Commit 0dbaf877 authored by Kurt Zeilenga's avatar Kurt Zeilenga

Another round of changes behind -DSLAPD_SCHEMA_NOT_COMPAT

plus these unhidden changes:
	remove now meaningless --enable-discreteaci configure option
	fix ITS#451, slapd filters
	Add ber_bvecadd() to support above
	constify ldap_pvt_find_wildcard() and misc slapd routines
	renamed some slap.h macros
	likely broken something
parent 4e4b8204
......@@ -141,7 +141,6 @@ OL_ARG_ENABLE(phonetic,[ --enable-phonetic enable phonetic/soundex], no)dnl
OL_ARG_ENABLE(quipu,[ --enable-quipu build quipu migration tools], no)dnl
OL_ARG_ENABLE(rlookups,[ --enable-rlookups enable reverse lookups], auto)dnl
OL_ARG_ENABLE(aci,[ --enable-aci enable per-object ACIs], no)dnl
OL_ARG_ENABLE(discreteaci,[ --enable-discreteaci enable discrete rights in ACIs], no)dnl
OL_ARG_ENABLE(wrappers,[ --enable-wrappers enable tcp wrapper support], no)dnl
OL_ARG_ENABLE(dynamic,[ --enable-dynamic enable linking built binaries with dynamic libs], no)dnl
......@@ -242,9 +241,6 @@ if test $ol_enable_slapd = no ; then
if test $ol_enable_aci = yes ; then
AC_MSG_WARN([slapd disabled, ignoring --enable-aci argument])
fi
if test $ol_enable_discreteaci = yes ; then
AC_MSG_WARN([slapd disabled, ignoring --enable-discreteaci argument])
fi
if test $ol_with_ldbm_api != auto ; then
AC_MSG_WARN([slapd disabled, ignoring --with-ldbm-api argument])
fi
......@@ -291,7 +287,6 @@ if test $ol_enable_slapd = no ; then
ol_enable_quipu=no
ol_enable_rlookups=no
ol_enable_aci=no
ol_enable_discreteaci=no
ol_enable_wrappers=no
ol_enable_dynamic=no
......@@ -2206,9 +2201,6 @@ fi
if test "$ol_enable_aci" != no ; then
AC_DEFINE(SLAPD_ACI_ENABLED,1,[define to support per-object ACIs])
fi
if test "$ol_enable_discreteaci" != no ; then
AC_DEFINE(SLAPD_ACI_DISCRETE_RIGHTS,1,[define to support discrete rights in ACIs])
fi
if test "$ol_link_modules" != no ; then
AC_DEFINE(SLAPD_MODULES,1,[define to support modules])
......
......@@ -466,6 +466,11 @@ LIBLBER_F( void )
ber_bvecfree LDAP_P((
struct berval **bv ));
LIBLBER_F( int )
ber_bvecadd LDAP_P((
struct berval ***bvec,
struct berval *bv ));
LIBLBER_F( struct berval * )
ber_bvdup LDAP_P((
LDAP_CONST struct berval *bv ));
......
......@@ -119,7 +119,7 @@ LIBLDAP_F (int) ldap_pvt_sasl_bind LDAP_P(( LDAP *, LDAP_CONST char *, LDAP_CONS
/* search.c */
LIBLDAP_F( char * )
ldap_pvt_find_wildcard LDAP_P(( char *s ));
ldap_pvt_find_wildcard LDAP_P(( const char *s ));
LIBLDAP_F( ber_slen_t )
ldap_pvt_filter_value_unescape LDAP_P(( char *filter ));
......
......@@ -886,9 +886,6 @@
/* define to support per-object ACIs */
#undef SLAPD_ACI_ENABLED
/* define to support discrete rights in ACIs */
#undef SLAPD_ACI_DISCRETE_RIGHTS
/* define to support modules */
#undef SLAPD_MODULES
......
......@@ -270,6 +270,57 @@ ber_bvecfree( struct berval **bv )
LBER_FREE( (char *) bv );
}
int
ber_bvecadd( struct berval ***bvec, struct berval *bv )
{
ber_len_t i;
struct berval **new;
ber_int_options.lbo_valid = LBER_INITIALIZED;
if( bvec == NULL ) {
if( bv == NULL ) {
/* nothing to add */
return 0;
}
*bvec = ber_memalloc( 2 * sizeof(struct berval *) );
if( *bvec == NULL ) {
return -1;
}
(*bvec)[0] = bv;
(*bvec)[1] = NULL;
return 1;
}
BER_MEM_VALID( bvec );
/* count entries */
for ( i = 0; bvec[i] != NULL; i++ ) {
/* EMPTY */;
}
if( bv == NULL ) {
return i;
}
new = ber_memrealloc( *bvec, (i+2) * sizeof(struct berval *));
if( new == NULL ) {
return -1;
}
*bvec = new;
(*bvec)[i++] = bv;
(*bvec)[i] = NULL;
return i;
}
struct berval *
ber_bvdup(
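Review bot: ber_bvecadd() tests and walks the wrong level of indirection: `if( bvec == NULL )` is followed by `*bvec = ber_memalloc(...)`, so the only path that allocates a fresh vector dereferences a null pointer, and the counting loop indexes `bvec[i]` (the caller's `struct berval ***`) instead of the vector it points to, reading past the caller's variable. The three lines should read `if( *bvec == NULL ) {`, `BER_MEM_VALID( *bvec );` and `for ( i = 0; (*bvec)[i] != NULL; i++ ) {`. A header comment should also state the return convention (-1 on allocation failure, otherwise the entry count) and that the vector stores `bv` itself rather than a copy, so callers know who frees it.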
......
......@@ -424,12 +424,12 @@ static int hex2value( int c )
}
char *
ldap_pvt_find_wildcard( char *s )
ldap_pvt_find_wildcard( const char *s )
{
for( ; *s != '\0' ; s++ ) {
switch( *s ) {
case '*': /* found wildcard */
return s;
return (char *) s;
case '\\':
s++; /* skip over escape */
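Review bot: The new `return (char *) s;` casts away the const that the signature now promises, so a caller holding a pointer into read-only storage can write through the result without a compiler warning. That mirrors strchr(), but it deserves a comment on the function, e.g. `/* returns a pointer into s; writable only if the caller's buffer is */`. The function body continues outside the hunk, so whether the `s++` escape skip is guarded against a backslash as the final character cannot be confirmed from the visible lines and is worth checking.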
......
......@@ -18,20 +18,37 @@
static AccessControl * acl_get(
AccessControl *ac, int *count,
Backend *be, Operation *op,
Entry *e, char *attr,
Entry *e,
#ifdef SLAPD_SCHEMA_NOT_COMPAT
AttributeType *type,
#else
const char *attr,
#endif
int nmatches, regmatch_t *matches );
static slap_control_t acl_mask(
AccessControl *ac, slap_access_mask_t *mask,
Backend *be, Connection *conn, Operation *op,
Entry *e, char *attr, struct berval *val,
Entry *e,
#ifdef SLAPD_SCHEMA_NOT_COMPAT
AttributeType *type,
#else
const char *attr,
#endif
struct berval *val,
regmatch_t *matches );
#ifdef SLAPD_ACI_ENABLED
static int aci_mask(
Backend *be,
Operation *op,
Entry *e, char *attr, struct berval *val, struct berval *aci,
Entry *e,
#ifdef SLAPD_SCHEMA_NOT_COMPAT
AttributeType *type,
#else
const char *attr,
#endif
struct berval *val, struct berval *aci,
regmatch_t *matches, slap_access_t *grant, slap_access_t *deny );
char *supportedACIMechs[] = {
......@@ -41,8 +58,10 @@ char *supportedACIMechs[] = {
};
#endif
static int regex_matches(char *pat, char *str, char *buf, regmatch_t *matches);
static void string_expand(char *newbuf, int bufsiz, char *pattern,
static int regex_matches(
char *pat, char *str, char *buf, regmatch_t *matches);
static void string_expand(
char *newbuf, int bufsiz, char *pattern,
char *match, regmatch_t *matches);
......@@ -67,10 +86,13 @@ access_allowed(
Connection *conn,
Operation *op,
Entry *e,
char *attr,
#ifdef SLAPD_SCHEMA_NOT_COMPAT
AttributeType *attr,
#else
const char *attr,
#endif
struct berval *val,
slap_access_t access
)
slap_access_t access )
{
int count;
AccessControl *a;
......@@ -105,7 +127,12 @@ access_allowed(
* by ACL_WRITE checking as any found here are not provided
* by the user
*/
if ( access >= ACL_WRITE && oc_check_op_no_usermod_attr( attr ) ) {
#ifdef SLAPD_SCHEMA_NOT_COMPAT
if ( access >= ACL_WRITE && is_at_no_user_mod( attr ) )
#else
if ( access >= ACL_WRITE && oc_check_op_no_usermod_attr( attr ) )
#endif
{
Debug( LDAP_DEBUG_ACL, "NoUserMod Operational attribute:"
" %s access granted\n",
attr, 0, 0 );
......@@ -202,10 +229,13 @@ acl_get(
Backend *be,
Operation *op,
Entry *e,
char *attr,
#ifdef SLAPD_SCHEMA_NOT_COMPAT
AttributeType *attr,
#else
const char *attr,
#endif
int nmatch,
regmatch_t *matches
)
regmatch_t *matches )
{
assert( e != NULL );
assert( count != NULL );
......@@ -282,7 +312,11 @@ acl_mask(
Connection *conn,
Operation *op,
Entry *e,
char *attr,
#ifdef SLAPD_SCHEMA_NOT_COMPAT
AttributeType *attr,
#else
const char *attr,
#endif
struct berval *val,
regmatch_t *matches
)
......@@ -398,7 +432,6 @@ acl_mask(
}
if ( b->a_dn_at != NULL && op->o_ndn != NULL ) {
char *dn_at;
Attribute *at;
struct berval bv;
......@@ -408,14 +441,8 @@ acl_mask(
bv.bv_val = op->o_ndn;
bv.bv_len = strlen( bv.bv_val );
#ifdef SLAPD_SCHEMA_NOT_COMPAT
dn_at = at_canonical_name( b->a_dn_at );
#else
dn_at = b->a_dn_at;
#endif
/* see if asker is listed in dnattr */
if ( (at = attr_find( e->e_attrs, dn_at )) != NULL
if ( (at = attr_find( e->e_attrs, b->a_dn_at )) != NULL
#ifdef SLAPD_SCHEMA_NOT_COMPAT
/* not yet implemented */
#else
......@@ -714,7 +741,7 @@ acl_check_modlist(
#ifdef SLAPD_ACI_ENABLED
static char *
aci_bvstrdup (struct berval *bv)
aci_bvstrdup( struct berval *bv )
{
char *s;
......@@ -727,7 +754,9 @@ aci_bvstrdup (struct berval *bv)
}
static int
aci_strbvcmp (char *s, struct berval *bv)
aci_strbvcmp(
const char *s,
struct berval *bv )
{
int res, len;
......@@ -743,7 +772,11 @@ aci_strbvcmp (char *s, struct berval *bv)
}
static int
aci_get_part (struct berval *list, int ix, char sep, struct berval *bv)
aci_get_part(
struct berval *list,
int ix,
char sep,
struct berval *bv )
{
int len;
char *p;
......@@ -778,8 +811,8 @@ aci_get_part (struct berval *list, int ix, char sep, struct berval *bv)
}
static int
aci_list_map_rights (
struct berval *list)
aci_list_map_rights(
struct berval *list )
{
struct berval bv;
slap_access_t mask;
......@@ -823,7 +856,10 @@ aci_list_map_rights (
}
static int
aci_list_has_attr (struct berval *list, char *attr, struct berval *val)
aci_list_has_attr(
struct berval *list,
const char *attr,
struct berval *val )
{
struct berval bv, left, right;
int i;
......@@ -869,7 +905,10 @@ aci_list_has_attr (struct berval *list, char *attr, struct berval *val)
}
static slap_access_t
aci_list_get_attr_rights (struct berval *list, char *attr, struct berval *val)
aci_list_get_attr_rights(
struct berval *list,
const char *attr,
struct berval *val )
{
struct berval bv;
slap_access_t mask;
......@@ -888,12 +927,12 @@ aci_list_get_attr_rights (struct berval *list, char *attr, struct berval *val)
}
static int
aci_list_get_rights (
aci_list_get_rights(
struct berval *list,
char *attr,
const char *attr,
struct berval *val,
slap_access_t *grant,
slap_access_t *deny)
slap_access_t *deny )
{
struct berval perm, actn;
slap_access_t *mask;
......@@ -974,11 +1013,11 @@ aci_group_member (
}
static int
aci_mask (
aci_mask(
Backend *be,
Operation *op,
Entry *e,
char *attr,
const char *attr,
struct berval *val,
struct berval *aci,
regmatch_t *matches,
......@@ -1063,8 +1102,12 @@ aci_mask (
bv.bv_val = op->o_ndn;
bv.bv_len = strlen( bv.bv_val );
#ifdef SLAPD_SCHEMA_NOT_COMPAT
/* not yet implemented */
#else
if (value_find( at->a_vals, &bv, at->a_syntax, 3 ) == 0 )
return(1);
#endif
}
} else if (aci_strbvcmp( "group", &bv ) == 0) {
......@@ -1080,7 +1123,8 @@ aci_mask (
}
char *
get_supported_acimech (int index)
get_supported_acimech(
int index )
{
if (index < 0 || index >= (sizeof(supportedACIMechs) / sizeof(char *)))
return(NULL);
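Review bot: In access_allowed(), the SLAPD_SCHEMA_NOT_COMPAT build changes `attr` to `AttributeType *`, but the unchanged `Debug( ... " %s access granted\n", attr, 0, 0 )` call under the NoUserMod check still passes it to `%s`, which is undefined behaviour in the access-control path whenever that message is formatted. Pass a string there, for example the type's canonical name (the lines removed from acl_mask used `at_canonical_name()`, if that helper remains), and check the other Debug calls in acl_get and acl_mask, whose bodies lie outside these hunks. Separately, the aci_mask prototype declares `AttributeType *type` under the same macro while its definition keeps `const char *attr` unconditionally, so the two declarations conflict when SLAPD_ACI_ENABLED and SLAPD_SCHEMA_NOT_COMPAT are both defined.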
......
/* acl.c - routines to parse and check acl's */
/* aclparse.c - routines to parse and check acl's */
/* $OpenLDAP$ */
/*
* Copyright 1998-1999 The OpenLDAP Foundation, All Rights Reserved.
......@@ -95,6 +95,12 @@ parse_acl(
char *left, *right;
AccessControl *a;
Access *b;
#ifdef SLAPD_SCHEMA_NOT_COMPAT
int rc;
char *text;
static AttributeDescription *member = NULL;
static AttributeDescription *aci = NULL;
#endif
a = NULL;
for ( i = 1; i < argc; i++ ) {
......@@ -321,17 +327,17 @@ parse_acl(
}
#ifdef SLAPD_SCHEMA_NOT_COMPAT
b->a_dn_at = at_find( right );
rc = slap_str2ad( right, &b->a_dn_at, &text );
if( b->a_dn_at == NULL ) {
if( rc != LDAP_SUCCESS ) {
fprintf( stderr,
"%s: line %d: dnattr attribute type undefined.\n",
fname, lineno );
"%s: line %d: dnattr \"%s\": %s\n",
fname, lineno, right, text );
acl_usage();
}
#ifdef SLAPD_OID_DN_SYNTAX
if( strcmp( b->a_dn_at->sat_syntax_oid,
if( strcmp( b->a_dn_at->ad_type->sat_syntax_oid,
SLAPD_OID_DN_SYNTAX ) != 0 )
{
fprintf( stderr,
......@@ -379,7 +385,14 @@ parse_acl(
if (name && *name) {
#ifdef SLAPD_SCHEMA_NOT_COMPAT
b->a_group_at = at_find( name );
rc = slap_str2ad( right, &b->a_group_at, &text );
if( rc != LDAP_SUCCESS ) {
fprintf( stderr,
"%s: line %d: group \"%s\": %s\n",
fname, lineno, right, text );
acl_usage();
}
#else
b->a_group_at = ch_strdup(name);
#endif
......@@ -387,7 +400,7 @@ parse_acl(
} else {
#ifdef SLAPD_SCHEMA_NOT_COMPAT
b->a_group_at = at_find("member");
b->a_group_at = member;
#else
b->a_group_at = ch_strdup("member");
#endif
......@@ -402,7 +415,7 @@ parse_acl(
}
#ifdef SLAPD_OID_DN_SYNTAX
if( strcmp( b->a_group_at->sat_syntax_oid,
if( strcmp( b->a_group_at->ad_type->sat_syntax_oid,
SLAPD_OID_DN_SYNTAX ) != 0 )
{
fprintf( stderr,
......@@ -478,9 +491,16 @@ parse_acl(
#ifdef SLAPD_SCHEMA_NOT_COMPAT
if ( right != NULL && *right != '\0' ) {
b->a_aci_at = at_find( right );
rc = slap_str2ad( right, &b->a_aci_at, &text );
if( rc != LDAP_SUCCESS ) {
fprintf( stderr,
"%s: line %d: aci \"%s\": %s\n",
fname, lineno, right, text );
acl_usage();
}
} else {
b->a_aci_at = at_find( SLAPD_ACI_DEFAULT_ATTR );
b->a_aci_at = aci;
}
if( b->a_aci_at == NULL ) {
......@@ -490,7 +510,7 @@ parse_acl(
acl_usage();
}
if( strcmp( b->a_aci_at->sat_syntax_oid,
if( strcmp( b->a_aci_at->ad_type->sat_syntax_oid,
SLAPD_OID_ACI_SYNTAX ) != 0 )
{
fprintf( stderr,
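Review bot: The group clause now resolves the wrong string: inside `if (name && *name)` the replaced line was `at_find( name )`, but the new call is `slap_str2ad( right, &b->a_group_at, &text )` and its error message also prints `right`, while the non-schema branch still uses `ch_strdup(name)`. It should read `rc = slap_str2ad( name, &b->a_group_at, &text );` with `name` in the fprintf as well, otherwise the membership attribute an ACL names is either rejected or looked up from the wrong text. In addition, the new statics `member` and `aci` are declared NULL and no visible hunk assigns them, so the defaults `b->a_group_at = member;` and `b->a_aci_at = aci;` appear to store NULL, and `b->a_group_at->ad_type->sat_syntax_oid` would then dereference it unless lines outside the hunks intervene. parse_acl's body extends beyond the hunks shown.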
......
......@@ -20,6 +20,35 @@
#ifdef SLAPD_SCHEMA_NOT_COMPAT
static int ad_keystring(
struct berval *bv )
{
ber_len_t i;
if( !AD_CHAR( bv->bv_val[0] ) ) {
return 1;
}
for( i=1; i<bv->bv_len; i++ ) {
if( !AD_CHAR( bv->bv_val[i] ) ) {
return 1;
}
}
return 0;
}
int slap_str2ad(
const char *str,
AttributeDescription **ad,
char **text )
{
struct berval bv;
bv.bv_val = (char *) str;
bv.bv_len = strlen( str );
return slap_bv2ad( &bv, ad, text );
}
int slap_bv2ad(
struct berval *bv,
AttributeDescription **ad,
......@@ -39,8 +68,8 @@ int slap_bv2ad(
}
/* make sure description is IA5 */
if( IA5StringValidate( NULL, bv ) != 0 ) {
*text = "attribute description contains non-IA5 characters";
if( ad_keystring( bv ) ) {
*text = "attribute description contains inappropriate characters";
return LDAP_UNDEFINED_TYPE;
}
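Review bot: ad_keystring() reads `bv->bv_val[0]` before looking at `bv->bv_len`, and it returns 1 for a rejected value and 0 for an accepted one, which is the opposite of what its name suggests and is not documented. Unless slap_bv2ad() has already rejected empty values in the lines outside the hunk, the first test should be `if( bv->bv_len == 0 || !AD_CHAR( bv->bv_val[0] ) ) {`, and a one-line comment such as `/* returns 0 if bv is a valid keystring, non-zero otherwise */` would make the `if( ad_keystring( bv ) )` call site readable. slap_str2ad() also calls `strlen( str )` without a null check, so it relies on every caller passing a non-null string.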
......
......@@ -65,7 +65,7 @@ attr_syntax( const char *type )
*/
void
attr_syntax_config(
at_config(
const char *fname,
int lineno,
int argc,
......@@ -166,7 +166,7 @@ at_fake_if_needed(
argv[0] = (char*) name;
argv[1] = "cis";
argv[2] = NULL;
attr_syntax_config( "implicit", 0, 2, argv );
at_config( "implicit", 0, 2, argv );
return 0;
}
}
......
......@@ -30,7 +30,6 @@ void
attr_free( Attribute *a )
{
#ifdef SLAPD_SCHEMA_NOT_COMPAT
/* not yet implemented */
ad_free( &a->a_desc, 0 );
#else
free( a->a_type );
......@@ -80,7 +79,6 @@ Attribute *attr_dup( Attribute *a )
}
#ifdef SLAPD_SCHEMA_NOT_COMPAT
/* not yet implemented */
tmp->a_desc = a->a_desc;
tmp->a_desc.ad_cname = ber_bvdup( a->a_desc.ad_cname );
tmp->a_desc.ad_lang = ch_strdup( a->a_desc.ad_lang );
......@@ -183,8 +181,7 @@ int
attr_merge(
Entry *e,
const char *type,
struct berval **vals
)
struct berval **vals )
{
Attribute **a;
......
......@@ -30,6 +30,13 @@ ldbm_back_add(
int rootlock = 0;
int rc;
#ifdef SLAPD_SCHEMA_NOT_COMPAT
static AttributeDescription *children = NULL;
#else
static const char *children = "children";
#endif
Debug(LDAP_DEBUG_ARGS, "==> ldbm_back_add: %s\n", e->e_dn, 0, 0);
/* nobody else can add until we lock our parent */
......@@ -109,7 +116,7 @@ ldbm_back_add(
free(pdn);
if ( ! access_allowed( be, conn, op, p,
"children", NULL, ACL_WRITE ) )
children, NULL, ACL_WRITE ) )
{
/* free parent and writer lock */
cache_return_entry_w( &li->li_cache, p );
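Review bot: Under SLAPD_SCHEMA_NOT_COMPAT the parent write check becomes `access_allowed( be, conn, op, p, children, NULL, ACL_WRITE )` with `static AttributeDescription *children = NULL;`, and nothing in the visible hunks assigns it, so the authorization decision for adding an entry is made against a null attribute. access_allowed() in this same commit declares that parameter as `AttributeType *` and hands it to `is_at_no_user_mod( attr )`, so both the type and the null value look wrong here. Until the description for "children" is resolved before use, this branch should fail closed, and a comment such as `/* TODO: resolve "children" before the ACL check; must not stay NULL */` should mark it. ldbm_back_add's body continues outside the hunks.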
......
......@@ -215,7 +215,14 @@ static char* get_alias_dn(
int *err,
char **errmsg )
{
Attribute *a = attr_find( e->e_attrs, "aliasedobjectname" );
Attribute *a;
#ifdef SLAPD_SCHEMA_NOT_COMPAT
static AttributeDescription *aliasedObjectName = NULL;
#else
static const char *aliasedObjectName = NULL;
#endif
a = attr_find( e->e_attrs, aliasedObjectName );
if( a == NULL ) {
/*
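Review bot: The non-schema branch regresses: the replaced line looked up `"aliasedobjectname"`, but the new `static const char *aliasedObjectName = NULL;` under `#else` makes `attr_find( e->e_attrs, aliasedObjectName )` search with a null type in the default build. The parallel change in ldbm_back_add keeps `static const char *children = "children";`, so here it should be `static const char *aliasedObjectName = "aliasedobjectname";`. The SLAPD_SCHEMA_NOT_COMPAT static is likewise NULL with no visible assignment. get_alias_dn's body continues outside the hunk.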
......
......@@ -41,6 +41,14 @@ ldbm_back_bind(