partially fix ACI compatibility with OL2.1

diff --git a/CHANGES b/CHANGES
index 7d3ce53002203e7aa3cf1d8e563d9c921947928d..166c68eee25cbb186b245b23b8e349e52016fe15 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -5,6 +5,7 @@ OpenLDAP 2.3.34 Engineering
        Fixed ldapmodify printing error from ldap_result() (ITS#4812)
        Fixed slapadd LDIF parsing (ITS#4817)
        Fixed slapd syncrepl memory leaks (ITS#4805)
+       Fixed slapd dynacl/ACI compatibility with 2.1
        Fixed slapd-bdb/hdb be_entry_get with aliases/referrals (ITS#4810)
        Fixed slapd-ldap more response handling bugs (ITS#4782)
        Fixed slapd-ldap C-API code tests (ITS#4808)

diff --git a/servers/slapd/aci.c b/servers/slapd/aci.c
index 1882f15e77b4613fbac851e9236679cbc080e19c..24b33bf2a5cef52f2154d432ac6ccb3633044036 100644 (file)
--- a/servers/slapd/aci.c
+++ b/servers/slapd/aci.c
@@ -291,10 +291,8 @@ aci_list_get_rights(
        slap_access_t   *mask;
        int             i, found;
 
-       if ( attr == NULL || BER_BVISEMPTY( attr )
-                       || ber_bvstrcasecmp( attr, &aci_bv[ ACI_BV_ENTRY ] ) == 0 )
-       {
-               attr = &aci_bv[ ACI_BV_BR_ENTRY ];
+       if ( attr == NULL || BER_BVISEMPTY( attr ) ) {
+               attr = &aci_bv[ ACI_BV_ENTRY ];
        }
 
        found = 0;
@@ -433,7 +431,7 @@ aci_mask(
           This routine now supports scope={ENTRY,CHILDREN}
           with the semantics:
             - ENTRY applies to "entry" and "subtree";
-            - CHILDREN aplies to "children" and "subtree"
+            - CHILDREN applies to "children" and "subtree"
         */
 
        /* check that the aci has all 5 components */
@@ -1027,7 +1025,7 @@ bv_get_tail(
  *    action    := perms;attr[[;perms;attr]...]
  *    perms     := perm[[,perm]...]
  *    perm      := c|s|r|w|x
- *    attr      := attributeType|[all]
+ *    attr      := attributeType|"[all]"
  *    type      :=  public|users|self|dnattr|group|role|set|set-ref|
  *                  access_id|subtree|onelevel|children
  */
@@ -1110,6 +1108,11 @@ OpenLDAPaciValidateRight(
                                continue;
                        }
 
+                       /* "[entry]" is tolerated for backward compatibility */
+                       if ( ber_bvstrcasecmp( &bv, &aci_bv[ ACI_BV_BR_ENTRY ] ) == 0 ) {
+                               continue;
+                       }
+
                        if ( slap_bv2ad( &bv, &ad, &text ) != LDAP_SUCCESS ) {
                                return LDAP_INVALID_SYNTAX;
                        }
@@ -1167,6 +1170,10 @@ OpenLDAPaciNormalizeRight(
                        if ( ber_bvstrcasecmp( &bv, &aci_bv[ ACI_BV_BR_ALL ] ) == 0 ) {
                                bv = aci_bv[ ACI_BV_BR_ALL ];
 
+                       /* "[entry]" is tolerated for backward compatibility */
+                       } else if ( ber_bvstrcasecmp( &bv, &aci_bv[ ACI_BV_BR_ENTRY ] ) == 0 ) {
+                               bv = aci_bv[ ACI_BV_ENTRY ];
+
                        } else {
                                AttributeDescription    *ad = NULL;
                                const char              *text = NULL;
@@ -1456,6 +1463,8 @@ OpenLDAPaciPrettyNormal(
                        freetype = 0;
        char            *ptr;
 
+       BER_BVZERO( out );
+
        if ( BER_BVISEMPTY( val ) ) {
                return LDAP_INVALID_SYNTAX;
        }
@@ -1626,7 +1635,7 @@ OpenLDAPaciPrettyNormal(
        out->bv_len = 
                oid.bv_len + STRLENOF( "#" )
                + scope.bv_len + STRLENOF( "#" )
-               + rights.bv_len + STRLENOF( "#" )
+               + nrights.bv_len + STRLENOF( "#" )
                + ntype.bv_len + STRLENOF( "#" )
                + nsubject.bv_len;