Change ACL default style to exact (from regex)
This commit is contained in:
parent
193c7ca228
commit
0954351565
@ -70,7 +70,7 @@ It can have the forms
|
||||
.LP
|
||||
.nf
|
||||
*
|
||||
[dn[.<dnstyle>]=<pattern>]
|
||||
[dn[.<dnstyle>]=<DN>]
|
||||
[filter=<ldapfilter>]
|
||||
[attrs=<attrlist>]
|
||||
.fi
|
||||
@ -80,22 +80,11 @@ The wildcard
|
||||
stands for all the entries.
|
||||
.LP
|
||||
The statement
|
||||
.B dn=<pattern>
|
||||
.B dn=<DN>
|
||||
selects the entries based on their naming context.
|
||||
The optional style qualifier
|
||||
.B <dnstyle>
|
||||
can be
|
||||
.B regex
|
||||
(the default) implies that
|
||||
.B pattern
|
||||
is a regular expression, as detailed in
|
||||
.BR regex (7),
|
||||
matching a normalized string representation of the entry's DN.
|
||||
The regex form of the pattern does not support UTF-8 yet.
|
||||
.LP
|
||||
For all other qualifiers, the pattern is a string representation of
|
||||
the entry's DN.
|
||||
.B base
|
||||
The pattern is a string representation of the entry's DN.
|
||||
.BR base ,
|
||||
the default,
|
||||
or
|
||||
.B exact
|
||||
(an alias of
|
||||
@ -108,10 +97,16 @@ indicates all the entries immediately below the
|
||||
indicates all entries in the subtree at the pattern,
|
||||
.B children
|
||||
indicates all the entries below (subordinate to) the pattern.
|
||||
Note that
|
||||
.B dn=".*"
|
||||
is equivalent to
|
||||
.BR * .
|
||||
.LP
|
||||
If the
|
||||
.B <dnstyle>
|
||||
qualifier is
|
||||
.BR regex ,
|
||||
then the value is a regular expression pattern,
|
||||
as detailed in
|
||||
.BR regex (7),
|
||||
matching a normalized string representation of the entry's DN.
|
||||
The regex form of the pattern does not (yet) support UTF-8.
|
||||
.LP
|
||||
The statement
|
||||
.B filter=<ldapfilter>
|
||||
@ -148,14 +143,14 @@ It can have the forms
|
||||
users
|
||||
self
|
||||
|
||||
dn[.<dnstyle>[,<modifier>]]=<pattern>
|
||||
dn[.<dnstyle>[,<modifier>]]=<DN>
|
||||
dnattr=<attrname>
|
||||
group[/<objectclass>[/<attrname>]]
|
||||
[.<style>]=<pattern>
|
||||
peername[.<style>]=<pattern>
|
||||
sockname[.<style>]=<pattern>
|
||||
domain[.<domainstyle>[,<modifier>]]=<pattern>
|
||||
sockurl[.<style>]=<pattern>
|
||||
[.<style>]=<group>
|
||||
peername[.<style>]=<peername>
|
||||
sockname[.<style>]=<sockname>
|
||||
domain[.<domainstyle>[,<modifier>]]=<domain>
|
||||
sockurl[.<style>]=<sockurl>
|
||||
set[.<style>]=<pattern>
|
||||
|
||||
ssf=<n>
|
||||
@ -192,7 +187,7 @@ means access to an entry is allowed to the entry itself (e.g. the entry
|
||||
being accessed and the requesting entry must be the same).
|
||||
.LP
|
||||
The statement
|
||||
.B dn=<pattern>
|
||||
.B dn=<DN>
|
||||
means that access is granted to the matching DN.
|
||||
The optional style qualifier
|
||||
.B dnstyle
|
||||
@ -200,9 +195,7 @@ allows the same choices of the dn form of the
|
||||
.B <what>
|
||||
field. In addition, the
|
||||
.B regex
|
||||
form of
|
||||
.B pattern
|
||||
can exploit substring substitution of submatches in the
|
||||
style can exploit substring substitution of submatches in the
|
||||
.B <what>
|
||||
dn.regex clause by using the form
|
||||
.BR $<digit> ,
|
||||
@ -218,10 +211,10 @@ entry being accessed under the
|
||||
attribute.
|
||||
.LP
|
||||
The statement
|
||||
.B group=<pattern>
|
||||
.B group=<group>
|
||||
means that access is granted to requests whose DN is listed
|
||||
in the group entry whose DN is given by
|
||||
.BR pattern .
|
||||
.BR group .
|
||||
The optional parameters
|
||||
.B objectclass
|
||||
and
|
||||
@ -242,11 +235,11 @@ or
|
||||
which means that exact match will be used.
|
||||
.LP
|
||||
The statements
|
||||
.BR peername=<pattern> ,
|
||||
.BR sockname=<pattern> ,
|
||||
.BR domain=<pattern> ,
|
||||
.BR peername=<peername> ,
|
||||
.BR sockname=<sockname> ,
|
||||
.BR domain=<domain> ,
|
||||
and
|
||||
.BR sockurl=<pattern>
|
||||
.BR sockurl=<sockurl>
|
||||
mean that the contacting host IP for
|
||||
.BR peername ,
|
||||
the named pipe file name for
|
||||
@ -429,15 +422,14 @@ privileges to authenticated clients.
|
||||
It is strongly recommended to explicitly use the most appropriate
|
||||
DN
|
||||
.BR style ,
|
||||
to avoid possible
|
||||
incorrect specifications of the access rules as well
|
||||
as for performance (avoid unrequired regex matching when
|
||||
an exact match suffices) reasons.
|
||||
to avoid possible incorrect specifications of the access rules as well
|
||||
as for performance (avoid unrequired regex matching when an exact
|
||||
match suffices) reasons.
|
||||
.LP
|
||||
An adminisistrator might create a rule of the form:
|
||||
.LP
|
||||
.nf
|
||||
access to dn="dc=example,dc=com"
|
||||
access to dn.regex="dc=example,dc=com"
|
||||
by ...
|
||||
.fi
|
||||
.LP
|
||||
@ -457,8 +449,8 @@ written:
|
||||
For performance reasons, it would be better to use the subtree style.
|
||||
.LP
|
||||
.nf
|
||||
access to dn.subtree="dc=example,dc=com"
|
||||
by ...
|
||||
access to dn.subtree="dc=example,dc=com"
|
||||
by ...
|
||||
.fi
|
||||
.LP
|
||||
.SH FILES
|
||||
|
@ -106,8 +106,8 @@ parse_acl(
|
||||
/* to clause - select which entries are protected */
|
||||
if ( strcasecmp( argv[i], "to" ) == 0 ) {
|
||||
if ( a != NULL ) {
|
||||
fprintf( stderr,
|
||||
"%s: line %d: only one to clause allowed in access line\n",
|
||||
fprintf( stderr, "%s: line %d: "
|
||||
"only one to clause allowed in access line\n",
|
||||
fname, lineno );
|
||||
acl_usage();
|
||||
}
|
||||
@ -138,8 +138,8 @@ parse_acl(
|
||||
split( left, '.', &left, &style );
|
||||
|
||||
if ( right == NULL ) {
|
||||
fprintf( stderr,
|
||||
"%s: line %d: missing \"=\" in \"%s\" in to clause\n",
|
||||
fprintf( stderr, "%s: line %d: "
|
||||
"missing \"=\" in \"%s\" in to clause\n",
|
||||
fname, lineno, left );
|
||||
acl_usage();
|
||||
}
|
||||
@ -155,9 +155,28 @@ parse_acl(
|
||||
acl_usage();
|
||||
}
|
||||
|
||||
if ( style == NULL || *style == '\0'
|
||||
|| strcasecmp( style, "regex" ) == 0 )
|
||||
if ( style == NULL || *style == '\0' ||
|
||||
( strcasecmp( style, "base" ) == 0 ) ||
|
||||
( strcasecmp( style, "exact" ) == 0 ))
|
||||
{
|
||||
a->acl_dn_style = ACL_STYLE_BASE;
|
||||
ber_str2bv( right, 0, 1, &a->acl_dn_pat );
|
||||
|
||||
} else if ( strcasecmp( style, "one" ) == 0 ) {
|
||||
a->acl_dn_style = ACL_STYLE_ONE;
|
||||
ber_str2bv( right, 0, 1, &a->acl_dn_pat );
|
||||
|
||||
} else if ( strcasecmp( style, "subtree" ) == 0
|
||||
|| strcasecmp( style, "sub" ) == 0 )
|
||||
{
|
||||
a->acl_dn_style = ACL_STYLE_SUBTREE;
|
||||
ber_str2bv( right, 0, 1, &a->acl_dn_pat );
|
||||
|
||||
} else if ( strcasecmp( style, "children" ) == 0 ) {
|
||||
a->acl_dn_style = ACL_STYLE_CHILDREN;
|
||||
ber_str2bv( right, 0, 1, &a->acl_dn_pat );
|
||||
|
||||
} else if ( strcasecmp( style, "regex" ) == 0 ) {
|
||||
a->acl_dn_style = ACL_STYLE_REGEX;
|
||||
|
||||
if ( *right == '\0' ) {
|
||||
@ -179,21 +198,10 @@ parse_acl(
|
||||
} else {
|
||||
acl_regex_normalized_dn( right, &a->acl_dn_pat );
|
||||
}
|
||||
} else if ( strcasecmp( style, "base" ) == 0 ) {
|
||||
a->acl_dn_style = ACL_STYLE_BASE;
|
||||
ber_str2bv( right, 0, 1, &a->acl_dn_pat );
|
||||
} else if ( strcasecmp( style, "one" ) == 0 ) {
|
||||
a->acl_dn_style = ACL_STYLE_ONE;
|
||||
ber_str2bv( right, 0, 1, &a->acl_dn_pat );
|
||||
} else if ( strcasecmp( style, "subtree" ) == 0 || strcasecmp( style, "sub" ) == 0 ) {
|
||||
a->acl_dn_style = ACL_STYLE_SUBTREE;
|
||||
ber_str2bv( right, 0, 1, &a->acl_dn_pat );
|
||||
} else if ( strcasecmp( style, "children" ) == 0 ) {
|
||||
a->acl_dn_style = ACL_STYLE_CHILDREN;
|
||||
ber_str2bv( right, 0, 1, &a->acl_dn_pat );
|
||||
|
||||
} else {
|
||||
fprintf( stderr,
|
||||
"%s: line %d: unknown dn style \"%s\" in to clause\n",
|
||||
fprintf( stderr, "%s: line %d: "
|
||||
"unknown dn style \"%s\" in to clause\n",
|
||||
fname, lineno, style );
|
||||
acl_usage();
|
||||
}
|
||||
@ -218,6 +226,7 @@ parse_acl(
|
||||
fname, lineno, right );
|
||||
acl_usage();
|
||||
}
|
||||
|
||||
} else {
|
||||
fprintf( stderr,
|
||||
"%s: line %d: expecting <what> got \"%s\"\n",
|
||||
@ -242,7 +251,7 @@ parse_acl(
|
||||
rc = dnNormalize( 0, NULL, NULL, &a->acl_dn_pat, &bv, NULL);
|
||||
if ( rc != LDAP_SUCCESS ) {
|
||||
fprintf( stderr,
|
||||
"%s: line %d: bad DN \"%s\"\n",
|
||||
"%s: line %d: bad DN \"%s\" in to DN clause\n",
|
||||
fname, lineno, a->acl_dn_pat.bv_val );
|
||||
acl_usage();
|
||||
}
|
||||
@ -265,8 +274,8 @@ parse_acl(
|
||||
/* by clause - select who has what access to entries */
|
||||
} else if ( strcasecmp( argv[i], "by" ) == 0 ) {
|
||||
if ( a == NULL ) {
|
||||
fprintf( stderr,
|
||||
"%s: line %d: to clause required before by clause in access line\n",
|
||||
fprintf( stderr, "%s: line %d: "
|
||||
"to clause required before by clause in access line\n",
|
||||
fname, lineno );
|
||||
acl_usage();
|
||||
}
|
||||
@ -297,20 +306,27 @@ parse_acl(
|
||||
if ( style ) {
|
||||
split( style, ',', &style, &style_modifier);
|
||||
}
|
||||
if ( style == NULL || *style == '\0'
|
||||
|| strcasecmp( style, "regex" ) == 0 )
|
||||
|
||||
if ( style == NULL || *style == '\0' ||
|
||||
strcasecmp( style, "exact" ) == 0 ||
|
||||
strcasecmp( style, "base" ) == 0 )
|
||||
{
|
||||
sty = ACL_STYLE_REGEX;
|
||||
} else if ( strcasecmp( style, "exact" ) == 0 ) {
|
||||
sty = ACL_STYLE_EXACT;
|
||||
} else if ( strcasecmp( style, "base" ) == 0 ) {
|
||||
sty = ACL_STYLE_BASE;
|
||||
|
||||
} else if ( strcasecmp( style, "one" ) == 0 ) {
|
||||
sty = ACL_STYLE_ONE;
|
||||
} else if ( strcasecmp( style, "subtree" ) == 0 || strcasecmp( style, "sub" ) == 0 ) {
|
||||
|
||||
} else if ( strcasecmp( style, "subtree" ) == 0 ||
|
||||
strcasecmp( style, "sub" ) == 0 )
|
||||
{
|
||||
sty = ACL_STYLE_SUBTREE;
|
||||
|
||||
} else if ( strcasecmp( style, "children" ) == 0 ) {
|
||||
sty = ACL_STYLE_CHILDREN;
|
||||
|
||||
} else if ( strcasecmp( style, "regex" ) == 0 ) {
|
||||
sty = ACL_STYLE_REGEX;
|
||||
|
||||
} else {
|
||||
fprintf( stderr,
|
||||
"%s: line %d: unknown style \"%s\" in by clause\n",
|
||||
@ -318,28 +334,28 @@ parse_acl(
|
||||
acl_usage();
|
||||
}
|
||||
|
||||
if ( style_modifier && strcasecmp( style_modifier, "expand" ) == 0 ) {
|
||||
if ( style_modifier &&
|
||||
strcasecmp( style_modifier, "expand" ) == 0 )
|
||||
{
|
||||
expand = 1;
|
||||
}
|
||||
|
||||
if ( strcasecmp( argv[i], "*" ) == 0 ) {
|
||||
bv.bv_val = ch_strdup( "*" );
|
||||
bv.bv_len = 1;
|
||||
sty = ACL_STYLE_REGEX;
|
||||
|
||||
} else if ( strcasecmp( argv[i], "anonymous" ) == 0 ) {
|
||||
ber_str2bv("anonymous",
|
||||
sizeof("anonymous")-1,
|
||||
1, &bv);
|
||||
ber_str2bv("anonymous", sizeof("anonymous")-1, 1, &bv);
|
||||
sty = ACL_STYLE_REGEX;
|
||||
|
||||
} else if ( strcasecmp( argv[i], "self" ) == 0 ) {
|
||||
ber_str2bv("self",
|
||||
sizeof("self")-1,
|
||||
1, &bv);
|
||||
ber_str2bv("self", sizeof("self")-1, 1, &bv);
|
||||
sty = ACL_STYLE_REGEX;
|
||||
|
||||
} else if ( strcasecmp( argv[i], "users" ) == 0 ) {
|
||||
ber_str2bv("users",
|
||||
sizeof("users")-1,
|
||||
1, &bv);
|
||||
ber_str2bv("users", sizeof("users")-1, 1, &bv);
|
||||
sty = ACL_STYLE_REGEX;
|
||||
|
||||
} else if ( strcasecmp( left, "dn" ) == 0 ) {
|
||||
if ( sty == ACL_STYLE_REGEX ) {
|
||||
@ -388,8 +404,9 @@ parse_acl(
|
||||
}
|
||||
}
|
||||
} else if ( right == NULL || *right == '\0' ) {
|
||||
fprintf( stderr,
|
||||
"%s: line %d: missing \"=\" in (or value after) \"%s\" in by clause\n",
|
||||
fprintf( stderr, "%s: line %d: "
|
||||
"missing \"=\" in (or value after) \"%s\" "
|
||||
"in by clause\n",
|
||||
fname, lineno, left );
|
||||
acl_usage();
|
||||
|
||||
@ -410,10 +427,11 @@ parse_acl(
|
||||
}
|
||||
|
||||
if ( sty != ACL_STYLE_REGEX && expand == 0 ) {
|
||||
rc = dnNormalize(0, NULL, NULL, &bv, &b->a_dn_pat, NULL);
|
||||
rc = dnNormalize(0, NULL, NULL,
|
||||
&bv, &b->a_dn_pat, NULL);
|
||||
if ( rc != LDAP_SUCCESS ) {
|
||||
fprintf( stderr,
|
||||
"%s: line %d: bad DN \"%s\"\n",
|
||||
"%s: line %d: bad DN \"%s\" in by DN clause\n",
|
||||
fname, lineno, bv.bv_val );
|
||||
acl_usage();
|
||||
}
|
||||
@ -464,8 +482,7 @@ parse_acl(
|
||||
acl_usage();
|
||||
}
|
||||
|
||||
if( b->a_dn_at->ad_type->sat_equality == NULL )
|
||||
{
|
||||
if( b->a_dn_at->ad_type->sat_equality == NULL ) {
|
||||
fprintf( stderr,
|
||||
"%s: line %d: dnattr \"%s\": "
|
||||
"inappropriate matching (no EQUALITY)\n",
|
||||
@ -481,15 +498,16 @@ parse_acl(
|
||||
char *value = NULL;
|
||||
|
||||
if (sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE) {
|
||||
fprintf( stderr,
|
||||
"%s: line %d: inappropriate style \"%s\" in by clause\n",
|
||||
fprintf( stderr, "%s: line %d: "
|
||||
"inappropriate style \"%s\" in by clause\n",
|
||||
fname, lineno, style );
|
||||
acl_usage();
|
||||
}
|
||||
|
||||
if ( right == NULL || right[ 0 ] == '\0' ) {
|
||||
fprintf( stderr,
|
||||
"%s: line %d: missing \"=\" in (or value after) \"%s\" in by clause\n",
|
||||
fprintf( stderr, "%s: line %d: "
|
||||
"missing \"=\" in (or value after) \"%s\" "
|
||||
"in by clause\n",
|
||||
fname, lineno, left );
|
||||
acl_usage();
|
||||
}
|
||||
@ -501,12 +519,11 @@ parse_acl(
|
||||
acl_usage();
|
||||
}
|
||||
|
||||
/* format of string is "group/objectClassValue/groupAttrName" */
|
||||
/* format of string is
|
||||
"group/objectClassValue/groupAttrName" */
|
||||
if ((value = strchr(left, '/')) != NULL) {
|
||||
*value++ = '\0';
|
||||
if (*value
|
||||
&& (name = strchr(value, '/')) != NULL)
|
||||
{
|
||||
if (*value && (name = strchr(value, '/')) != NULL) {
|
||||
*name++ = '\0';
|
||||
}
|
||||
}
|
||||
@ -520,7 +537,8 @@ parse_acl(
|
||||
b->a_group_pat = bv;
|
||||
} else {
|
||||
ber_str2bv( right, 0, 0, &bv );
|
||||
rc = dnNormalize( 0, NULL, NULL, &bv, &b->a_group_pat, NULL );
|
||||
rc = dnNormalize( 0, NULL, NULL, &bv,
|
||||
&b->a_group_pat, NULL );
|
||||
if ( rc != LDAP_SUCCESS ) {
|
||||
fprintf( stderr,
|
||||
"%s: line %d: bad DN \"%s\"\n",
|
||||
@ -615,11 +633,12 @@ parse_acl(
|
||||
vals[1].bv_val = NULL;
|
||||
|
||||
|
||||
rc = oc_check_allowed( b->a_group_at->ad_type, vals, NULL );
|
||||
rc = oc_check_allowed( b->a_group_at->ad_type,
|
||||
vals, NULL );
|
||||
|
||||
if( rc != 0 ) {
|
||||
fprintf( stderr,
|
||||
"%s: line %d: group: \"%s\" not allowed by \"%s\"\n",
|
||||
fprintf( stderr, "%s: line %d: "
|
||||
"group: \"%s\" not allowed by \"%s\"\n",
|
||||
fname, lineno,
|
||||
b->a_group_at->ad_cname.bv_val,
|
||||
b->a_group_oc->soc_oid );
|
||||
@ -631,22 +650,23 @@ parse_acl(
|
||||
|
||||
if ( strcasecmp( left, "peername" ) == 0 ) {
|
||||
if (sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE) {
|
||||
fprintf( stderr,
|
||||
"%s: line %d: inappropriate style \"%s\" in by clause\n",
|
||||
fprintf( stderr, "%s: line %d: "
|
||||
"inappropriate style \"%s\" in by clause\n",
|
||||
fname, lineno, style );
|
||||
acl_usage();
|
||||
}
|
||||
|
||||
if ( right == NULL || right[ 0 ] == '\0' ) {
|
||||
fprintf( stderr,
|
||||
"%s: line %d: missing \"=\" in (or value after) \"%s\" in by clause\n",
|
||||
fprintf( stderr, "%s: line %d: "
|
||||
"missing \"=\" in (or value after) \"%s\" "
|
||||
"in by clause\n",
|
||||
fname, lineno, left );
|
||||
acl_usage();
|
||||
}
|
||||
|
||||
if( b->a_peername_pat.bv_len ) {
|
||||
fprintf( stderr,
|
||||
"%s: line %d: peername pattern already specified.\n",
|
||||
fprintf( stderr, "%s: line %d: "
|
||||
"peername pattern already specified.\n",
|
||||
fname, lineno );
|
||||
acl_usage();
|
||||
}
|
||||
@ -666,22 +686,23 @@ parse_acl(
|
||||
|
||||
if ( strcasecmp( left, "sockname" ) == 0 ) {
|
||||
if (sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE) {
|
||||
fprintf( stderr,
|
||||
"%s: line %d: inappropriate style \"%s\" in by clause\n",
|
||||
fprintf( stderr, "%s: line %d: "
|
||||
"inappropriate style \"%s\" in by clause\n",
|
||||
fname, lineno, style );
|
||||
acl_usage();
|
||||
}
|
||||
|
||||
if ( right == NULL || right[ 0 ] == '\0' ) {
|
||||
fprintf( stderr,
|
||||
"%s: line %d: missing \"=\" in (or value after) \"%s\" in by clause\n",
|
||||
fprintf( stderr, "%s: line %d: "
|
||||
"missing \"=\" in (or value after) \"%s\" "
|
||||
"in by clause\n",
|
||||
fname, lineno, left );
|
||||
acl_usage();
|
||||
}
|
||||
|
||||
if( b->a_sockname_pat.bv_len ) {
|
||||
fprintf( stderr,
|
||||
"%s: line %d: sockname pattern already specified.\n",
|
||||
fprintf( stderr, "%s: line %d: "
|
||||
"sockname pattern already specified.\n",
|
||||
fname, lineno );
|
||||
acl_usage();
|
||||
}
|
||||
@ -1270,26 +1291,25 @@ acl_usage( void )
|
||||
fprintf( stderr, "\n"
|
||||
"<access clause> ::= access to <what> "
|
||||
"[ by <who> <access> [ <control> ] ]+ \n"
|
||||
"<what> ::= * | [dn[.<dnstyle>]=<regex>] [filter=<ldapfilter>] [attrs=<attrlist>]\n"
|
||||
"<what> ::= * | [dn[.<dnstyle>]=<DN>] [filter=<filter>] [attrs=<attrlist>]\n"
|
||||
"<attrlist> ::= <attr> | <attr> , <attrlist>\n"
|
||||
"<attr> ::= <attrname> | entry | children\n"
|
||||
"<who> ::= [ * | anonymous | users | self | dn[.<dnstyle>]=<regex> ]\n"
|
||||
"<who> ::= [ * | anonymous | users | self | dn[.<dnstyle>]=<DN> ]\n"
|
||||
"\t[dnattr=<attrname>]\n"
|
||||
"\t[group[/<objectclass>[/<attrname>]][.<style>]=<regex>]\n"
|
||||
"\t[peername[.<style>]=<regex>] [sockname[.<style>]=<regex>]\n"
|
||||
"\t[domain[.<style>]=<regex>] [sockurl[.<style>]=<regex>]\n"
|
||||
"\t[group[/<objectclass>[/<attrname>]][.<style>]=<group>]\n"
|
||||
"\t[peername[.<style>]=<peer>] [sockname[.<style>]=<name>]\n"
|
||||
"\t[domain[.<style>]=<domain>] [sockurl[.<style>]=<url>]\n"
|
||||
#ifdef SLAPD_ACI_ENABLED
|
||||
"\t[aci=<attrname>]\n"
|
||||
#endif
|
||||
"\t[ssf=<n>] [transport_ssf=<n>] [tls_ssf=<n>] [sasl_ssf=<n>]\n"
|
||||
"<dnstyle> ::= regex | base | exact (alias of base) | one | subtree | children\n"
|
||||
"<style> ::= regex | base | exact (alias of base)\n"
|
||||
"<groupflags> ::= R\n"
|
||||
"<dnstyle> ::= base | exact | one | subtree | children | regex\n"
|
||||
"<style> ::= regex | base | exact\n"
|
||||
"<access> ::= [self]{<level>|<priv>}\n"
|
||||
"<level> ::= none | auth | compare | search | read | write\n"
|
||||
"<priv> ::= {=|+|-}{w|r|s|c|x}+\n"
|
||||
"<control> ::= [ stop | continue | break ]\n"
|
||||
);
|
||||
);
|
||||
exit( EXIT_FAILURE );
|
||||
}
|
||||
|
||||
@ -1489,14 +1509,8 @@ str2access( const char *str )
|
||||
|
||||
#ifdef LDAP_DEBUG
|
||||
|
||||
static char *style_strings[5] = {
|
||||
"regex",
|
||||
"base",
|
||||
"one",
|
||||
"subtree",
|
||||
"children"
|
||||
};
|
||||
|
||||
static char *style_strings[5] = { "regex",
|
||||
"base", "one", "subtree", "children" };
|
||||
|
||||
static void
|
||||
print_access( Access *b )
|
||||
@ -1531,7 +1545,8 @@ print_access( Access *b )
|
||||
b->a_group_oc->soc_oclass.oc_oid );
|
||||
|
||||
if ( b->a_group_at ) {
|
||||
fprintf( stderr, " attributeType: %s", b->a_group_at->ad_cname.bv_val );
|
||||
fprintf( stderr, " attributeType: %s",
|
||||
b->a_group_at->ad_cname.bv_val );
|
||||
}
|
||||
}
|
||||
}
|
||||
|
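Review bot: The `to`-clause hunk (-155,9 +155,28) and the `by`-clause hunk (-297,20 +306,27) change what an unstyled `dn="..."` means without telling the administrator: a bare DN that used to be read as a regex is now handed to dnNormalize and matched as a single base entry, while an anchored `^...$` pattern now trips the `bad DN ... in to DN clause` / `in by DN clause` checks further down and aborts startup. The abort is the good outcome; the silent reinterpretation narrows existing rules (a `to dn=` rule that under the regex default presumably covered more than one entry now covers exactly one), which is an access-control change that never shows up in a log. I would flag it at parse time in both default branches, e.g. `fprintf( stderr, "%s: line %d: dn clause without style, defaulting to \"base\" (was \"regex\")\n", fname, lineno );` next to `a->acl_dn_style = ACL_STYLE_BASE;` and `sty = ACL_STYLE_BASE;`, or at minimum a comment `/* no style: default is base (one normalized DN), not regex */` on each. Note the rendering of the by-clause hunk is misleading: `sty = ACL_STYLE_BASE;` is a context line inherited from the old base branch, so the new default branch does assign BASE, not the REGEX printed above it. parse_acl starts and ends outside these hunks.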
@ -1045,9 +1045,6 @@ typedef enum slap_style_e {
|
||||
ACL_STYLE_SUBTREE,
|
||||
ACL_STYLE_CHILDREN,
|
||||
ACL_STYLE_ATTROF,
|
||||
|
||||
/* alternate names */
|
||||
ACL_STYLE_EXACT = ACL_STYLE_BASE
|
||||
} slap_style_t;
|
||||
|
||||
typedef struct slap_authz_info {
|
||||
|
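Review bot: Dropping the `ACL_STYLE_EXACT = ACL_STYLE_BASE` alias leaves ACL_STYLE_ATTROF as the last enumerator, while the `style_strings[5]` table that this same commit reformats in acl.c (under `#ifdef LDAP_DEBUG`) still lists only regex, base, one, subtree and children; if print_access indexes that table with a slap_style_t value (its body is outside the hunk, so I cannot confirm), an ATTROF style reads one past the end. Because the table lives only in the debug path this is a diagnostic-output bug rather than an access-decision one, but it is cheap to pin down: size the table from the enum or mark it with `/* must stay in sync with slap_style_e in slap.h; ACL_STYLE_ATTROF has no entry */`. The enum's earlier members are outside this hunk, and any other translation unit still naming ACL_STYLE_EXACT will now fail to compile, which the build will catch.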
@ -60,7 +60,7 @@ access to attr=member filter=(mail=*edu)
|
||||
|
||||
access to filter="(objectclass=groupofnames)"
|
||||
by dn.base="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,o=University of Michigan,c=US" =sc continue
|
||||
by dn="^cn=Bjorn Jensen,ou=Information Technology Division,ou=People,o=University of Michigan,c=US$" +rw stop
|
||||
by dn.regex="^cn=Bjorn Jensen,ou=Information Technology Division,ou=People,o=University of Michigan,c=US$" +rw stop
|
||||
by * break
|
||||
|
||||
access to dn.children="ou=Information Technology Division,ou=People,o=University of Michigan,c=US"
|
||||
|