mirror of
https://git.openldap.org/openldap/openldap.git
synced 2025-02-17 14:00:30 +08:00
1. extend aclgroup's to be able to specify objectClassValue and groupAttrName
2. update print_acl() a bit and call it during aclparse if LDAP_DEBUG_ACL
This commit is contained in:
Stuart Lynne
parent
033cf4ebe7
commit
7c52060c67
@ -368,15 +368,10 @@ acl_access_allowed(
|
|||||||
* entry with objectclass group* and we test to see if odn is one of
|
* entry with objectclass group* and we test to see if odn is one of
|
||||||
* the values in the attribute group
|
* the values in the attribute group
|
||||||
*/
|
*/
|
||||||
Debug( LDAP_DEBUG_ARGS, "<= check a_group: %s\n",
|
|
||||||
b->a_group, 0, 0);
|
|
||||||
Debug( LDAP_DEBUG_ARGS, "<= check a_group: odn: %s\n",
|
|
||||||
odn, 0, 0);
|
|
||||||
|
|
||||||
/* see if asker is listed in dnattr */
|
/* see if asker is listed in dnattr */
|
||||||
string_expand(buf, sizeof(buf), b->a_group, edn, matches);
|
string_expand(buf, sizeof(buf), b->a_group, edn, matches);
|
||||||
|
|
||||||
if (be_group(be, buf, odn) == 0) {
|
if (be_group(be, buf, odn, b->a_objectclassvalue, b->a_groupattrname) == 0) {
|
||||||
Debug( LDAP_DEBUG_ACL,
|
Debug( LDAP_DEBUG_ACL,
|
||||||
"<= acl_access_allowed: matched by clause #%d (group) access granted\n",
|
"<= acl_access_allowed: matched by clause #%d (group) access granted\n",
|
||||||
i, 0, 0 );
|
i, 0, 0 );
|
||||||
|
|||||||
@ -210,8 +210,36 @@ parse_acl(
|
|||||||
|
|
||||||
#ifdef SLAPD_ACLGROUPS
|
#ifdef SLAPD_ACLGROUPS
|
||||||
} else if ( strcasecmp( left, "group" ) == 0 ) {
|
} else if ( strcasecmp( left, "group" ) == 0 ) {
|
||||||
|
char *name = NULL;
|
||||||
|
char *value = NULL;
|
||||||
regtest(fname, lineno, right);
|
regtest(fname, lineno, right);
|
||||||
|
|
||||||
|
/* format of string is "group/objectClassValue/groupAttrName"
|
||||||
|
*/
|
||||||
|
if ((value = strchr(right, '/')) != NULL) {
|
||||||
|
*value++ = '\0';
|
||||||
|
if (value && *value && (name = strchr(value, '/')) != NULL)
|
||||||
|
*name++ = '\0';
|
||||||
|
}
|
||||||
|
|
||||||
b->a_group = dn_upcase(strdup( right ));
|
b->a_group = dn_upcase(strdup( right ));
|
||||||
|
|
||||||
|
if (value && *value) {
|
||||||
|
b->a_objectclassvalue = strdup(value);
|
||||||
|
*--value = '/';
|
||||||
|
}
|
||||||
|
else
|
||||||
|
b->a_objectclassvalue = strdup("groupOfNames");
|
||||||
|
|
||||||
|
if (name && *name) {
|
||||||
|
b->a_groupattrname = strdup(name);
|
||||||
|
*--name = '/';
|
||||||
|
}
|
||||||
|
else
|
||||||
|
b->a_groupattrname = strdup("member");
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
#endif /* SLAPD_ACLGROUPS */
|
#endif /* SLAPD_ACLGROUPS */
|
||||||
} else if ( strcasecmp( left, "domain" ) == 0 ) {
|
} else if ( strcasecmp( left, "domain" ) == 0 ) {
|
||||||
char *s;
|
char *s;
|
||||||
@ -264,6 +292,10 @@ parse_acl(
|
|||||||
fname, lineno );
|
fname, lineno );
|
||||||
|
|
||||||
} else {
|
} else {
|
||||||
|
|
||||||
|
if (ldap_debug&LDAP_DEBUG_ACL)
|
||||||
|
print_acl(a);
|
||||||
|
|
||||||
|
|
||||||
if ( a->acl_access == NULL ) {
|
if ( a->acl_access == NULL ) {
|
||||||
fprintf( stderr,
|
fprintf( stderr,
|
||||||
@ -386,15 +418,22 @@ print_access( struct access *b )
|
|||||||
{
|
{
|
||||||
printf( "\tby" );
|
printf( "\tby" );
|
||||||
if ( b->a_dnpat != NULL ) {
|
if ( b->a_dnpat != NULL ) {
|
||||||
printf( " dn=%s", b->a_dnpat );
|
fprintf( stderr, " dn=%s", b->a_dnpat );
|
||||||
} else if ( b->a_addrpat != NULL ) {
|
} else if ( b->a_addrpat != NULL ) {
|
||||||
printf( " addr=%s", b->a_addrpat );
|
fprintf( stderr, " addr=%s", b->a_addrpat );
|
||||||
} else if ( b->a_domainpat != NULL ) {
|
} else if ( b->a_domainpat != NULL ) {
|
||||||
printf( " domain=%s", b->a_domainpat );
|
fprintf( stderr, " domain=%s", b->a_domainpat );
|
||||||
} else if ( b->a_dnattr != NULL ) {
|
} else if ( b->a_dnattr != NULL ) {
|
||||||
printf( " dnattr=%s", b->a_dnattr );
|
fprintf( stderr, " dnattr=%s", b->a_dnattr );
|
||||||
}
|
}
|
||||||
printf( " %s\n", access2str( b->a_access ) );
|
else if ( b->a_group != NULL ) {
|
||||||
|
fprintf( stderr, " group: %s", b->a_group );
|
||||||
|
if ( b->a_objectclassvalue )
|
||||||
|
fprintf( stderr, " objectClassValue: %s", b->a_objectclassvalue );
|
||||||
|
if ( b->a_groupattrname )
|
||||||
|
fprintf( stderr, " groupAttrName: %s", b->a_groupattrname );
|
||||||
|
}
|
||||||
|
fprintf( stderr, "\n" );
|
||||||
}
|
}
|
||||||
|
|
||||||
static void
|
static void
|
||||||
@ -404,33 +443,34 @@ print_acl( struct acl *a )
|
|||||||
struct access *b;
|
struct access *b;
|
||||||
|
|
||||||
if ( a == NULL ) {
|
if ( a == NULL ) {
|
||||||
printf( "NULL\n" );
|
fprintf( stderr, "NULL\n" );
|
||||||
}
|
}
|
||||||
printf( "access to" );
|
fprintf( stderr, "ACL: access to" );
|
||||||
if ( a->acl_filter != NULL ) {
|
if ( a->acl_filter != NULL ) {
|
||||||
printf( " filter=" );
|
fprintf( stderr," filter=" );
|
||||||
filter_print( a->acl_filter );
|
filter_print( a->acl_filter );
|
||||||
}
|
}
|
||||||
if ( a->acl_dnpat != NULL ) {
|
if ( a->acl_dnpat != NULL ) {
|
||||||
printf( " dn=" );
|
fprintf( stderr, " dn=" );
|
||||||
printf( a->acl_dnpat );
|
fprintf( stderr, a->acl_dnpat );
|
||||||
}
|
}
|
||||||
if ( a->acl_attrs != NULL ) {
|
if ( a->acl_attrs != NULL ) {
|
||||||
int first = 1;
|
int first = 1;
|
||||||
|
|
||||||
printf( " attrs=" );
|
fprintf( stderr, "\n attrs=" );
|
||||||
for ( i = 0; a->acl_attrs[i] != NULL; i++ ) {
|
for ( i = 0; a->acl_attrs[i] != NULL; i++ ) {
|
||||||
if ( ! first ) {
|
if ( ! first ) {
|
||||||
printf( "," );
|
fprintf( stderr, "," );
|
||||||
}
|
}
|
||||||
printf( a->acl_attrs[i] );
|
fprintf( stderr, a->acl_attrs[i] );
|
||||||
first = 0;
|
first = 0;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
printf( "\n" );
|
fprintf( stderr, "\n" );
|
||||||
for ( b = a->acl_access; b != NULL; b = b->a_next ) {
|
for ( b = a->acl_access; b != NULL; b = b->a_next ) {
|
||||||
print_access( b );
|
print_access( b );
|
||||||
}
|
}
|
||||||
|
fprintf( stderr, "\n" );
|
||||||
}
|
}
|
||||||
|
|
||||||
#endif /* LDAP_DEBUG */
|
#endif /* LDAP_DEBUG */
|
||||||
|
|||||||
@ -15,7 +15,7 @@ extern Attribute *attr_find();
|
|||||||
|
|
||||||
|
|
||||||
#ifdef SLAPD_ACLGROUPS
|
#ifdef SLAPD_ACLGROUPS
|
||||||
/* return 0 IFF edn is a value in uniqueMember attribute
|
/* return 0 IFF edn is a value in member attribute
|
||||||
* of entry with bdn AND that entry has an objectClass
|
* of entry with bdn AND that entry has an objectClass
|
||||||
* value of groupOfNames
|
* value of groupOfNames
|
||||||
*/
|
*/
|
||||||
@ -23,7 +23,9 @@ int
|
|||||||
ldbm_back_group(
|
ldbm_back_group(
|
||||||
Backend *be,
|
Backend *be,
|
||||||
char *bdn,
|
char *bdn,
|
||||||
char *edn
|
char *edn,
|
||||||
|
char *objectclassValue,
|
||||||
|
char *groupattrName
|
||||||
)
|
)
|
||||||
{
|
{
|
||||||
struct ldbminfo *li = (struct ldbminfo *) be->be_private;
|
struct ldbminfo *li = (struct ldbminfo *) be->be_private;
|
||||||
@ -35,6 +37,8 @@ ldbm_back_group(
|
|||||||
|
|
||||||
Debug( LDAP_DEBUG_TRACE, "=> ldbm_back_group: bdn: %s\n", bdn, 0, 0 );
|
Debug( LDAP_DEBUG_TRACE, "=> ldbm_back_group: bdn: %s\n", bdn, 0, 0 );
|
||||||
Debug( LDAP_DEBUG_TRACE, "=> ldbm_back_group: edn: %s\n", edn, 0, 0 );
|
Debug( LDAP_DEBUG_TRACE, "=> ldbm_back_group: edn: %s\n", edn, 0, 0 );
|
||||||
|
Debug( LDAP_DEBUG_TRACE, "=> ldbm_back_group: objectClass: %s attrName: %s\n",
|
||||||
|
objectclassValue, groupattrName, 0 );
|
||||||
|
|
||||||
/* can we find bdn entry with reader lock */
|
/* can we find bdn entry with reader lock */
|
||||||
if ((e = dn2entry_r(be, bdn, &matched )) == NULL) {
|
if ((e = dn2entry_r(be, bdn, &matched )) == NULL) {
|
||||||
@ -56,32 +60,33 @@ ldbm_back_group(
|
|||||||
if ((objectClass = attr_find(e->e_attrs, "objectclass")) == NULL) {
|
if ((objectClass = attr_find(e->e_attrs, "objectclass")) == NULL) {
|
||||||
Debug( LDAP_DEBUG_TRACE, "<= ldbm_back_group: failed to find objectClass\n", 0, 0, 0 );
|
Debug( LDAP_DEBUG_TRACE, "<= ldbm_back_group: failed to find objectClass\n", 0, 0, 0 );
|
||||||
}
|
}
|
||||||
else if ((member = attr_find(e->e_attrs, "member")) == NULL) {
|
else if ((member = attr_find(e->e_attrs, groupattrName)) == NULL) {
|
||||||
Debug( LDAP_DEBUG_TRACE, "<= ldbm_back_group: failed to find member\n", 0, 0, 0 );
|
Debug( LDAP_DEBUG_TRACE, "<= ldbm_back_group: failed to find %s\n", groupattrName, 0, 0 );
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
struct berval bvObjectClass;
|
struct berval bvObjectClass;
|
||||||
struct berval bvMembers;
|
struct berval bvMembers;
|
||||||
|
|
||||||
Debug( LDAP_DEBUG_ARGS, "<= ldbm_back_group: found objectClass and members\n", 0, 0, 0 );
|
Debug( LDAP_DEBUG_ARGS, "<= ldbm_back_group: found objectClass and %s\n", groupattrName, 0, 0 );
|
||||||
|
|
||||||
bvObjectClass.bv_val = "groupofnames";
|
bvObjectClass.bv_val = objectclassValue;
|
||||||
bvObjectClass.bv_len = strlen( bvObjectClass.bv_val );
|
bvObjectClass.bv_len = strlen( bvObjectClass.bv_val );
|
||||||
|
|
||||||
bvMembers.bv_val = edn;
|
bvMembers.bv_val = edn;
|
||||||
bvMembers.bv_len = strlen( edn );
|
bvMembers.bv_len = strlen( edn );
|
||||||
|
|
||||||
if (value_find(objectClass->a_vals, &bvObjectClass, SYNTAX_CIS, 1) != 0) {
|
if (value_find(objectClass->a_vals, &bvObjectClass, SYNTAX_CIS, 1) != 0) {
|
||||||
Debug( LDAP_DEBUG_TRACE,
|
Debug( LDAP_DEBUG_TRACE,
|
||||||
"<= ldbm_back_group: failed to find objectClass in groupOfNames\n",
|
"<= ldbm_back_group: failed to find %s in objectClass\n",
|
||||||
0, 0, 0 );
|
objectclassValue, 0, 0 );
|
||||||
}
|
}
|
||||||
else if (value_find(member->a_vals, &bvMembers, SYNTAX_CIS, 1) != 0) {
|
else if (value_find(member->a_vals, &bvMembers, SYNTAX_CIS, 1) != 0) {
|
||||||
Debug( LDAP_DEBUG_ACL, "<= ldbm_back_group: %s not in %s: groupOfNames\n",
|
Debug( LDAP_DEBUG_ACL, "<= ldbm_back_group: %s not in %s: %s\n",
|
||||||
edn, bdn, 0 );
|
edn, bdn, groupattrName );
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
Debug( LDAP_DEBUG_ACL, "<= ldbm_back_group: %s is in %s: groupOfNames\n",
|
Debug( LDAP_DEBUG_ACL, "<= ldbm_back_group: %s is in %s: %s\n",
|
||||||
edn, bdn, 0 );
|
edn, bdn, groupattrName );
|
||||||
rc = 0;
|
rc = 0;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -91,5 +96,5 @@ ldbm_back_group(
|
|||||||
Debug( LDAP_DEBUG_ARGS, "ldbm_back_group: rc: %d\n", rc, 0, 0 );
|
Debug( LDAP_DEBUG_ARGS, "ldbm_back_group: rc: %d\n", rc, 0, 0 );
|
||||||
return(rc);
|
return(rc);
|
||||||
}
|
}
|
||||||
#endif
|
#endif /* SLAPD_ACLGROUPS */
|
||||||
|
|
||||||
|
|||||||
@ -282,10 +282,10 @@ be_unbind(
|
|||||||
|
|
||||||
#ifdef SLAPD_ACLGROUPS
|
#ifdef SLAPD_ACLGROUPS
|
||||||
int
|
int
|
||||||
be_group(Backend *be, char *bdn, char *edn)
|
be_group(Backend *be, char *bdn, char *edn, char *objectclassValue, char *groupattrName)
|
||||||
{
|
{
|
||||||
if (be->be_group)
|
if (be->be_group)
|
||||||
return(be->be_group(be, bdn, edn));
|
return(be->be_group(be, bdn, edn, objectclassValue, groupattrName));
|
||||||
else
|
else
|
||||||
return(1);
|
return(1);
|
||||||
}
|
}
|
||||||
|
|||||||
@ -391,63 +391,63 @@ filter_print( Filter *f )
|
|||||||
Filter *p;
|
Filter *p;
|
||||||
|
|
||||||
if ( f == NULL ) {
|
if ( f == NULL ) {
|
||||||
printf( "NULL" );
|
fprintf( stderr, "NULL" );
|
||||||
}
|
}
|
||||||
|
|
||||||
switch ( f->f_choice ) {
|
switch ( f->f_choice ) {
|
||||||
case LDAP_FILTER_EQUALITY:
|
case LDAP_FILTER_EQUALITY:
|
||||||
printf( "(%s=%s)", f->f_ava.ava_type,
|
fprintf( stderr, "(%s=%s)", f->f_ava.ava_type,
|
||||||
f->f_ava.ava_value.bv_val );
|
f->f_ava.ava_value.bv_val );
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case LDAP_FILTER_GE:
|
case LDAP_FILTER_GE:
|
||||||
printf( "(%s>=%s)", f->f_ava.ava_type,
|
fprintf( stderr, "(%s>=%s)", f->f_ava.ava_type,
|
||||||
f->f_ava.ava_value.bv_val );
|
f->f_ava.ava_value.bv_val );
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case LDAP_FILTER_LE:
|
case LDAP_FILTER_LE:
|
||||||
printf( "(%s<=%s)", f->f_ava.ava_type,
|
fprintf( stderr, "(%s<=%s)", f->f_ava.ava_type,
|
||||||
f->f_ava.ava_value.bv_val );
|
f->f_ava.ava_value.bv_val );
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case LDAP_FILTER_APPROX:
|
case LDAP_FILTER_APPROX:
|
||||||
printf( "(%s~=%s)", f->f_ava.ava_type,
|
fprintf( stderr, "(%s~=%s)", f->f_ava.ava_type,
|
||||||
f->f_ava.ava_value.bv_val );
|
f->f_ava.ava_value.bv_val );
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case LDAP_FILTER_SUBSTRINGS:
|
case LDAP_FILTER_SUBSTRINGS:
|
||||||
printf( "(%s=", f->f_sub_type );
|
fprintf( stderr, "(%s=", f->f_sub_type );
|
||||||
if ( f->f_sub_initial != NULL ) {
|
if ( f->f_sub_initial != NULL ) {
|
||||||
printf( "%s", f->f_sub_initial );
|
fprintf( stderr, "%s", f->f_sub_initial );
|
||||||
}
|
}
|
||||||
if ( f->f_sub_any != NULL ) {
|
if ( f->f_sub_any != NULL ) {
|
||||||
for ( i = 0; f->f_sub_any[i] != NULL; i++ ) {
|
for ( i = 0; f->f_sub_any[i] != NULL; i++ ) {
|
||||||
printf( "*%s", f->f_sub_any[i] );
|
fprintf( stderr, "*%s", f->f_sub_any[i] );
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
charray_free( f->f_sub_any );
|
charray_free( f->f_sub_any );
|
||||||
if ( f->f_sub_final != NULL ) {
|
if ( f->f_sub_final != NULL ) {
|
||||||
printf( "*%s", f->f_sub_final );
|
fprintf( stderr, "*%s", f->f_sub_final );
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case LDAP_FILTER_PRESENT:
|
case LDAP_FILTER_PRESENT:
|
||||||
printf( "%s=*", f->f_type );
|
fprintf( stderr, "%s=*", f->f_type );
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case LDAP_FILTER_AND:
|
case LDAP_FILTER_AND:
|
||||||
case LDAP_FILTER_OR:
|
case LDAP_FILTER_OR:
|
||||||
case LDAP_FILTER_NOT:
|
case LDAP_FILTER_NOT:
|
||||||
printf( "(%c", f->f_choice == LDAP_FILTER_AND ? '&' :
|
fprintf( stderr, "(%c", f->f_choice == LDAP_FILTER_AND ? '&' :
|
||||||
f->f_choice == LDAP_FILTER_OR ? '|' : '!' );
|
f->f_choice == LDAP_FILTER_OR ? '|' : '!' );
|
||||||
for ( p = f->f_list; p != NULL; p = p->f_next ) {
|
for ( p = f->f_list; p != NULL; p = p->f_next ) {
|
||||||
filter_print( p );
|
filter_print( p );
|
||||||
}
|
}
|
||||||
printf( ")" );
|
fprintf( stderr, ")" );
|
||||||
break;
|
break;
|
||||||
|
|
||||||
default:
|
default:
|
||||||
printf( "unknown type %d", f->f_choice );
|
fprintf( stderr, "unknown type %d", f->f_choice );
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@ -144,7 +144,9 @@ struct access {
|
|||||||
long a_access;
|
long a_access;
|
||||||
|
|
||||||
#ifdef SLAPD_ACLGROUPS
|
#ifdef SLAPD_ACLGROUPS
|
||||||
char *a_group;
|
char *a_group;
|
||||||
|
char *a_objectclassvalue;
|
||||||
|
char *a_groupattrname;
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#define ACL_NONE 0x01
|
#define ACL_NONE 0x01
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user