Commit 0dbaf877 authored by Kurt Zeilenga's avatar Kurt Zeilenga

Another round of changes behind -DSLAPD_SCHEMA_NOT_COMPAT

plus these unhidden changes:
	remove now meaningless --enable-discreteaci configure option
	fix ITS#451, slapd filters
	Add ber_bvecadd() to support above
	constify ldap_pvt_find_wildcard() and misc slapd routines
	renamed some slap.h macros
	likely broken something
parent 4e4b8204
...@@ -141,7 +141,6 @@ OL_ARG_ENABLE(phonetic,[ --enable-phonetic enable phonetic/soundex], no)dnl ...@@ -141,7 +141,6 @@ OL_ARG_ENABLE(phonetic,[ --enable-phonetic enable phonetic/soundex], no)dnl
OL_ARG_ENABLE(quipu,[ --enable-quipu build quipu migration tools], no)dnl OL_ARG_ENABLE(quipu,[ --enable-quipu build quipu migration tools], no)dnl
OL_ARG_ENABLE(rlookups,[ --enable-rlookups enable reverse lookups], auto)dnl OL_ARG_ENABLE(rlookups,[ --enable-rlookups enable reverse lookups], auto)dnl
OL_ARG_ENABLE(aci,[ --enable-aci enable per-object ACIs], no)dnl OL_ARG_ENABLE(aci,[ --enable-aci enable per-object ACIs], no)dnl
OL_ARG_ENABLE(discreteaci,[ --enable-discreteaci enable discrete rights in ACIs], no)dnl
OL_ARG_ENABLE(wrappers,[ --enable-wrappers enable tcp wrapper support], no)dnl OL_ARG_ENABLE(wrappers,[ --enable-wrappers enable tcp wrapper support], no)dnl
OL_ARG_ENABLE(dynamic,[ --enable-dynamic enable linking built binaries with dynamic libs], no)dnl OL_ARG_ENABLE(dynamic,[ --enable-dynamic enable linking built binaries with dynamic libs], no)dnl
...@@ -242,9 +241,6 @@ if test $ol_enable_slapd = no ; then ...@@ -242,9 +241,6 @@ if test $ol_enable_slapd = no ; then
if test $ol_enable_aci = yes ; then if test $ol_enable_aci = yes ; then
AC_MSG_WARN([slapd disabled, ignoring --enable-aci argument]) AC_MSG_WARN([slapd disabled, ignoring --enable-aci argument])
fi fi
if test $ol_enable_discreteaci = yes ; then
AC_MSG_WARN([slapd disabled, ignoring --enable-discreteaci argument])
fi
if test $ol_with_ldbm_api != auto ; then if test $ol_with_ldbm_api != auto ; then
AC_MSG_WARN([slapd disabled, ignoring --with-ldbm-api argument]) AC_MSG_WARN([slapd disabled, ignoring --with-ldbm-api argument])
fi fi
...@@ -291,7 +287,6 @@ if test $ol_enable_slapd = no ; then ...@@ -291,7 +287,6 @@ if test $ol_enable_slapd = no ; then
ol_enable_quipu=no ol_enable_quipu=no
ol_enable_rlookups=no ol_enable_rlookups=no
ol_enable_aci=no ol_enable_aci=no
ol_enable_discreteaci=no
ol_enable_wrappers=no ol_enable_wrappers=no
ol_enable_dynamic=no ol_enable_dynamic=no
...@@ -2206,9 +2201,6 @@ fi ...@@ -2206,9 +2201,6 @@ fi
if test "$ol_enable_aci" != no ; then if test "$ol_enable_aci" != no ; then
AC_DEFINE(SLAPD_ACI_ENABLED,1,[define to support per-object ACIs]) AC_DEFINE(SLAPD_ACI_ENABLED,1,[define to support per-object ACIs])
fi fi
if test "$ol_enable_discreteaci" != no ; then
AC_DEFINE(SLAPD_ACI_DISCRETE_RIGHTS,1,[define to support discrete rights in ACIs])
fi
if test "$ol_link_modules" != no ; then if test "$ol_link_modules" != no ; then
AC_DEFINE(SLAPD_MODULES,1,[define to support modules]) AC_DEFINE(SLAPD_MODULES,1,[define to support modules])
......
...@@ -466,6 +466,11 @@ LIBLBER_F( void ) ...@@ -466,6 +466,11 @@ LIBLBER_F( void )
ber_bvecfree LDAP_P(( ber_bvecfree LDAP_P((
struct berval **bv )); struct berval **bv ));
LIBLBER_F( int )
ber_bvecadd LDAP_P((
struct berval ***bvec,
struct berval *bv ));
LIBLBER_F( struct berval * ) LIBLBER_F( struct berval * )
ber_bvdup LDAP_P(( ber_bvdup LDAP_P((
LDAP_CONST struct berval *bv )); LDAP_CONST struct berval *bv ));
......
...@@ -119,7 +119,7 @@ LIBLDAP_F (int) ldap_pvt_sasl_bind LDAP_P(( LDAP *, LDAP_CONST char *, LDAP_CONS ...@@ -119,7 +119,7 @@ LIBLDAP_F (int) ldap_pvt_sasl_bind LDAP_P(( LDAP *, LDAP_CONST char *, LDAP_CONS
/* search.c */ /* search.c */
LIBLDAP_F( char * ) LIBLDAP_F( char * )
ldap_pvt_find_wildcard LDAP_P(( char *s )); ldap_pvt_find_wildcard LDAP_P(( const char *s ));
LIBLDAP_F( ber_slen_t ) LIBLDAP_F( ber_slen_t )
ldap_pvt_filter_value_unescape LDAP_P(( char *filter )); ldap_pvt_filter_value_unescape LDAP_P(( char *filter ));
......
...@@ -886,9 +886,6 @@ ...@@ -886,9 +886,6 @@
/* define to support per-object ACIs */ /* define to support per-object ACIs */
#undef SLAPD_ACI_ENABLED #undef SLAPD_ACI_ENABLED
/* define to support discrete rights in ACIs */
#undef SLAPD_ACI_DISCRETE_RIGHTS
/* define to support modules */ /* define to support modules */
#undef SLAPD_MODULES #undef SLAPD_MODULES
......
...@@ -270,6 +270,57 @@ ber_bvecfree( struct berval **bv ) ...@@ -270,6 +270,57 @@ ber_bvecfree( struct berval **bv )
LBER_FREE( (char *) bv ); LBER_FREE( (char *) bv );
} }
int
ber_bvecadd( struct berval ***bvec, struct berval *bv )
{
ber_len_t i;
struct berval **new;
ber_int_options.lbo_valid = LBER_INITIALIZED;
if( bvec == NULL ) {
if( bv == NULL ) {
/* nothing to add */
return 0;
}
*bvec = ber_memalloc( 2 * sizeof(struct berval *) );
if( *bvec == NULL ) {
return -1;
}
(*bvec)[0] = bv;
(*bvec)[1] = NULL;
return 1;
}
BER_MEM_VALID( bvec );
/* count entries */
for ( i = 0; bvec[i] != NULL; i++ ) {
/* EMPTY */;
}
if( bv == NULL ) {
return i;
}
new = ber_memrealloc( *bvec, (i+2) * sizeof(struct berval *));
if( new == NULL ) {
return -1;
}
*bvec = new;
(*bvec)[i++] = bv;
(*bvec)[i] = NULL;
return i;
}
struct berval * struct berval *
ber_bvdup( ber_bvdup(
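Review bot: `ber_bvecadd` tests and indexes the wrong level of indirection. The first branch is entered on `bvec == NULL` and then assigns `*bvec`, which dereferences a null pointer, while a caller that passes the address of a still-NULL vector skips that branch and falls into the counting loop. That loop reads `bvec[i]`, so it walks the memory following the caller's single `struct berval **` variable instead of the vector, and both the returned count and the `(i+2)` realloc size are derived from an out-of-bounds read. The three lines should operate on the vector itself: `if( *bvec == NULL ) {`, `BER_MEM_VALID( *bvec );` and `for ( i = 0; (*bvec)[i] != NULL; i++ ) {`. The function also returns a `ber_len_t` count through `int`, and a header comment stating the return convention (entry count, or -1 on allocation failure) would help callers.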
......
...@@ -424,12 +424,12 @@ static int hex2value( int c ) ...@@ -424,12 +424,12 @@ static int hex2value( int c )
} }
char * char *
ldap_pvt_find_wildcard( char *s ) ldap_pvt_find_wildcard( const char *s )
{ {
for( ; *s != '\0' ; s++ ) { for( ; *s != '\0' ; s++ ) {
switch( *s ) { switch( *s ) {
case '*': /* found wildcard */ case '*': /* found wildcard */
return s; return (char *) s;
case '\\': case '\\':
s++; /* skip over escape */ s++; /* skip over escape */
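Review bot: The new `return (char *) s;` in `ldap_pvt_find_wildcard` casts away the `const` that the signature now promises, so a caller that passes a read-only string and writes through the result gets undefined behaviour without any compiler warning. This follows the `strchr` convention and is workable, but it deserves a comment at the definition such as `/* returns a pointer into s; writable only if the caller's buffer is */`. The function body continues past the end of the hunk, so what follows `s++; /* skip over escape */` is not covered by this note.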
......
...@@ -18,20 +18,37 @@ ...@@ -18,20 +18,37 @@
static AccessControl * acl_get( static AccessControl * acl_get(
AccessControl *ac, int *count, AccessControl *ac, int *count,
Backend *be, Operation *op, Backend *be, Operation *op,
Entry *e, char *attr, Entry *e,
#ifdef SLAPD_SCHEMA_NOT_COMPAT
AttributeType *type,
#else
const char *attr,
#endif
int nmatches, regmatch_t *matches ); int nmatches, regmatch_t *matches );
static slap_control_t acl_mask( static slap_control_t acl_mask(
AccessControl *ac, slap_access_mask_t *mask, AccessControl *ac, slap_access_mask_t *mask,
Backend *be, Connection *conn, Operation *op, Backend *be, Connection *conn, Operation *op,
Entry *e, char *attr, struct berval *val, Entry *e,
#ifdef SLAPD_SCHEMA_NOT_COMPAT
AttributeType *type,
#else
const char *attr,
#endif
struct berval *val,
regmatch_t *matches ); regmatch_t *matches );
#ifdef SLAPD_ACI_ENABLED #ifdef SLAPD_ACI_ENABLED
static int aci_mask( static int aci_mask(
Backend *be, Backend *be,
Operation *op, Operation *op,
Entry *e, char *attr, struct berval *val, struct berval *aci, Entry *e,
#ifdef SLAPD_SCHEMA_NOT_COMPAT
AttributeType *type,
#else
const char *attr,
#endif
struct berval *val, struct berval *aci,
regmatch_t *matches, slap_access_t *grant, slap_access_t *deny ); regmatch_t *matches, slap_access_t *grant, slap_access_t *deny );
char *supportedACIMechs[] = { char *supportedACIMechs[] = {
...@@ -41,8 +58,10 @@ char *supportedACIMechs[] = { ...@@ -41,8 +58,10 @@ char *supportedACIMechs[] = {
}; };
#endif #endif
static int regex_matches(char *pat, char *str, char *buf, regmatch_t *matches); static int regex_matches(
static void string_expand(char *newbuf, int bufsiz, char *pattern, char *pat, char *str, char *buf, regmatch_t *matches);
static void string_expand(
char *newbuf, int bufsiz, char *pattern,
char *match, regmatch_t *matches); char *match, regmatch_t *matches);
...@@ -67,10 +86,13 @@ access_allowed( ...@@ -67,10 +86,13 @@ access_allowed(
Connection *conn, Connection *conn,
Operation *op, Operation *op,
Entry *e, Entry *e,
char *attr, #ifdef SLAPD_SCHEMA_NOT_COMPAT
AttributeType *attr,
#else
const char *attr,
#endif
struct berval *val, struct berval *val,
slap_access_t access slap_access_t access )
)
{ {
int count; int count;
AccessControl *a; AccessControl *a;
...@@ -105,7 +127,12 @@ access_allowed( ...@@ -105,7 +127,12 @@ access_allowed(
* by ACL_WRITE checking as any found here are not provided * by ACL_WRITE checking as any found here are not provided
* by the user * by the user
*/ */
if ( access >= ACL_WRITE && oc_check_op_no_usermod_attr( attr ) ) { #ifdef SLAPD_SCHEMA_NOT_COMPAT
if ( access >= ACL_WRITE && is_at_no_user_mod( attr ) )
#else
if ( access >= ACL_WRITE && oc_check_op_no_usermod_attr( attr ) )
#endif
{
Debug( LDAP_DEBUG_ACL, "NoUserMod Operational attribute:" Debug( LDAP_DEBUG_ACL, "NoUserMod Operational attribute:"
" %s access granted\n", " %s access granted\n",
attr, 0, 0 ); attr, 0, 0 );
...@@ -202,10 +229,13 @@ acl_get( ...@@ -202,10 +229,13 @@ acl_get(
Backend *be, Backend *be,
Operation *op, Operation *op,
Entry *e, Entry *e,
char *attr, #ifdef SLAPD_SCHEMA_NOT_COMPAT
AttributeType *attr,
#else
const char *attr,
#endif
int nmatch, int nmatch,
regmatch_t *matches regmatch_t *matches )
)
{ {
assert( e != NULL ); assert( e != NULL );
assert( count != NULL ); assert( count != NULL );
...@@ -282,7 +312,11 @@ acl_mask( ...@@ -282,7 +312,11 @@ acl_mask(
Connection *conn, Connection *conn,
Operation *op, Operation *op,
Entry *e, Entry *e,
char *attr, #ifdef SLAPD_SCHEMA_NOT_COMPAT
AttributeType *attr,
#else
const char *attr,
#endif
struct berval *val, struct berval *val,
regmatch_t *matches regmatch_t *matches
) )
...@@ -398,7 +432,6 @@ acl_mask( ...@@ -398,7 +432,6 @@ acl_mask(
} }
if ( b->a_dn_at != NULL && op->o_ndn != NULL ) { if ( b->a_dn_at != NULL && op->o_ndn != NULL ) {
char *dn_at;
Attribute *at; Attribute *at;
struct berval bv; struct berval bv;
...@@ -408,14 +441,8 @@ acl_mask( ...@@ -408,14 +441,8 @@ acl_mask(
bv.bv_val = op->o_ndn; bv.bv_val = op->o_ndn;
bv.bv_len = strlen( bv.bv_val ); bv.bv_len = strlen( bv.bv_val );
#ifdef SLAPD_SCHEMA_NOT_COMPAT
dn_at = at_canonical_name( b->a_dn_at );
#else
dn_at = b->a_dn_at;
#endif
/* see if asker is listed in dnattr */ /* see if asker is listed in dnattr */
if ( (at = attr_find( e->e_attrs, dn_at )) != NULL if ( (at = attr_find( e->e_attrs, b->a_dn_at )) != NULL
#ifdef SLAPD_SCHEMA_NOT_COMPAT #ifdef SLAPD_SCHEMA_NOT_COMPAT
/* not yet implemented */ /* not yet implemented */
#else #else
...@@ -714,7 +741,7 @@ acl_check_modlist( ...@@ -714,7 +741,7 @@ acl_check_modlist(
#ifdef SLAPD_ACI_ENABLED #ifdef SLAPD_ACI_ENABLED
static char * static char *
aci_bvstrdup (struct berval *bv) aci_bvstrdup( struct berval *bv )
{ {
char *s; char *s;
...@@ -727,7 +754,9 @@ aci_bvstrdup (struct berval *bv) ...@@ -727,7 +754,9 @@ aci_bvstrdup (struct berval *bv)
} }
static int static int
aci_strbvcmp (char *s, struct berval *bv) aci_strbvcmp(
const char *s,
struct berval *bv )
{ {
int res, len; int res, len;
...@@ -743,7 +772,11 @@ aci_strbvcmp (char *s, struct berval *bv) ...@@ -743,7 +772,11 @@ aci_strbvcmp (char *s, struct berval *bv)
} }
static int static int
aci_get_part (struct berval *list, int ix, char sep, struct berval *bv) aci_get_part(
struct berval *list,
int ix,
char sep,
struct berval *bv )
{ {
int len; int len;
char *p; char *p;
...@@ -778,8 +811,8 @@ aci_get_part (struct berval *list, int ix, char sep, struct berval *bv) ...@@ -778,8 +811,8 @@ aci_get_part (struct berval *list, int ix, char sep, struct berval *bv)
} }
static int static int
aci_list_map_rights ( aci_list_map_rights(
struct berval *list) struct berval *list )
{ {
struct berval bv; struct berval bv;
slap_access_t mask; slap_access_t mask;
...@@ -823,7 +856,10 @@ aci_list_map_rights ( ...@@ -823,7 +856,10 @@ aci_list_map_rights (
} }
static int static int
aci_list_has_attr (struct berval *list, char *attr, struct berval *val) aci_list_has_attr(
struct berval *list,
const char *attr,
struct berval *val )
{ {
struct berval bv, left, right; struct berval bv, left, right;
int i; int i;
...@@ -869,7 +905,10 @@ aci_list_has_attr (struct berval *list, char *attr, struct berval *val) ...@@ -869,7 +905,10 @@ aci_list_has_attr (struct berval *list, char *attr, struct berval *val)
} }
static slap_access_t static slap_access_t
aci_list_get_attr_rights (struct berval *list, char *attr, struct berval *val) aci_list_get_attr_rights(
struct berval *list,
const char *attr,
struct berval *val )
{ {
struct berval bv; struct berval bv;
slap_access_t mask; slap_access_t mask;
...@@ -888,12 +927,12 @@ aci_list_get_attr_rights (struct berval *list, char *attr, struct berval *val) ...@@ -888,12 +927,12 @@ aci_list_get_attr_rights (struct berval *list, char *attr, struct berval *val)
} }
static int static int
aci_list_get_rights ( aci_list_get_rights(
struct berval *list, struct berval *list,
char *attr, const char *attr,
struct berval *val, struct berval *val,
slap_access_t *grant, slap_access_t *grant,
slap_access_t *deny) slap_access_t *deny )
{ {
struct berval perm, actn; struct berval perm, actn;
slap_access_t *mask; slap_access_t *mask;
...@@ -974,11 +1013,11 @@ aci_group_member ( ...@@ -974,11 +1013,11 @@ aci_group_member (
} }
static int static int
aci_mask ( aci_mask(
Backend *be, Backend *be,
Operation *op, Operation *op,
Entry *e, Entry *e,
char *attr, const char *attr,
struct berval *val, struct berval *val,
struct berval *aci, struct berval *aci,
regmatch_t *matches, regmatch_t *matches,
...@@ -1063,8 +1102,12 @@ aci_mask ( ...@@ -1063,8 +1102,12 @@ aci_mask (
bv.bv_val = op->o_ndn; bv.bv_val = op->o_ndn;
bv.bv_len = strlen( bv.bv_val ); bv.bv_len = strlen( bv.bv_val );
#ifdef SLAPD_SCHEMA_NOT_COMPAT
/* not yet implemented */
#else
if (value_find( at->a_vals, &bv, at->a_syntax, 3 ) == 0 ) if (value_find( at->a_vals, &bv, at->a_syntax, 3 ) == 0 )
return(1); return(1);
#endif
} }
} else if (aci_strbvcmp( "group", &bv ) == 0) { } else if (aci_strbvcmp( "group", &bv ) == 0) {
...@@ -1080,7 +1123,8 @@ aci_mask ( ...@@ -1080,7 +1123,8 @@ aci_mask (
} }
char * char *
get_supported_acimech (int index) get_supported_acimech(
int index )
{ {
if (index < 0 || index >= (sizeof(supportedACIMechs) / sizeof(char *))) if (index < 0 || index >= (sizeof(supportedACIMechs) / sizeof(char *)))
return(NULL); return(NULL);
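Review bot: In `access_allowed` the `Debug( LDAP_DEBUG_ACL, ... " %s access granted\n", attr, 0, 0 )` call is left as it was, but under `SLAPD_SCHEMA_NOT_COMPAT` `attr` is now an `AttributeType *`, so a struct pointer is handed to `%s` and the ACL log line reads arbitrary memory as a string. That build should pass a name string instead, for example the result of `at_canonical_name( attr )`, which the removed dnattr lines in `acl_mask` appear to have used for the same purpose. The same incomplete conversion shows in `aci_mask`: its forward declaration takes `AttributeType *type` under `SLAPD_SCHEMA_NOT_COMPAT`, while the definition further down still declares `const char *attr` unconditionally, which would be a conflicting-types error when `SLAPD_ACI_ENABLED` is also defined. Most of these functions start or end outside their hunks, so only the visible lines are assessed.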
......
/* acl.c - routines to parse and check acl's */ /* aclparse.c - routines to parse and check acl's */
/* $OpenLDAP$ */ /* $OpenLDAP$ */
/* /*
* Copyright 1998-1999 The OpenLDAP Foundation, All Rights Reserved. * Copyright 1998-1999 The OpenLDAP Foundation, All Rights Reserved.
...@@ -95,6 +95,12 @@ parse_acl( ...@@ -95,6 +95,12 @@ parse_acl(
char *left, *right; char *left, *right;
AccessControl *a; AccessControl *a;
Access *b; Access *b;
#ifdef SLAPD_SCHEMA_NOT_COMPAT
int rc;
char *text;
static AttributeDescription *member = NULL;
static AttributeDescription *aci = NULL;
#endif
a = NULL; a = NULL;
for ( i = 1; i < argc; i++ ) { for ( i = 1; i < argc; i++ ) {
...@@ -321,17 +327,17 @@ parse_acl( ...@@ -321,17 +327,17 @@ parse_acl(
} }
#ifdef SLAPD_SCHEMA_NOT_COMPAT #ifdef SLAPD_SCHEMA_NOT_COMPAT
b->a_dn_at = at_find( right ); rc = slap_str2ad( right, &b->a_dn_at, &text );
if( b->a_dn_at == NULL ) { if( rc != LDAP_SUCCESS ) {
fprintf( stderr, fprintf( stderr,
"%s: line %d: dnattr attribute type undefined.\n", "%s: line %d: dnattr \"%s\": %s\n",
fname, lineno ); fname, lineno, right, text );
acl_usage(); acl_usage();
} }
#ifdef SLAPD_OID_DN_SYNTAX #ifdef SLAPD_OID_DN_SYNTAX
if( strcmp( b->a_dn_at->sat_syntax_oid, if( strcmp( b->a_dn_at->ad_type->sat_syntax_oid,
SLAPD_OID_DN_SYNTAX ) != 0 ) SLAPD_OID_DN_SYNTAX ) != 0 )
{ {
fprintf( stderr, fprintf( stderr,
...@@ -379,7 +385,14 @@ parse_acl( ...@@ -379,7 +385,14 @@ parse_acl(
if (name && *name) { if (name && *name) {
#ifdef SLAPD_SCHEMA_NOT_COMPAT #ifdef SLAPD_SCHEMA_NOT_COMPAT
b->a_group_at = at_find( name ); rc = slap_str2ad( right, &b->a_group_at, &text );
if( rc != LDAP_SUCCESS ) {
fprintf( stderr,
"%s: line %d: group \"%s\": %s\n",
fname, lineno, right, text );
acl_usage();
}
#else #else
b->a_group_at = ch_strdup(name); b->a_group_at = ch_strdup(name);
#endif #endif
...@@ -387,7 +400,7 @@ parse_acl( ...@@ -387,7 +400,7 @@ parse_acl(
} else { } else {
#ifdef SLAPD_SCHEMA_NOT_COMPAT #ifdef SLAPD_SCHEMA_NOT_COMPAT
b->a_group_at = at_find("member"); b->a_group_at = member;
#else #else
b->a_group_at = ch_strdup("member");