acl.c

/* acl.c - routines to parse and check acl's */
/* $OpenLDAP$ */
/*
 * Copyright 1998-2000 The OpenLDAP Foundation, All Rights Reserved.
 * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
 */

#include "portable.h"

#include <stdio.h>

#include <ac/regex.h>
#include <ac/socket.h>
#include <ac/string.h>

#include "slap.h"
#include "sets.h"

static AccessControl * acl_get(
	AccessControl *ac, int *count,
	Backend *be, Operation *op,
	Entry *e,
	AttributeDescription *desc,
	int nmatches, regmatch_t *matches );

static slap_control_t acl_mask(
	AccessControl *ac, slap_mask_t *mask,
	Backend *be, Connection *conn, Operation *op,
	Entry *e,
	AttributeDescription *desc,
	struct berval *val,
	regmatch_t *matches );

#ifdef SLAPD_ACI_ENABLED
static int aci_mask(
	Backend *be,
    Connection *conn,
	Operation *op,
	Entry *e,
	AttributeDescription *desc,
	struct berval *val,
	struct berval *aci,
	regmatch_t *matches,
	slap_access_t *grant,
	slap_access_t *deny );
#endif

static int	regex_matches(
	char *pat, char *str, char *buf, regmatch_t *matches);
static void	string_expand(
	char *newbuf, int bufsiz, char *pattern,
	char *match, regmatch_t *matches);

char **aci_set_gather (void *cookie, char *name, char *attr);
static int aci_match_set ( struct berval *subj, Backend *be,
    Entry *e, Connection *conn, Operation *op, int setref );

/*
 * access_allowed - check whether op->o_ndn is allowed the requested access
 * to entry e, attribute attr, value val.  if val is null, access to
 * the whole attribute is assumed (all values).
 *
 * This routine loops through all access controls and calls
 * acl_mask() on each applicable access control.
 * The loop exits when a definitive answer is reached or
 * or no more controls remain.
 *
 * returns:
 *		0	access denied
 *		1	access granted
 */

int
access_allowed(
    Backend		*be,
    Connection		*conn,
    Operation		*op,
    Entry		*e,
	AttributeDescription	*desc,
    struct berval	*val,
    slap_access_t	access )
{
	int				count;
	AccessControl	*a;
#ifdef LDAP_DEBUG
	char accessmaskbuf[ACCESSMASK_MAXLEN];
#endif
	slap_mask_t mask;
	slap_control_t control;
	const char *attr;
	regmatch_t matches[MAXREMATCHES];

	assert( e != NULL );
	assert( desc != NULL );
	assert( access > ACL_NONE );

	attr = desc->ad_cname.bv_val;

	assert( attr != NULL );

#ifdef NEW_LOGGING
	LDAP_LOG(( "acl", LDAP_LEVEL_ENTRY,
		"access_allowed: conn %d %s access to \"%s\" \"%s\" requested\n",
		conn ? conn->c_connid : -1, access2str( access ), e->e_dn, attr ));
#else
	Debug( LDAP_DEBUG_ACL,
		"=> access_allowed: %s access to \"%s\" \"%s\" requested\n",
	    access2str( access ), e->e_dn, attr );
#endif

	if ( op == NULL ) {
		/* no-op call */
		return 1;
	}

	if ( be == NULL ) be = &backends[0];
	assert( be != NULL );

	/* grant database root access */
	if ( be != NULL && be_isroot( be, op->o_ndn ) ) {
#ifdef NEW_LOGGING
		LDAP_LOG(( "acl", LDAP_LEVEL_INFO,
		       "access_allowed: conn %d root access granted\n",
		       conn->c_connid));
#else
		Debug( LDAP_DEBUG_ACL,
		    "<= root access granted\n",
			0, 0, 0 );
#endif
		return 1;
	}

	/*
	 * no-user-modification operational attributes are ignored
	 * by ACL_WRITE checking as any found here are not provided
	 * by the user
	 */
	if ( access >= ACL_WRITE && is_at_no_user_mod( desc->ad_type )
		&& desc != slap_schema.si_ad_entry
		&& desc != slap_schema.si_ad_children )
	{
#ifdef NEW_LOGGING
		LDAP_LOG(( "acl", LDAP_LEVEL_DETAIL1,
		       "access_allowed: conn %d NoUserMod Operational attribute: %s access granted\n",
		       conn->c_connid, attr ));
#else
		Debug( LDAP_DEBUG_ACL, "NoUserMod Operational attribute:"
			" %s access granted\n",
			attr, 0, 0 );
#endif
		return 1;
	}

	/* use backend default access if no backend acls */
	if( be != NULL && be->be_acl == NULL ) {
#ifdef NEW_LOGGING
		LDAP_LOG(( "acl", LDAP_LEVEL_DETAIL1,
		       "access_allowed: conn %d backend default %s access %s to \"%s\"\n",
		       conn->c_connid, access2str( access ),
		       be->be_dfltaccess >= access ? "granted" : "denied", op->o_dn ));
#else
		Debug( LDAP_DEBUG_ACL,
			"=> access_allowed: backend default %s access %s to \"%s\"\n",
			access2str( access ),
			be->be_dfltaccess >= access ? "granted" : "denied", op->o_dn );
#endif
		return be->be_dfltaccess >= access;

#ifdef notdef
	/* be is always non-NULL */
	/* use global default access if no global acls */
	} else if ( be == NULL && global_acl == NULL ) {
#ifdef NEW_LOGGING
		LDAP_LOG(( "acl", LDAP_LEVEL_DETAIL1,
		       "access_allowed: conn %d global default %s access %s to \"%s\"\n",
		       conn->c_connid, access2str( access ),
		       global_default_access >= access ? "granted" : "denied", op->o_dn ));
#else
		Debug( LDAP_DEBUG_ACL,
			"=> access_allowed: global default %s access %s to \"%s\"\n",
			access2str( access ),
			global_default_access >= access ? "granted" : "denied", op->o_dn );
#endif
		return global_default_access >= access;
#endif
	}

	ACL_INIT(mask);
	memset(matches, '\0', sizeof(matches));
	
	control = ACL_BREAK;
	a = NULL;
	count = 0;

	while((a = acl_get( a, &count, be, op, e, desc, MAXREMATCHES, matches )) != NULL)
	{
		int i;

		for (i = 0; i < MAXREMATCHES && matches[i].rm_so > 0; i++) {
#ifdef NEW_LOGGING
			LDAP_LOG(( "acl", LDAP_LEVEL_DETAIL1,
			       "access_allowed: conn %d match[%d]:  %d %d ",
			       conn->c_connid, i, (int)matches[i].rm_so, (int)matches[i].rm_eo ));
#else
			Debug( LDAP_DEBUG_ACL, "=> match[%d]: %d %d ", i,
			       (int)matches[i].rm_so, (int)matches[i].rm_eo );
#endif
			if( matches[i].rm_so <= matches[0].rm_eo ) {
				int n;
				for ( n = matches[i].rm_so; n < matches[i].rm_eo; n++) {
					Debug( LDAP_DEBUG_ACL, "%c", e->e_ndn[n], 0, 0 );
				}
			}
#ifdef NEW_LOGGING
			LDAP_LOG(( "acl", LDAP_LEVEL_ARGS, "\n" ));
#else
			Debug( LDAP_DEBUG_ARGS, "\n", 0, 0, 0 );
#endif
		}

		control = acl_mask( a, &mask, be, conn, op,
			e, desc, val, matches );

		if ( control != ACL_BREAK ) {
			break;
		}

		memset(matches, '\0', sizeof(matches));
	}

	if ( ACL_IS_INVALID( mask ) ) {
#ifdef NEW_LOGGING
		LDAP_LOG(( "acl", LDAP_LEVEL_DETAIL1,
		       "access_allowed: conn %d	 \"%s\" (%s) invalid!\n",
		       conn->c_connid, e->e_dn, attr ));
#else
		Debug( LDAP_DEBUG_ACL,
			"=> access_allowed: \"%s\" (%s) invalid!\n",
			e->e_dn, attr, 0 );
#endif
		ACL_INIT( mask );

	} else if ( control == ACL_BREAK ) {
#ifdef NEW_LOGGING
		LDAP_LOG(( "acl", LDAP_LEVEL_DETAIL1,
		       "access_allowed: conn %d	 no more rules\n", conn->c_connid ));
#else
		Debug( LDAP_DEBUG_ACL,
			"=> access_allowed: no more rules\n", 0, 0, 0);
#endif
		ACL_INIT( mask );
	}

#ifdef NEW_LOGGING
	LDAP_LOG(( "acl", LDAP_LEVEL_ENTRY,
		   "access_allowed: conn %d  %s access %s by %s\n",
		   conn->c_connid,
		   access2str( access ),
		   ACL_GRANT( mask, access ) ? "granted" : "denied",
		   accessmask2str( mask, accessmaskbuf ) ));
#else
	Debug( LDAP_DEBUG_ACL,
		"=> access_allowed: %s access %s by %s\n",
		access2str( access ),
		ACL_GRANT(mask, access) ? "granted" : "denied",
		accessmask2str( mask, accessmaskbuf ) );
#endif
	return ACL_GRANT(mask, access);
}

/*
 * acl_get - return the acl applicable to entry e, attribute
 * attr.  the acl returned is suitable for use in subsequent calls to
 * acl_access_allowed().
 */

static AccessControl *
acl_get(
	AccessControl *a,
	int			*count,
    Backend		*be,
    Operation	*op,
    Entry		*e,
	AttributeDescription *desc,
    int			nmatch,
    regmatch_t	*matches )
{
	const char *attr;
	int dnlen, patlen;

	assert( e != NULL );
	assert( count != NULL );
	assert( desc != NULL );

	attr = desc->ad_cname.bv_val;

	assert( attr != NULL );

	if( a == NULL ) {
		if( be == NULL ) {
			a = global_acl;
		} else {
			a = be->be_acl;
		}

		assert( a != NULL );

	} else {
		a = a->acl_next;
	}

	dnlen = strlen(e->e_ndn);

	for ( ; a != NULL; a = a->acl_next ) {
		(*count) ++;

		if (a->acl_dn_pat != NULL) {
			if ( a->acl_dn_style == ACL_STYLE_REGEX ) {
#ifdef NEW_LOGGING
				LDAP_LOG(( "acl", LDAP_LEVEL_DETAIL1,
					   "acl_get: dnpat [%d] %s nsub: %d\n",
					   *count, a->acl_dn_pat, (int) a->acl_dn_re.re_nsub ));
#else
				Debug( LDAP_DEBUG_ACL, "=> dnpat: [%d] %s nsub: %d\n", 
					*count, a->acl_dn_pat, (int) a->acl_dn_re.re_nsub );
#endif
				if (regexec(&a->acl_dn_re, e->e_ndn, nmatch, matches, 0))
					continue;

			} else {
#ifdef NEW_LOGGING
				LDAP_LOG(( "acl", LDAP_LEVEL_DETAIL1,
					   "acl_get: dn [%d] %s\n",
					   *count, a->acl_dn_pat ));
#else
				Debug( LDAP_DEBUG_ACL, "=> dn: [%d] %s\n", 
					*count, a->acl_dn_pat, 0 );
#endif
				patlen = strlen( a->acl_dn_pat );
				if ( dnlen < patlen )
					continue;

				if ( a->acl_dn_style == ACL_STYLE_BASE ) {
					/* base dn -- entire object DN must match */
					if ( dnlen != patlen )
						continue;

				} else if ( a->acl_dn_style == ACL_STYLE_ONE ) {
					int rdnlen = -1;

					if ( dnlen <= patlen )
						continue;

					if ( !DN_SEPARATOR( e->e_ndn[dnlen - patlen - 1] ) || DN_ESCAPE( e->e_ndn[dnlen - patlen - 2] ) )
						continue;

					rdnlen = dn_rdnlen( NULL, e->e_ndn );
					if ( rdnlen != dnlen - patlen - 1 )
						continue;

				} else if ( a->acl_dn_style == ACL_STYLE_SUBTREE ) {
					if ( dnlen > patlen && ( !DN_SEPARATOR( e->e_ndn[dnlen - patlen - 1] ) || DN_ESCAPE( e->e_ndn[dnlen - patlen - 2] ) ) )
						continue;

				} else if ( a->acl_dn_style == ACL_STYLE_CHILDREN ) {
					if ( dnlen <= patlen )
						continue;
					if ( !DN_SEPARATOR( e->e_ndn[dnlen - patlen - 1] ) || DN_ESCAPE( e->e_ndn[dnlen - patlen - 2] ) )
						continue;
				}

				if ( strcmp( a->acl_dn_pat, e->e_ndn + dnlen - patlen ) != 0 )
					continue;
			}

#ifdef NEW_LOGGING
			LDAP_LOG(( "acl", LDAP_LEVEL_DETAIL1,
				   "acl_get: [%d] matched\n",
				   *count ));
#else
			Debug( LDAP_DEBUG_ACL, "=> acl_get: [%d] matched\n",
				*count, 0, 0 );
#endif
		}

		if ( a->acl_filter != NULL ) {
			ber_int_t rc = test_filter( NULL, NULL, NULL, e, a->acl_filter );
			if ( rc != LDAP_COMPARE_TRUE ) {
				continue;
			}
		}

#ifdef NEW_LOGGING
		LDAP_LOG(( "acl", LDAP_LEVEL_DETAIL1,
			   "acl_get: [%d] check attr %s\n",
			   *count, attr ));
#else
		Debug( LDAP_DEBUG_ACL, "=> acl_get: [%d] check attr %s\n",
		       *count, attr, 0);
#endif
		if ( attr == NULL || a->acl_attrs == NULL ||
			ad_inlist( desc, a->acl_attrs ) )
		{
#ifdef NEW_LOGGING
			LDAP_LOG(( "acl", LDAP_LEVEL_DETAIL1,
				   "acl_get:  [%d] acl %s attr: %s\n",
				   *count, e->e_dn, attr ));
#else
			Debug( LDAP_DEBUG_ACL,
				"<= acl_get: [%d] acl %s attr: %s\n",
				*count, e->e_dn, attr );
#endif
			return a;
		}
		matches[0].rm_so = matches[0].rm_eo = -1;
	}

#ifdef NEW_LOGGING
	LDAP_LOG(( "acl", LDAP_LEVEL_ENTRY,
		   "acl_get: done.\n" ));
#else
	Debug( LDAP_DEBUG_ACL, "<= acl_get: done.\n", 0, 0, 0 );
#endif
	return( NULL );
}


/*
 * acl_mask - modifies mask based upon the given acl and the
 * requested access to entry e, attribute attr, value val.  if val
 * is null, access to the whole attribute is assumed (all values).
 *
 * returns	0	access NOT allowed
 *		1	access allowed
 */

static slap_control_t
acl_mask(
    AccessControl	*a,
	slap_mask_t *mask,
    Backend		*be,
    Connection	*conn,
    Operation	*op,
    Entry		*e,
	AttributeDescription *desc,
    struct berval	*val,
	regmatch_t	*matches
)
{
	int		i, odnlen, patlen;
	Access	*b;
#ifdef LDAP_DEBUG
	char accessmaskbuf[ACCESSMASK_MAXLEN];
#endif
	const char *attr;

	assert( a != NULL );
	assert( mask != NULL );
	assert( desc != NULL );

	attr = desc->ad_cname.bv_val;

	assert( attr != NULL );

#ifdef NEW_LOGGING
	LDAP_LOG(( "acl", LDAP_LEVEL_ENTRY,
		   "acl_mask: conn %d  access to entry \"%s\", attr \"%s\" requested\n",
		   conn->c_connid, e->e_dn, attr ));

	LDAP_LOG(( "acl", LDAP_LEVEL_ARGS,
		   " to %s by \"%s\", (%s) \n",
		   val ? "value" : "all values",
		   op->o_ndn ? op->o_ndn : "",
		   accessmask2str( *mask, accessmaskbuf ) ));
#else
	Debug( LDAP_DEBUG_ACL,
		"=> acl_mask: access to entry \"%s\", attr \"%s\" requested\n",
		e->e_dn, attr, 0 );

	Debug( LDAP_DEBUG_ACL,
		"=> acl_mask: to %s by \"%s\", (%s) \n",
		val ? "value" : "all values",
		op->o_ndn ?  op->o_ndn : "",
		accessmask2str( *mask, accessmaskbuf ) );
#endif

	for ( i = 1, b = a->acl_access; b != NULL; b = b->a_next, i++ ) {
		slap_mask_t oldmask, modmask;

		ACL_INVALIDATE( modmask );

		/* AND <who> clauses */
		if ( b->a_dn_pat != NULL ) {
#ifdef NEW_LOGGING
			LDAP_LOG(( "acl", LDAP_LEVEL_DETAIL1,
				   "acl_mask: conn %d  check a_dn_pat: %s\n",
				   conn->c_connid, b->a_dn_pat ));
#else
			Debug( LDAP_DEBUG_ACL, "<= check a_dn_pat: %s\n",
				b->a_dn_pat, 0, 0);
#endif
			/*
			 * if access applies to the entry itself, and the
			 * user is bound as somebody in the same namespace as
			 * the entry, OR the given dn matches the dn pattern
			 */
			if ( strcmp( b->a_dn_pat, "anonymous" ) == 0 ) {
				if (op->o_ndn != NULL && op->o_ndn[0] != '\0' ) {
					continue;
				}

			} else if ( strcmp( b->a_dn_pat, "users" ) == 0 ) {
				if (op->o_ndn == NULL || op->o_ndn[0] == '\0' ) {
					continue;
				}

			} else if ( strcmp( b->a_dn_pat, "self" ) == 0 ) {
				if( op->o_ndn == NULL || op->o_ndn[0] == '\0' ) {
					continue;
				}
				
				if ( e->e_dn == NULL || strcmp( e->e_ndn, op->o_ndn ) != 0 ) {
					continue;
				}

			} else if ( b->a_dn_style == ACL_STYLE_REGEX ) {
				if ( strcmp( b->a_dn_pat, "*" ) != 0 ) {
					int ret = regex_matches( b->a_dn_pat,
						op->o_ndn, e->e_ndn, matches );

					if( ret == 0 ) {
						continue;
					}
				}

			} else {
				if ( e->e_dn == NULL )
					continue;

				patlen = strlen( b->a_dn_pat );
				odnlen = strlen( op->o_ndn );
				if ( odnlen < patlen )
					continue;

				if ( b->a_dn_style == ACL_STYLE_BASE ) {
					/* base dn -- entire object DN must match */
					if ( odnlen != patlen )
						continue;

				} else if ( b->a_dn_style == ACL_STYLE_ONE ) {
					int rdnlen = -1;

					if ( odnlen <= patlen )
						continue;

					if ( !DN_SEPARATOR( op->o_ndn[odnlen - patlen - 1] ) || DN_ESCAPE( op->o_ndn[odnlen - patlen - 2] ) )
						continue;

					rdnlen = dn_rdnlen( NULL, op->o_ndn );
					if ( rdnlen != odnlen - patlen - 1 )
						continue;

				} else if ( b->a_dn_style == ACL_STYLE_SUBTREE ) {
					if ( odnlen > patlen && ( !DN_SEPARATOR( op->o_ndn[odnlen - patlen - 1] ) || DN_ESCAPE( op->o_ndn[odnlen - patlen - 2] ) ) )
						continue;

				} else if ( b->a_dn_style == ACL_STYLE_CHILDREN ) {
					if ( odnlen <= patlen )
						continue;
					if ( !DN_SEPARATOR( op->o_ndn[odnlen - patlen - 1] ) || DN_ESCAPE( op->o_ndn[odnlen - patlen - 2] ) )
						continue;
				}

				if ( strcmp( b->a_dn_pat, op->o_ndn + odnlen - patlen ) != 0 )
					continue;

			}
		}

		if ( b->a_sockurl_pat != NULL ) {
#ifdef NEW_LOGGING
			LDAP_LOG(( "acl", LDAP_LEVEL_DETAIL1,
				   "acl_mask: conn %d  check a_sockurl_pat: %s\n",
				   conn->c_connid, b->a_sockurl_pat ));
#else
			Debug( LDAP_DEBUG_ACL, "<= check a_sockurl_pat: %s\n",
				b->a_sockurl_pat, 0, 0 );
#endif

			if ( strcmp( b->a_sockurl_pat, "*" ) != 0) {
				if ( b->a_sockurl_style == ACL_STYLE_REGEX) {
					if (!regex_matches( b->a_sockurl_pat, conn->c_listener_url,
							e->e_ndn, matches ) ) 
					{
						continue;
					}
				} else {
					if ( strcasecmp( b->a_sockurl_pat, conn->c_listener_url ) == 0 )
						continue;
				}
			}
		}

		if ( b->a_domain_pat != NULL ) {
#ifdef NEW_LOGGING
			LDAP_LOG(( "acl", LDAP_LEVEL_DETAIL1,
				   "acl_mask: conn %d  check a_domain_pat: %s\n",
				   conn->c_connid, b->a_domain_pat ));
#else
			Debug( LDAP_DEBUG_ACL, "<= check a_domain_pat: %s\n",
				b->a_domain_pat, 0, 0 );
#endif
			if ( strcmp( b->a_domain_pat, "*" ) != 0) {
				if ( b->a_domain_style == ACL_STYLE_REGEX) {
					if (!regex_matches( b->a_domain_pat, conn->c_peer_domain,
							e->e_ndn, matches ) ) 
					{
						continue;
					}
				} else {
					if ( strcasecmp( b->a_domain_pat, conn->c_peer_domain ) == 0 )
						continue;
				}
			}
		}

		if ( b->a_peername_pat != NULL ) {
#ifdef NEW_LOGGING
			LDAP_LOG(( "acl", LDAP_LEVEL_DETAIL1,
				   "acl_mask: conn %d  check a_perrname_path: %s\n",
				   conn->c_connid, b->a_peername_pat ));
#else
			Debug( LDAP_DEBUG_ACL, "<= check a_peername_path: %s\n",
				b->a_peername_pat, 0, 0 );
#endif
			if ( strcmp( b->a_peername_pat, "*" ) != 0) {
				if ( b->a_peername_style == ACL_STYLE_REGEX) {
					if (!regex_matches( b->a_peername_pat, conn->c_peer_name,
							e->e_ndn, matches ) ) 
					{
						continue;
					}
				} else {
					if ( strcasecmp( b->a_peername_pat, conn->c_peer_name ) == 0 )
						continue;
				}
			}
		}

		if ( b->a_sockname_pat != NULL ) {
#ifdef NEW_LOGGING
			LDAP_LOG(( "acl", LDAP_LEVEL_DETAIL1,
				   "acl_mask: conn %d  check a_sockname_path: %s\n",
				   conn->c_connid, b->a_sockname_pat ));
#else
			Debug( LDAP_DEBUG_ACL, "<= check a_sockname_path: %s\n",
				b->a_sockname_pat, 0, 0 );
#endif
			if ( strcmp( b->a_sockname_pat, "*" ) != 0) {
				if ( b->a_sockname_style == ACL_STYLE_REGEX) {
					if (!regex_matches( b->a_sockname_pat, conn->c_sock_name,
							e->e_ndn, matches ) ) 
					{
						continue;
					}
				} else {
					if ( strcasecmp( b->a_sockname_pat, conn->c_sock_name ) == 0 )
						continue;
				}
			}
		}

		if ( b->a_dn_at != NULL && op->o_ndn != NULL ) {
			Attribute	*at;
			struct berval	bv;
			int rc, match = 0;
			const char *text;
			const char *attr = b->a_dn_at->ad_cname.bv_val;

			assert( attr != NULL );

#ifdef NEW_LOGGING
			LDAP_LOG(( "acl", LDAP_LEVEL_DETAIL1,
				   "acl_mask: conn %d  check a_dn_pat: %s\n",
				   conn->c_connid, attr ));
#else
			Debug( LDAP_DEBUG_ACL, "<= check a_dn_at: %s\n",
				attr, 0, 0);
#endif
			bv.bv_val = op->o_ndn;
			bv.bv_len = strlen( bv.bv_val );

			/* see if asker is listed in dnattr */
			for( at = attrs_find( e->e_attrs, b->a_dn_at );
				at != NULL;
				at = attrs_find( at->a_next, b->a_dn_at ) )
			{
				if( value_find( b->a_dn_at, at->a_vals, &bv ) == 0 ) {
					/* found it */
					match = 1;
					break;
				}
			}

			if( match ) {
				/* have a dnattr match. if this is a self clause then
				 * the target must also match the op dn.
				 */
				if ( b->a_dn_self ) {
					/* check if the target is an attribute. */
					if ( val == NULL )
						continue;
					/* target is attribute, check if the attribute value
					 * is the op dn.
					 */
					rc = value_match( &match, b->a_dn_at,
						b->a_dn_at->ad_type->sat_equality, 0,
						val, &bv, &text );
					/* on match error or no match, fail the ACL clause */
					if (rc != LDAP_SUCCESS || match != 0 )
						continue;
				}
			} else {
				/* no dnattr match, check if this is a self clause */
				if ( ! b->a_dn_self )
					continue;
				/* this is a self clause, check if the target is an
				 * attribute.
				 */
				if ( val == NULL )
					continue;
				/* target is attribute, check if the attribute value
				 * is the op dn.
				 */
				rc = value_match( &match, b->a_dn_at,
					b->a_dn_at->ad_type->sat_equality, 0,
					val, &bv, &text );

				/* on match error or no match, fail the ACL clause */
				if (rc != LDAP_SUCCESS || match != 0 )
					continue;
			}
		}

		if ( b->a_group_pat != NULL && op->o_ndn != NULL ) {
			char buf[1024];

			/* b->a_group is an unexpanded entry name, expanded it should be an 
			 * entry with objectclass group* and we test to see if odn is one of
			 * the values in the attribute group
			 */
			/* see if asker is listed in dnattr */
			if ( b->a_group_style == ACL_STYLE_REGEX ) {
				string_expand(buf, sizeof(buf), b->a_group_pat, e->e_ndn, matches);
				if ( dn_normalize(buf) == NULL ) {
					/* did not expand to a valid dn */
					continue;
				}
			} else {
				strncpy( buf, b->a_group_pat, sizeof(buf) - 1 );
				buf[sizeof(buf) - 1] = 0;
			}

			if (backend_group(be, conn, op, e, buf, op->o_ndn,
				b->a_group_oc, b->a_group_at) != 0)
			{
				continue;
			}
		}

		if ( b->a_set_pat != NULL ) {
			struct berval bv;

			bv.bv_val = b->a_set_pat;
			bv.bv_len = strlen(b->a_set_pat);
			if (aci_match_set( &bv, be, e, conn, op, 0 ) == 0) {
				continue;
			}
		}

		if ( b->a_authz.sai_ssf ) {
#ifdef NEW_LOGGING
			LDAP_LOG(( "acl", LDAP_LEVEL_DETAIL1,
				   "acl_mask: conn %d  check a_authz.sai_ssf: ACL %u > OP %u\n",
				   conn->c_connid, b->a_authz.sai_ssf, op->o_ssf ));
#else
			Debug( LDAP_DEBUG_ACL, "<= check a_authz.sai_ssf: ACL %u > OP %u\n",
				b->a_authz.sai_ssf, op->o_ssf, 0 );
#endif
			if ( b->a_authz.sai_ssf >  op->o_ssf ) {
				continue;
			}
		}

		if ( b->a_authz.sai_transport_ssf ) {
#ifdef NEW_LOGGING
			LDAP_LOG(( "acl", LDAP_LEVEL_DETAIL1,
				   "acl_mask: conn %d  check a_authz.sai_transport_ssf: ACL %u > OP %u\n",
				   conn->c_connid, b->a_authz.sai_transport_ssf, op->o_transport_ssf ));
#else
			Debug( LDAP_DEBUG_ACL,
				"<= check a_authz.sai_transport_ssf: ACL %u > OP %u\n",
				b->a_authz.sai_transport_ssf, op->o_transport_ssf, 0 );
#endif
			if ( b->a_authz.sai_transport_ssf >  op->o_transport_ssf ) {
				continue;
			}
		}

		if ( b->a_authz.sai_tls_ssf ) {
#ifdef NEW_LOGGING
			LDAP_LOG(( "acl", LDAP_LEVEL_DETAIL1,
				   "acl_mask: conn %d  check a_authz.sai_tls_ssf: ACL %u > OP %u\n",
				   conn->c_connid, b->a_authz.sai_tls_ssf, op->o_tls_ssf ));
#else
			Debug( LDAP_DEBUG_ACL,
				"<= check a_authz.sai_tls_ssf: ACL %u > OP %u\n",
				b->a_authz.sai_tls_ssf, op->o_tls_ssf, 0 );
#endif
			if ( b->a_authz.sai_tls_ssf >  op->o_tls_ssf ) {
				continue;
			}
		}

		if ( b->a_authz.sai_sasl_ssf ) {
#ifdef NEW_LOGGING
			LDAP_LOG(( "acl", LDAP_LEVEL_DETAIL1,
				   "acl_mask: conn %d check a_authz.sai_sasl_ssf: ACL %u > OP %u\n",
				   conn->c_connid, b->a_authz.sai_sasl_ssf, op->o_sasl_ssf ));
#else
			Debug( LDAP_DEBUG_ACL,
				"<= check a_authz.sai_sasl_ssf: ACL %u > OP %u\n",
				b->a_authz.sai_sasl_ssf, op->o_sasl_ssf, 0 );
#endif
			if ( b->a_authz.sai_sasl_ssf >	op->o_sasl_ssf ) {
				continue;
			}
		}

#ifdef SLAPD_ACI_ENABLED
		if ( b->a_aci_at != NULL ) {
			Attribute	*at;
			slap_access_t grant, deny, tgrant, tdeny;

			/* this case works different from the others above.
			 * since aci's themselves give permissions, we need
			 * to first check b->a_access_mask, the ACL's access level.
			 */

			if( op->o_ndn == NULL || op->o_ndn[0] == '\0' ) {
				continue;
			}

			if ( e->e_dn == NULL ) {
				continue;
			}

			/* first check if the right being requested
			 * is allowed by the ACL clause.
			 */
			if ( ! ACL_GRANT( b->a_access_mask, *mask ) ) {
				continue;
			}

			/* get the aci attribute */
			at = attr_find( e->e_attrs, b->a_aci_at );
			if ( at == NULL ) {
				continue;
			}

			/* start out with nothing granted, nothing denied */
			ACL_INIT(tgrant);
			ACL_INIT(tdeny);

			/* the aci is an multi-valued attribute.  The
			 * rights are determined by OR'ing the individual
			 * rights given by the acis.
			 */
			for ( i = 0; at->a_vals[i] != NULL; i++ ) {
				if (aci_mask( be, conn, op,
					e, desc, val, at->a_vals[i],
					matches, &grant, &deny ) != 0)
				{
					tgrant |= grant;
					tdeny |= deny;
				}
			}

			/* remove anything that the ACL clause does not allow */
			tgrant &= b->a_access_mask & ACL_PRIV_MASK;
			tdeny &= ACL_PRIV_MASK;

			/* see if we have anything to contribute */
			if( ACL_IS_INVALID(tgrant) && ACL_IS_INVALID(tdeny) ) {