use "expand" instead of "regex" for group ACLs that allow substring expansion, preserving backwards compatibility; add sanity checks

Pierangelo Masarati 2004-03-09 16:33:05 +00:00
parent 490e1e4aa9
commit 042869366d
4 changed files with 61 additions and 13 deletions


@ -184,7 +184,7 @@ It can have the forms
dn[.<dnstyle>[,<modifier>]]=<DN> dn[.<dnstyle>[,<modifier>]]=<DN>
dnattr=<attrname> dnattr=<attrname>
group[/<objectclass>[/<attrname>]] group[/<objectclass>[/<attrname>]]
[.<style>]=<group> [.<groupstyle>]=<group>
peername[.<peernamestyle>]=<peername> peername[.<peernamestyle>]=<peername>
sockname[.<style>]=<sockname> sockname[.<style>]=<sockname>
domain[.<domainstyle>[,<modifier>]]=<domain> domain[.<domainstyle>[,<modifier>]]=<domain>
@ -203,6 +203,7 @@ with
.LP .LP
.nf .nf
<dnstyle>={{exact|base}|regex|sub(tree)|one(level)|children} <dnstyle>={{exact|base}|regex|sub(tree)|one(level)|children}
<groupstyle>={exact|expand}
<style>={exact|regex} <style>={exact|regex}
<peernamestyle>={exact|regex|ip|path} <peernamestyle>={exact|regex|ip|path}
<domainstyle>={exact|regex|sub(tree)} <domainstyle>={exact|regex|sub(tree)}
@ -286,16 +287,12 @@ define the objectClass and the member attributeType of the group entry.
The optional style qualifier The optional style qualifier
.B <style> .B <style>
can be can be
.BR regex , .BR expand ,
which means that which means that
.B <group> .B <group>
will be expanded as a replacement string (but not as a regular expression) will be expanded as a replacement string (but not as a regular expression)
according to regex (7), and according to regex (7), and
.B base .BR exact ,
or
.B exact
(an alias of
.BR base ),
which means that exact match will be used. which means that exact match will be used.
.LP .LP
For static groups, the specified attributeType must have For static groups, the specified attributeType must have
@ -307,7 +304,7 @@ be a subtype of the
.B labeledURI .B labeledURI
attributeType. Only LDAP URIs of the form attributeType. Only LDAP URIs of the form
.B ldap:///<base>??<scope>?<filter> .B ldap:///<base>??<scope>?<filter>
will be evaluated in a dynamic group. will be evaluated in a dynamic group, by searching the local server only.
.LP .LP
The statements The statements
.BR peername=<peername> , .BR peername=<peername> ,


@ -1193,7 +1193,7 @@ dn_match_cleanup:;
* the values in the attribute group * the values in the attribute group
*/ */
/* see if asker is listed in dnattr */ /* see if asker is listed in dnattr */
if ( b->a_group_style == ACL_STYLE_REGEX ) { if ( b->a_group_style == ACL_STYLE_EXPAND ) {
char buf[ACL_BUF_SIZE]; char buf[ACL_BUF_SIZE];
bv.bv_len = sizeof(buf) - 1; bv.bv_len = sizeof(buf) - 1;
bv.bv_val = buf; bv.bv_val = buf;
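Review bot: The test on `b->a_group_style` now recognises only `ACL_STYLE_EXPAND`, so this path depends on the parser having rewritten the legacy "regex" group style to "expand" before the rule is stored. A group clause that reached this point still marked `ACL_STYLE_REGEX` would presumably be compared as a literal group DN, with no diagnostic. A comment above the test would record that dependency, e.g. `/* parse_acl() maps the legacy "regex" group style to ACL_STYLE_EXPAND, so REGEX is not expected here */`. The block that fills `buf` continues past the end of the hunk, so how the expanded value is bounded and checked is not visible from here.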


@ -40,6 +40,7 @@
static char *style_strings[] = { static char *style_strings[] = {
"regex", "regex",
"expand",
"base", "base",
"one", "one",
"subtree", "subtree",
@ -427,6 +428,9 @@ parse_acl(
} else if ( strcasecmp( style, "regex" ) == 0 ) { } else if ( strcasecmp( style, "regex" ) == 0 ) {
sty = ACL_STYLE_REGEX; sty = ACL_STYLE_REGEX;
} else if ( strcasecmp( style, "expand" ) == 0 ) {
sty = ACL_STYLE_EXPAND;
} else if ( strcasecmp( style, "ip" ) == 0 ) { } else if ( strcasecmp( style, "ip" ) == 0 ) {
sty = ACL_STYLE_IP; sty = ACL_STYLE_IP;
@ -448,9 +452,39 @@ parse_acl(
if ( style_modifier && if ( style_modifier &&
strcasecmp( style_modifier, "expand" ) == 0 ) strcasecmp( style_modifier, "expand" ) == 0 )
{ {
expand = 1; switch ( sty ) {
case ACL_STYLE_REGEX:
fprintf( stderr, "%s: line %d: "
"\"regex\" style implies "
"\"expand\" modifier (ignored)\n",
fname, lineno );
break;
case ACL_STYLE_EXPAND:
fprintf( stderr, "%s: line %d: "
"\"expand\" style used "
"in conjunction with "
"\"expand\" modifier (ignored)\n",
fname, lineno );
break;
default:
expand = 1;
break;
}
} }
if ( ( sty == ACL_STYLE_EXPAND || expand )
&& ( a->acl_dn_pat.bv_len && a->acl_dn_style != ACL_STYLE_REGEX) )
{
fprintf( stderr, "%s: line %d: "
"\"expand\" style or modifier used "
"in conjunction with "
"a non-regex <what> clause\n",
fname, lineno );
}
if ( strcasecmp( argv[i], "*" ) == 0 ) { if ( strcasecmp( argv[i], "*" ) == 0 ) {
bv.bv_val = ch_strdup( "*" ); bv.bv_val = ch_strdup( "*" );
bv.bv_len = 1; bv.bv_len = 1;
@ -608,10 +642,26 @@ parse_acl(
char *name = NULL; char *name = NULL;
char *value = NULL; char *value = NULL;
if (sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE) { switch ( sty ) {
case ACL_STYLE_REGEX:
/* legacy */
fprintf( stderr, "%s: line %d: "
"deprecated group style \"regex\"; "
"use \"expand\" instead\n",
fname, lineno, style );
sty = ACL_STYLE_EXPAND;
break;
case ACL_STYLE_EXPAND:
case ACL_STYLE_BASE:
/* legal */
break;
default:
/* unhandled */
fprintf( stderr, "%s: line %d: " fprintf( stderr, "%s: line %d: "
"inappropriate style \"%s\" in by clause\n", "inappropriate style \"%s\" in by clause\n",
fname, lineno, style ); fname, lineno, style );
acl_usage(); acl_usage();
} }
@ -640,7 +690,7 @@ parse_acl(
} }
b->a_group_style = sty; b->a_group_style = sty;
if (sty == ACL_STYLE_REGEX) { if (sty == ACL_STYLE_EXPAND) {
acl_regex_normalized_dn( right, &bv ); acl_regex_normalized_dn( right, &bv );
if ( !ber_bvccmp( &bv, '*' ) ) { if ( !ber_bvccmp( &bv, '*' ) ) {
regtest(fname, lineno, bv.bv_val); regtest(fname, lineno, bv.bv_val);
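Review bot: The new sanity check for an "expand" style or modifier combined with a non-regex <what> clause only prints to stderr and then continues with the normal parsing path, so a rule whose by clause has no submatches to expand is still loaded. For an access-control parser it would be safer to fail closed by following that `fprintf` with `acl_usage();`, as the "inappropriate style" branch later in this section does. If warning-only is intended for compatibility, a comment saying so would help. Separately, the deprecation message for group style "regex" passes `style` as a third argument, although its format string has conversions only for `fname` and `lineno`; drop the argument or print it. parse_acl starts and ends outside these hunks, so what happens after the warning is inferred from the visible lines only.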


@ -1078,6 +1078,7 @@ typedef enum slap_control_e {
typedef enum slap_style_e { typedef enum slap_style_e {
ACL_STYLE_REGEX = 0, ACL_STYLE_REGEX = 0,
ACL_STYLE_EXPAND,
ACL_STYLE_BASE, ACL_STYLE_BASE,
ACL_STYLE_ONE, ACL_STYLE_ONE,
ACL_STYLE_SUBTREE, ACL_STYLE_SUBTREE,
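Review bot: `ACL_STYLE_EXPAND` is inserted as the second enumerator, which renumbers `ACL_STYLE_BASE` and every value after it. The `style_strings[]` table in the parser gained "expand" in the same position, which suggests the two are matched by index. Nothing visible ties them together, so a comment on the enum such as `/* order must match style_strings[] in the ACL parser */` would keep a later addition from silently mislabelling styles. If any code outside this commit depends on the old numeric values, appending the new enumerator at the end would avoid the renumbering.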