From: Kurt Zeilenga Date: Wed, 28 Oct 1998 00:04:01 +0000 (+0000) Subject: Merge in fixes/minor enhancements from from -devel. X-Git-Tag: OPENLDAP_REL_ENG_1_1_ALPHA~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ea9c01404eddb8b4666cca2f9dc46d2acdef1ff3;p=thirdparty%2Fopenldap.git Merge in fixes/minor enhancements from from -devel. --- diff --git a/doc/man/man1/ldapsearch.1 b/doc/man/man1/ldapsearch.1 index 2d66334d80..f1b5d43a55 100644 --- a/doc/man/man1/ldapsearch.1 +++ b/doc/man/man1/ldapsearch.1 @@ -1,4 +1,4 @@ -.TH LDAPSEARCH 1 "29 March 1996" "U-M LDAP LDVERSION" +.TH LDAPSEARCH 1 "22 September 1998" "OpenLDAP LDVERSION" .SH NAME ldapsearch \- ldap search tool .SH SYNOPSIS @@ -164,7 +164,7 @@ base object for the search. The default is to never dereference aliases. wait at most \fItimelimit\fP seconds for a search to complete. .TP .B \-z sizelimit -retrieve at most \fIsizelimit\fP seconds for a search to complete. +retrieve at most \fIsizelimit\fP entries for a search. .SH OUTPUT FORMAT If one or more entries are found, each entry is written to standard output in the form: @@ -289,3 +289,8 @@ Howes, T., .SM RFC 1558, University of Michigan, December 1993. +.SH ACKNOWLEDGEMENTS +.B OpenLDAP +is developed and maintained by The OpenLDAP Project (http://www.openldap.org/). +.B OpenLDAP +is derived from University of Michigan LDAP 3.3 Release. diff --git a/servers/slapd/acl.c b/servers/slapd/acl.c index 6c3b22ee85..a9fcc6a120 100644 --- a/servers/slapd/acl.c +++ b/servers/slapd/acl.c @@ -1,20 +1,16 @@ /* acl.c - routines to parse and check acl's */ +#include "portable.h" + #include -#include -#include -#include -#include -#include -#ifdef sunos5 -#include "regexpr.h" -#else -#include "regex.h" -#endif + +#include +#include +#include + #include "slap.h" extern Attribute *attr_find(); -extern char *re_comp(); extern struct acl *global_acl; extern int global_default_access; extern char *access2str(); @@ -26,7 +22,9 @@ struct acl *acl_get_applicable(); static int regex_matches(); -extern pthread_mutex_t regex_mutex; +static string_expand(char *newbuf, int bufsiz, char *pattern, + char *match, regmatch_t *matches); + /* * access_allowed - check whether dn is allowed the requested access @@ -51,15 +49,57 @@ access_allowed( int access ) { - int rc; - struct acl *a; + int rc; + struct acl *a; + char *edn; + + regmatch_t matches[MAXREMATCHES]; + int i; + int n; if ( be == NULL ) { return( 0 ); } - a = acl_get_applicable( be, op, e, attr ); - rc = acl_access_allowed( a, be, conn, e, val, op, access ); + edn = dn_normalize_case( strdup( e->e_dn ) ); + Debug( LDAP_DEBUG_ACL, "\n=> access_allowed: entry (%s) attr (%s)\n", + e->e_dn, attr, 0 ); + + /* the lastmod attributes are ignored by ACL checking */ + if ( strcasecmp( attr, "modifiersname" ) == 0 || + strcasecmp( attr, "modifytimestamp" ) == 0 || + strcasecmp( attr, "creatorsname" ) == 0 || + strcasecmp( attr, "createtimestamp" ) == 0 ) + { + Debug( LDAP_DEBUG_ACL, "LASTMOD attribute: %s access allowed\n", + attr, 0, 0 ); + free( edn ); + return(1); + } + + memset(matches, 0, sizeof(matches)); + + a = acl_get_applicable( be, op, e, attr, edn, MAXREMATCHES, matches ); + + if (a) { + for (i = 0; i < MAXREMATCHES && matches[i].rm_so > 0; i++) { + Debug( LDAP_DEBUG_ARGS, "=> match[%d]: %d %d ", + i, matches[i].rm_so, matches[i].rm_eo ); + + if( matches[i].rm_so <= matches[0].rm_eo ) { + for ( n = matches[i].rm_so; n < matches[i].rm_eo; n++) { + Debug( LDAP_DEBUG_ARGS, "%c", edn[n], 0, 0 ); + } + } + Debug( LDAP_DEBUG_ARGS, "\n", 0, 0, 0 ); + } + } + + rc = acl_access_allowed( a, be, conn, e, val, op, access, edn, matches ); + free( edn ); + + Debug( LDAP_DEBUG_ACL, "\n=> access_allowed: exit (%s) attr (%s)\n", + e->e_dn, attr, 0); return( rc ); } @@ -75,15 +115,17 @@ acl_get_applicable( Backend *be, Operation *op, Entry *e, - char *attr + char *attr, + char *edn, + int nmatch, + regmatch_t *matches ) { - int i; + int i, j; struct acl *a; - char *edn; - Debug( LDAP_DEBUG_ACL, "=> acl_get: entry (%s) attr (%s)\n", e->e_dn, - attr, 0 ); + Debug( LDAP_DEBUG_ACL, "\n=> acl_get: entry (%s) attr (%s)\n", + e->e_dn, attr, 0 ); if ( be_isroot( be, op->o_dn ) ) { Debug( LDAP_DEBUG_ACL, @@ -92,55 +134,73 @@ acl_get_applicable( return( NULL ); } + Debug( LDAP_DEBUG_ARGS, "=> acl_get: edn %s\n", edn, 0, 0 ); + /* check for a backend-specific acl that matches the entry */ for ( i = 1, a = be->be_acl; a != NULL; a = a->acl_next, i++ ) { - if ( a->acl_dnpat != NULL ) { - edn = dn_normalize_case( strdup( e->e_dn ) ); - if ( ! regex_matches( a->acl_dnpat, edn ) ) { - free( edn ); + if (a->acl_dnpat != NULL) { + Debug( LDAP_DEBUG_TRACE, "=> dnpat: [%d] %s nsub: %d\n", + i, a->acl_dnpat, a->acl_dnre.re_nsub); + + if (regexec(&a->acl_dnre, edn, nmatch, matches, 0)) continue; - } - free( edn ); + else + Debug( LDAP_DEBUG_TRACE, "=> acl_get:[%d] backend ACL match\n", + i, 0, 0); } + if ( a->acl_filter != NULL ) { - if ( test_filter( NULL, NULL, NULL, e, a->acl_filter ) - != 0 ) { + if ( test_filter( NULL, NULL, NULL, e, a->acl_filter ) != 0 ) { continue; } } + + Debug( LDAP_DEBUG_ARGS, "=> acl_get: [%d] check attr %s\n", i, attr, 0); + if ( attr == NULL || a->acl_attrs == NULL || - charray_inlist( a->acl_attrs, attr ) ) { - Debug( LDAP_DEBUG_ACL, "<= acl_get: backend acl #%d\n", - i, e->e_dn, attr ); + charray_inlist( a->acl_attrs, attr ) ) + { + Debug( LDAP_DEBUG_ACL, "<= acl_get: [%d] backend acl %s attr: %s\n", + i, e->e_dn, attr ); return( a ); } + matches[0].rm_so = matches[0].rm_eo = -1; } /* check for a global acl that matches the entry */ for ( i = 1, a = global_acl; a != NULL; a = a->acl_next, i++ ) { - if ( a->acl_dnpat != NULL ) { - edn = dn_normalize_case( strdup( e->e_dn ) ); - if ( ! regex_matches( a->acl_dnpat, edn ) ) { - free( edn ); + if (a->acl_dnpat != NULL) { + Debug( LDAP_DEBUG_TRACE, "=> dnpat: [%d] %s nsub: %d\n", + i, a->acl_dnpat, a->acl_dnre.re_nsub); + + if (regexec(&a->acl_dnre, edn, nmatch, matches, 0)) { continue; + } else { + Debug( LDAP_DEBUG_TRACE, "=> acl_get: [%d] global ACL match\n", + i, 0, 0); } - free( edn ); } + if ( a->acl_filter != NULL ) { - if ( test_filter( NULL, NULL, NULL, e, a->acl_filter ) - != 0 ) { + if ( test_filter( NULL, NULL, NULL, e, a->acl_filter ) != 0 ) { continue; } } - if ( attr == NULL || a->acl_attrs == NULL || charray_inlist( - a->acl_attrs, attr ) ) { - Debug( LDAP_DEBUG_ACL, "<= acl_get: global acl #%d\n", - i, e->e_dn, attr ); + + Debug( LDAP_DEBUG_ARGS, "=> acl_get: [%d] check attr\n", i, 0, 0); + + if ( attr == NULL || a->acl_attrs == NULL || + charray_inlist( a->acl_attrs, attr ) ) + { + Debug( LDAP_DEBUG_ACL, "<= acl_get: [%d] global acl %s attr: %s\n", + i, e->e_dn, attr ); return( a ); } + + matches[0].rm_so = matches[0].rm_eo = -1; } - Debug( LDAP_DEBUG_ACL, "<= acl_get: no match\n", 0, 0, 0 ); + Debug( LDAP_DEBUG_ACL, "<= acl_get: no match\n", 0, 0, 0 ); return( NULL ); } @@ -161,31 +221,40 @@ acl_access_allowed( Entry *e, struct berval *val, Operation *op, - int access + int access, + char *edn, + regmatch_t *matches ) { int i; - char *edn, *odn; + char *odn; struct access *b; Attribute *at; struct berval bv; int default_access; - Debug( LDAP_DEBUG_ACL, "=> acl: %s access to value \"%s\" by \"%s\"\n", - access2str( access ), val ? val->bv_val : "any", op->o_dn ? - op->o_dn : "" ); + Debug( LDAP_DEBUG_ACL, + "\n=> acl_access_allowed: %s access to entry \"%s\"\n", + access2str( access ), e->e_dn, 0 ); + + Debug( LDAP_DEBUG_ACL, + "\n=> acl_access_allowed: %s access to value \"%s\" by \"%s\"\n", + access2str( access ), + val ? val->bv_val : "any", + op->o_dn ? op->o_dn : "" ); if ( be_isroot( be, op->o_dn ) ) { - Debug( LDAP_DEBUG_ACL, "<= acl: granted to database root\n", + Debug( LDAP_DEBUG_ACL, + "<= acl_access_allowed: granted to database root\n", 0, 0, 0 ); return( 1 ); } - default_access = be->be_dfltaccess ? be->be_dfltaccess : - global_default_access; + default_access = be->be_dfltaccess ? be->be_dfltaccess : global_default_access; + if ( a == NULL ) { Debug( LDAP_DEBUG_ACL, - "<= acl: %s by default (no matching to)\n", + "<= acl_access_allowed: %s by default (no matching to)\n", default_access >= access ? "granted" : "denied", 0, 0 ); return( default_access >= access ); } @@ -198,76 +267,78 @@ acl_access_allowed( } for ( i = 1, b = a->acl_access; b != NULL; b = b->a_next, i++ ) { if ( b->a_dnpat != NULL ) { + Debug( LDAP_DEBUG_TRACE, "<= check a_dnpat: %s\n", + b->a_dnpat, 0, 0); /* * if access applies to the entry itself, and the * user is bound as somebody in the same namespace as * the entry, OR the given dn matches the dn pattern */ - if ( strcasecmp( b->a_dnpat, "self" ) == 0 && op->o_dn - != NULL && *(op->o_dn) && e->e_dn != NULL ) { - edn = dn_normalize_case( strdup( e->e_dn ) ); + if ( strcasecmp( b->a_dnpat, "self" ) == 0 && + op->o_dn != NULL && *(op->o_dn) && e->e_dn != NULL ) + { if ( strcasecmp( edn, op->o_dn ) == 0 ) { - free( edn ); - if ( odn ) free( odn ); Debug( LDAP_DEBUG_ACL, - "<= acl: matched by clause #%d access %s\n", + "<= acl_access_allowed: matched by clause #%d access %s\n", i, (b->a_access & ~ACL_SELF) >= access ? "granted" : "denied", 0 ); - return( (b->a_access & ~ACL_SELF) - >= access ); + if ( odn ) free( odn ); + return( (b->a_access & ~ACL_SELF) >= access ); } - free( edn ); } else { - if ( regex_matches( b->a_dnpat, odn ) ) { - if ( odn ) free( odn ); + if ( regex_matches( b->a_dnpat, odn, edn, matches ) ) { Debug( LDAP_DEBUG_ACL, - "<= acl: matched by clause #%d access %s\n", + "<= acl_access_allowed: matched by clause #%d access %s\n", i, (b->a_access & ~ACL_SELF) >= access ? "granted" : "denied", 0 ); - return( (b->a_access & ~ACL_SELF) - >= access ); + if ( odn ) free( odn ); + return( (b->a_access & ~ACL_SELF) >= access ); } } } if ( b->a_addrpat != NULL ) { - if ( regex_matches( b->a_addrpat, conn->c_addr ) ) { - if ( odn ) free( odn ); + if ( regex_matches( b->a_addrpat, conn->c_addr, edn, matches ) ) { Debug( LDAP_DEBUG_ACL, - "<= acl: matched by clause #%d access %s\n", + "<= acl_access_allowed: matched by clause #%d access %s\n", i, (b->a_access & ~ACL_SELF) >= access ? "granted" : "denied", 0 ); + if ( odn ) free( odn ); return( (b->a_access & ~ACL_SELF) >= access ); } } if ( b->a_domainpat != NULL ) { - if ( regex_matches( b->a_domainpat, conn->c_domain ) ) { - if ( odn ) free( odn ); + Debug( LDAP_DEBUG_ARGS, "<= check a_domainpath: %s\n", + b->a_domainpat, 0, 0 ); + if ( regex_matches( b->a_domainpat, conn->c_domain, edn, matches ) ) + { Debug( LDAP_DEBUG_ACL, - "<= acl: matched by clause #%d access %s\n", + "<= acl_access_allowed: matched by clause #%d access %s\n", i, (b->a_access & ~ACL_SELF) >= access ? "granted" : "denied", 0 ); + if ( odn ) free( odn ); return( (b->a_access & ~ACL_SELF) >= access ); } } if ( b->a_dnattr != NULL && op->o_dn != NULL ) { + Debug( LDAP_DEBUG_ARGS, "<= check a_dnattr: %s\n", + b->a_dnattr, 0, 0); /* see if asker is listed in dnattr */ - if ( (at = attr_find( e->e_attrs, b->a_dnattr )) - != NULL && value_find( at->a_vals, &bv, - at->a_syntax, 3 ) == 0 ) + if ( (at = attr_find( e->e_attrs, b->a_dnattr )) != NULL && + value_find( at->a_vals, &bv, at->a_syntax, 3 ) == 0 ) { - if ( (b->a_access & ACL_SELF) && (val == NULL - || value_cmp( &bv, val, at->a_syntax, - 2 )) ) { + if ( (b->a_access & ACL_SELF) && + (val == NULL || value_cmp( &bv, val, at->a_syntax, 2 )) ) + { continue; } if ( odn ) free( odn ); Debug( LDAP_DEBUG_ACL, - "<= acl: matched by clause #%d access %s\n", + "<= acl_acces_allowed: matched by clause #%d access %s\n", i, (b->a_access & ~ACL_SELF) >= access ? "granted" : "denied", 0 ); @@ -276,22 +347,44 @@ acl_access_allowed( /* asker not listed in dnattr - check for self access */ if ( ! (b->a_access & ACL_SELF) || val == NULL || - value_cmp( &bv, val, at->a_syntax, 2 ) != 0 ) { + value_cmp( &bv, val, at->a_syntax, 2 ) != 0 ) + { continue; } if ( odn ) free( odn ); Debug( LDAP_DEBUG_ACL, - "<= acl: matched by clause #%d (self) access %s\n", + "<= acl_access_allowed: matched by clause #%d (self) access %s\n", i, (b->a_access & ~ACL_SELF) >= access ? "granted" : "denied", 0 ); return( (b->a_access & ~ACL_SELF) >= access ); } +#ifdef SLAPD_ACLGROUPS + if ( b->a_group != NULL && op->o_dn != NULL ) { + char buf[512]; + + /* b->a_group is an unexpanded entry name, expanded it should be an + * entry with objectclass group* and we test to see if odn is one of + * the values in the attribute group + */ + /* see if asker is listed in dnattr */ + string_expand(buf, sizeof(buf), b->a_group, edn, matches); + + if (be_group(be, buf, odn, b->a_objectclassvalue, b->a_groupattrname) == 0) { + Debug( LDAP_DEBUG_ACL, + "<= acl_access_allowed: matched by clause #%d (group) access granted\n", + i, 0, 0 ); + if ( odn ) free( odn ); + return( (b->a_access & ~ACL_SELF) >= access ); + } + } +#endif /* SLAPD_ACLGROUPS */ } if ( odn ) free( odn ); - Debug( LDAP_DEBUG_ACL, "<= acl: %s by default (no matching by)\n", + Debug( LDAP_DEBUG_ACL, + "<= acl_access_allowed: %s by default (no matching by)\n", default_access >= access ? "granted" : "denied", 0, 0 ); return( default_access >= access ); @@ -316,14 +409,26 @@ acl_check_mods( { int i; struct acl *a; + char *edn; + + edn = dn_normalize_case( strdup( e->e_dn ) ); for ( ; mods != NULL; mods = mods->mod_next ) { + regmatch_t matches[MAXREMATCHES]; + + /* the lastmod attributes are ignored by ACL checking */ if ( strcasecmp( mods->mod_type, "modifiersname" ) == 0 || - strcasecmp( mods->mod_type, "modifytimestamp" ) == 0 ) { + strcasecmp( mods->mod_type, "modifytimestamp" ) == 0 || + strcasecmp( mods->mod_type, "creatorsname" ) == 0 || + strcasecmp( mods->mod_type, "createtimestamp" ) == 0 ) + { + Debug( LDAP_DEBUG_ACL, "LASTMOD attribute: %s access allowed\n", + mods->mod_type, 0, 0 ); continue; } - a = acl_get_applicable( be, op, e, mods->mod_type ); + a = acl_get_applicable( be, op, e, mods->mod_type, edn, + MAXREMATCHES, matches ); switch ( mods->mod_op & ~LDAP_MOD_BVALUES ) { case LDAP_MOD_REPLACE: @@ -332,8 +437,10 @@ acl_check_mods( break; } for ( i = 0; mods->mod_bvalues[i] != NULL; i++ ) { - if ( ! acl_access_allowed( a, be, conn, e, - mods->mod_bvalues[i], op, ACL_WRITE ) ) { + if ( ! acl_access_allowed( a, be, conn, e, mods->mod_bvalues[i], + op, ACL_WRITE, edn, matches) ) + { + free(edn); return( LDAP_INSUFFICIENT_ACCESS ); } } @@ -342,14 +449,18 @@ acl_check_mods( case LDAP_MOD_DELETE: if ( mods->mod_bvalues == NULL ) { if ( ! acl_access_allowed( a, be, conn, e, - NULL, op, ACL_WRITE ) ) { + NULL, op, ACL_WRITE, edn, matches) ) + { + free(edn); return( LDAP_INSUFFICIENT_ACCESS ); } break; } for ( i = 0; mods->mod_bvalues[i] != NULL; i++ ) { - if ( ! acl_access_allowed( a, be, conn, e, - mods->mod_bvalues[i], op, ACL_WRITE ) ) { + if ( ! acl_access_allowed( a, be, conn, e, mods->mod_bvalues[i], + op, ACL_WRITE, edn, matches) ) + { + free(edn); return( LDAP_INSUFFICIENT_ACCESS ); } } @@ -357,48 +468,95 @@ acl_check_mods( } } + free(edn); return( LDAP_SUCCESS ); } -#ifdef sunos5 - -static int -regex_matches( char *pat, char *str ) +static string_expand( + char *newbuf, + int bufsiz, + char *pat, + char *match, + regmatch_t *matches) { - char *e; - int rc; - - if ( (e = compile( pat, NULL, NULL )) == NULL ) { - Debug( LDAP_DEBUG_ANY, - "compile( \"%s\", \"%s\") failed\n", pat, str, 0 ); - return( 0 ); + int size; + char *sp; + char *dp; + int flag; + + size = 0; + newbuf[0] = '\0'; + + flag = 0; + for ( dp = newbuf, sp = pat; size < 512 && *sp ; sp++) { + /* did we previously see a $ */ + if (flag) { + if (*sp == '$') { + *dp++ = '$'; + size++; + } else if (*sp >= '0' && *sp <= '9' ) { + int n; + int i; + char *ep; + int l; + + n = *sp - '0'; + *dp = '\0'; + i = matches[n].rm_so; + l = matches[n].rm_eo; + for ( ; size < 512 && i < l; size++, i++ ) { + *dp++ = match[i]; + size++; + } + *dp = '\0'; + } + flag = 0; + } else { + if (*sp == '$') { + flag = 1; + } else { + *dp++ = *sp; + size++; + } + } } - rc = step( str ? str : "", e ); - free( e ); + *dp = '\0'; - return( rc ); + Debug( LDAP_DEBUG_TRACE, "=> string_expand: pattern: %s\n", pat, 0, 0 ); + Debug( LDAP_DEBUG_TRACE, "=> string_expand: expanded: %s\n", newbuf, 0, 0 ); } -#else /* sunos5 */ - static int -regex_matches( char *pat, char *str ) +regex_matches( + char *pat, /* pattern to expand and match against */ + char *str, /* string to match against pattern */ + char *buf, /* buffer with $N expansion variables */ + regmatch_t *matches /* offsets in buffer for $N expansion variables */ +) { - char *e; + regex_t re; + char newbuf[512]; int rc; - pthread_mutex_lock( ®ex_mutex ); - if ( (e = re_comp( pat )) != NULL ) { - Debug( LDAP_DEBUG_ANY, - "re_comp( \"%s\", \"%s\") failed because (%s)\n", pat, str, - e ); - pthread_mutex_unlock( ®ex_mutex ); + string_expand(newbuf, sizeof(newbuf), pat, buf, matches); + if (( rc = regcomp(&re, newbuf, REG_EXTENDED|REG_ICASE))) { + char error[512]; + regerror(rc, &re, error, sizeof(error)); + + Debug( LDAP_DEBUG_TRACE, + "compile( \"%s\", \"%s\") failed %s\n", + pat, str, error ); return( 0 ); } - rc = re_exec( str ? str : "" ); - pthread_mutex_unlock( ®ex_mutex ); - return( rc == 1 ); + rc = regexec(&re, str, 0, NULL, 0); + regfree( &re ); + + Debug( LDAP_DEBUG_TRACE, + "=> regex_matches: string: %s\n", str, 0, 0 ); + Debug( LDAP_DEBUG_TRACE, + "=> regex_matches: rc: %d %s\n", + rc, !rc ? "matches" : "no matches", 0 ); + return( !rc ); } -#endif /* sunos5 */ diff --git a/servers/slapd/aclparse.c b/servers/slapd/aclparse.c index 10fa6a0721..cc208217bb 100644 --- a/servers/slapd/aclparse.c +++ b/servers/slapd/aclparse.c @@ -1,18 +1,18 @@ /* acl.c - routines to parse and check acl's */ +#include "portable.h" #include -#include -#include -#include -#include -#include -#include "regex.h" + +#include +#include +#include +#include +#include + #include "slap.h" -#include "portable.h" extern Filter *str2filter(); -extern char *re_comp(); extern struct acl *global_acl; extern char **str2charray(); extern char *dn_upcase(); @@ -26,6 +26,62 @@ static void print_acl(); static void print_access(); #endif +int +regtest(char *fname, int lineno, char *pat) { + int e; + regex_t re; + + char buf[512]; + int size; + + char *sp; + char *dp; + int flag; + + sp = pat; + dp = buf; + size = 0; + buf[0] = '\0'; + + for (size = 0, flag = 0; (size < sizeof(buf)) && *sp; sp++) { + if (flag) { + if (*sp == '$'|| (*sp >= '0' && *sp <= '9')) { + *dp++ = *sp; + size++; + } + flag = 0; + + } else { + if (*sp == '$') { + flag = 1; + } else { + *dp++ = *sp; + size++; + } + } + } + + *dp = '\0'; + if ( size >= (sizeof(buf)-1) ) { + fprintf( stderr, + "%s: line %d: regular expression \"%s\" too large\n", + fname, lineno, pat, 0 ); + acl_usage(); + } + + if ((e = regcomp(&re, buf, REG_EXTENDED|REG_ICASE))) { + char error[512]; + regerror(e, &re, error, sizeof(error)); + fprintf( stderr, + "%s: line %d: regular expression \"%s\" bad because of %s\n", + fname, lineno, pat, error ); + acl_usage(); + return(0); + } + regfree(&re); + return(1); +} + void parse_acl( Backend *be, @@ -58,6 +114,17 @@ parse_acl( } if ( strcasecmp( argv[i], "*" ) == 0 ) { + int e; + if ((e = regcomp( &a->acl_dnre, ".*", + REG_EXTENDED|REG_ICASE))) + { + char buf[512]; + regerror(e, &a->acl_dnre, buf, sizeof(buf)); + fprintf( stderr, + "%s: line %d: regular expression \"%s\" bad because of %s\n", + fname, lineno, right, buf ); + acl_usage(); + } a->acl_dnpat = strdup( ".*" ); continue; } @@ -79,14 +146,19 @@ parse_acl( acl_usage(); } } else if ( strcasecmp( left, "dn" ) == 0 ) { - if ( (e = re_comp( right )) != NULL ) { + int e; + if ((e = regcomp(&a->acl_dnre, right, + REG_EXTENDED|REG_ICASE))) { + char buf[512]; + regerror(e, &a->acl_dnre, buf, sizeof(buf)); fprintf( stderr, - "%s: line %d: regular expression \"%s\" bad because of %s\n", - fname, lineno, right, e ); + "%s: line %d: regular expression \"%s\" bad because of %s\n", + fname, lineno, right, buf ); acl_usage(); + + } else { + a->acl_dnpat = dn_upcase(strdup( right )); } - a->acl_dnpat = dn_upcase( strdup( - right ) ); } else if ( strncasecmp( left, "attr", 4 ) == 0 ) { char **alist; @@ -96,7 +168,7 @@ parse_acl( free( alist ); } else { fprintf( stderr, - "%s: line %d: expecting got \"%s\"\n", + "%s: line %d: expecting got \"%s\"\n", fname, lineno, left ); acl_usage(); } @@ -106,7 +178,7 @@ parse_acl( } else if ( strcasecmp( argv[i], "by" ) == 0 ) { if ( a == NULL ) { fprintf( stderr, - "%s: line %d: to clause required before by clause in access line\n", + "%s: line %d: to clause required before by clause in access line\n", fname, lineno ); acl_usage(); } @@ -131,38 +203,55 @@ parse_acl( } else if ( strcasecmp( argv[i], "self" ) == 0 ) { b->a_dnpat = strdup( "self" ); } else if ( strcasecmp( left, "dn" ) == 0 ) { - if ( (e = re_comp( right )) != NULL ) { - fprintf( stderr, - "%s: line %d: regular expression \"%s\" bad: %s\n", - fname, lineno, right, e ); - acl_usage(); - } + regtest(fname, lineno, right); b->a_dnpat = dn_upcase( strdup( right ) ); - } else if ( strcasecmp( left, "dnattr" ) - == 0 ) { + } else if ( strcasecmp( left, "dnattr" ) == 0 ) { b->a_dnattr = strdup( right ); - } else if ( strcasecmp( left, "domain" ) - == 0 ) { - char *s; - if ( (e = re_comp( right )) != NULL ) { - fprintf( stderr, - "%s: line %d: regular expression \"%s\" bad: %s\n", - fname, lineno, right, e ); - acl_usage(); - } +#ifdef SLAPD_ACLGROUPS + } else if ( strcasecmp( left, "group" ) == 0 ) { + char *name = NULL; + char *value = NULL; + regtest(fname, lineno, right); + + /* format of string is "group/objectClassValue/groupAttrName" + */ + if ((value = strchr(right, '/')) != NULL) { + *value++ = '\0'; + if (value && *value && (name = strchr(value, '/')) != NULL) + *name++ = '\0'; + } + + b->a_group = dn_upcase(strdup( right )); + + if (value && *value) { + b->a_objectclassvalue = strdup(value); + *--value = '/'; + } + else + b->a_objectclassvalue = strdup("groupOfNames"); + + if (name && *name) { + b->a_groupattrname = strdup(name); + *--name = '/'; + } + else + b->a_groupattrname = strdup("member"); + + + +#endif /* SLAPD_ACLGROUPS */ + } else if ( strcasecmp( left, "domain" ) == 0 ) { + char *s; + regtest(fname, lineno, right); b->a_domainpat = strdup( right ); + /* normalize the domain */ for ( s = b->a_domainpat; *s; s++ ) { *s = TOLOWER( *s ); } } else if ( strcasecmp( left, "addr" ) == 0 ) { - if ( (e = re_comp( right )) != NULL ) { - fprintf( stderr, - "%s: line %d: regular expression \"%s\" bad: %s\n", - fname, lineno, right, e ); - acl_usage(); - } + regtest(fname, lineno, right); b->a_addrpat = strdup( right ); } else { fprintf( stderr, @@ -198,16 +287,19 @@ parse_acl( /* if we have no real access clause, complain and do nothing */ if ( a == NULL ) { - fprintf( stderr, - "%s: line %d: warning: no access clause(s) specified in access line\n", + "%s: line %d: warning: no access clause(s) specified in access line\n", fname, lineno ); } else { + + if (ldap_debug&LDAP_DEBUG_ACL) + print_acl(a); + if ( a->acl_access == NULL ) { fprintf( stderr, - "%s: line %d: warning: no by clause(s) specified in access line\n", + "%s: line %d: warning: no by clause(s) specified in access line\n", fname, lineno ); } @@ -326,15 +418,24 @@ print_access( struct access *b ) { printf( "\tby" ); if ( b->a_dnpat != NULL ) { - printf( " dn=%s", b->a_dnpat ); + fprintf( stderr, " dn=%s", b->a_dnpat ); } else if ( b->a_addrpat != NULL ) { - printf( " addr=%s", b->a_addrpat ); + fprintf( stderr, " addr=%s", b->a_addrpat ); } else if ( b->a_domainpat != NULL ) { - printf( " domain=%s", b->a_domainpat ); + fprintf( stderr, " domain=%s", b->a_domainpat ); } else if ( b->a_dnattr != NULL ) { - printf( " dnattr=%s", b->a_dnattr ); + fprintf( stderr, " dnattr=%s", b->a_dnattr ); } - printf( " %s\n", access2str( b->a_access ) ); +#ifdef SLAPD_ACLGROUPS + else if ( b->a_group != NULL ) { + fprintf( stderr, " group: %s", b->a_group ); + if ( b->a_objectclassvalue ) + fprintf( stderr, " objectClassValue: %s", b->a_objectclassvalue ); + if ( b->a_groupattrname ) + fprintf( stderr, " groupAttrName: %s", b->a_groupattrname ); + } +#endif + fprintf( stderr, "\n" ); } static void @@ -344,33 +445,34 @@ print_acl( struct acl *a ) struct access *b; if ( a == NULL ) { - printf( "NULL\n" ); + fprintf( stderr, "NULL\n" ); } - printf( "access to" ); + fprintf( stderr, "ACL: access to" ); if ( a->acl_filter != NULL ) { - printf( " filter=" ); + fprintf( stderr," filter=" ); filter_print( a->acl_filter ); } if ( a->acl_dnpat != NULL ) { - printf( " dn=" ); - printf( a->acl_dnpat ); + fprintf( stderr, " dn=" ); + fprintf( stderr, a->acl_dnpat ); } if ( a->acl_attrs != NULL ) { int first = 1; - printf( " attrs=" ); + fprintf( stderr, "\n attrs=" ); for ( i = 0; a->acl_attrs[i] != NULL; i++ ) { if ( ! first ) { - printf( "," ); + fprintf( stderr, "," ); } - printf( a->acl_attrs[i] ); + fprintf( stderr, a->acl_attrs[i] ); first = 0; } } - printf( "\n" ); + fprintf( stderr, "\n" ); for ( b = a->acl_access; b != NULL; b = b->a_next ) { print_access( b ); } + fprintf( stderr, "\n" ); } -#endif +#endif /* LDAP_DEBUG */ diff --git a/servers/slapd/back-ldbm/group.c b/servers/slapd/back-ldbm/group.c index 5cbebd1b0e..42a16e4e42 100644 --- a/servers/slapd/back-ldbm/group.c +++ b/servers/slapd/back-ldbm/group.c @@ -15,7 +15,7 @@ extern Attribute *attr_find(); #ifdef SLAPD_ACLGROUPS -/* return 0 IFF edn is a value in uniqueMember attribute +/* return 0 IFF edn is a value in member attribute * of entry with bdn AND that entry has an objectClass * value of groupOfNames */ @@ -23,7 +23,9 @@ int ldbm_back_group( Backend *be, char *bdn, - char *edn + char *edn, + char *objectclassValue, + char *groupattrName ) { struct ldbminfo *li = (struct ldbminfo *) be->be_private; @@ -35,6 +37,8 @@ ldbm_back_group( Debug( LDAP_DEBUG_TRACE, "=> ldbm_back_group: bdn: %s\n", bdn, 0, 0 ); Debug( LDAP_DEBUG_TRACE, "=> ldbm_back_group: edn: %s\n", edn, 0, 0 ); + Debug( LDAP_DEBUG_TRACE, "=> ldbm_back_group: objectClass: %s attrName: %s\n", + objectclassValue, groupattrName, 0 ); /* can we find bdn entry with reader lock */ if ((e = dn2entry_r(be, bdn, &matched )) == NULL) { @@ -56,32 +60,33 @@ ldbm_back_group( if ((objectClass = attr_find(e->e_attrs, "objectclass")) == NULL) { Debug( LDAP_DEBUG_TRACE, "<= ldbm_back_group: failed to find objectClass\n", 0, 0, 0 ); } - else if ((member = attr_find(e->e_attrs, "member")) == NULL) { - Debug( LDAP_DEBUG_TRACE, "<= ldbm_back_group: failed to find member\n", 0, 0, 0 ); + else if ((member = attr_find(e->e_attrs, groupattrName)) == NULL) { + Debug( LDAP_DEBUG_TRACE, "<= ldbm_back_group: failed to find %s\n", groupattrName, 0, 0 ); } else { struct berval bvObjectClass; struct berval bvMembers; - Debug( LDAP_DEBUG_ARGS, "<= ldbm_back_group: found objectClass and members\n", 0, 0, 0 ); + Debug( LDAP_DEBUG_ARGS, "<= ldbm_back_group: found objectClass and %s\n", groupattrName, 0, 0 ); - bvObjectClass.bv_val = "groupofnames"; + bvObjectClass.bv_val = objectclassValue; bvObjectClass.bv_len = strlen( bvObjectClass.bv_val ); + bvMembers.bv_val = edn; bvMembers.bv_len = strlen( edn ); if (value_find(objectClass->a_vals, &bvObjectClass, SYNTAX_CIS, 1) != 0) { Debug( LDAP_DEBUG_TRACE, - "<= ldbm_back_group: failed to find objectClass in groupOfNames\n", - 0, 0, 0 ); + "<= ldbm_back_group: failed to find %s in objectClass\n", + objectclassValue, 0, 0 ); } else if (value_find(member->a_vals, &bvMembers, SYNTAX_CIS, 1) != 0) { - Debug( LDAP_DEBUG_ACL, "<= ldbm_back_group: %s not in %s: groupOfNames\n", - edn, bdn, 0 ); + Debug( LDAP_DEBUG_ACL, "<= ldbm_back_group: %s not in %s: %s\n", + edn, bdn, groupattrName ); } else { - Debug( LDAP_DEBUG_ACL, "<= ldbm_back_group: %s is in %s: groupOfNames\n", - edn, bdn, 0 ); + Debug( LDAP_DEBUG_ACL, "<= ldbm_back_group: %s is in %s: %s\n", + edn, bdn, groupattrName ); rc = 0; } } @@ -91,5 +96,5 @@ ldbm_back_group( Debug( LDAP_DEBUG_ARGS, "ldbm_back_group: rc: %d\n", rc, 0, 0 ); return(rc); } -#endif +#endif /* SLAPD_ACLGROUPS */ diff --git a/servers/slapd/back-ldbm/search.c b/servers/slapd/back-ldbm/search.c index 6a53be4f11..2ec7b0902b 100644 --- a/servers/slapd/back-ldbm/search.c +++ b/servers/slapd/back-ldbm/search.c @@ -1,19 +1,20 @@ /* search.c - ldbm backend search function */ +#include "portable.h" + #include -#include -#include -#include + +#include +#include + #include "slap.h" #include "back-ldbm.h" +#include "proto-back-ldbm.h" extern time_t currenttime; extern pthread_mutex_t currenttime_mutex; -extern ID dn2id(); extern IDList *idl_alloc(); -extern Entry *id2entry(); -extern Entry *dn2entry(); extern Attribute *attr_find(); extern IDList *filter_candidates(); extern char *ch_realloc(); @@ -61,6 +62,9 @@ ldbm_back_search( int rmaxsize, nrefs; char *rbuf, *rcur, *r; int nentries = 0; + char *realBase; + + Debug(LDAP_DEBUG_ARGS, "=> ldbm_back_search\n", 0, 0, 0); if ( tlimit == 0 && be_isroot( be, op->o_dn ) ) { tlimit = -1; /* allow root to set no limit */ @@ -76,19 +80,37 @@ ldbm_back_search( be->be_sizelimit : slimit; } + /* + * check and apply aliasing where the dereferencing applies to + * the subordinates of the base + */ + realBase = strdup (base); + switch ( deref ) { + case LDAP_DEREF_FINDING: + case LDAP_DEREF_ALWAYS: + free (realBase); + realBase = derefDN ( be, conn, op, base ); + break; + } + + (void) dn_normalize (realBase); + + Debug( LDAP_DEBUG_TRACE, "using base %s\n", + realBase, 0, 0 ); + switch ( scope ) { case LDAP_SCOPE_BASE: - candidates = base_candidates( be, conn, op, base, filter, + candidates = base_candidates( be, conn, op, realBase, filter, attrs, attrsonly, &matched, &err ); break; case LDAP_SCOPE_ONELEVEL: - candidates = onelevel_candidates( be, conn, op, base, filter, + candidates = onelevel_candidates( be, conn, op, realBase, filter, attrs, attrsonly, &matched, &err ); break; case LDAP_SCOPE_SUBTREE: - candidates = subtree_candidates( be, conn, op, base, filter, + candidates = subtree_candidates( be, conn, op, realBase, filter, attrs, attrsonly, &matched, NULL, &err, 1 ); break; @@ -139,10 +161,9 @@ ldbm_back_search( } pthread_mutex_unlock( ¤ttime_mutex ); - /* get the entry */ - if ( (e = id2entry( be, id )) == NULL ) { - Debug( LDAP_DEBUG_ARGS, "candidate %d not found\n", id, - 0, 0 ); + /* get the entry with reader lock */ + if ( (e = id2entry_r( be, id )) == NULL ) { + Debug( LDAP_DEBUG_ARGS, "candidate %d not found\n", id, 0, 0 ); continue; } @@ -151,22 +172,23 @@ ldbm_back_search( * this for subtree searches, and don't check the filter explicitly * here since it's only a candidate anyway. */ - if ( e->e_dn != NULL && strncasecmp( e->e_dn, "ref=", 4 ) - == 0 && (ref = attr_find( e->e_attrs, "ref" )) != NULL && - scope == LDAP_SCOPE_SUBTREE ) + if ( e->e_dn != NULL && + strncasecmp( e->e_dn, "ref=", 4 ) == 0 && + (ref = attr_find( e->e_attrs, "ref" )) != NULL && + scope == LDAP_SCOPE_SUBTREE ) { int i, len; if ( ref->a_vals == NULL ) { - Debug( LDAP_DEBUG_ANY, "null ref in (%s)\n", 0, - 0, 0 ); + Debug( LDAP_DEBUG_ANY, "null ref in (%s)\n", + e->e_dn, 0, 0 ); } else { for ( i = 0; ref->a_vals[i] != NULL; i++ ) { /* referral + newline + null */ MAKE_SPACE( ref->a_vals[i]->bv_len + 2 ); *rcur++ = '\n'; strncpy( rcur, ref->a_vals[i]->bv_val, - ref->a_vals[i]->bv_len ); + ref->a_vals[i]->bv_len ); rcur = rcur + ref->a_vals[i]->bv_len; *rcur = '\0'; nrefs++; @@ -185,22 +207,22 @@ ldbm_back_search( if ( scope == LDAP_SCOPE_ONELEVEL ) { if ( (dn = dn_parent( be, e->e_dn )) != NULL ) { (void) dn_normalize( dn ); - scopeok = (dn == base) ? 1 : (! strcasecmp( dn, base )); + scopeok = (dn == realBase) ? 1 : (! strcasecmp( dn, realBase )); } else { - scopeok = (base == NULL || *base == '\0'); + scopeok = (realBase == NULL || *realBase == '\0'); } free( dn ); } else if ( scope == LDAP_SCOPE_SUBTREE ) { dn = strdup( e->e_dn ); (void) dn_normalize( dn ); - scopeok = dn_issuffix( dn, base ); + scopeok = dn_issuffix( dn, realBase ); free( dn ); } if ( scopeok ) { /* check size limit */ if ( --slimit == -1 ) { - cache_return_entry( &li->li_cache, e ); + cache_return_entry_r( &li->li_cache, e ); send_ldap_search_result( conn, op, LDAP_SIZELIMIT_EXCEEDED, NULL, nrefs > 0 ? rbuf : NULL, nentries ); @@ -209,6 +231,21 @@ ldbm_back_search( return( 0 ); } + /* + * check and apply aliasing where the dereferencing applies to + * the subordinates of the base + */ + switch ( deref ) { + case LDAP_DEREF_SEARCHING: + case LDAP_DEREF_ALWAYS: + { + Entry *newe = derefAlias_r( be, conn, op, e ); + cache_return_entry_r( &li->li_cache, e ); + e = newe; + } + break; + } + switch ( send_search_entry( be, conn, op, e, attrs, attrsonly ) ) { case 0: /* entry sent ok */ @@ -217,7 +254,7 @@ ldbm_back_search( case 1: /* entry not sent */ break; case -1: /* connection closed */ - cache_return_entry( &li->li_cache, e ); + cache_return_entry_r( &li->li_cache, e ); idl_free( candidates ); free( rbuf ); return( 0 ); @@ -226,7 +263,10 @@ ldbm_back_search( } } - cache_return_entry( &li->li_cache, e ); + if( e != NULL ) { + /* free reader lock */ + cache_return_entry_r( &li->li_cache, e ); + } pthread_yield(); } @@ -262,16 +302,24 @@ base_candidates( IDList *idl; Entry *e; + Debug(LDAP_DEBUG_TRACE, "base_candidates: base: %s\n", base, 0, 0); + *err = LDAP_SUCCESS; - if ( (e = dn2entry( be, base, matched )) == NULL ) { + + /* get entry with reader lock */ + if ( (e = dn2entry_r( be, base, matched )) == NULL ) { *err = LDAP_NO_SUCH_OBJECT; return( NULL ); } + /* check for deleted */ + idl = idl_alloc( 1 ); idl_insert( &idl, e->e_id, 1 ); - cache_return_entry( &li->li_cache, e ); + + /* free reader lock */ + cache_return_entry_r( &li->li_cache, e ); return( idl ); } @@ -295,11 +343,14 @@ onelevel_candidates( char buf[20]; IDList *candidates; + Debug(LDAP_DEBUG_TRACE, "onelevel_candidates: base: %s\n", base, 0, 0); + *err = LDAP_SUCCESS; e = NULL; - /* get the base object */ - if ( base != NULL && *base != '\0' && (e = dn2entry( be, base, - matched )) == NULL ) { + /* get the base object with reader lock */ + if ( base != NULL && *base != '\0' && + (e = dn2entry_r( be, base, matched )) == NULL ) + { *err = LDAP_NO_SUCH_OBJECT; return( NULL ); } @@ -329,6 +380,8 @@ onelevel_candidates( f->f_and->f_next = NULL; filter_free( f ); + /* free entry and reader lock */ + cache_return_entry_r( &li->li_cache, e ); return( candidates ); } @@ -351,6 +404,9 @@ subtree_candidates( Filter *f; IDList *candidates; + Debug(LDAP_DEBUG_TRACE, "subtree_candidates: base: %s\n", + base ? base : "NULL", 0, 0); + /* * get the base object - unless we already have it (from one-level). * also, unless this is a one-level search or a subtree search @@ -365,20 +421,26 @@ subtree_candidates( *err = LDAP_SUCCESS; f = NULL; if ( lookupbase ) { - if ( base != NULL && *base != '\0' && (e = dn2entry( be, base, - matched )) == NULL ) { + if ( base != NULL && *base != '\0' && + (e = dn2entry_r( be, base, matched )) == NULL ) + { *err = LDAP_NO_SUCH_OBJECT; return( NULL ); } + if (e) { + cache_return_entry_r( &li->li_cache, e ); + } + f = (Filter *) ch_malloc( sizeof(Filter) ); f->f_next = NULL; f->f_choice = LDAP_FILTER_OR; f->f_or = (Filter *) ch_malloc( sizeof(Filter) ); f->f_or->f_choice = LDAP_FILTER_EQUALITY; f->f_or->f_avtype = strdup( "objectclass" ); - f->f_or->f_avvalue.bv_val = strdup( "referral" ); - f->f_or->f_avvalue.bv_len = strlen( "referral" ); + /* Patch to use normalized uppercase */ + f->f_or->f_avvalue.bv_val = strdup( "REFERRAL" ); + f->f_or->f_avvalue.bv_len = strlen( "REFERRAL" ); f->f_or->f_next = filter; filter = f; @@ -406,9 +468,5 @@ subtree_candidates( filter_free( f ); } - if ( e != NULL ) { - cache_return_entry( &li->li_cache, e ); - } - return( candidates ); } diff --git a/servers/slapd/back-passwd/search.c b/servers/slapd/back-passwd/search.c index 11c1d8e719..942b804a6c 100644 --- a/servers/slapd/back-passwd/search.c +++ b/servers/slapd/back-passwd/search.c @@ -1,12 +1,15 @@ /* search.c - /etc/passwd backend search function */ +#include "portable.h" + #include -#include -#include -#include -#include + +#include +#include +#include + #include -#include "portable.h" + #include "slap.h" extern time_t currenttime; @@ -80,14 +83,6 @@ passwd_back_search( } pthread_mutex_unlock( &op->o_abandonmutex ); - /* check size limit */ - if ( --slimit == -1 ) { - send_ldap_result( conn, op, LDAP_SIZELIMIT_EXCEEDED, - NULL, NULL ); - endpwent(); - return( 0 ); - } - /* check time limit */ pthread_mutex_lock( ¤ttime_mutex ); time( ¤ttime ); @@ -103,6 +98,14 @@ passwd_back_search( e = pw2entry( be, pw ); if ( test_filter( be, conn, op, e, filter ) == 0 ) { + /* check size limit */ + if ( --slimit == -1 ) { + send_ldap_result( conn, op, LDAP_SIZELIMIT_EXCEEDED, + NULL, NULL ); + endpwent(); + return( 0 ); + } + send_search_entry( be, conn, op, e, attrs, attrsonly ); } diff --git a/servers/slapd/backend.c b/servers/slapd/backend.c index 998bfa8c6a..39fdd279d4 100644 --- a/servers/slapd/backend.c +++ b/servers/slapd/backend.c @@ -1,14 +1,18 @@ /* backend.c - routines for dealing with back-end databases */ +#include "portable.h" + #include -#include -#include -#include + +#include +#include + #include + #include "slap.h" -#ifdef LDAP_LDBM +#ifdef SLAPD_LDBM extern int ldbm_back_bind(); extern int ldbm_back_unbind(); extern int ldbm_back_search(); @@ -21,14 +25,15 @@ extern int ldbm_back_abandon(); extern int ldbm_back_config(); extern int ldbm_back_init(); extern int ldbm_back_close(); +extern int ldbm_back_group(); #endif -#ifdef LDAP_PASSWD +#ifdef SLAPD_PASSWD extern int passwd_back_search(); extern int passwd_back_config(); #endif -#ifdef LDAP_SHELL +#ifdef SLAPD_SHELL extern int shell_back_bind(); extern int shell_back_unbind(); extern int shell_back_search(); @@ -72,7 +77,7 @@ new_backend( be->be_timelimit = deftime; foundit = 0; -#ifdef LDAP_LDBM +#ifdef SLAPD_LDBM if ( strcasecmp( type, "ldbm" ) == 0 ) { be->be_bind = ldbm_back_bind; be->be_unbind = ldbm_back_unbind; @@ -86,12 +91,15 @@ new_backend( be->be_config = ldbm_back_config; be->be_init = ldbm_back_init; be->be_close = ldbm_back_close; +#ifdef SLAPD_ACLGROUPS + be->be_group = ldbm_back_group; +#endif be->be_type = "ldbm"; foundit = 1; } #endif -#ifdef LDAP_PASSWD +#ifdef SLAPD_PASSWD if ( strcasecmp( type, "passwd" ) == 0 ) { be->be_bind = NULL; be->be_unbind = NULL; @@ -105,12 +113,15 @@ new_backend( be->be_config = passwd_back_config; be->be_init = NULL; be->be_close = NULL; +#ifdef SLAPD_ACLGROUPS + be->be_group = NULL; +#endif be->be_type = "passwd"; foundit = 1; } #endif -#ifdef LDAP_SHELL +#ifdef SLAPD_SHELL if ( strcasecmp( type, "shell" ) == 0 ) { be->be_bind = shell_back_bind; be->be_unbind = shell_back_unbind; @@ -124,6 +135,9 @@ new_backend( be->be_config = shell_back_config; be->be_init = shell_back_init; be->be_close = NULL; +#ifdef SLAPD_ACLGROUPS + be->be_group = NULL; +#endif be->be_type = "shell"; foundit = 1; } @@ -149,7 +163,20 @@ select_backend( char * dn ) dnlen = strlen( dn ); for ( i = 0; i < nbackends; i++ ) { for ( j = 0; backends[i].be_suffix != NULL && - backends[i].be_suffix[j] != NULL; j++ ) { + backends[i].be_suffix[j] != NULL; j++ ) + { +#ifdef LDAP_ALLOW_NULL_SEARCH_BASE + /* Add greg@greg.rim.or.jp + * It's quick hack for cheap client + * Some browser offer a NULL base at ldap_search + */ + if(dnlen == 0) { + Debug( LDAP_DEBUG_TRACE, + "select_backend: use default backend\n", 0, 0, 0 ); + return (&backends[i]); + } +#endif /* LDAP_ALLOW_NULL_SEARCH_BASE */ + len = strlen( backends[i].be_suffix[j] ); if ( len > dnlen ) { @@ -163,6 +190,27 @@ select_backend( char * dn ) } } + /* if no proper suffix could be found then check for aliases */ + for ( i = 0; i < nbackends; i++ ) { + for ( j = 0; + backends[i].be_suffixAlias != NULL && + backends[i].be_suffixAlias[j] != NULL; + j += 2 ) + { + len = strlen( backends[i].be_suffixAlias[j] ); + + if ( len > dnlen ) { + continue; + } + + if ( strcasecmp( backends[i].be_suffixAlias[j], + dn + (dnlen - len) ) == 0 ) { + return( &backends[i] ); + } + } + } + + return( NULL ); } @@ -231,3 +279,14 @@ be_unbind( } } } + +#ifdef SLAPD_ACLGROUPS +int +be_group(Backend *be, char *bdn, char *edn, char *objectclassValue, char *groupattrName) +{ + if (be->be_group) + return(be->be_group(be, bdn, edn, objectclassValue, groupattrName)); + else + return(1); +} +#endif diff --git a/servers/slapd/filter.c b/servers/slapd/filter.c index 8d990b361d..f408e68383 100644 --- a/servers/slapd/filter.c +++ b/servers/slapd/filter.c @@ -1,9 +1,12 @@ /* filter.c - routines for parsing and dealing with filters */ +#include "portable.h" + #include -#include -#include -#include + +#include +#include + #include "slap.h" static int get_filter_list(); @@ -54,7 +57,7 @@ get_filter( Connection *conn, BerElement *ber, Filter **filt, char **fstr ) err = 0; *fstr = NULL; f->f_choice = ber_peek_tag( ber, &len ); -#ifdef COMPAT30 +#ifdef LDAP_COMPAT30 if ( conn->c_version == 30 ) { switch ( f->f_choice ) { case LDAP_FILTER_EQUALITY: @@ -135,6 +138,7 @@ get_filter( Connection *conn, BerElement *ber, Filter **filt, char **fstr ) Debug( LDAP_DEBUG_FILTER, "AND\n", 0, 0, 0 ); if ( (err = get_filter_list( conn, ber, &f->f_and, &ftmp )) == 0 ) { + if (ftmp == NULL) ftmp = strdup(""); *fstr = ch_malloc( 4 + strlen( ftmp ) ); sprintf( *fstr, "(&%s)", ftmp ); free( ftmp ); @@ -145,6 +149,7 @@ get_filter( Connection *conn, BerElement *ber, Filter **filt, char **fstr ) Debug( LDAP_DEBUG_FILTER, "OR\n", 0, 0, 0 ); if ( (err = get_filter_list( conn, ber, &f->f_or, &ftmp )) == 0 ) { + if (ftmp == NULL) ftmp = strdup(""); *fstr = ch_malloc( 4 + strlen( ftmp ) ); sprintf( *fstr, "(|%s)", ftmp ); free( ftmp ); @@ -155,6 +160,7 @@ get_filter( Connection *conn, BerElement *ber, Filter **filt, char **fstr ) Debug( LDAP_DEBUG_FILTER, "NOT\n", 0, 0, 0 ); (void) ber_skip_tag( ber, &len ); if ( (err = get_filter( conn, ber, &f->f_not, &ftmp )) == 0 ) { + if (ftmp == NULL) ftmp = strdup(""); *fstr = ch_malloc( 4 + strlen( ftmp ) ); sprintf( *fstr, "(!%s)", ftmp ); free( ftmp ); @@ -189,7 +195,7 @@ get_filter_list( Connection *conn, BerElement *ber, Filter **f, char **fstr ) Debug( LDAP_DEBUG_FILTER, "begin get_filter_list\n", 0, 0, 0 ); -#ifdef COMPAT30 +#ifdef LDAP_COMPAT30 if ( conn->c_version == 30 ) { (void) ber_skip_tag( ber, &len ); } @@ -230,7 +236,7 @@ get_substring_filter( Debug( LDAP_DEBUG_FILTER, "begin get_substring_filter\n", 0, 0, 0 ); -#ifdef COMPAT30 +#ifdef LDAP_COMPAT30 if ( conn->c_version == 30 ) { (void) ber_skip_tag( ber, &len ); } @@ -248,7 +254,7 @@ get_substring_filter( sprintf( *fstr, "(%s=", f->f_sub_type ); for ( tag = ber_first_element( ber, &len, &last ); tag != LBER_DEFAULT; tag = ber_next_element( ber, &len, last ) ) { -#ifdef COMPAT30 +#ifdef LDAP_COMPAT30 if ( conn->c_version == 30 ) { rc = ber_scanf( ber, "{a}", &val ); } else @@ -266,7 +272,7 @@ get_substring_filter( value_normalize( val, syntax ); switch ( tag ) { -#ifdef COMPAT30 +#ifdef LDAP_COMPAT30 case LDAP_SUBSTRING_INITIAL_30: #endif case LDAP_SUBSTRING_INITIAL: @@ -280,7 +286,7 @@ get_substring_filter( strcat( *fstr, val ); break; -#ifdef COMPAT30 +#ifdef LDAP_COMPAT30 case LDAP_SUBSTRING_ANY_30: #endif case LDAP_SUBSTRING_ANY: @@ -292,7 +298,7 @@ get_substring_filter( strcat( *fstr, val ); break; -#ifdef COMPAT30 +#ifdef LDAP_COMPAT30 case LDAP_SUBSTRING_FINAL_30: #endif case LDAP_SUBSTRING_FINAL: @@ -385,63 +391,63 @@ filter_print( Filter *f ) Filter *p; if ( f == NULL ) { - printf( "NULL" ); + fprintf( stderr, "NULL" ); } switch ( f->f_choice ) { case LDAP_FILTER_EQUALITY: - printf( "(%s=%s)", f->f_ava.ava_type, + fprintf( stderr, "(%s=%s)", f->f_ava.ava_type, f->f_ava.ava_value.bv_val ); break; case LDAP_FILTER_GE: - printf( "(%s>=%s)", f->f_ava.ava_type, + fprintf( stderr, "(%s>=%s)", f->f_ava.ava_type, f->f_ava.ava_value.bv_val ); break; case LDAP_FILTER_LE: - printf( "(%s<=%s)", f->f_ava.ava_type, + fprintf( stderr, "(%s<=%s)", f->f_ava.ava_type, f->f_ava.ava_value.bv_val ); break; case LDAP_FILTER_APPROX: - printf( "(%s~=%s)", f->f_ava.ava_type, + fprintf( stderr, "(%s~=%s)", f->f_ava.ava_type, f->f_ava.ava_value.bv_val ); break; case LDAP_FILTER_SUBSTRINGS: - printf( "(%s=", f->f_sub_type ); + fprintf( stderr, "(%s=", f->f_sub_type ); if ( f->f_sub_initial != NULL ) { - printf( "%s", f->f_sub_initial ); + fprintf( stderr, "%s", f->f_sub_initial ); } if ( f->f_sub_any != NULL ) { for ( i = 0; f->f_sub_any[i] != NULL; i++ ) { - printf( "*%s", f->f_sub_any[i] ); + fprintf( stderr, "*%s", f->f_sub_any[i] ); } } charray_free( f->f_sub_any ); if ( f->f_sub_final != NULL ) { - printf( "*%s", f->f_sub_final ); + fprintf( stderr, "*%s", f->f_sub_final ); } break; case LDAP_FILTER_PRESENT: - printf( "%s=*", f->f_type ); + fprintf( stderr, "%s=*", f->f_type ); break; case LDAP_FILTER_AND: case LDAP_FILTER_OR: case LDAP_FILTER_NOT: - printf( "(%c", f->f_choice == LDAP_FILTER_AND ? '&' : + fprintf( stderr, "(%c", f->f_choice == LDAP_FILTER_AND ? '&' : f->f_choice == LDAP_FILTER_OR ? '|' : '!' ); for ( p = f->f_list; p != NULL; p = p->f_next ) { filter_print( p ); } - printf( ")" ); + fprintf( stderr, ")" ); break; default: - printf( "unknown type %d", f->f_choice ); + fprintf( stderr, "unknown type %d", f->f_choice ); break; } } diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h index bf0c9c8297..46e7e90260 100644 --- a/servers/slapd/slap.h +++ b/servers/slapd/slap.h @@ -3,13 +3,22 @@ #ifndef _SLDAPD_H_ #define _SLDAPD_H_ -#define LDAP_SYSLOG +#include "portable.h" + +#include + +#include +#include +#include + +#undef NDEBUG +#include -#include #include "avl.h" #include "lber.h" #include "ldap.h" #include "lthread.h" +#include "lthread_rdwr.h" #include "ldif.h" #define DN_DNS 0 @@ -17,6 +26,11 @@ #define ON 1 #define OFF (-1) +#define UNDEFINED 0 + +#define MAXREMATCHES 10 + +LDAP_BEGIN_DECL /* * represents an attribute value assertion (i.e., attr=value) @@ -103,6 +117,9 @@ typedef struct entry { ID e_id; /* id of this entry - this should */ /* really be private to back-ldbm */ char e_state; /* for the cache */ + + pthread_rdwr_t e_rdwr; /* reader/writer lock */ + #define ENTRY_STATE_DELETED 1 #define ENTRY_STATE_CREATING 2 int e_refcnt; /* # threads ref'ing this entry */ @@ -121,6 +138,13 @@ struct access { char *a_domainpat; char *a_dnattr; long a_access; + +#ifdef SLAPD_ACLGROUPS + char *a_group; + char *a_objectclassvalue; + char *a_groupattrname; +#endif + #define ACL_NONE 0x01 #define ACL_COMPARE 0x02 #define ACL_SEARCH 0x04 @@ -134,6 +158,7 @@ struct access { struct acl { /* "to" part: the entries this acl applies to */ Filter *acl_filter; + regex_t acl_dnre; char *acl_dnpat; char **acl_attrs; @@ -160,9 +185,11 @@ struct objclass { typedef struct backend { char **be_suffix; /* the DN suffixes of data in this backend */ + char **be_suffixAlias; /* the DN suffix aliases of data in this backend */ char *be_rootdn; /* the magic "root" dn for this db */ char *be_rootpw; /* the magic "root" password for this db */ int be_readonly; /* 1 => db is in "read only" mode */ + int be_maxDerefDepth; /* limit for depth of an alias deref */ int be_sizelimit; /* size limit for this backend */ int be_timelimit; /* time limit for this backend */ struct acl *be_acl; /* access control list for this backend */ @@ -187,6 +214,10 @@ typedef struct backend { IFP be_config; /* backend config routine */ IFP be_init; /* backend init routine */ IFP be_close; /* backend close routine */ + +#ifdef SLAPD_ACLGROUPS + IFP be_group; /* backend group member test */ +#endif } Backend; /* @@ -199,12 +230,14 @@ typedef struct op { unsigned long o_tag; /* tag of the request */ time_t o_time; /* time op was initiated */ char *o_dn; /* dn bound when op was initiated */ + char *o_suffix; /* suffix if aliased */ + char *o_suffixAliased; /* pending suffix translation */ int o_authtype; /* auth method used to bind dn */ /* values taken from ldap.h */ /* LDAP_AUTH_* */ int o_opid; /* id of this operation */ int o_connid; /* id of conn initiating this op */ -#ifdef CLDAP +#ifdef LDAP_CONNECTIONLESS int o_cldap; /* != 0 if this came in via CLDAP */ struct sockaddr o_clientaddr; /* client address if via CLDAP */ char o_searchbase; /* search base if via CLDAP */ @@ -226,7 +259,7 @@ typedef struct conn { char *c_dn; /* current DN bound to this conn */ pthread_mutex_t c_dnmutex; /* mutex for c_dn field */ int c_authtype; /* auth method used to bind c_dn */ -#ifdef COMPAT +#ifdef LDAP_COMPAT int c_version; /* for compatibility w/2.0, 3.0 */ #endif char *c_addr; /* address of client on this conn */ @@ -258,8 +291,8 @@ typedef struct conn { #define Statslog( level, fmt, connid, opid, arg1, arg2, arg3 ) #endif -#ifdef NEEDPROTOS #include "proto-slap.h" -#endif + +LDAP_END_DECL #endif /* _slap_h_ */