more on strict config parsing (ITS#3705)

servers/slapd/aclparse.c

@@ -696,8 +696,12 @@ parse_acl(
 					case ACL_STYLE_REGEX:
 						fprintf( stderr, "%s: line %d: "
 							"\"regex\" style implies "
-							"\"expand\" modifier (ignored)\n",
+							"\"expand\" modifier" 
+							SLAPD_CONF_UNKNOWN_IGNORED ".\n",
 							fname, lineno );
+#ifdef SLAPD_CONF_UNKNOWN_BAILOUT
+						acl_usage();
+#endif /* SLAPD_CONF_UNKNOWN_BAILOUT */
 						break;
 
 					case ACL_STYLE_EXPAND:
@@ -706,8 +710,12 @@ parse_acl(
 						fprintf( stderr, "%s: line %d: "
 							"\"expand\" style used "
 							"in conjunction with "
-							"\"expand\" modifier (ignored)\n",
+							"\"expand\" modifier"
+							SLAPD_CONF_UNKNOWN_IGNORED ".\n",
 							fname, lineno );
+#ifdef SLAPD_CONF_UNKNOWN_BAILOUT
+						acl_usage();
+#endif /* SLAPD_CONF_UNKNOWN_BAILOUT */
 #endif
 						break;
 
@@ -853,7 +861,34 @@ parse_acl(
 						bdn->a_pat = bv;
 					}
 					bdn->a_style = sty;
+					if ( expand ) {
+						char	*exp;
+						int	gotit = 0;
+
+						for ( exp = strchr( bdn->a_pat.bv_val, '$' );
+								exp && exp - bdn->a_pat.bv_val < bdn->a_pat.bv_len;
+								exp = strchr( exp, '$' ) )
+						{
+							if ( isdigit( exp[ 1 ] ) ) {
+								gotit = 1;
+								break;
+							}
+						}
+
+						if ( gotit == 1 ) {
 							bdn->a_expand = expand;
+
+						} else {
+							fprintf( stderr,
+								"%s: line %d: \"expand\" used "
+								"with no expansions in \"pattern\""
+								SLAPD_CONF_UNKNOWN_IGNORED ".\n",
+								fname, lineno );
+#ifdef SLAPD_CONF_UNKNOWN_BAILOUT
+							acl_usage();
+#endif /* SLAPD_CONF_UNKNOWN_BAILOUT */
+						} 
+					}
 					if ( sty == ACL_STYLE_SELF ) {
 						bdn->a_self_level = level;
 

servers/slapd/back-bdb/attr.c

@@ -258,7 +258,7 @@ bdb_attr_index_config(
 				continue;
 			}
 			fprintf( stderr, "%s: line %d: duplicate index definition "
-				"for attr \"%s\" (ignored)\n",
+				"for attr \"%s\"" SLAPD_CONF_UNKNOWN_IGNORED ".\n",
 				fname, lineno, attrs[i] );
 
 			return LDAP_PARAM_ERROR;

servers/slapd/back-ldbm/attr.c

@@ -201,7 +201,7 @@ attr_index_config(
 
 		if( rc ) {
 			fprintf( stderr, "%s: line %d: duplicate index definition "
-				"for attr \"%s\" (ignored)\n",
+				"for attr \"%s\"" SLAPD_CONF_UNKNOWN_IGNORED ".\n",
 			    fname, lineno, attrs[i] );
 
 			return LDAP_PARAM_ERROR;

servers/slapd/back-ldbm/config.c

@@ -73,8 +73,11 @@ ldbm_back_db_config(
 			return( 1 );
 		} else if ( argc > 3 ) {
 			fprintf( stderr,
-"%s: line %d: extra junk after \"index <attr> [pres,eq,approx,sub]\" line (ignored)\n",
+"%s: line %d: extra junk after \"index <attr> [pres,eq,approx,sub]\" line" SLAPD_CONF_UNKNOWN_IGNORED ".\n",
 			    fname, lineno );
+#ifdef SLAPD_CONF_UNKNOWN_BAILOUT
+			return( 1 );
+#endif /* SLAPD_CONF_UNKNOWN_BAILOUT */
 		}
 		rc = attr_index_config( li, fname, lineno, argc - 1, &argv[1] );
 

servers/slapd/back-meta/config.c

@@ -791,7 +791,7 @@ ldap_back_map_config(
 			|| avl_find( map->remap, (caddr_t)&mapping[ 1 ], mapping_cmp ) != NULL)
 	{
 		fprintf( stderr,
-			"%s: line %d: duplicate mapping found (ignored)\n",
+			"%s: line %d: duplicate mapping found" SLAPD_CONF_UNKNOWN_IGNORED ".\n",
 			fname, lineno );
 		goto error_return;
 	}

servers/slapd/bconfig.c

@@ -1242,7 +1242,11 @@ config_generic(ConfigArgs *c) {
 
 		default:
 			Debug(LDAP_DEBUG_ANY, "%s: unknown CFG_TYPE %d"
-				"(ignored)\n", c->log, c->type, 0);
+				SLAPD_CONF_UNKNOWN_IGNORED ".\n",
+				c->log, c->type, 0);
+#ifdef SLAPD_CONF_UNKNOWN_BAILOUT
+			return 1;
+#endif /* SLAPD_CONF_UNKNOWN_BAILOUT */
 
 	}
 	return(0);
@@ -1428,8 +1432,12 @@ config_sizelimit(ConfigArgs *c) {
 					return(1);
 				} else if(next[0] != '\0') {
 					Debug(LDAP_DEBUG_ANY, "%s: "
-						"trailing chars \"%s\" in \"sizelimit <limit>\" line (ignored)\n",
+						"trailing chars \"%s\" in \"sizelimit <limit>\" line"
+						SLAPD_CONF_UNKNOWN_IGNORED ".\n",
 						c->log, next, 0);
+#ifdef SLAPD_CONF_UNKNOWN_BAILOUT
+					return 1;
+#endif /* SLAPD_CONF_UNKNOWN_BAILOUT */
 				}
 			}
 			lim->lms_s_hard = 0;
@@ -1481,8 +1489,12 @@ config_timelimit(ConfigArgs *c) {
 					return(1);
 				} else if(next[0] != '\0') {
 					Debug(LDAP_DEBUG_ANY, "%s: "
-						"trailing chars \"%s\" in \"timelimit <limit>\" line (ignored)\n",
+						"trailing chars \"%s\" in \"timelimit <limit>\" line"
+						SLAPD_CONF_UNKNOWN_IGNORED ".\n",
 						c->log, next, 0);
+#ifdef SLAPD_CONF_UNKNOWN_BAILOUT
+					return 1;
+#endif /* SLAPD_CONF_UNKNOWN_BAILOUT */
 				}
 			}
 			lim->lms_t_hard = 0;
@@ -1500,8 +1512,12 @@ config_overlay(ConfigArgs *c) {
 	}
 	if(c->argv[1][0] == '-' && overlay_config(c->be, &c->argv[1][1])) {
 		/* log error */
-		Debug(LDAP_DEBUG_ANY, "%s: (optional) %s overlay \"%s\" configuration failed (ignored)\n",
+		Debug(LDAP_DEBUG_ANY, "%s: (optional) %s overlay \"%s\" configuration failed"
+			SLAPD_CONF_UNKNOWN_IGNORED ".\n",
 			c->log, c->be == frontendDB ? "global " : "", c->argv[1][1]);
+#ifdef SLAPD_CONF_UNKNOWN_BAILOUT
+		return 1;
+#endif /* SLAPD_CONF_UNKNOWN_BAILOUT */
 	} else if(overlay_config(c->be, c->argv[1])) {
 		return(1);
 	}
@@ -1558,8 +1574,12 @@ config_suffix(ConfigArgs *c) {
 	ndn = c->value_ndn;
 	tbe = select_backend(&ndn, 0, 0);
 	if(tbe == c->be) {
-		Debug(LDAP_DEBUG_ANY, "%s: suffix already served by this backend! (ignored)\n",
+		Debug(LDAP_DEBUG_ANY, "%s: suffix already served by this backend!"
+			SLAPD_CONF_UNKNOWN_IGNORED ".\n",
 			c->log, 0, 0);
+#ifdef SLAPD_CONF_UNKNOWN_BAILOUT
+		return 1;
+#endif /* SLAPD_CONF_UNKNOWN_BAILOUT */
 		free(pdn.bv_val);
 		free(ndn.bv_val);
 	} else if(tbe) {
@@ -2095,13 +2115,21 @@ config_replica(ConfigArgs *c) {
 				switch(add_replica_suffix(c->be, nr, c->argv[i] + STRLENOF("suffix="))) {
 					case 1:
 						Debug(LDAP_DEBUG_ANY, "%s: "
-						"suffix \"%s\" in \"replica\" line is not valid for backend (ignored)\n",
+						"suffix \"%s\" in \"replica\" line is not valid for backend"
+						SLAPD_CONF_UNKNOWN_IGNORED ".\n",
 						c->log, c->argv[i] + STRLENOF("suffix="), 0);
+#ifdef SLAPD_CONF_UNKNOWN_BAILOUT
+						return 1;
+#endif /* SLAPD_CONF_UNKNOWN_BAILOUT */
 						break;
 					case 2:
 						Debug(LDAP_DEBUG_ANY, "%s: "
-						"unable to normalize suffix in \"replica\" line (ignored)\n",
+						"unable to normalize suffix in \"replica\" line"
+						SLAPD_CONF_UNKNOWN_IGNORED ".\n",
 						c->log, 0, 0);
+#ifdef SLAPD_CONF_UNKNOWN_BAILOUT
+						return 1;
+#endif /* SLAPD_CONF_UNKNOWN_BAILOUT */
 						break;
 				}
 

servers/slapd/config.c

@@ -43,13 +43,6 @@
 
 #define ARGS_STEP	512
 
-/*
- * ITS#3705: bail out if unknown config directives appear in slapd.conf
- */
-#ifdef LDAP_DEVEL
-#define SLAPD_CONF_UNKNOWN_BAILOUT
-#endif /* LDAP_DEVEL */
-
 /*
  * defaults for various global variables
  */
@@ -576,8 +569,15 @@ read_config_file(const char *fname, int depth, ConfigArgs *cf)
 		}
 
 		if ( c->argc < 1 ) {
-			Debug(LDAP_DEBUG_CONFIG, "%s: bad config line (ignored)\n", c->log, 0, 0);
+			Debug(LDAP_DEBUG_CONFIG, "%s: bad config line" 
+				SLAPD_CONF_UNKNOWN_IGNORED ".\n",
+				c->log, 0, 0);
+#ifdef SLAPD_CONF_UNKNOWN_BAILOUT
+			rc = 1;
+			goto leave;
+#else /* ! SLAPD_CONF_UNKNOWN_BAILOUT */
 			continue;
+#endif /* ! SLAPD_CONF_UNKNOWN_BAILOUT */
 		}
 
 		c->op = SLAP_CONFIG_ADD;
@@ -614,16 +614,13 @@ read_config_file(const char *fname, int depth, ConfigArgs *cf)
 			if ( rc ) {
 				switch(rc) {
 				case SLAP_CONF_UNKNOWN:
-#ifdef SLAPD_CONF_UNKNOWN_BAILOUT
 					Debug(LDAP_DEBUG_CONFIG, "%s: "
-						"unknown directive <%s> inside backend info definition\n",
-						c->log, *c->argv, 0);
-#else /* !SLAPD_CONF_UNKNOWN_BAILOUT */
-					Debug(LDAP_DEBUG_CONFIG, "%s: "
-						"unknown directive <%s> inside backend info definition (ignored)\n",
+						"unknown directive <%s> inside backend info definition"
+						SLAPD_CONF_UNKNOWN_IGNORED ".\n",
 						c->log, *c->argv, 0);
+#ifndef SLAPD_CONF_UNKNOWN_BAILOUT
 					continue;
-#endif /* !SLAPD_CONF_UNKNOWN_BAILOUT */
+#endif /* ! SLAPD_CONF_UNKNOWN_BAILOUT */
 				default:
 					rc = 1;
 					goto leave;
@@ -645,18 +642,13 @@ read_config_file(const char *fname, int depth, ConfigArgs *cf)
 			if ( rc ) {
 				switch(rc) {
 				case SLAP_CONF_UNKNOWN:
-#ifdef SLAPD_CONF_UNKNOWN_BAILOUT
 					Debug( LDAP_DEBUG_CONFIG, "%s: "
 						"unknown directive <%s> inside backend database "
-						"definition\n",
-						c->log, *c->argv, 0);
-#else /* !SLAPD_CONF_UNKNOWN_BAILOUT */
-					Debug( LDAP_DEBUG_CONFIG, "%s: "
-						"unknown directive <%s> inside backend database "
-						"definition (ignored)\n",
+						"definition" SLAPD_CONF_UNKNOWN_IGNORED ".\n",
 						c->log, *c->argv, 0);
+#ifndef SLAPD_CONF_UNKNOWN_BAILOUT
 					continue;
-#endif /* !SLAPD_CONF_UNKNOWN_BAILOUT */
+#endif /* ! SLAPD_CONF_UNKNOWN_BAILOUT */
 				default:
 					rc = 1;
 					goto leave;
@@ -668,16 +660,13 @@ read_config_file(const char *fname, int depth, ConfigArgs *cf)
 			if ( rc ) {
 				switch(rc) {
 				case SLAP_CONF_UNKNOWN:
-#ifdef SLAPD_CONF_UNKNOWN_BAILOUT
 					Debug( LDAP_DEBUG_CONFIG, "%s: "
-						"unknown directive <%s> inside global database definition\n",
-						c->log, *c->argv, 0);
-#else /* !SLAPD_CONF_UNKNOWN_BAILOUT */
-					Debug( LDAP_DEBUG_CONFIG, "%s: "
-						"unknown directive <%s> inside global database definition (ignored)\n",
+						"unknown directive <%s> inside global database definition"
+						SLAPD_CONF_UNKNOWN_IGNORED ".\n",
 						c->log, *c->argv, 0);
+#ifndef SLAPD_CONF_UNKNOWN_BAILOUT
 					continue;
-#endif /* SLAPD_CONF_UNKNOWN_BAILOUT */
+#endif /* ! SLAPD_CONF_UNKNOWN_BAILOUT */
 				default:
 					rc = 1;
 					goto leave;
@@ -685,18 +674,16 @@ read_config_file(const char *fname, int depth, ConfigArgs *cf)
 			}
 			
 		} else {
-#ifdef SLAPD_CONF_UNKNOWN_BAILOUT
 			Debug(LDAP_DEBUG_CONFIG, "%s: "
-				"unknown directive <%s> outside backend info and database definitions\n",
+				"unknown directive <%s> outside backend info and database definitions"
+				SLAPD_CONF_UNKNOWN_IGNORED ".\n",
 				c->log, *c->argv, 0);
+#ifdef SLAPD_CONF_UNKNOWN_BAILOUT
 			rc = 1;
 			goto leave;
-#else /* !SLAPD_CONF_UNKNOWN_BAILOUT */
-			Debug(LDAP_DEBUG_CONFIG, "%s: "
-				"unknown directive <%s> outside backend info and database definitions (ignored)\n",
-				c->log, *c->argv, 0);
+#else /* ! SLAPD_CONF_UNKNOWN_BAILOUT */
 			continue;
-#endif /* SLAPD_CONF_UNKNOWN_BAILOUT */
+#endif /* ! SLAPD_CONF_UNKNOWN_BAILOUT */
 		}
 	}
 

servers/slapd/overlays/rwmconf.c

@@ -217,7 +217,7 @@ rwm_map_config(
 			|| avl_find( map->remap, (caddr_t)&mapping[1], rwm_mapping_cmp ) != NULL)
 	{
 		fprintf( stderr,
-			"%s: line %d: duplicate mapping found (ignored)\n",
+			"%s: line %d: duplicate mapping found" SLAPD_CONF_UNKNOWN_IGNORED ".\n",
 			fname, lineno );
 		/* FIXME: free stuff */
 		goto error_return;

servers/slapd/slap.h

@@ -69,12 +69,21 @@ LDAP_BEGIN_DECL
 #define LDAP_SYNC_TIMESTAMP
 #define LDAP_COLLECTIVE_ATTRIBUTES
 #define SLAP_CONTROL_X_TREE_DELETE LDAP_CONTROL_X_TREE_DELETE
+#define SLAPD_CONF_UNKNOWN_BAILOUT
 
 #ifdef ENABLE_REWRITE
 #define SLAP_AUTH_REWRITE	1 /* use librewrite for sasl-regexp */
 #endif
 #endif
 
+/*
+ * ITS#3705: bail out if unknown config directives appear in slapd.conf
+ */
+#ifdef SLAPD_CONF_UNKNOWN_BAILOUT
+#define	SLAPD_CONF_UNKNOWN_IGNORED	""
+#else /* ! SLAPD_CONF_UNKNOWN_BAILOUT */
+#define	SLAPD_CONF_UNKNOWN_IGNORED	" (ignored)"
+#endif /* ! SLAPD_CONF_UNKNOWN_BAILOUT */
 
 /*
  * SLAPD Memory allocation macros