-.TH LDAPSEARCH 1 "29 March 1996" "U-M LDAP LDVERSION"
+.TH LDAPSEARCH 1 "22 September 1998" "OpenLDAP LDVERSION"
.SH NAME
ldapsearch \- ldap search tool
.SH SYNOPSIS
wait at most \fItimelimit\fP seconds for a search to complete.
.TP
.B \-z sizelimit
-retrieve at most \fIsizelimit\fP seconds for a search to complete.
+retrieve at most \fIsizelimit\fP entries for a search.
.SH OUTPUT FORMAT
If one or more entries are found, each entry is written to standard output
in the form:
.SM RFC
1558,
University of Michigan, December 1993.
+.SH ACKNOWLEDGEMENTS
+.B OpenLDAP
+is developed and maintained by The OpenLDAP Project (http://www.openldap.org/).
+.B OpenLDAP
+is derived from University of Michigan LDAP 3.3 Release.
/* acl.c - routines to parse and check acl's */
+#include "portable.h"
+
#include <stdio.h>
-#include <string.h>
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <netdb.h>
-#ifdef sunos5
-#include "regexpr.h"
-#else
-#include "regex.h"
-#endif
+
+#include <ac/regex.h>
+#include <ac/socket.h>
+#include <ac/string.h>
+
#include "slap.h"
extern Attribute *attr_find();
-extern char *re_comp();
extern struct acl *global_acl;
extern int global_default_access;
extern char *access2str();
static int regex_matches();
-extern pthread_mutex_t regex_mutex;
+static string_expand(char *newbuf, int bufsiz, char *pattern,
+ char *match, regmatch_t *matches);
+
/*
* access_allowed - check whether dn is allowed the requested access
int access
)
{
- int rc;
- struct acl *a;
+ int rc;
+ struct acl *a;
+ char *edn;
+
+ regmatch_t matches[MAXREMATCHES];
+ int i;
+ int n;
if ( be == NULL ) {
return( 0 );
}
- a = acl_get_applicable( be, op, e, attr );
- rc = acl_access_allowed( a, be, conn, e, val, op, access );
+ edn = dn_normalize_case( strdup( e->e_dn ) );
+ Debug( LDAP_DEBUG_ACL, "\n=> access_allowed: entry (%s) attr (%s)\n",
+ e->e_dn, attr, 0 );
+
+ /* the lastmod attributes are ignored by ACL checking */
+ if ( strcasecmp( attr, "modifiersname" ) == 0 ||
+ strcasecmp( attr, "modifytimestamp" ) == 0 ||
+ strcasecmp( attr, "creatorsname" ) == 0 ||
+ strcasecmp( attr, "createtimestamp" ) == 0 )
+ {
+ Debug( LDAP_DEBUG_ACL, "LASTMOD attribute: %s access allowed\n",
+ attr, 0, 0 );
+ free( edn );
+ return(1);
+ }
+
+ memset(matches, 0, sizeof(matches));
+
+ a = acl_get_applicable( be, op, e, attr, edn, MAXREMATCHES, matches );
+
+ if (a) {
+ for (i = 0; i < MAXREMATCHES && matches[i].rm_so > 0; i++) {
+ Debug( LDAP_DEBUG_ARGS, "=> match[%d]: %d %d ",
+ i, matches[i].rm_so, matches[i].rm_eo );
+
+ if( matches[i].rm_so <= matches[0].rm_eo ) {
+ for ( n = matches[i].rm_so; n < matches[i].rm_eo; n++) {
+ Debug( LDAP_DEBUG_ARGS, "%c", edn[n], 0, 0 );
+ }
+ }
+ Debug( LDAP_DEBUG_ARGS, "\n", 0, 0, 0 );
+ }
+ }
+
+ rc = acl_access_allowed( a, be, conn, e, val, op, access, edn, matches );
+ free( edn );
+
+ Debug( LDAP_DEBUG_ACL, "\n=> access_allowed: exit (%s) attr (%s)\n",
+ e->e_dn, attr, 0);
return( rc );
}
Backend *be,
Operation *op,
Entry *e,
- char *attr
+ char *attr,
+ char *edn,
+ int nmatch,
+ regmatch_t *matches
)
{
- int i;
+ int i, j;
struct acl *a;
- char *edn;
- Debug( LDAP_DEBUG_ACL, "=> acl_get: entry (%s) attr (%s)\n", e->e_dn,
- attr, 0 );
+ Debug( LDAP_DEBUG_ACL, "\n=> acl_get: entry (%s) attr (%s)\n",
+ e->e_dn, attr, 0 );
if ( be_isroot( be, op->o_dn ) ) {
Debug( LDAP_DEBUG_ACL,
return( NULL );
}
+ Debug( LDAP_DEBUG_ARGS, "=> acl_get: edn %s\n", edn, 0, 0 );
+
/* check for a backend-specific acl that matches the entry */
for ( i = 1, a = be->be_acl; a != NULL; a = a->acl_next, i++ ) {
- if ( a->acl_dnpat != NULL ) {
- edn = dn_normalize_case( strdup( e->e_dn ) );
- if ( ! regex_matches( a->acl_dnpat, edn ) ) {
- free( edn );
+ if (a->acl_dnpat != NULL) {
+ Debug( LDAP_DEBUG_TRACE, "=> dnpat: [%d] %s nsub: %d\n",
+ i, a->acl_dnpat, a->acl_dnre.re_nsub);
+
+ if (regexec(&a->acl_dnre, edn, nmatch, matches, 0))
continue;
- }
- free( edn );
+ else
+ Debug( LDAP_DEBUG_TRACE, "=> acl_get:[%d] backend ACL match\n",
+ i, 0, 0);
}
+
if ( a->acl_filter != NULL ) {
- if ( test_filter( NULL, NULL, NULL, e, a->acl_filter )
- != 0 ) {
+ if ( test_filter( NULL, NULL, NULL, e, a->acl_filter ) != 0 ) {
continue;
}
}
+
+ Debug( LDAP_DEBUG_ARGS, "=> acl_get: [%d] check attr %s\n", i, attr, 0);
+
if ( attr == NULL || a->acl_attrs == NULL ||
- charray_inlist( a->acl_attrs, attr ) ) {
- Debug( LDAP_DEBUG_ACL, "<= acl_get: backend acl #%d\n",
- i, e->e_dn, attr );
+ charray_inlist( a->acl_attrs, attr ) )
+ {
+ Debug( LDAP_DEBUG_ACL, "<= acl_get: [%d] backend acl %s attr: %s\n",
+ i, e->e_dn, attr );
return( a );
}
+ matches[0].rm_so = matches[0].rm_eo = -1;
}
/* check for a global acl that matches the entry */
for ( i = 1, a = global_acl; a != NULL; a = a->acl_next, i++ ) {
- if ( a->acl_dnpat != NULL ) {
- edn = dn_normalize_case( strdup( e->e_dn ) );
- if ( ! regex_matches( a->acl_dnpat, edn ) ) {
- free( edn );
+ if (a->acl_dnpat != NULL) {
+ Debug( LDAP_DEBUG_TRACE, "=> dnpat: [%d] %s nsub: %d\n",
+ i, a->acl_dnpat, a->acl_dnre.re_nsub);
+
+ if (regexec(&a->acl_dnre, edn, nmatch, matches, 0)) {
continue;
+ } else {
+ Debug( LDAP_DEBUG_TRACE, "=> acl_get: [%d] global ACL match\n",
+ i, 0, 0);
}
- free( edn );
}
+
if ( a->acl_filter != NULL ) {
- if ( test_filter( NULL, NULL, NULL, e, a->acl_filter )
- != 0 ) {
+ if ( test_filter( NULL, NULL, NULL, e, a->acl_filter ) != 0 ) {
continue;
}
}
- if ( attr == NULL || a->acl_attrs == NULL || charray_inlist(
- a->acl_attrs, attr ) ) {
- Debug( LDAP_DEBUG_ACL, "<= acl_get: global acl #%d\n",
- i, e->e_dn, attr );
+
+ Debug( LDAP_DEBUG_ARGS, "=> acl_get: [%d] check attr\n", i, 0, 0);
+
+ if ( attr == NULL || a->acl_attrs == NULL ||
+ charray_inlist( a->acl_attrs, attr ) )
+ {
+ Debug( LDAP_DEBUG_ACL, "<= acl_get: [%d] global acl %s attr: %s\n",
+ i, e->e_dn, attr );
return( a );
}
+
+ matches[0].rm_so = matches[0].rm_eo = -1;
}
- Debug( LDAP_DEBUG_ACL, "<= acl_get: no match\n", 0, 0, 0 );
+ Debug( LDAP_DEBUG_ACL, "<= acl_get: no match\n", 0, 0, 0 );
return( NULL );
}
Entry *e,
struct berval *val,
Operation *op,
- int access
+ int access,
+ char *edn,
+ regmatch_t *matches
)
{
int i;
- char *edn, *odn;
+ char *odn;
struct access *b;
Attribute *at;
struct berval bv;
int default_access;
- Debug( LDAP_DEBUG_ACL, "=> acl: %s access to value \"%s\" by \"%s\"\n",
- access2str( access ), val ? val->bv_val : "any", op->o_dn ?
- op->o_dn : "" );
+ Debug( LDAP_DEBUG_ACL,
+ "\n=> acl_access_allowed: %s access to entry \"%s\"\n",
+ access2str( access ), e->e_dn, 0 );
+
+ Debug( LDAP_DEBUG_ACL,
+ "\n=> acl_access_allowed: %s access to value \"%s\" by \"%s\"\n",
+ access2str( access ),
+ val ? val->bv_val : "any",
+ op->o_dn ? op->o_dn : "" );
if ( be_isroot( be, op->o_dn ) ) {
- Debug( LDAP_DEBUG_ACL, "<= acl: granted to database root\n",
+ Debug( LDAP_DEBUG_ACL,
+ "<= acl_access_allowed: granted to database root\n",
0, 0, 0 );
return( 1 );
}
- default_access = be->be_dfltaccess ? be->be_dfltaccess :
- global_default_access;
+ default_access = be->be_dfltaccess ? be->be_dfltaccess : global_default_access;
+
if ( a == NULL ) {
Debug( LDAP_DEBUG_ACL,
- "<= acl: %s by default (no matching to)\n",
+ "<= acl_access_allowed: %s by default (no matching to)\n",
default_access >= access ? "granted" : "denied", 0, 0 );
return( default_access >= access );
}
}
for ( i = 1, b = a->acl_access; b != NULL; b = b->a_next, i++ ) {
if ( b->a_dnpat != NULL ) {
+ Debug( LDAP_DEBUG_TRACE, "<= check a_dnpat: %s\n",
+ b->a_dnpat, 0, 0);
/*
* if access applies to the entry itself, and the
* user is bound as somebody in the same namespace as
* the entry, OR the given dn matches the dn pattern
*/
- if ( strcasecmp( b->a_dnpat, "self" ) == 0 && op->o_dn
- != NULL && *(op->o_dn) && e->e_dn != NULL ) {
- edn = dn_normalize_case( strdup( e->e_dn ) );
+ if ( strcasecmp( b->a_dnpat, "self" ) == 0 &&
+ op->o_dn != NULL && *(op->o_dn) && e->e_dn != NULL )
+ {
if ( strcasecmp( edn, op->o_dn ) == 0 ) {
- free( edn );
- if ( odn ) free( odn );
Debug( LDAP_DEBUG_ACL,
- "<= acl: matched by clause #%d access %s\n",
+ "<= acl_access_allowed: matched by clause #%d access %s\n",
i, (b->a_access & ~ACL_SELF) >=
access ? "granted" : "denied", 0 );
- return( (b->a_access & ~ACL_SELF)
- >= access );
+ if ( odn ) free( odn );
+ return( (b->a_access & ~ACL_SELF) >= access );
}
- free( edn );
} else {
- if ( regex_matches( b->a_dnpat, odn ) ) {
- if ( odn ) free( odn );
+ if ( regex_matches( b->a_dnpat, odn, edn, matches ) ) {
Debug( LDAP_DEBUG_ACL,
- "<= acl: matched by clause #%d access %s\n",
+ "<= acl_access_allowed: matched by clause #%d access %s\n",
i, (b->a_access & ~ACL_SELF) >= access ?
"granted" : "denied", 0 );
- return( (b->a_access & ~ACL_SELF)
- >= access );
+ if ( odn ) free( odn );
+ return( (b->a_access & ~ACL_SELF) >= access );
}
}
}
if ( b->a_addrpat != NULL ) {
- if ( regex_matches( b->a_addrpat, conn->c_addr ) ) {
- if ( odn ) free( odn );
+ if ( regex_matches( b->a_addrpat, conn->c_addr, edn, matches ) ) {
Debug( LDAP_DEBUG_ACL,
- "<= acl: matched by clause #%d access %s\n",
+ "<= acl_access_allowed: matched by clause #%d access %s\n",
i, (b->a_access & ~ACL_SELF) >= access ?
"granted" : "denied", 0 );
+ if ( odn ) free( odn );
return( (b->a_access & ~ACL_SELF) >= access );
}
}
if ( b->a_domainpat != NULL ) {
- if ( regex_matches( b->a_domainpat, conn->c_domain ) ) {
- if ( odn ) free( odn );
+ Debug( LDAP_DEBUG_ARGS, "<= check a_domainpath: %s\n",
+ b->a_domainpat, 0, 0 );
+ if ( regex_matches( b->a_domainpat, conn->c_domain, edn, matches ) )
+ {
Debug( LDAP_DEBUG_ACL,
- "<= acl: matched by clause #%d access %s\n",
+ "<= acl_access_allowed: matched by clause #%d access %s\n",
i, (b->a_access & ~ACL_SELF) >= access ?
"granted" : "denied", 0 );
+ if ( odn ) free( odn );
return( (b->a_access & ~ACL_SELF) >= access );
}
}
if ( b->a_dnattr != NULL && op->o_dn != NULL ) {
+ Debug( LDAP_DEBUG_ARGS, "<= check a_dnattr: %s\n",
+ b->a_dnattr, 0, 0);
/* see if asker is listed in dnattr */
- if ( (at = attr_find( e->e_attrs, b->a_dnattr ))
- != NULL && value_find( at->a_vals, &bv,
- at->a_syntax, 3 ) == 0 )
+ if ( (at = attr_find( e->e_attrs, b->a_dnattr )) != NULL &&
+ value_find( at->a_vals, &bv, at->a_syntax, 3 ) == 0 )
{
- if ( (b->a_access & ACL_SELF) && (val == NULL
- || value_cmp( &bv, val, at->a_syntax,
- 2 )) ) {
+ if ( (b->a_access & ACL_SELF) &&
+ (val == NULL || value_cmp( &bv, val, at->a_syntax, 2 )) )
+ {
continue;
}
if ( odn ) free( odn );
Debug( LDAP_DEBUG_ACL,
- "<= acl: matched by clause #%d access %s\n",
+ "<= acl_acces_allowed: matched by clause #%d access %s\n",
i, (b->a_access & ~ACL_SELF) >= access ?
"granted" : "denied", 0 );
/* asker not listed in dnattr - check for self access */
if ( ! (b->a_access & ACL_SELF) || val == NULL ||
- value_cmp( &bv, val, at->a_syntax, 2 ) != 0 ) {
+ value_cmp( &bv, val, at->a_syntax, 2 ) != 0 )
+ {
continue;
}
if ( odn ) free( odn );
Debug( LDAP_DEBUG_ACL,
- "<= acl: matched by clause #%d (self) access %s\n",
+ "<= acl_access_allowed: matched by clause #%d (self) access %s\n",
i, (b->a_access & ~ACL_SELF) >= access ? "granted"
: "denied", 0 );
return( (b->a_access & ~ACL_SELF) >= access );
}
+#ifdef SLAPD_ACLGROUPS
+ if ( b->a_group != NULL && op->o_dn != NULL ) {
+ char buf[512];
+
+ /* b->a_group is an unexpanded entry name, expanded it should be an
+ * entry with objectclass group* and we test to see if odn is one of
+ * the values in the attribute group
+ */
+ /* see if asker is listed in dnattr */
+ string_expand(buf, sizeof(buf), b->a_group, edn, matches);
+
+ if (be_group(be, buf, odn, b->a_objectclassvalue, b->a_groupattrname) == 0) {
+ Debug( LDAP_DEBUG_ACL,
+ "<= acl_access_allowed: matched by clause #%d (group) access granted\n",
+ i, 0, 0 );
+ if ( odn ) free( odn );
+ return( (b->a_access & ~ACL_SELF) >= access );
+ }
+ }
+#endif /* SLAPD_ACLGROUPS */
}
if ( odn ) free( odn );
- Debug( LDAP_DEBUG_ACL, "<= acl: %s by default (no matching by)\n",
+ Debug( LDAP_DEBUG_ACL,
+ "<= acl_access_allowed: %s by default (no matching by)\n",
default_access >= access ? "granted" : "denied", 0, 0 );
return( default_access >= access );
{
int i;
struct acl *a;
+ char *edn;
+
+ edn = dn_normalize_case( strdup( e->e_dn ) );
for ( ; mods != NULL; mods = mods->mod_next ) {
+ regmatch_t matches[MAXREMATCHES];
+
+ /* the lastmod attributes are ignored by ACL checking */
if ( strcasecmp( mods->mod_type, "modifiersname" ) == 0 ||
- strcasecmp( mods->mod_type, "modifytimestamp" ) == 0 ) {
+ strcasecmp( mods->mod_type, "modifytimestamp" ) == 0 ||
+ strcasecmp( mods->mod_type, "creatorsname" ) == 0 ||
+ strcasecmp( mods->mod_type, "createtimestamp" ) == 0 )
+ {
+ Debug( LDAP_DEBUG_ACL, "LASTMOD attribute: %s access allowed\n",
+ mods->mod_type, 0, 0 );
continue;
}
- a = acl_get_applicable( be, op, e, mods->mod_type );
+ a = acl_get_applicable( be, op, e, mods->mod_type, edn,
+ MAXREMATCHES, matches );
switch ( mods->mod_op & ~LDAP_MOD_BVALUES ) {
case LDAP_MOD_REPLACE:
break;
}
for ( i = 0; mods->mod_bvalues[i] != NULL; i++ ) {
- if ( ! acl_access_allowed( a, be, conn, e,
- mods->mod_bvalues[i], op, ACL_WRITE ) ) {
+ if ( ! acl_access_allowed( a, be, conn, e, mods->mod_bvalues[i],
+ op, ACL_WRITE, edn, matches) )
+ {
+ free(edn);
return( LDAP_INSUFFICIENT_ACCESS );
}
}
case LDAP_MOD_DELETE:
if ( mods->mod_bvalues == NULL ) {
if ( ! acl_access_allowed( a, be, conn, e,
- NULL, op, ACL_WRITE ) ) {
+ NULL, op, ACL_WRITE, edn, matches) )
+ {
+ free(edn);
return( LDAP_INSUFFICIENT_ACCESS );
}
break;
}
for ( i = 0; mods->mod_bvalues[i] != NULL; i++ ) {
- if ( ! acl_access_allowed( a, be, conn, e,
- mods->mod_bvalues[i], op, ACL_WRITE ) ) {
+ if ( ! acl_access_allowed( a, be, conn, e, mods->mod_bvalues[i],
+ op, ACL_WRITE, edn, matches) )
+ {
+ free(edn);
return( LDAP_INSUFFICIENT_ACCESS );
}
}
}
}
+ free(edn);
return( LDAP_SUCCESS );
}
-#ifdef sunos5
-
-static int
-regex_matches( char *pat, char *str )
+static string_expand(
+ char *newbuf,
+ int bufsiz,
+ char *pat,
+ char *match,
+ regmatch_t *matches)
{
- char *e;
- int rc;
-
- if ( (e = compile( pat, NULL, NULL )) == NULL ) {
- Debug( LDAP_DEBUG_ANY,
- "compile( \"%s\", \"%s\") failed\n", pat, str, 0 );
- return( 0 );
+ int size;
+ char *sp;
+ char *dp;
+ int flag;
+
+ size = 0;
+ newbuf[0] = '\0';
+
+ flag = 0;
+ for ( dp = newbuf, sp = pat; size < 512 && *sp ; sp++) {
+ /* did we previously see a $ */
+ if (flag) {
+ if (*sp == '$') {
+ *dp++ = '$';
+ size++;
+ } else if (*sp >= '0' && *sp <= '9' ) {
+ int n;
+ int i;
+ char *ep;
+ int l;
+
+ n = *sp - '0';
+ *dp = '\0';
+ i = matches[n].rm_so;
+ l = matches[n].rm_eo;
+ for ( ; size < 512 && i < l; size++, i++ ) {
+ *dp++ = match[i];
+ size++;
+ }
+ *dp = '\0';
+ }
+ flag = 0;
+ } else {
+ if (*sp == '$') {
+ flag = 1;
+ } else {
+ *dp++ = *sp;
+ size++;
+ }
+ }
}
- rc = step( str ? str : "", e );
- free( e );
+ *dp = '\0';
- return( rc );
+ Debug( LDAP_DEBUG_TRACE, "=> string_expand: pattern: %s\n", pat, 0, 0 );
+ Debug( LDAP_DEBUG_TRACE, "=> string_expand: expanded: %s\n", newbuf, 0, 0 );
}
-#else /* sunos5 */
-
static int
-regex_matches( char *pat, char *str )
+regex_matches(
+ char *pat, /* pattern to expand and match against */
+ char *str, /* string to match against pattern */
+ char *buf, /* buffer with $N expansion variables */
+ regmatch_t *matches /* offsets in buffer for $N expansion variables */
+)
{
- char *e;
+ regex_t re;
+ char newbuf[512];
int rc;
- pthread_mutex_lock( ®ex_mutex );
- if ( (e = re_comp( pat )) != NULL ) {
- Debug( LDAP_DEBUG_ANY,
- "re_comp( \"%s\", \"%s\") failed because (%s)\n", pat, str,
- e );
- pthread_mutex_unlock( ®ex_mutex );
+ string_expand(newbuf, sizeof(newbuf), pat, buf, matches);
+ if (( rc = regcomp(&re, newbuf, REG_EXTENDED|REG_ICASE))) {
+ char error[512];
+ regerror(rc, &re, error, sizeof(error));
+
+ Debug( LDAP_DEBUG_TRACE,
+ "compile( \"%s\", \"%s\") failed %s\n",
+ pat, str, error );
return( 0 );
}
- rc = re_exec( str ? str : "" );
- pthread_mutex_unlock( ®ex_mutex );
- return( rc == 1 );
+ rc = regexec(&re, str, 0, NULL, 0);
+ regfree( &re );
+
+ Debug( LDAP_DEBUG_TRACE,
+ "=> regex_matches: string: %s\n", str, 0, 0 );
+ Debug( LDAP_DEBUG_TRACE,
+ "=> regex_matches: rc: %d %s\n",
+ rc, !rc ? "matches" : "no matches", 0 );
+ return( !rc );
}
-#endif /* sunos5 */
/* acl.c - routines to parse and check acl's */
+#include "portable.h"
#include <stdio.h>
-#include <string.h>
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <netdb.h>
-#include "regex.h"
+
+#include <ac/ctype.h>
+#include <ac/regex.h>
+#include <ac/socket.h>
+#include <ac/string.h>
+#include <ac/unistd.h>
+
#include "slap.h"
-#include "portable.h"
extern Filter *str2filter();
-extern char *re_comp();
extern struct acl *global_acl;
extern char **str2charray();
extern char *dn_upcase();
static void print_access();
#endif
+int
+regtest(char *fname, int lineno, char *pat) {
+ int e;
+ regex_t re;
+
+ char buf[512];
+ int size;
+
+ char *sp;
+ char *dp;
+ int flag;
+
+ sp = pat;
+ dp = buf;
+ size = 0;
+ buf[0] = '\0';
+
+ for (size = 0, flag = 0; (size < sizeof(buf)) && *sp; sp++) {
+ if (flag) {
+ if (*sp == '$'|| (*sp >= '0' && *sp <= '9')) {
+ *dp++ = *sp;
+ size++;
+ }
+ flag = 0;
+
+ } else {
+ if (*sp == '$') {
+ flag = 1;
+ } else {
+ *dp++ = *sp;
+ size++;
+ }
+ }
+ }
+
+ *dp = '\0';
+ if ( size >= (sizeof(buf)-1) ) {
+ fprintf( stderr,
+ "%s: line %d: regular expression \"%s\" too large\n",
+ fname, lineno, pat, 0 );
+ acl_usage();
+ }
+
+ if ((e = regcomp(&re, buf, REG_EXTENDED|REG_ICASE))) {
+ char error[512];
+ regerror(e, &re, error, sizeof(error));
+ fprintf( stderr,
+ "%s: line %d: regular expression \"%s\" bad because of %s\n",
+ fname, lineno, pat, error );
+ acl_usage();
+ return(0);
+ }
+ regfree(&re);
+ return(1);
+}
+
void
parse_acl(
Backend *be,
}
if ( strcasecmp( argv[i], "*" ) == 0 ) {
+ int e;
+ if ((e = regcomp( &a->acl_dnre, ".*",
+ REG_EXTENDED|REG_ICASE)))
+ {
+ char buf[512];
+ regerror(e, &a->acl_dnre, buf, sizeof(buf));
+ fprintf( stderr,
+ "%s: line %d: regular expression \"%s\" bad because of %s\n",
+ fname, lineno, right, buf );
+ acl_usage();
+ }
a->acl_dnpat = strdup( ".*" );
continue;
}
acl_usage();
}
} else if ( strcasecmp( left, "dn" ) == 0 ) {
- if ( (e = re_comp( right )) != NULL ) {
+ int e;
+ if ((e = regcomp(&a->acl_dnre, right,
+ REG_EXTENDED|REG_ICASE))) {
+ char buf[512];
+ regerror(e, &a->acl_dnre, buf, sizeof(buf));
fprintf( stderr,
- "%s: line %d: regular expression \"%s\" bad because of %s\n",
- fname, lineno, right, e );
+ "%s: line %d: regular expression \"%s\" bad because of %s\n",
+ fname, lineno, right, buf );
acl_usage();
+
+ } else {
+ a->acl_dnpat = dn_upcase(strdup( right ));
}
- a->acl_dnpat = dn_upcase( strdup(
- right ) );
} else if ( strncasecmp( left, "attr", 4 )
== 0 ) {
char **alist;
free( alist );
} else {
fprintf( stderr,
- "%s: line %d: expecting <what> got \"%s\"\n",
+ "%s: line %d: expecting <what> got \"%s\"\n",
fname, lineno, left );
acl_usage();
}
} else if ( strcasecmp( argv[i], "by" ) == 0 ) {
if ( a == NULL ) {
fprintf( stderr,
- "%s: line %d: to clause required before by clause in access line\n",
+ "%s: line %d: to clause required before by clause in access line\n",
fname, lineno );
acl_usage();
}
} else if ( strcasecmp( argv[i], "self" ) == 0 ) {
b->a_dnpat = strdup( "self" );
} else if ( strcasecmp( left, "dn" ) == 0 ) {
- if ( (e = re_comp( right )) != NULL ) {
- fprintf( stderr,
- "%s: line %d: regular expression \"%s\" bad: %s\n",
- fname, lineno, right, e );
- acl_usage();
- }
+ regtest(fname, lineno, right);
b->a_dnpat = dn_upcase( strdup( right ) );
- } else if ( strcasecmp( left, "dnattr" )
- == 0 ) {
+ } else if ( strcasecmp( left, "dnattr" ) == 0 ) {
b->a_dnattr = strdup( right );
- } else if ( strcasecmp( left, "domain" )
- == 0 ) {
- char *s;
- if ( (e = re_comp( right )) != NULL ) {
- fprintf( stderr,
- "%s: line %d: regular expression \"%s\" bad: %s\n",
- fname, lineno, right, e );
- acl_usage();
- }
+#ifdef SLAPD_ACLGROUPS
+ } else if ( strcasecmp( left, "group" ) == 0 ) {
+ char *name = NULL;
+ char *value = NULL;
+ regtest(fname, lineno, right);
+
+ /* format of string is "group/objectClassValue/groupAttrName"
+ */
+ if ((value = strchr(right, '/')) != NULL) {
+ *value++ = '\0';
+ if (value && *value && (name = strchr(value, '/')) != NULL)
+ *name++ = '\0';
+ }
+
+ b->a_group = dn_upcase(strdup( right ));
+
+ if (value && *value) {
+ b->a_objectclassvalue = strdup(value);
+ *--value = '/';
+ }
+ else
+ b->a_objectclassvalue = strdup("groupOfNames");
+
+ if (name && *name) {
+ b->a_groupattrname = strdup(name);
+ *--name = '/';
+ }
+ else
+ b->a_groupattrname = strdup("member");
+
+
+
+#endif /* SLAPD_ACLGROUPS */
+ } else if ( strcasecmp( left, "domain" ) == 0 ) {
+ char *s;
+ regtest(fname, lineno, right);
b->a_domainpat = strdup( right );
+
/* normalize the domain */
for ( s = b->a_domainpat; *s; s++ ) {
*s = TOLOWER( *s );
}
} else if ( strcasecmp( left, "addr" ) == 0 ) {
- if ( (e = re_comp( right )) != NULL ) {
- fprintf( stderr,
- "%s: line %d: regular expression \"%s\" bad: %s\n",
- fname, lineno, right, e );
- acl_usage();
- }
+ regtest(fname, lineno, right);
b->a_addrpat = strdup( right );
} else {
fprintf( stderr,
/* if we have no real access clause, complain and do nothing */
if ( a == NULL ) {
-
fprintf( stderr,
- "%s: line %d: warning: no access clause(s) specified in access line\n",
+ "%s: line %d: warning: no access clause(s) specified in access line\n",
fname, lineno );
} else {
+
+ if (ldap_debug&LDAP_DEBUG_ACL)
+ print_acl(a);
+
if ( a->acl_access == NULL ) {
fprintf( stderr,
- "%s: line %d: warning: no by clause(s) specified in access line\n",
+ "%s: line %d: warning: no by clause(s) specified in access line\n",
fname, lineno );
}
{
printf( "\tby" );
if ( b->a_dnpat != NULL ) {
- printf( " dn=%s", b->a_dnpat );
+ fprintf( stderr, " dn=%s", b->a_dnpat );
} else if ( b->a_addrpat != NULL ) {
- printf( " addr=%s", b->a_addrpat );
+ fprintf( stderr, " addr=%s", b->a_addrpat );
} else if ( b->a_domainpat != NULL ) {
- printf( " domain=%s", b->a_domainpat );
+ fprintf( stderr, " domain=%s", b->a_domainpat );
} else if ( b->a_dnattr != NULL ) {
- printf( " dnattr=%s", b->a_dnattr );
+ fprintf( stderr, " dnattr=%s", b->a_dnattr );
}
- printf( " %s\n", access2str( b->a_access ) );
+#ifdef SLAPD_ACLGROUPS
+ else if ( b->a_group != NULL ) {
+ fprintf( stderr, " group: %s", b->a_group );
+ if ( b->a_objectclassvalue )
+ fprintf( stderr, " objectClassValue: %s", b->a_objectclassvalue );
+ if ( b->a_groupattrname )
+ fprintf( stderr, " groupAttrName: %s", b->a_groupattrname );
+ }
+#endif
+ fprintf( stderr, "\n" );
}
static void
struct access *b;
if ( a == NULL ) {
- printf( "NULL\n" );
+ fprintf( stderr, "NULL\n" );
}
- printf( "access to" );
+ fprintf( stderr, "ACL: access to" );
if ( a->acl_filter != NULL ) {
- printf( " filter=" );
+ fprintf( stderr," filter=" );
filter_print( a->acl_filter );
}
if ( a->acl_dnpat != NULL ) {
- printf( " dn=" );
- printf( a->acl_dnpat );
+ fprintf( stderr, " dn=" );
+ fprintf( stderr, a->acl_dnpat );
}
if ( a->acl_attrs != NULL ) {
int first = 1;
- printf( " attrs=" );
+ fprintf( stderr, "\n attrs=" );
for ( i = 0; a->acl_attrs[i] != NULL; i++ ) {
if ( ! first ) {
- printf( "," );
+ fprintf( stderr, "," );
}
- printf( a->acl_attrs[i] );
+ fprintf( stderr, a->acl_attrs[i] );
first = 0;
}
}
- printf( "\n" );
+ fprintf( stderr, "\n" );
for ( b = a->acl_access; b != NULL; b = b->a_next ) {
print_access( b );
}
+ fprintf( stderr, "\n" );
}
-#endif
+#endif /* LDAP_DEBUG */
#ifdef SLAPD_ACLGROUPS
-/* return 0 IFF edn is a value in uniqueMember attribute
+/* return 0 IFF edn is a value in member attribute
* of entry with bdn AND that entry has an objectClass
* value of groupOfNames
*/
ldbm_back_group(
Backend *be,
char *bdn,
- char *edn
+ char *edn,
+ char *objectclassValue,
+ char *groupattrName
)
{
struct ldbminfo *li = (struct ldbminfo *) be->be_private;
Debug( LDAP_DEBUG_TRACE, "=> ldbm_back_group: bdn: %s\n", bdn, 0, 0 );
Debug( LDAP_DEBUG_TRACE, "=> ldbm_back_group: edn: %s\n", edn, 0, 0 );
+ Debug( LDAP_DEBUG_TRACE, "=> ldbm_back_group: objectClass: %s attrName: %s\n",
+ objectclassValue, groupattrName, 0 );
/* can we find bdn entry with reader lock */
if ((e = dn2entry_r(be, bdn, &matched )) == NULL) {
if ((objectClass = attr_find(e->e_attrs, "objectclass")) == NULL) {
Debug( LDAP_DEBUG_TRACE, "<= ldbm_back_group: failed to find objectClass\n", 0, 0, 0 );
}
- else if ((member = attr_find(e->e_attrs, "member")) == NULL) {
- Debug( LDAP_DEBUG_TRACE, "<= ldbm_back_group: failed to find member\n", 0, 0, 0 );
+ else if ((member = attr_find(e->e_attrs, groupattrName)) == NULL) {
+ Debug( LDAP_DEBUG_TRACE, "<= ldbm_back_group: failed to find %s\n", groupattrName, 0, 0 );
}
else {
struct berval bvObjectClass;
struct berval bvMembers;
- Debug( LDAP_DEBUG_ARGS, "<= ldbm_back_group: found objectClass and members\n", 0, 0, 0 );
+ Debug( LDAP_DEBUG_ARGS, "<= ldbm_back_group: found objectClass and %s\n", groupattrName, 0, 0 );
- bvObjectClass.bv_val = "groupofnames";
+ bvObjectClass.bv_val = objectclassValue;
bvObjectClass.bv_len = strlen( bvObjectClass.bv_val );
+
bvMembers.bv_val = edn;
bvMembers.bv_len = strlen( edn );
if (value_find(objectClass->a_vals, &bvObjectClass, SYNTAX_CIS, 1) != 0) {
Debug( LDAP_DEBUG_TRACE,
- "<= ldbm_back_group: failed to find objectClass in groupOfNames\n",
- 0, 0, 0 );
+ "<= ldbm_back_group: failed to find %s in objectClass\n",
+ objectclassValue, 0, 0 );
}
else if (value_find(member->a_vals, &bvMembers, SYNTAX_CIS, 1) != 0) {
- Debug( LDAP_DEBUG_ACL, "<= ldbm_back_group: %s not in %s: groupOfNames\n",
- edn, bdn, 0 );
+ Debug( LDAP_DEBUG_ACL, "<= ldbm_back_group: %s not in %s: %s\n",
+ edn, bdn, groupattrName );
}
else {
- Debug( LDAP_DEBUG_ACL, "<= ldbm_back_group: %s is in %s: groupOfNames\n",
- edn, bdn, 0 );
+ Debug( LDAP_DEBUG_ACL, "<= ldbm_back_group: %s is in %s: %s\n",
+ edn, bdn, groupattrName );
rc = 0;
}
}
Debug( LDAP_DEBUG_ARGS, "ldbm_back_group: rc: %d\n", rc, 0, 0 );
return(rc);
}
-#endif
+#endif /* SLAPD_ACLGROUPS */
/* search.c - ldbm backend search function */
+#include "portable.h"
+
#include <stdio.h>
-#include <string.h>
-#include <sys/types.h>
-#include <sys/socket.h>
+
+#include <ac/string.h>
+#include <ac/socket.h>
+
#include "slap.h"
#include "back-ldbm.h"
+#include "proto-back-ldbm.h"
extern time_t currenttime;
extern pthread_mutex_t currenttime_mutex;
-extern ID dn2id();
extern IDList *idl_alloc();
-extern Entry *id2entry();
-extern Entry *dn2entry();
extern Attribute *attr_find();
extern IDList *filter_candidates();
extern char *ch_realloc();
int rmaxsize, nrefs;
char *rbuf, *rcur, *r;
int nentries = 0;
+ char *realBase;
+
+ Debug(LDAP_DEBUG_ARGS, "=> ldbm_back_search\n", 0, 0, 0);
if ( tlimit == 0 && be_isroot( be, op->o_dn ) ) {
tlimit = -1; /* allow root to set no limit */
be->be_sizelimit : slimit;
}
+ /*
+ * check and apply aliasing where the dereferencing applies to
+ * the subordinates of the base
+ */
+ realBase = strdup (base);
+ switch ( deref ) {
+ case LDAP_DEREF_FINDING:
+ case LDAP_DEREF_ALWAYS:
+ free (realBase);
+ realBase = derefDN ( be, conn, op, base );
+ break;
+ }
+
+ (void) dn_normalize (realBase);
+
+ Debug( LDAP_DEBUG_TRACE, "using base %s\n",
+ realBase, 0, 0 );
+
switch ( scope ) {
case LDAP_SCOPE_BASE:
- candidates = base_candidates( be, conn, op, base, filter,
+ candidates = base_candidates( be, conn, op, realBase, filter,
attrs, attrsonly, &matched, &err );
break;
case LDAP_SCOPE_ONELEVEL:
- candidates = onelevel_candidates( be, conn, op, base, filter,
+ candidates = onelevel_candidates( be, conn, op, realBase, filter,
attrs, attrsonly, &matched, &err );
break;
case LDAP_SCOPE_SUBTREE:
- candidates = subtree_candidates( be, conn, op, base, filter,
+ candidates = subtree_candidates( be, conn, op, realBase, filter,
attrs, attrsonly, &matched, NULL, &err, 1 );
break;
}
pthread_mutex_unlock( ¤ttime_mutex );
- /* get the entry */
- if ( (e = id2entry( be, id )) == NULL ) {
- Debug( LDAP_DEBUG_ARGS, "candidate %d not found\n", id,
- 0, 0 );
+ /* get the entry with reader lock */
+ if ( (e = id2entry_r( be, id )) == NULL ) {
+ Debug( LDAP_DEBUG_ARGS, "candidate %d not found\n", id, 0, 0 );
continue;
}
* this for subtree searches, and don't check the filter explicitly
* here since it's only a candidate anyway.
*/
- if ( e->e_dn != NULL && strncasecmp( e->e_dn, "ref=", 4 )
- == 0 && (ref = attr_find( e->e_attrs, "ref" )) != NULL &&
- scope == LDAP_SCOPE_SUBTREE )
+ if ( e->e_dn != NULL &&
+ strncasecmp( e->e_dn, "ref=", 4 ) == 0 &&
+ (ref = attr_find( e->e_attrs, "ref" )) != NULL &&
+ scope == LDAP_SCOPE_SUBTREE )
{
int i, len;
if ( ref->a_vals == NULL ) {
- Debug( LDAP_DEBUG_ANY, "null ref in (%s)\n", 0,
- 0, 0 );
+ Debug( LDAP_DEBUG_ANY, "null ref in (%s)\n",
+ e->e_dn, 0, 0 );
} else {
for ( i = 0; ref->a_vals[i] != NULL; i++ ) {
/* referral + newline + null */
MAKE_SPACE( ref->a_vals[i]->bv_len + 2 );
*rcur++ = '\n';
strncpy( rcur, ref->a_vals[i]->bv_val,
- ref->a_vals[i]->bv_len );
+ ref->a_vals[i]->bv_len );
rcur = rcur + ref->a_vals[i]->bv_len;
*rcur = '\0';
nrefs++;
if ( scope == LDAP_SCOPE_ONELEVEL ) {
if ( (dn = dn_parent( be, e->e_dn )) != NULL ) {
(void) dn_normalize( dn );
- scopeok = (dn == base) ? 1 : (! strcasecmp( dn, base ));
+ scopeok = (dn == realBase) ? 1 : (! strcasecmp( dn, realBase ));
} else {
- scopeok = (base == NULL || *base == '\0');
+ scopeok = (realBase == NULL || *realBase == '\0');
}
free( dn );
} else if ( scope == LDAP_SCOPE_SUBTREE ) {
dn = strdup( e->e_dn );
(void) dn_normalize( dn );
- scopeok = dn_issuffix( dn, base );
+ scopeok = dn_issuffix( dn, realBase );
free( dn );
}
if ( scopeok ) {
/* check size limit */
if ( --slimit == -1 ) {
- cache_return_entry( &li->li_cache, e );
+ cache_return_entry_r( &li->li_cache, e );
send_ldap_search_result( conn, op,
LDAP_SIZELIMIT_EXCEEDED, NULL,
nrefs > 0 ? rbuf : NULL, nentries );
return( 0 );
}
+ /*
+ * check and apply aliasing where the dereferencing applies to
+ * the subordinates of the base
+ */
+ switch ( deref ) {
+ case LDAP_DEREF_SEARCHING:
+ case LDAP_DEREF_ALWAYS:
+ {
+ Entry *newe = derefAlias_r( be, conn, op, e );
+ cache_return_entry_r( &li->li_cache, e );
+ e = newe;
+ }
+ break;
+ }
+
switch ( send_search_entry( be, conn, op, e,
attrs, attrsonly ) ) {
case 0: /* entry sent ok */
case 1: /* entry not sent */
break;
case -1: /* connection closed */
- cache_return_entry( &li->li_cache, e );
+ cache_return_entry_r( &li->li_cache, e );
idl_free( candidates );
free( rbuf );
return( 0 );
}
}
- cache_return_entry( &li->li_cache, e );
+ if( e != NULL ) {
+ /* free reader lock */
+ cache_return_entry_r( &li->li_cache, e );
+ }
pthread_yield();
}
IDList *idl;
Entry *e;
+ Debug(LDAP_DEBUG_TRACE, "base_candidates: base: %s\n", base, 0, 0);
+
*err = LDAP_SUCCESS;
- if ( (e = dn2entry( be, base, matched )) == NULL ) {
+
+ /* get entry with reader lock */
+ if ( (e = dn2entry_r( be, base, matched )) == NULL ) {
*err = LDAP_NO_SUCH_OBJECT;
return( NULL );
}
+ /* check for deleted */
+
idl = idl_alloc( 1 );
idl_insert( &idl, e->e_id, 1 );
- cache_return_entry( &li->li_cache, e );
+
+ /* free reader lock */
+ cache_return_entry_r( &li->li_cache, e );
return( idl );
}
char buf[20];
IDList *candidates;
+ Debug(LDAP_DEBUG_TRACE, "onelevel_candidates: base: %s\n", base, 0, 0);
+
*err = LDAP_SUCCESS;
e = NULL;
- /* get the base object */
- if ( base != NULL && *base != '\0' && (e = dn2entry( be, base,
- matched )) == NULL ) {
+ /* get the base object with reader lock */
+ if ( base != NULL && *base != '\0' &&
+ (e = dn2entry_r( be, base, matched )) == NULL )
+ {
*err = LDAP_NO_SUCH_OBJECT;
return( NULL );
}
f->f_and->f_next = NULL;
filter_free( f );
+ /* free entry and reader lock */
+ cache_return_entry_r( &li->li_cache, e );
return( candidates );
}
Filter *f;
IDList *candidates;
+ Debug(LDAP_DEBUG_TRACE, "subtree_candidates: base: %s\n",
+ base ? base : "NULL", 0, 0);
+
/*
* get the base object - unless we already have it (from one-level).
* also, unless this is a one-level search or a subtree search
*err = LDAP_SUCCESS;
f = NULL;
if ( lookupbase ) {
- if ( base != NULL && *base != '\0' && (e = dn2entry( be, base,
- matched )) == NULL ) {
+ if ( base != NULL && *base != '\0' &&
+ (e = dn2entry_r( be, base, matched )) == NULL )
+ {
*err = LDAP_NO_SUCH_OBJECT;
return( NULL );
}
+ if (e) {
+ cache_return_entry_r( &li->li_cache, e );
+ }
+
f = (Filter *) ch_malloc( sizeof(Filter) );
f->f_next = NULL;
f->f_choice = LDAP_FILTER_OR;
f->f_or = (Filter *) ch_malloc( sizeof(Filter) );
f->f_or->f_choice = LDAP_FILTER_EQUALITY;
f->f_or->f_avtype = strdup( "objectclass" );
- f->f_or->f_avvalue.bv_val = strdup( "referral" );
- f->f_or->f_avvalue.bv_len = strlen( "referral" );
+ /* Patch to use normalized uppercase */
+ f->f_or->f_avvalue.bv_val = strdup( "REFERRAL" );
+ f->f_or->f_avvalue.bv_len = strlen( "REFERRAL" );
f->f_or->f_next = filter;
filter = f;
filter_free( f );
}
- if ( e != NULL ) {
- cache_return_entry( &li->li_cache, e );
- }
-
return( candidates );
}
/* search.c - /etc/passwd backend search function */
+#include "portable.h"
+
#include <stdio.h>
-#include <string.h>
-#include <sys/time.h>
-#include <sys/types.h>
-#include <sys/socket.h>
+
+#include <ac/socket.h>
+#include <ac/string.h>
+#include <ac/time.h>
+
#include <pwd.h>
-#include "portable.h"
+
#include "slap.h"
extern time_t currenttime;
}
pthread_mutex_unlock( &op->o_abandonmutex );
- /* check size limit */
- if ( --slimit == -1 ) {
- send_ldap_result( conn, op, LDAP_SIZELIMIT_EXCEEDED,
- NULL, NULL );
- endpwent();
- return( 0 );
- }
-
/* check time limit */
pthread_mutex_lock( ¤ttime_mutex );
time( ¤ttime );
e = pw2entry( be, pw );
if ( test_filter( be, conn, op, e, filter ) == 0 ) {
+ /* check size limit */
+ if ( --slimit == -1 ) {
+ send_ldap_result( conn, op, LDAP_SIZELIMIT_EXCEEDED,
+ NULL, NULL );
+ endpwent();
+ return( 0 );
+ }
+
send_search_entry( be, conn, op, e, attrs, attrsonly );
}
/* backend.c - routines for dealing with back-end databases */
+#include "portable.h"
+
#include <stdio.h>
-#include <string.h>
-#include <sys/types.h>
-#include <sys/socket.h>
+
+#include <ac/string.h>
+#include <ac/socket.h>
+
#include <sys/stat.h>
+
#include "slap.h"
-#ifdef LDAP_LDBM
+#ifdef SLAPD_LDBM
extern int ldbm_back_bind();
extern int ldbm_back_unbind();
extern int ldbm_back_search();
extern int ldbm_back_config();
extern int ldbm_back_init();
extern int ldbm_back_close();
+extern int ldbm_back_group();
#endif
-#ifdef LDAP_PASSWD
+#ifdef SLAPD_PASSWD
extern int passwd_back_search();
extern int passwd_back_config();
#endif
-#ifdef LDAP_SHELL
+#ifdef SLAPD_SHELL
extern int shell_back_bind();
extern int shell_back_unbind();
extern int shell_back_search();
be->be_timelimit = deftime;
foundit = 0;
-#ifdef LDAP_LDBM
+#ifdef SLAPD_LDBM
if ( strcasecmp( type, "ldbm" ) == 0 ) {
be->be_bind = ldbm_back_bind;
be->be_unbind = ldbm_back_unbind;
be->be_config = ldbm_back_config;
be->be_init = ldbm_back_init;
be->be_close = ldbm_back_close;
+#ifdef SLAPD_ACLGROUPS
+ be->be_group = ldbm_back_group;
+#endif
be->be_type = "ldbm";
foundit = 1;
}
#endif
-#ifdef LDAP_PASSWD
+#ifdef SLAPD_PASSWD
if ( strcasecmp( type, "passwd" ) == 0 ) {
be->be_bind = NULL;
be->be_unbind = NULL;
be->be_config = passwd_back_config;
be->be_init = NULL;
be->be_close = NULL;
+#ifdef SLAPD_ACLGROUPS
+ be->be_group = NULL;
+#endif
be->be_type = "passwd";
foundit = 1;
}
#endif
-#ifdef LDAP_SHELL
+#ifdef SLAPD_SHELL
if ( strcasecmp( type, "shell" ) == 0 ) {
be->be_bind = shell_back_bind;
be->be_unbind = shell_back_unbind;
be->be_config = shell_back_config;
be->be_init = shell_back_init;
be->be_close = NULL;
+#ifdef SLAPD_ACLGROUPS
+ be->be_group = NULL;
+#endif
be->be_type = "shell";
foundit = 1;
}
dnlen = strlen( dn );
for ( i = 0; i < nbackends; i++ ) {
for ( j = 0; backends[i].be_suffix != NULL &&
- backends[i].be_suffix[j] != NULL; j++ ) {
+ backends[i].be_suffix[j] != NULL; j++ )
+ {
+#ifdef LDAP_ALLOW_NULL_SEARCH_BASE
+ /* Add greg@greg.rim.or.jp
+ * It's quick hack for cheap client
+ * Some browser offer a NULL base at ldap_search
+ */
+ if(dnlen == 0) {
+ Debug( LDAP_DEBUG_TRACE,
+ "select_backend: use default backend\n", 0, 0, 0 );
+ return (&backends[i]);
+ }
+#endif /* LDAP_ALLOW_NULL_SEARCH_BASE */
+
len = strlen( backends[i].be_suffix[j] );
if ( len > dnlen ) {
}
}
+ /* if no proper suffix could be found then check for aliases */
+ for ( i = 0; i < nbackends; i++ ) {
+ for ( j = 0;
+ backends[i].be_suffixAlias != NULL &&
+ backends[i].be_suffixAlias[j] != NULL;
+ j += 2 )
+ {
+ len = strlen( backends[i].be_suffixAlias[j] );
+
+ if ( len > dnlen ) {
+ continue;
+ }
+
+ if ( strcasecmp( backends[i].be_suffixAlias[j],
+ dn + (dnlen - len) ) == 0 ) {
+ return( &backends[i] );
+ }
+ }
+ }
+
+
return( NULL );
}
}
}
}
+
+#ifdef SLAPD_ACLGROUPS
+int
+be_group(Backend *be, char *bdn, char *edn, char *objectclassValue, char *groupattrName)
+{
+ if (be->be_group)
+ return(be->be_group(be, bdn, edn, objectclassValue, groupattrName));
+ else
+ return(1);
+}
+#endif
/* filter.c - routines for parsing and dealing with filters */
+#include "portable.h"
+
#include <stdio.h>
-#include <string.h>
-#include <sys/types.h>
-#include <sys/socket.h>
+
+#include <ac/socket.h>
+#include <ac/string.h>
+
#include "slap.h"
static int get_filter_list();
err = 0;
*fstr = NULL;
f->f_choice = ber_peek_tag( ber, &len );
-#ifdef COMPAT30
+#ifdef LDAP_COMPAT30
if ( conn->c_version == 30 ) {
switch ( f->f_choice ) {
case LDAP_FILTER_EQUALITY:
Debug( LDAP_DEBUG_FILTER, "AND\n", 0, 0, 0 );
if ( (err = get_filter_list( conn, ber, &f->f_and, &ftmp ))
== 0 ) {
+ if (ftmp == NULL) ftmp = strdup("");
*fstr = ch_malloc( 4 + strlen( ftmp ) );
sprintf( *fstr, "(&%s)", ftmp );
free( ftmp );
Debug( LDAP_DEBUG_FILTER, "OR\n", 0, 0, 0 );
if ( (err = get_filter_list( conn, ber, &f->f_or, &ftmp ))
== 0 ) {
+ if (ftmp == NULL) ftmp = strdup("");
*fstr = ch_malloc( 4 + strlen( ftmp ) );
sprintf( *fstr, "(|%s)", ftmp );
free( ftmp );
Debug( LDAP_DEBUG_FILTER, "NOT\n", 0, 0, 0 );
(void) ber_skip_tag( ber, &len );
if ( (err = get_filter( conn, ber, &f->f_not, &ftmp )) == 0 ) {
+ if (ftmp == NULL) ftmp = strdup("");
*fstr = ch_malloc( 4 + strlen( ftmp ) );
sprintf( *fstr, "(!%s)", ftmp );
free( ftmp );
Debug( LDAP_DEBUG_FILTER, "begin get_filter_list\n", 0, 0, 0 );
-#ifdef COMPAT30
+#ifdef LDAP_COMPAT30
if ( conn->c_version == 30 ) {
(void) ber_skip_tag( ber, &len );
}
Debug( LDAP_DEBUG_FILTER, "begin get_substring_filter\n", 0, 0, 0 );
-#ifdef COMPAT30
+#ifdef LDAP_COMPAT30
if ( conn->c_version == 30 ) {
(void) ber_skip_tag( ber, &len );
}
sprintf( *fstr, "(%s=", f->f_sub_type );
for ( tag = ber_first_element( ber, &len, &last ); tag != LBER_DEFAULT;
tag = ber_next_element( ber, &len, last ) ) {
-#ifdef COMPAT30
+#ifdef LDAP_COMPAT30
if ( conn->c_version == 30 ) {
rc = ber_scanf( ber, "{a}", &val );
} else
value_normalize( val, syntax );
switch ( tag ) {
-#ifdef COMPAT30
+#ifdef LDAP_COMPAT30
case LDAP_SUBSTRING_INITIAL_30:
#endif
case LDAP_SUBSTRING_INITIAL:
strcat( *fstr, val );
break;
-#ifdef COMPAT30
+#ifdef LDAP_COMPAT30
case LDAP_SUBSTRING_ANY_30:
#endif
case LDAP_SUBSTRING_ANY:
strcat( *fstr, val );
break;
-#ifdef COMPAT30
+#ifdef LDAP_COMPAT30
case LDAP_SUBSTRING_FINAL_30:
#endif
case LDAP_SUBSTRING_FINAL:
Filter *p;
if ( f == NULL ) {
- printf( "NULL" );
+ fprintf( stderr, "NULL" );
}
switch ( f->f_choice ) {
case LDAP_FILTER_EQUALITY:
- printf( "(%s=%s)", f->f_ava.ava_type,
+ fprintf( stderr, "(%s=%s)", f->f_ava.ava_type,
f->f_ava.ava_value.bv_val );
break;
case LDAP_FILTER_GE:
- printf( "(%s>=%s)", f->f_ava.ava_type,
+ fprintf( stderr, "(%s>=%s)", f->f_ava.ava_type,
f->f_ava.ava_value.bv_val );
break;
case LDAP_FILTER_LE:
- printf( "(%s<=%s)", f->f_ava.ava_type,
+ fprintf( stderr, "(%s<=%s)", f->f_ava.ava_type,
f->f_ava.ava_value.bv_val );
break;
case LDAP_FILTER_APPROX:
- printf( "(%s~=%s)", f->f_ava.ava_type,
+ fprintf( stderr, "(%s~=%s)", f->f_ava.ava_type,
f->f_ava.ava_value.bv_val );
break;
case LDAP_FILTER_SUBSTRINGS:
- printf( "(%s=", f->f_sub_type );
+ fprintf( stderr, "(%s=", f->f_sub_type );
if ( f->f_sub_initial != NULL ) {
- printf( "%s", f->f_sub_initial );
+ fprintf( stderr, "%s", f->f_sub_initial );
}
if ( f->f_sub_any != NULL ) {
for ( i = 0; f->f_sub_any[i] != NULL; i++ ) {
- printf( "*%s", f->f_sub_any[i] );
+ fprintf( stderr, "*%s", f->f_sub_any[i] );
}
}
charray_free( f->f_sub_any );
if ( f->f_sub_final != NULL ) {
- printf( "*%s", f->f_sub_final );
+ fprintf( stderr, "*%s", f->f_sub_final );
}
break;
case LDAP_FILTER_PRESENT:
- printf( "%s=*", f->f_type );
+ fprintf( stderr, "%s=*", f->f_type );
break;
case LDAP_FILTER_AND:
case LDAP_FILTER_OR:
case LDAP_FILTER_NOT:
- printf( "(%c", f->f_choice == LDAP_FILTER_AND ? '&' :
+ fprintf( stderr, "(%c", f->f_choice == LDAP_FILTER_AND ? '&' :
f->f_choice == LDAP_FILTER_OR ? '|' : '!' );
for ( p = f->f_list; p != NULL; p = p->f_next ) {
filter_print( p );
}
- printf( ")" );
+ fprintf( stderr, ")" );
break;
default:
- printf( "unknown type %d", f->f_choice );
+ fprintf( stderr, "unknown type %d", f->f_choice );
break;
}
}
#ifndef _SLDAPD_H_
#define _SLDAPD_H_
-#define LDAP_SYSLOG
+#include "portable.h"
+
+#include <stdlib.h>
+
+#include <sys/types.h>
+#include <ac/syslog.h>
+#include <ac/regex.h>
+
+#undef NDEBUG
+#include <assert.h>
-#include <syslog.h>
#include "avl.h"
#include "lber.h"
#include "ldap.h"
#include "lthread.h"
+#include "lthread_rdwr.h"
#include "ldif.h"
#define DN_DNS 0
#define ON 1
#define OFF (-1)
+#define UNDEFINED 0
+
+#define MAXREMATCHES 10
+
+LDAP_BEGIN_DECL
/*
* represents an attribute value assertion (i.e., attr=value)
ID e_id; /* id of this entry - this should */
/* really be private to back-ldbm */
char e_state; /* for the cache */
+
+ pthread_rdwr_t e_rdwr; /* reader/writer lock */
+
#define ENTRY_STATE_DELETED 1
#define ENTRY_STATE_CREATING 2
int e_refcnt; /* # threads ref'ing this entry */
char *a_domainpat;
char *a_dnattr;
long a_access;
+
+#ifdef SLAPD_ACLGROUPS
+ char *a_group;
+ char *a_objectclassvalue;
+ char *a_groupattrname;
+#endif
+
#define ACL_NONE 0x01
#define ACL_COMPARE 0x02
#define ACL_SEARCH 0x04
struct acl {
/* "to" part: the entries this acl applies to */
Filter *acl_filter;
+ regex_t acl_dnre;
char *acl_dnpat;
char **acl_attrs;
typedef struct backend {
char **be_suffix; /* the DN suffixes of data in this backend */
+ char **be_suffixAlias; /* the DN suffix aliases of data in this backend */
char *be_rootdn; /* the magic "root" dn for this db */
char *be_rootpw; /* the magic "root" password for this db */
int be_readonly; /* 1 => db is in "read only" mode */
+ int be_maxDerefDepth; /* limit for depth of an alias deref */
int be_sizelimit; /* size limit for this backend */
int be_timelimit; /* time limit for this backend */
struct acl *be_acl; /* access control list for this backend */
IFP be_config; /* backend config routine */
IFP be_init; /* backend init routine */
IFP be_close; /* backend close routine */
+
+#ifdef SLAPD_ACLGROUPS
+ IFP be_group; /* backend group member test */
+#endif
} Backend;
/*
unsigned long o_tag; /* tag of the request */
time_t o_time; /* time op was initiated */
char *o_dn; /* dn bound when op was initiated */
+ char *o_suffix; /* suffix if aliased */
+ char *o_suffixAliased; /* pending suffix translation */
int o_authtype; /* auth method used to bind dn */
/* values taken from ldap.h */
/* LDAP_AUTH_* */
int o_opid; /* id of this operation */
int o_connid; /* id of conn initiating this op */
-#ifdef CLDAP
+#ifdef LDAP_CONNECTIONLESS
int o_cldap; /* != 0 if this came in via CLDAP */
struct sockaddr o_clientaddr; /* client address if via CLDAP */
char o_searchbase; /* search base if via CLDAP */
char *c_dn; /* current DN bound to this conn */
pthread_mutex_t c_dnmutex; /* mutex for c_dn field */
int c_authtype; /* auth method used to bind c_dn */
-#ifdef COMPAT
+#ifdef LDAP_COMPAT
int c_version; /* for compatibility w/2.0, 3.0 */
#endif
char *c_addr; /* address of client on this conn */
#define Statslog( level, fmt, connid, opid, arg1, arg2, arg3 )
#endif
-#ifdef NEEDPROTOS
#include "proto-slap.h"
-#endif
+
+LDAP_END_DECL
#endif /* _slap_h_ */
projects / thirdparty / openldap.git / commitdiff
