SLAPD_SCHEMA_NOT_COMPAT: prelim ACL work

2024-12-15 03:01:09 +08:00 · 2000-05-27 19:33:08 +00:00 · 2000-05-27 19:33:08 +00:00 · b813a5ba30
commit b813a5ba30
parent dab0793d0c
8 changed files with 118 additions and 48 deletions
--- a/servers/slapd/aclparse.c
+++ b/servers/slapd/aclparse.c
@ -98,8 +98,14 @@ parse_acl(
 #ifdef SLAPD_SCHEMA_NOT_COMPAT
 	int rc;
 	const char *text;
-	static AttributeDescription *member = NULL;
-	static AttributeDescription *aci = NULL;
+	AttributeDescription *ad_distinguishedName = slap_schema.si_ad_distinguishedName;
+	AttributeDescription *ad_member = slap_schema.si_ad_member;
+#ifdef SLAPD_ACI_ENABLED
+	AttributeDescription *ad_aci = slap_schema.si_ad_aci;
+#endif
+#else
+	static char *ad_aci = "aci";
+	static char *ad_member = "member";
 #endif

 	a = NULL;
@ -336,16 +342,17 @@ parse_acl(
 						acl_usage();
 					}

-#ifdef SLAPD_OID_DN_SYNTAX
-					if( strcmp( b->a_dn_at->ad_type->sat_syntax_oid,
-						SLAPD_OID_DN_SYNTAX ) != 0 )
+
+					if( b->a_dn_at->ad_type->sat_syntax
+						!= ad_distinguishedName->ad_type->sat_syntax )
 					{
 						fprintf( stderr,
-							"%s: line %d: dnattr attribute type not of DN syntax.\n",
-							fname, lineno );
+							"%s: line %d: dnattr \"%s\": inappropriate syntax: %s\n",
+							fname, lineno, right,
+							b->a_dn_at->ad_type->sat_syntax_oid );
 						acl_usage();
 					}
-#endif
+
 #else
 					b->a_dn_at = ch_strdup( right );
 #endif
@ -393,6 +400,16 @@ parse_acl(
 								fname, lineno, right, text );
 							acl_usage();
 						}
+
+						if( b->a_group_at->ad_type->sat_syntax
+							!= ad_member->ad_type->sat_syntax )
+						{
+							fprintf( stderr,
+								"%s: line %d: group \"%s\": inappropriate syntax: %s\n",
+								fname, lineno, right,
+								b->a_group_at->ad_type->sat_syntax_oid );
+							acl_usage();
+						}
 #else
 						b->a_group_at = ch_strdup(name);
 #endif
@ -400,9 +417,9 @@ parse_acl(

 					} else {
 #ifdef SLAPD_SCHEMA_NOT_COMPAT
-						b->a_group_at = member;
+						b->a_group_at = ad_dup( ad_member );
 #else
-						b->a_group_at = ch_strdup("member");
+						b->a_group_at = ch_strdup( ad_member );
 #endif
 					}

@ -413,17 +430,6 @@ parse_acl(
 							fname, lineno );
 						acl_usage();
 					}
-
-#ifdef SLAPD_OID_DN_SYNTAX
-					if( strcmp( b->a_group_at->ad_type->sat_syntax_oid,
-						SLAPD_OID_DN_SYNTAX ) != 0 )
-					{
-						fprintf( stderr,
-							"%s: line %d: group attribute type not of DN syntax.\n",
-							fname, lineno );
-						acl_usage();
-					}
-#endif /* SLAPD_OID_DN_SYNTAX */
 #endif /* SLAPD_SCHEMA_NOT_COMPAT */
 					continue;
 				}
@ -499,8 +505,18 @@ parse_acl(
 								fname, lineno, right, text );
 							acl_usage();
 						}
+
+						if( b->a_aci_at->ad_type->sat_syntax
+							!= ad_aci->ad_type->sat_syntax )
+						{
+							fprintf( stderr,
+								"%s: line %d: aci \"%s\": inappropriate syntax: %s\n",
+								fname, lineno, right,
+								b->a_aci_at->ad_type->sat_syntax_oid );
+							acl_usage();
+						}
 					} else {
-						b->a_aci_at = aci;
+						b->a_aci_at = ad_dup( ad_aci );
 					}

 					if( b->a_aci_at == NULL ) {
@ -510,14 +526,6 @@ parse_acl(
 						acl_usage();
 					}

-					if( strcmp( b->a_aci_at->ad_type->sat_syntax_oid,
-						SLAPD_OID_ACI_SYNTAX ) != 0 )
-					{
-						fprintf( stderr,
-							"%s: line %d: aci attribute type not of ACI syntax.\n",
-							fname, lineno );
-						acl_usage();
-					}
 #else
 					if ( right != NULL && *right != '\0' ) {
 						b->a_aci_at = ch_strdup( right );
@ -939,7 +947,11 @@ print_access( Access *b )
 	}

 	if ( b->a_dn_at != NULL ) {
+#ifdef SLAPD_SCHEMA_NOT_COMPAT
+		fprintf( stderr, " dnattr=%s", b->a_dn_at->ad_cname->bv_val );
+#else
 		fprintf( stderr, " dnattr=%s", b->a_dn_at );
+#endif
 	}

 	if ( b->a_group_pat != NULL ) {
@ -949,7 +961,11 @@ print_access( Access *b )
 			fprintf( stderr, " objectClass: %s", b->a_group_oc );

 			if ( b->a_group_at ) {
+#ifdef SLAPD_SCHEMA_NOT_COMPAT
+				fprintf( stderr, " attributeType: %s", b->a_group_at->ad_cname->bv_val );
+#else
 				fprintf( stderr, " attributeType: %s", b->a_group_at );
+#endif
 			}
 		}
    }
@ -972,7 +988,11 @@ print_access( Access *b )

 #ifdef SLAPD_ACI_ENABLED
 	if ( b->a_aci_at != NULL ) {
+#ifdef SLAPD_SCHEMA_NOT_COMPAT
+		fprintf( stderr, " aci=%s", b->a_aci_at->ad_cname->bv_val );
+#else
 		fprintf( stderr, " aci=%s", b->a_aci_at );
+#endif
 	}
 #endif

--- a/servers/slapd/at.c
+++ b/servers/slapd/at.c
@ -92,7 +92,7 @@ at_config(
 #define SYNTAX_DSCE_OID	"2.5.13.5"
 #define SYNTAX_IA5_OID	"1.3.6.1.4.1.1466.115.121.1.26"
 #define SYNTAX_IA5CE_OID	"1.3.6.1.4.1.1466.109.114.1"
-#define SYNTAX_DN_OID	SLAPD_OID_DN_SYNTAX
+#define SYNTAX_DN_OID	"1.3.6.1.4.1.1466.115.121.1.12"
 #define SYNTAX_TEL_OID	"1.3.6.1.4.1.1466.115.121.1.50"
 #define SYNTAX_BIN_OID	"1.3.6.1.4.1.1466.115.121.1.40" /* octetString */

--- a/servers/slapd/back-ldbm/alias.c
+++ b/servers/slapd/back-ldbm/alias.c
@ -218,9 +218,9 @@ static char* get_alias_dn(
 {	
 	Attribute *a;
 #ifdef SLAPD_SCHEMA_NOT_COMPAT
-	static AttributeDescription *aliasedObjectName = NULL;
+	AttributeDescription *aliasedObjectName = slap_schema.si_ad_aliasedObjectName;
 #else
-	static const char *aliasedObjectName = NULL;
+	static const char *aliasedObjectName = "aliasedObjectName";
 #endif

 	a = attr_find( e->e_attrs, aliasedObjectName );
--- a/servers/slapd/back-ldbm/group.c
+++ b/servers/slapd/back-ldbm/group.c
@ -41,7 +41,7 @@ ldbm_back_group(
 	Attribute   *attr;

 #ifdef SLAPD_SCHEMA_NOT_COMPAT
-	static AttributeDescription *objectClass = NULL;
+	AttributeDescription *objectClass = slap_schema.si_ad_objectClass;
 	const char *groupattrName = group_at->ad_cname->bv_val;
 #else
 	struct berval bv;
--- a/servers/slapd/proto-slap.h
+++ b/servers/slapd/proto-slap.h
@ -92,7 +92,6 @@ LIBSLAPD_F (AttributeType *) at_find LDAP_P(( const char *name ));
 LIBSLAPD_F (int) at_find_in_list LDAP_P(( AttributeType *sat, AttributeType **list ));
 LIBSLAPD_F (int) at_append_to_list LDAP_P(( AttributeType *sat, AttributeType ***listp ));
 LIBSLAPD_F (int) at_delete_from_list LDAP_P(( int pos, AttributeType ***listp ));
-LIBSLAPD_F (int) at_fake_if_needed LDAP_P(( const char *name ));
 LIBSLAPD_F (int) at_schema_info LDAP_P(( Entry *e ));
 LIBSLAPD_F (int) at_add LDAP_P(( LDAP_ATTRIBUTE_TYPE *at, const char **err ));

@ -103,6 +102,7 @@ LIBSLAPD_F (int) is_at_subtype LDAP_P((

 #	define at_canonical_name(at) ((at)->sat_cname)	
 #else
+LIBSLAPD_F (int) at_fake_if_needed LDAP_P(( const char *name ));
 LIBSLAPD_F (char *) at_canonical_name LDAP_P(( const char * a_type ));
 #endif

--- a/servers/slapd/schema_init.c
+++ b/servers/slapd/schema_init.c
@ -16,7 +16,15 @@
 #include "slap.h"
 #include "ldap_pvt.h"

-#define berValidate blobValidate
+static int
+inValidate(
+	Syntax *syntax,
+	struct berval *in )
+{
+	/* any value allowed */
+	return LDAP_OTHER;
+}
+
 static int
 blobValidate(
 	Syntax *syntax,
@ -26,6 +34,8 @@ blobValidate(
 	return LDAP_SUCCESS;
 }

+#define berValidate blobValidate
+
 static int
 UTF8StringValidate(
 	Syntax *syntax,
@ -341,6 +351,7 @@ struct syntax_defs_rec {
 #endif
 };

+#define X_HIDE "X-HIDE 'TRUE' "
 #define X_BINARY "X-BINARY-TRANSFER-REQUIRED 'TRUE' "
 #define X_NOT_H_R "X-NOT-HUMAN-READABLE 'TRUE' "

@ -457,8 +468,12 @@ struct syntax_defs_rec syntax_defs[] = {
 		0, NULL, NULL, NULL},

 	/* OpenLDAP Experimental Syntaxes */
-	{"( " SLAPD_OID_ACI_SYNTAX " DESC 'OpenLDAP Experimental ACI' )",
+	{"( 1.3.6.1.4.1.4203.666.2.1 DESC 'OpenLDAP Experimental ACI' )",
 		0, NULL, NULL, NULL},
+	{"( 1.3.6.1.4.1.4203.666.2.2 DESC 'OpenLDAP void' " X_HIDE ")" ,
+		SLAP_SYNTAX_HIDE, NULL, NULL, NULL},
+	{"( 1.3.6.1.4.1.4203.666.2.3 DESC 'OpenLDAP DN' " X_HIDE ")" ,
+		SLAP_SYNTAX_HIDE, NULL, NULL, NULL},

 	{NULL, 0, NULL, NULL, NULL}
 };
--- a/servers/slapd/schema_prep.c
+++ b/servers/slapd/schema_prep.c
@ -41,8 +41,15 @@ struct slap_schema_oc_map {
 	char *ssom_name;
 	size_t ssom_offset;
 } oc_map[] = {
+	{ "top", offsetof(struct slap_internal_schema, si_oc_top) },
 	{ "alias", offsetof(struct slap_internal_schema, si_oc_alias) },
 	{ "referral", offsetof(struct slap_internal_schema, si_oc_referral) },
+	{ "LDAProotDSE", offsetof(struct slap_internal_schema, si_oc_rootdse) },
+	{ "LDAPsubentry", offsetof(struct slap_internal_schema, si_oc_subentry) },
+	{ "subschema", offsetof(struct slap_internal_schema, si_oc_subschema) },
+#ifdef SLAPD_ACI_ENABLED
+	{ "groupOfNames", offsetof(struct slap_internal_schema, si_oc_groupOfNames) },
+#endif
 	{ NULL, 0 }
 };

@ -54,6 +61,7 @@ struct slap_schema_ad_map {
 	{ "objectClass", objectClassMatch,
 		offsetof(struct slap_internal_schema, si_ad_objectClass) },

+	/* user entry operational attributes */
 	{ "creatorsName", NULL,
 		offsetof(struct slap_internal_schema, si_ad_creatorsName) },
 	{ "createTimestamp", NULL,
@ -62,10 +70,10 @@ struct slap_schema_ad_map {
 		offsetof(struct slap_internal_schema, si_ad_modifiersName) },
 	{ "modifyTimestamp", NULL,
 		offsetof(struct slap_internal_schema, si_ad_modifyTimestamp) },
-
 	{ "subschemaSubentry", NULL,
 		offsetof(struct slap_internal_schema, si_ad_subschemaSubentry) },

+	/* root DSE attributes */
 	{ "namingContexts", NULL,
 		offsetof(struct slap_internal_schema, si_ad_namingContexts) },
 	{ "supportedControl", NULL,
@ -74,14 +82,14 @@ struct slap_schema_ad_map {
 		offsetof(struct slap_internal_schema, si_ad_supportedExtension) },
 	{ "supportedLDAPVersion", NULL,
 		offsetof(struct slap_internal_schema, si_ad_supportedLDAPVersion) },
-#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
+#ifdef SLAPD_ACI_ENABLED
 	{ "supportedACIMechanisms", NULL,
 		offsetof(struct slap_internal_schema, si_ad_supportedACIMechanisms) },
-
 #endif
 	{ "supportedSASLMechanisms", NULL,
 		offsetof(struct slap_internal_schema, si_ad_supportedSASLMechanisms) },

+	/* subschema subentry attributes */
 	{ "attributeTypes", NULL,
 		offsetof(struct slap_internal_schema, si_ad_attributeTypes) },
 	{ "ldapSyntaxes", NULL,
@ -91,13 +99,25 @@ struct slap_schema_ad_map {
 	{ "objectClasses", NULL,
 		offsetof(struct slap_internal_schema, si_ad_objectClasses) },

+	/* knowledge information */
+	{ "aliasedObjectName", NULL,
+		offsetof(struct slap_internal_schema, si_ad_aliasedObjectName) },
 	{ "ref", NULL,
 		offsetof(struct slap_internal_schema, si_ad_ref) },

+	/* access control information */
 	{ "entry", NULL,
 		offsetof(struct slap_internal_schema, si_ad_entry) },
 	{ "children", NULL,
 		offsetof(struct slap_internal_schema, si_ad_children) },
+	{ "distinguishedName", NULL,
+		offsetof(struct slap_internal_schema, si_ad_distinguishedName) },
+	{ "member", NULL,
+		offsetof(struct slap_internal_schema, si_ad_member) },
+#ifdef SLAPD_ACI_ENABLED
+	{ "aci", NULL,
+		offsetof(struct slap_internal_schema, si_ad_aci) },
+#endif

 	{ "userPassword", NULL,
 		offsetof(struct slap_internal_schema, si_ad_userPassword) },
--- a/servers/slapd/slap.h
+++ b/servers/slapd/slap.h
@ -93,11 +93,12 @@ LDAP_BEGIN_DECL
 #define AD_LEADCHAR(c)	( ATTR_CHAR(c) )
 #define AD_CHAR(c)		( ATTR_CHAR(c) || (c) == ';' )

-#define SLAPD_ACI_DEFAULT_ATTR		"aci"
-
+#ifndef SLAPD_SCHEMA_NOT_COMPAT
 /* schema needed by slapd */
-#define SLAPD_OID_DN_SYNTAX "1.3.6.1.4.1.1466.115.121.1.12"
 #define SLAPD_OID_ACI_SYNTAX "1.3.6.1.4.1.4203.666.2.1" /* experimental */
+#define SLAPD_ACI_DEFAULT_ATTR		"aci"
+#endif
+

 LIBSLAPD_F (int) slap_debug;

@ -155,10 +156,11 @@ typedef struct slap_syntax {

 	unsigned	ssyn_flags;

-#define SLAP_SYNTAX_NONE	0x0U
-#define SLAP_SYNTAX_BLOB	0x1U /* syntax treated as blob (audio) */
-#define SLAP_SYNTAX_BINARY	0x2U /* binary transfer required (certificate) */
-#define SLAP_SYNTAX_BER		0x4U /* stored using BER encoding (binary,certificate) */
+#define SLAP_SYNTAX_NONE	0x00U
+#define SLAP_SYNTAX_BLOB	0x01U /* syntax treated as blob (audio) */
+#define SLAP_SYNTAX_BINARY	0x02U /* binary transfer required (certificate) */
+#define SLAP_SYNTAX_BER		0x04U /* stored using BER encoding (binary,certificate) */
+#define SLAP_SYNTAX_HIDE	0x80U /* hide (do not publish) */

 	slap_syntax_validate_func	*ssyn_validate;
 	slap_syntax_transform_func	*ssyn_normalize;
@ -177,6 +179,7 @@ typedef struct slap_syntax {
 #define slap_syntax_is_blob(s)		slap_syntax_is_flag((s),SLAP_SYNTAX_BLOB)
 #define slap_syntax_is_binary(s)	slap_syntax_is_flag((s),SLAP_SYNTAX_BINARY)
 #define slap_syntax_is_ber(s)		slap_syntax_is_flag((s),SLAP_SYNTAX_BER)
+#define slap_syntax_is_hidden(s)	slap_syntax_is_flag((s),SLAP_SYNTAX_HIDE)

 /* XXX -> UCS-2 Converter */
 typedef int slap_mr_convert_func LDAP_P((
@ -327,8 +330,15 @@ typedef struct slap_attr_desc {
 */
 struct slap_internal_schema {
 	/* objectClass */
+	ObjectClass *si_oc_top;
 	ObjectClass *si_oc_alias;
 	ObjectClass *si_oc_referral;
+	ObjectClass *si_oc_subentry;
+	ObjectClass *si_oc_subschema;
+	ObjectClass *si_oc_rootdse;
+#ifdef SLAPD_ACI_ENABLED
+	ObjectClass *si_oc_groupOfNames;
+#endif

 	/* objectClass attribute */
 	AttributeDescription *si_ad_objectClass;
@ -361,9 +371,14 @@ struct slap_internal_schema {
 	AttributeDescription *si_ad_aliasedObjectName;
 	AttributeDescription *si_ad_ref;

-	/* ACL Internals */
+	/* Access Control Internals */
 	AttributeDescription *si_ad_entry;
 	AttributeDescription *si_ad_children;
+	AttributeDescription *si_ad_member;
+	AttributeDescription *si_ad_distinguishedName;
+#ifdef SLAPD_ACI_ENABLED
+	AttributeDescription *si_ad_aci;
+#endif

 	/* Other */
 	AttributeDescription *si_ad_userPassword;