rc != LDAP_SUCCESS ) {
							fprintf( stderr,
								"%s: line %d: bad DN \"%s\"\n",