mirror/openldap
2
0
Fork 0
mirror of https://git.openldap.org/openldap/openldap.git synced 2025-02-11 13:50:39 +08:00
Code Issues Packages Projects Releases Wiki Activity

Merge in fixes/minor enhancements from from -devel.

Browse Source
This commit is contained in:
Kurt Zeilenga 1998-10-28 00:04:01 +00:00
parent 8f644a6992
commit ea9c01404e
9 changed files with 712 additions and 283 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
doc/man/man1/ldapsearch.1
View File

@ -1,4 +1,4 @@
.TH LDAPSEARCH 1 "29 March 1996" "U-M LDAP LDVERSION"
.TH LDAPSEARCH 1 "22 September 1998" "OpenLDAP LDVERSION"
.SH NAME
ldapsearch \- ldap search tool
.SH SYNOPSIS
@ -164,7 +164,7 @@ base object for the search. The default is to never dereference aliases.
wait at most \fItimelimit\fP seconds for a search to complete.
.TP
.B \-z sizelimit
retrieve at most \fIsizelimit\fP seconds for a search to complete.
retrieve at most \fIsizelimit\fP entries for a search.
.SH OUTPUT FORMAT
If one or more entries are found, each entry is written to standard output
in the form:
@ -289,3 +289,8 @@ Howes, T.,
.SM RFC
1558,
University of Michigan, December 1993.
.SH ACKNOWLEDGEMENTS
.B OpenLDAP
is developed and maintained by The OpenLDAP Project (http://www.openldap.org/).
.B OpenLDAP
is derived from University of Michigan LDAP 3.3 Release.

396
servers/slapd/acl.c
View File

@ -1,20 +1,16 @@
/* acl.c - routines to parse and check acl's */
#include "portable.h"
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#ifdef sunos5
#include "regexpr.h"
#else
#include "regex.h"
#endif
#include <ac/regex.h>
#include <ac/socket.h>
#include <ac/string.h>
#include "slap.h"
extern Attribute *attr_find();
extern char *re_comp();
extern struct acl *global_acl;
extern int global_default_access;
extern char *access2str();
@ -26,7 +22,9 @@ struct acl *acl_get_applicable();
static int regex_matches();
extern pthread_mutex_t regex_mutex;
static string_expand(char *newbuf, int bufsiz, char *pattern,
char *match, regmatch_t *matches);
/*
* access_allowed - check whether dn is allowed the requested access
@ -51,15 +49,57 @@ access_allowed(
int access
)
{
int rc;
struct acl *a;
int rc;
struct acl *a;
char *edn;
regmatch_t matches[MAXREMATCHES];
int i;
int n;
if ( be == NULL ) {
return( 0 );
}
a = acl_get_applicable( be, op, e, attr );
rc = acl_access_allowed( a, be, conn, e, val, op, access );
edn = dn_normalize_case( strdup( e->e_dn ) );
Debug( LDAP_DEBUG_ACL, "\n=> access_allowed: entry (%s) attr (%s)\n",
e->e_dn, attr, 0 );
/* the lastmod attributes are ignored by ACL checking */
if ( strcasecmp( attr, "modifiersname" ) == 0 ||
strcasecmp( attr, "modifytimestamp" ) == 0 ||
strcasecmp( attr, "creatorsname" ) == 0 ||
strcasecmp( attr, "createtimestamp" ) == 0 )
{
Debug( LDAP_DEBUG_ACL, "LASTMOD attribute: %s access allowed\n",
attr, 0, 0 );
free( edn );
return(1);
}
memset(matches, 0, sizeof(matches));
a = acl_get_applicable( be, op, e, attr, edn, MAXREMATCHES, matches );
if (a) {
for (i = 0; i < MAXREMATCHES && matches[i].rm_so > 0; i++) {
Debug( LDAP_DEBUG_ARGS, "=> match[%d]: %d %d ",
i, matches[i].rm_so, matches[i].rm_eo );
if( matches[i].rm_so <= matches[0].rm_eo ) {
for ( n = matches[i].rm_so; n < matches[i].rm_eo; n++) {
Debug( LDAP_DEBUG_ARGS, "%c", edn[n], 0, 0 );
}
}
Debug( LDAP_DEBUG_ARGS, "\n", 0, 0, 0 );
}
}
rc = acl_access_allowed( a, be, conn, e, val, op, access, edn, matches );
free( edn );
Debug( LDAP_DEBUG_ACL, "\n=> access_allowed: exit (%s) attr (%s)\n",
e->e_dn, attr, 0);
return( rc );
}
@ -75,15 +115,17 @@ acl_get_applicable(
Backend *be,
Operation *op,
Entry *e,
char *attr
char *attr,
char *edn,
int nmatch,
regmatch_t *matches
)
{
int i;
int i, j;
struct acl *a;
char *edn;
Debug( LDAP_DEBUG_ACL, "=> acl_get: entry (%s) attr (%s)\n", e->e_dn,
attr, 0 );
Debug( LDAP_DEBUG_ACL, "\n=> acl_get: entry (%s) attr (%s)\n",
e->e_dn, attr, 0 );
if ( be_isroot( be, op->o_dn ) ) {
Debug( LDAP_DEBUG_ACL,
@ -92,55 +134,73 @@ acl_get_applicable(
return( NULL );
}
Debug( LDAP_DEBUG_ARGS, "=> acl_get: edn %s\n", edn, 0, 0 );
/* check for a backend-specific acl that matches the entry */
for ( i = 1, a = be->be_acl; a != NULL; a = a->acl_next, i++ ) {
if ( a->acl_dnpat != NULL ) {
edn = dn_normalize_case( strdup( e->e_dn ) );
if ( ! regex_matches( a->acl_dnpat, edn ) ) {
free( edn );
if (a->acl_dnpat != NULL) {
Debug( LDAP_DEBUG_TRACE, "=> dnpat: [%d] %s nsub: %d\n",
i, a->acl_dnpat, a->acl_dnre.re_nsub);
if (regexec(&a->acl_dnre, edn, nmatch, matches, 0))
continue;
}
free( edn );
else
Debug( LDAP_DEBUG_TRACE, "=> acl_get:[%d] backend ACL match\n",
i, 0, 0);
}
if ( a->acl_filter != NULL ) {
if ( test_filter( NULL, NULL, NULL, e, a->acl_filter )
!= 0 ) {
if ( test_filter( NULL, NULL, NULL, e, a->acl_filter ) != 0 ) {
continue;
}
}
Debug( LDAP_DEBUG_ARGS, "=> acl_get: [%d] check attr %s\n", i, attr, 0);
if ( attr == NULL || a->acl_attrs == NULL ||
charray_inlist( a->acl_attrs, attr ) ) {
Debug( LDAP_DEBUG_ACL, "<= acl_get: backend acl #%d\n",
i, e->e_dn, attr );
charray_inlist( a->acl_attrs, attr ) )
{
Debug( LDAP_DEBUG_ACL, "<= acl_get: [%d] backend acl %s attr: %s\n",
i, e->e_dn, attr );
return( a );
}
matches[0].rm_so = matches[0].rm_eo = -1;
}
/* check for a global acl that matches the entry */
for ( i = 1, a = global_acl; a != NULL; a = a->acl_next, i++ ) {
if ( a->acl_dnpat != NULL ) {
edn = dn_normalize_case( strdup( e->e_dn ) );
if ( ! regex_matches( a->acl_dnpat, edn ) ) {
free( edn );
if (a->acl_dnpat != NULL) {
Debug( LDAP_DEBUG_TRACE, "=> dnpat: [%d] %s nsub: %d\n",
i, a->acl_dnpat, a->acl_dnre.re_nsub);
if (regexec(&a->acl_dnre, edn, nmatch, matches, 0)) {
continue;
} else {
Debug( LDAP_DEBUG_TRACE, "=> acl_get: [%d] global ACL match\n",
i, 0, 0);
}
free( edn );
}
if ( a->acl_filter != NULL ) {
if ( test_filter( NULL, NULL, NULL, e, a->acl_filter )
!= 0 ) {
if ( test_filter( NULL, NULL, NULL, e, a->acl_filter ) != 0 ) {
continue;
}
}
if ( attr == NULL || a->acl_attrs == NULL || charray_inlist(
a->acl_attrs, attr ) ) {
Debug( LDAP_DEBUG_ACL, "<= acl_get: global acl #%d\n",
i, e->e_dn, attr );
Debug( LDAP_DEBUG_ARGS, "=> acl_get: [%d] check attr\n", i, 0, 0);
if ( attr == NULL || a->acl_attrs == NULL ||
charray_inlist( a->acl_attrs, attr ) )
{
Debug( LDAP_DEBUG_ACL, "<= acl_get: [%d] global acl %s attr: %s\n",
i, e->e_dn, attr );
return( a );
}
}
Debug( LDAP_DEBUG_ACL, "<= acl_get: no match\n", 0, 0, 0 );
matches[0].rm_so = matches[0].rm_eo = -1;
}
Debug( LDAP_DEBUG_ACL, "<= acl_get: no match\n", 0, 0, 0 );
return( NULL );
}
@ -161,31 +221,40 @@ acl_access_allowed(
Entry *e,
struct berval *val,
Operation *op,
int access
int access,
char *edn,
regmatch_t *matches
)
{
int i;
char *edn, *odn;
char *odn;
struct access *b;
Attribute *at;
struct berval bv;
int default_access;
Debug( LDAP_DEBUG_ACL, "=> acl: %s access to value \"%s\" by \"%s\"\n",
access2str( access ), val ? val->bv_val : "any", op->o_dn ?
op->o_dn : "" );
Debug( LDAP_DEBUG_ACL,
"\n=> acl_access_allowed: %s access to entry \"%s\"\n",
access2str( access ), e->e_dn, 0 );
Debug( LDAP_DEBUG_ACL,
"\n=> acl_access_allowed: %s access to value \"%s\" by \"%s\"\n",
access2str( access ),
val ? val->bv_val : "any",
op->o_dn ? op->o_dn : "" );
if ( be_isroot( be, op->o_dn ) ) {
Debug( LDAP_DEBUG_ACL, "<= acl: granted to database root\n",
Debug( LDAP_DEBUG_ACL,
"<= acl_access_allowed: granted to database root\n",
0, 0, 0 );
return( 1 );
}
default_access = be->be_dfltaccess ? be->be_dfltaccess :
global_default_access;
default_access = be->be_dfltaccess ? be->be_dfltaccess : global_default_access;
if ( a == NULL ) {
Debug( LDAP_DEBUG_ACL,
"<= acl: %s by default (no matching to)\n",
"<= acl_access_allowed: %s by default (no matching to)\n",
default_access >= access ? "granted" : "denied", 0, 0 );
return( default_access >= access );
}
@ -198,76 +267,78 @@ acl_access_allowed(
}
for ( i = 1, b = a->acl_access; b != NULL; b = b->a_next, i++ ) {
if ( b->a_dnpat != NULL ) {
Debug( LDAP_DEBUG_TRACE, "<= check a_dnpat: %s\n",
b->a_dnpat, 0, 0);
/*
* if access applies to the entry itself, and the
* user is bound as somebody in the same namespace as
* the entry, OR the given dn matches the dn pattern
*/
if ( strcasecmp( b->a_dnpat, "self" ) == 0 && op->o_dn
!= NULL && *(op->o_dn) && e->e_dn != NULL ) {
edn = dn_normalize_case( strdup( e->e_dn ) );
if ( strcasecmp( b->a_dnpat, "self" ) == 0 &&
op->o_dn != NULL && *(op->o_dn) && e->e_dn != NULL )
{
if ( strcasecmp( edn, op->o_dn ) == 0 ) {
free( edn );
if ( odn ) free( odn );
Debug( LDAP_DEBUG_ACL,
"<= acl: matched by clause #%d access %s\n",
"<= acl_access_allowed: matched by clause #%d access %s\n",
i, (b->a_access & ~ACL_SELF) >=
access ? "granted" : "denied", 0 );
return( (b->a_access & ~ACL_SELF)
>= access );
}
free( edn );
} else {
if ( regex_matches( b->a_dnpat, odn ) ) {
if ( odn ) free( odn );
return( (b->a_access & ~ACL_SELF) >= access );
}
} else {
if ( regex_matches( b->a_dnpat, odn, edn, matches ) ) {
Debug( LDAP_DEBUG_ACL,
"<= acl: matched by clause #%d access %s\n",
"<= acl_access_allowed: matched by clause #%d access %s\n",
i, (b->a_access & ~ACL_SELF) >= access ?
"granted" : "denied", 0 );
return( (b->a_access & ~ACL_SELF)
>= access );
if ( odn ) free( odn );
return( (b->a_access & ~ACL_SELF) >= access );
}
}
}
if ( b->a_addrpat != NULL ) {
if ( regex_matches( b->a_addrpat, conn->c_addr ) ) {
if ( odn ) free( odn );
if ( regex_matches( b->a_addrpat, conn->c_addr, edn, matches ) ) {
Debug( LDAP_DEBUG_ACL,
"<= acl: matched by clause #%d access %s\n",
"<= acl_access_allowed: matched by clause #%d access %s\n",
i, (b->a_access & ~ACL_SELF) >= access ?
"granted" : "denied", 0 );
if ( odn ) free( odn );
return( (b->a_access & ~ACL_SELF) >= access );
}
}
if ( b->a_domainpat != NULL ) {
if ( regex_matches( b->a_domainpat, conn->c_domain ) ) {
if ( odn ) free( odn );
Debug( LDAP_DEBUG_ARGS, "<= check a_domainpath: %s\n",
b->a_domainpat, 0, 0 );
if ( regex_matches( b->a_domainpat, conn->c_domain, edn, matches ) )
{
Debug( LDAP_DEBUG_ACL,
"<= acl: matched by clause #%d access %s\n",
"<= acl_access_allowed: matched by clause #%d access %s\n",
i, (b->a_access & ~ACL_SELF) >= access ?
"granted" : "denied", 0 );
if ( odn ) free( odn );
return( (b->a_access & ~ACL_SELF) >= access );
}
}
if ( b->a_dnattr != NULL && op->o_dn != NULL ) {
Debug( LDAP_DEBUG_ARGS, "<= check a_dnattr: %s\n",
b->a_dnattr, 0, 0);
/* see if asker is listed in dnattr */
if ( (at = attr_find( e->e_attrs, b->a_dnattr ))
!= NULL && value_find( at->a_vals, &bv,
at->a_syntax, 3 ) == 0 )
if ( (at = attr_find( e->e_attrs, b->a_dnattr )) != NULL &&
value_find( at->a_vals, &bv, at->a_syntax, 3 ) == 0 )
{
if ( (b->a_access & ACL_SELF) && (val == NULL
|| value_cmp( &bv, val, at->a_syntax,
2 )) ) {
if ( (b->a_access & ACL_SELF) &&
(val == NULL || value_cmp( &bv, val, at->a_syntax, 2 )) )
{
continue;
}
if ( odn ) free( odn );
Debug( LDAP_DEBUG_ACL,
"<= acl: matched by clause #%d access %s\n",
"<= acl_acces_allowed: matched by clause #%d access %s\n",
i, (b->a_access & ~ACL_SELF) >= access ?
"granted" : "denied", 0 );
@ -276,22 +347,44 @@ acl_access_allowed(
/* asker not listed in dnattr - check for self access */
if ( ! (b->a_access & ACL_SELF) || val == NULL ||
value_cmp( &bv, val, at->a_syntax, 2 ) != 0 ) {
value_cmp( &bv, val, at->a_syntax, 2 ) != 0 )
{
continue;
}
if ( odn ) free( odn );
Debug( LDAP_DEBUG_ACL,
"<= acl: matched by clause #%d (self) access %s\n",
"<= acl_access_allowed: matched by clause #%d (self) access %s\n",
i, (b->a_access & ~ACL_SELF) >= access ? "granted"
: "denied", 0 );
return( (b->a_access & ~ACL_SELF) >= access );
}
#ifdef SLAPD_ACLGROUPS
if ( b->a_group != NULL && op->o_dn != NULL ) {
char buf[512];
/* b->a_group is an unexpanded entry name, expanded it should be an
* entry with objectclass group* and we test to see if odn is one of
* the values in the attribute group
*/
/* see if asker is listed in dnattr */
string_expand(buf, sizeof(buf), b->a_group, edn, matches);
if (be_group(be, buf, odn, b->a_objectclassvalue, b->a_groupattrname) == 0) {
Debug( LDAP_DEBUG_ACL,
"<= acl_access_allowed: matched by clause #%d (group) access granted\n",
i, 0, 0 );
if ( odn ) free( odn );
return( (b->a_access & ~ACL_SELF) >= access );
}
}
#endif /* SLAPD_ACLGROUPS */
}
if ( odn ) free( odn );
Debug( LDAP_DEBUG_ACL, "<= acl: %s by default (no matching by)\n",
Debug( LDAP_DEBUG_ACL,
"<= acl_access_allowed: %s by default (no matching by)\n",
default_access >= access ? "granted" : "denied", 0, 0 );
return( default_access >= access );
@ -316,14 +409,26 @@ acl_check_mods(
{
int i;
struct acl *a;
char *edn;
edn = dn_normalize_case( strdup( e->e_dn ) );
for ( ; mods != NULL; mods = mods->mod_next ) {
regmatch_t matches[MAXREMATCHES];
/* the lastmod attributes are ignored by ACL checking */
if ( strcasecmp( mods->mod_type, "modifiersname" ) == 0 ||
strcasecmp( mods->mod_type, "modifytimestamp" ) == 0 ) {
strcasecmp( mods->mod_type, "modifytimestamp" ) == 0 ||
strcasecmp( mods->mod_type, "creatorsname" ) == 0 ||
strcasecmp( mods->mod_type, "createtimestamp" ) == 0 )
{
Debug( LDAP_DEBUG_ACL, "LASTMOD attribute: %s access allowed\n",
mods->mod_type, 0, 0 );
continue;
}
a = acl_get_applicable( be, op, e, mods->mod_type );
a = acl_get_applicable( be, op, e, mods->mod_type, edn,
MAXREMATCHES, matches );
switch ( mods->mod_op & ~LDAP_MOD_BVALUES ) {
case LDAP_MOD_REPLACE:
@ -332,8 +437,10 @@ acl_check_mods(
break;
}
for ( i = 0; mods->mod_bvalues[i] != NULL; i++ ) {
if ( ! acl_access_allowed( a, be, conn, e,
mods->mod_bvalues[i], op, ACL_WRITE ) ) {
if ( ! acl_access_allowed( a, be, conn, e, mods->mod_bvalues[i],
op, ACL_WRITE, edn, matches) )
{
free(edn);
return( LDAP_INSUFFICIENT_ACCESS );
}
}
@ -342,14 +449,18 @@ acl_check_mods(
case LDAP_MOD_DELETE:
if ( mods->mod_bvalues == NULL ) {
if ( ! acl_access_allowed( a, be, conn, e,
NULL, op, ACL_WRITE ) ) {
NULL, op, ACL_WRITE, edn, matches) )
{
free(edn);
return( LDAP_INSUFFICIENT_ACCESS );
}
break;
}
for ( i = 0; mods->mod_bvalues[i] != NULL; i++ ) {
if ( ! acl_access_allowed( a, be, conn, e,
mods->mod_bvalues[i], op, ACL_WRITE ) ) {
if ( ! acl_access_allowed( a, be, conn, e, mods->mod_bvalues[i],
op, ACL_WRITE, edn, matches) )
{
free(edn);
return( LDAP_INSUFFICIENT_ACCESS );
}
}
@ -357,48 +468,95 @@ acl_check_mods(
}
}
free(edn);
return( LDAP_SUCCESS );
}
#ifdef sunos5
static int
regex_matches( char *pat, char *str )
static string_expand(
char *newbuf,
int bufsiz,
char *pat,
char *match,
regmatch_t *matches)
{
char *e;
int rc;
int size;
char *sp;
char *dp;
int flag;
if ( (e = compile( pat, NULL, NULL )) == NULL ) {
Debug( LDAP_DEBUG_ANY,
"compile( \"%s\", \"%s\") failed\n", pat, str, 0 );
return( 0 );
size = 0;
newbuf[0] = '\0';
flag = 0;
for ( dp = newbuf, sp = pat; size < 512 && *sp ; sp++) {
/* did we previously see a $ */
if (flag) {
if (*sp == '$') {
*dp++ = '$';
size++;
} else if (*sp >= '0' && *sp <= '9' ) {
int n;
int i;
char *ep;
int l;
n = *sp - '0';
*dp = '\0';
i = matches[n].rm_so;
l = matches[n].rm_eo;
for ( ; size < 512 && i < l; size++, i++ ) {
*dp++ = match[i];
size++;
}
*dp = '\0';
}
flag = 0;
} else {
if (*sp == '$') {
flag = 1;
} else {
*dp++ = *sp;
size++;
}
}
}
rc = step( str ? str : "", e );
free( e );
*dp = '\0';
return( rc );
Debug( LDAP_DEBUG_TRACE, "=> string_expand: pattern: %s\n", pat, 0, 0 );
Debug( LDAP_DEBUG_TRACE, "=> string_expand: expanded: %s\n", newbuf, 0, 0 );
}
#else /* sunos5 */
static int
regex_matches( char *pat, char *str )
regex_matches(
char *pat, /* pattern to expand and match against */
char *str, /* string to match against pattern */
char *buf, /* buffer with $N expansion variables */
regmatch_t *matches /* offsets in buffer for $N expansion variables */
)
{
char *e;
regex_t re;
char newbuf[512];
int rc;
pthread_mutex_lock( &regex_mutex );
if ( (e = re_comp( pat )) != NULL ) {
Debug( LDAP_DEBUG_ANY,
"re_comp( \"%s\", \"%s\") failed because (%s)\n", pat, str,
e );
pthread_mutex_unlock( &regex_mutex );
string_expand(newbuf, sizeof(newbuf), pat, buf, matches);
if (( rc = regcomp(&re, newbuf, REG_EXTENDED|REG_ICASE))) {
char error[512];
regerror(rc, &re, error, sizeof(error));
Debug( LDAP_DEBUG_TRACE,
"compile( \"%s\", \"%s\") failed %s\n",
pat, str, error );
return( 0 );
}
rc = re_exec( str ? str : "" );
pthread_mutex_unlock( &regex_mutex );
return( rc == 1 );
rc = regexec(&re, str, 0, NULL, 0);
regfree( &re );
Debug( LDAP_DEBUG_TRACE,
"=> regex_matches: string: %s\n", str, 0, 0 );
Debug( LDAP_DEBUG_TRACE,
"=> regex_matches: rc: %d %s\n",
rc, !rc ? "matches" : "no matches", 0 );
return( !rc );
}
#endif /* sunos5 */

218
servers/slapd/aclparse.c
View File

@ -1,18 +1,18 @@
/* acl.c - routines to parse and check acl's */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include "regex.h"
#include "slap.h"
#include "portable.h"
#include <stdio.h>
#include <ac/ctype.h>
#include <ac/regex.h>
#include <ac/socket.h>
#include <ac/string.h>
#include <ac/unistd.h>
#include "slap.h"
extern Filter *str2filter();
extern char *re_comp();
extern struct acl *global_acl;
extern char **str2charray();
extern char *dn_upcase();
@ -26,6 +26,62 @@ static void print_acl();
static void print_access();
#endif
int
regtest(char *fname, int lineno, char *pat) {
int e;
regex_t re;
char buf[512];
int size;
char *sp;
char *dp;
int flag;
sp = pat;
dp = buf;
size = 0;
buf[0] = '\0';
for (size = 0, flag = 0; (size < sizeof(buf)) && *sp; sp++) {
if (flag) {
if (*sp == '$'|| (*sp >= '0' && *sp <= '9')) {
*dp++ = *sp;
size++;
}
flag = 0;
} else {
if (*sp == '$') {
flag = 1;
} else {
*dp++ = *sp;
size++;
}
}
}
*dp = '\0';
if ( size >= (sizeof(buf)-1) ) {
fprintf( stderr,
"%s: line %d: regular expression \"%s\" too large\n",
fname, lineno, pat, 0 );
acl_usage();
}
if ((e = regcomp(&re, buf, REG_EXTENDED|REG_ICASE))) {
char error[512];
regerror(e, &re, error, sizeof(error));
fprintf( stderr,
"%s: line %d: regular expression \"%s\" bad because of %s\n",
fname, lineno, pat, error );
acl_usage();
return(0);
}
regfree(&re);
return(1);
}
void
parse_acl(
Backend *be,
@ -58,6 +114,17 @@ parse_acl(
}
if ( strcasecmp( argv[i], "*" ) == 0 ) {
int e;
if ((e = regcomp( &a->acl_dnre, ".*",
REG_EXTENDED|REG_ICASE)))
{
char buf[512];
regerror(e, &a->acl_dnre, buf, sizeof(buf));
fprintf( stderr,
"%s: line %d: regular expression \"%s\" bad because of %s\n",
fname, lineno, right, buf );
acl_usage();
}
a->acl_dnpat = strdup( ".*" );
continue;
}
@ -79,14 +146,19 @@ parse_acl(
acl_usage();
}
} else if ( strcasecmp( left, "dn" ) == 0 ) {
if ( (e = re_comp( right )) != NULL ) {
int e;
if ((e = regcomp(&a->acl_dnre, right,
REG_EXTENDED|REG_ICASE))) {
char buf[512];
regerror(e, &a->acl_dnre, buf, sizeof(buf));
fprintf( stderr,
"%s: line %d: regular expression \"%s\" bad because of %s\n",
fname, lineno, right, e );
"%s: line %d: regular expression \"%s\" bad because of %s\n",
fname, lineno, right, buf );
acl_usage();
} else {
a->acl_dnpat = dn_upcase(strdup( right ));
}
a->acl_dnpat = dn_upcase( strdup(
right ) );
} else if ( strncasecmp( left, "attr", 4 )
== 0 ) {
char **alist;
@ -96,7 +168,7 @@ parse_acl(
free( alist );
} else {
fprintf( stderr,
"%s: line %d: expecting <what> got \"%s\"\n",
"%s: line %d: expecting <what> got \"%s\"\n",
fname, lineno, left );
acl_usage();
}
@ -106,7 +178,7 @@ parse_acl(
} else if ( strcasecmp( argv[i], "by" ) == 0 ) {
if ( a == NULL ) {
fprintf( stderr,
"%s: line %d: to clause required before by clause in access line\n",
"%s: line %d: to clause required before by clause in access line\n",
fname, lineno );
acl_usage();
}
@ -131,38 +203,55 @@ parse_acl(
} else if ( strcasecmp( argv[i], "self" ) == 0 ) {
b->a_dnpat = strdup( "self" );
} else if ( strcasecmp( left, "dn" ) == 0 ) {
if ( (e = re_comp( right )) != NULL ) {
fprintf( stderr,
"%s: line %d: regular expression \"%s\" bad: %s\n",
fname, lineno, right, e );
acl_usage();
}
regtest(fname, lineno, right);
b->a_dnpat = dn_upcase( strdup( right ) );
} else if ( strcasecmp( left, "dnattr" )
== 0 ) {
} else if ( strcasecmp( left, "dnattr" ) == 0 ) {
b->a_dnattr = strdup( right );
} else if ( strcasecmp( left, "domain" )
== 0 ) {
char *s;
if ( (e = re_comp( right )) != NULL ) {
fprintf( stderr,
"%s: line %d: regular expression \"%s\" bad: %s\n",
fname, lineno, right, e );
acl_usage();
}
#ifdef SLAPD_ACLGROUPS
} else if ( strcasecmp( left, "group" ) == 0 ) {
char *name = NULL;
char *value = NULL;
regtest(fname, lineno, right);
/* format of string is "group/objectClassValue/groupAttrName"
*/
if ((value = strchr(right, '/')) != NULL) {
*value++ = '\0';
if (value && *value && (name = strchr(value, '/')) != NULL)
*name++ = '\0';
}
b->a_group = dn_upcase(strdup( right ));
if (value && *value) {
b->a_objectclassvalue = strdup(value);
*--value = '/';
}
else
b->a_objectclassvalue = strdup("groupOfNames");
if (name && *name) {
b->a_groupattrname = strdup(name);
*--name = '/';
}
else
b->a_groupattrname = strdup("member");
#endif /* SLAPD_ACLGROUPS */
} else if ( strcasecmp( left, "domain" ) == 0 ) {
char *s;
regtest(fname, lineno, right);
b->a_domainpat = strdup( right );
/* normalize the domain */
for ( s = b->a_domainpat; *s; s++ ) {
*s = TOLOWER( *s );
}
} else if ( strcasecmp( left, "addr" ) == 0 ) {
if ( (e = re_comp( right )) != NULL ) {
fprintf( stderr,
"%s: line %d: regular expression \"%s\" bad: %s\n",
fname, lineno, right, e );
acl_usage();
}
regtest(fname, lineno, right);
b->a_addrpat = strdup( right );
} else {
fprintf( stderr,
@ -198,16 +287,19 @@ parse_acl(
/* if we have no real access clause, complain and do nothing */
if ( a == NULL ) {
fprintf( stderr,
"%s: line %d: warning: no access clause(s) specified in access line\n",
"%s: line %d: warning: no access clause(s) specified in access line\n",
fname, lineno );
} else {
if (ldap_debug&LDAP_DEBUG_ACL)
print_acl(a);
if ( a->acl_access == NULL ) {
fprintf( stderr,
"%s: line %d: warning: no by clause(s) specified in access line\n",
"%s: line %d: warning: no by clause(s) specified in access line\n",
fname, lineno );
}
@ -326,15 +418,24 @@ print_access( struct access *b )
{
printf( "\tby" );
if ( b->a_dnpat != NULL ) {
printf( " dn=%s", b->a_dnpat );
fprintf( stderr, " dn=%s", b->a_dnpat );
} else if ( b->a_addrpat != NULL ) {
printf( " addr=%s", b->a_addrpat );
fprintf( stderr, " addr=%s", b->a_addrpat );
} else if ( b->a_domainpat != NULL ) {
printf( " domain=%s", b->a_domainpat );
fprintf( stderr, " domain=%s", b->a_domainpat );
} else if ( b->a_dnattr != NULL ) {
printf( " dnattr=%s", b->a_dnattr );
fprintf( stderr, " dnattr=%s", b->a_dnattr );
}
printf( " %s\n", access2str( b->a_access ) );
#ifdef SLAPD_ACLGROUPS
else if ( b->a_group != NULL ) {
fprintf( stderr, " group: %s", b->a_group );
if ( b->a_objectclassvalue )
fprintf( stderr, " objectClassValue: %s", b->a_objectclassvalue );
if ( b->a_groupattrname )
fprintf( stderr, " groupAttrName: %s", b->a_groupattrname );
}
#endif
fprintf( stderr, "\n" );
}
static void
@ -344,33 +445,34 @@ print_acl( struct acl *a )
struct access *b;
if ( a == NULL ) {
printf( "NULL\n" );
fprintf( stderr, "NULL\n" );
}
printf( "access to" );
fprintf( stderr, "ACL: access to" );
if ( a->acl_filter != NULL ) {
printf( " filter=" );
fprintf( stderr," filter=" );
filter_print( a->acl_filter );
}
if ( a->acl_dnpat != NULL ) {
printf( " dn=" );
printf( a->acl_dnpat );
fprintf( stderr, " dn=" );
fprintf( stderr, a->acl_dnpat );
}
if ( a->acl_attrs != NULL ) {
int first = 1;
printf( " attrs=" );
fprintf( stderr, "\n attrs=" );
for ( i = 0; a->acl_attrs[i] != NULL; i++ ) {
if ( ! first ) {
printf( "," );
fprintf( stderr, "," );
}
printf( a->acl_attrs[i] );
fprintf( stderr, a->acl_attrs[i] );
first = 0;
}
}
printf( "\n" );
fprintf( stderr, "\n" );
for ( b = a->acl_access; b != NULL; b = b->a_next ) {
print_access( b );
}
fprintf( stderr, "\n" );
}
#endif
#endif /* LDAP_DEBUG */

31
servers/slapd/back-ldbm/group.c
View File

@ -15,7 +15,7 @@ extern Attribute *attr_find();
#ifdef SLAPD_ACLGROUPS
/* return 0 IFF edn is a value in uniqueMember attribute
/* return 0 IFF edn is a value in member attribute
* of entry with bdn AND that entry has an objectClass
* value of groupOfNames
*/
@ -23,7 +23,9 @@ int
ldbm_back_group(
Backend *be,
char *bdn,
char *edn
char *edn,
char *objectclassValue,
char *groupattrName
)
{
struct ldbminfo *li = (struct ldbminfo *) be->be_private;
@ -35,6 +37,8 @@ ldbm_back_group(
Debug( LDAP_DEBUG_TRACE, "=> ldbm_back_group: bdn: %s\n", bdn, 0, 0 );
Debug( LDAP_DEBUG_TRACE, "=> ldbm_back_group: edn: %s\n", edn, 0, 0 );
Debug( LDAP_DEBUG_TRACE, "=> ldbm_back_group: objectClass: %s attrName: %s\n",
objectclassValue, groupattrName, 0 );
/* can we find bdn entry with reader lock */
if ((e = dn2entry_r(be, bdn, &matched )) == NULL) {
@ -56,32 +60,33 @@ ldbm_back_group(
if ((objectClass = attr_find(e->e_attrs, "objectclass")) == NULL) {
Debug( LDAP_DEBUG_TRACE, "<= ldbm_back_group: failed to find objectClass\n", 0, 0, 0 );
}
else if ((member = attr_find(e->e_attrs, "member")) == NULL) {
Debug( LDAP_DEBUG_TRACE, "<= ldbm_back_group: failed to find member\n", 0, 0, 0 );
else if ((member = attr_find(e->e_attrs, groupattrName)) == NULL) {
Debug( LDAP_DEBUG_TRACE, "<= ldbm_back_group: failed to find %s\n", groupattrName, 0, 0 );
}
else {
struct berval bvObjectClass;
struct berval bvMembers;
Debug( LDAP_DEBUG_ARGS, "<= ldbm_back_group: found objectClass and members\n", 0, 0, 0 );
Debug( LDAP_DEBUG_ARGS, "<= ldbm_back_group: found objectClass and %s\n", groupattrName, 0, 0 );
bvObjectClass.bv_val = "groupofnames";
bvObjectClass.bv_val = objectclassValue;
bvObjectClass.bv_len = strlen( bvObjectClass.bv_val );
bvMembers.bv_val = edn;
bvMembers.bv_len = strlen( edn );
if (value_find(objectClass->a_vals, &bvObjectClass, SYNTAX_CIS, 1) != 0) {
Debug( LDAP_DEBUG_TRACE,
"<= ldbm_back_group: failed to find objectClass in groupOfNames\n",
0, 0, 0 );
"<= ldbm_back_group: failed to find %s in objectClass\n",
objectclassValue, 0, 0 );
}
else if (value_find(member->a_vals, &bvMembers, SYNTAX_CIS, 1) != 0) {
Debug( LDAP_DEBUG_ACL, "<= ldbm_back_group: %s not in %s: groupOfNames\n",
edn, bdn, 0 );
Debug( LDAP_DEBUG_ACL, "<= ldbm_back_group: %s not in %s: %s\n",
edn, bdn, groupattrName );
}
else {
Debug( LDAP_DEBUG_ACL, "<= ldbm_back_group: %s is in %s: groupOfNames\n",
edn, bdn, 0 );
Debug( LDAP_DEBUG_ACL, "<= ldbm_back_group: %s is in %s: %s\n",
edn, bdn, groupattrName );
rc = 0;
}
}
@ -91,5 +96,5 @@ ldbm_back_group(
Debug( LDAP_DEBUG_ARGS, "ldbm_back_group: rc: %d\n", rc, 0, 0 );
return(rc);
}
#endif
#endif /* SLAPD_ACLGROUPS */

134
servers/slapd/back-ldbm/search.c
View File

@ -1,19 +1,20 @@
/* search.c - ldbm backend search function */
#include "portable.h"
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <ac/string.h>
#include <ac/socket.h>
#include "slap.h"
#include "back-ldbm.h"
#include "proto-back-ldbm.h"
extern time_t currenttime;
extern pthread_mutex_t currenttime_mutex;
extern ID dn2id();
extern IDList *idl_alloc();
extern Entry *id2entry();
extern Entry *dn2entry();
extern Attribute *attr_find();
extern IDList *filter_candidates();
extern char *ch_realloc();
@ -61,6 +62,9 @@ ldbm_back_search(
int rmaxsize, nrefs;
char *rbuf, *rcur, *r;
int nentries = 0;
char *realBase;
Debug(LDAP_DEBUG_ARGS, "=> ldbm_back_search\n", 0, 0, 0);
if ( tlimit == 0 && be_isroot( be, op->o_dn ) ) {
tlimit = -1; /* allow root to set no limit */
@ -76,19 +80,37 @@ ldbm_back_search(
be->be_sizelimit : slimit;
}
/*
* check and apply aliasing where the dereferencing applies to
* the subordinates of the base
*/
realBase = strdup (base);
switch ( deref ) {
case LDAP_DEREF_FINDING:
case LDAP_DEREF_ALWAYS:
free (realBase);
realBase = derefDN ( be, conn, op, base );
break;
}
(void) dn_normalize (realBase);
Debug( LDAP_DEBUG_TRACE, "using base %s\n",
realBase, 0, 0 );
switch ( scope ) {
case LDAP_SCOPE_BASE:
candidates = base_candidates( be, conn, op, base, filter,
candidates = base_candidates( be, conn, op, realBase, filter,
attrs, attrsonly, &matched, &err );
break;
case LDAP_SCOPE_ONELEVEL:
candidates = onelevel_candidates( be, conn, op, base, filter,
candidates = onelevel_candidates( be, conn, op, realBase, filter,
attrs, attrsonly, &matched, &err );
break;
case LDAP_SCOPE_SUBTREE:
candidates = subtree_candidates( be, conn, op, base, filter,
candidates = subtree_candidates( be, conn, op, realBase, filter,
attrs, attrsonly, &matched, NULL, &err, 1 );
break;
@ -139,10 +161,9 @@ ldbm_back_search(
}
pthread_mutex_unlock( &currenttime_mutex );
/* get the entry */
if ( (e = id2entry( be, id )) == NULL ) {
Debug( LDAP_DEBUG_ARGS, "candidate %d not found\n", id,
0, 0 );
/* get the entry with reader lock */
if ( (e = id2entry_r( be, id )) == NULL ) {
Debug( LDAP_DEBUG_ARGS, "candidate %d not found\n", id, 0, 0 );
continue;
}
@ -151,22 +172,23 @@ ldbm_back_search(
* this for subtree searches, and don't check the filter explicitly
* here since it's only a candidate anyway.
*/
if ( e->e_dn != NULL && strncasecmp( e->e_dn, "ref=", 4 )
== 0 && (ref = attr_find( e->e_attrs, "ref" )) != NULL &&
scope == LDAP_SCOPE_SUBTREE )
if ( e->e_dn != NULL &&
strncasecmp( e->e_dn, "ref=", 4 ) == 0 &&
(ref = attr_find( e->e_attrs, "ref" )) != NULL &&
scope == LDAP_SCOPE_SUBTREE )
{
int i, len;
if ( ref->a_vals == NULL ) {
Debug( LDAP_DEBUG_ANY, "null ref in (%s)\n", 0,
0, 0 );
Debug( LDAP_DEBUG_ANY, "null ref in (%s)\n",
e->e_dn, 0, 0 );
} else {
for ( i = 0; ref->a_vals[i] != NULL; i++ ) {
/* referral + newline + null */
MAKE_SPACE( ref->a_vals[i]->bv_len + 2 );
*rcur++ = '\n';
strncpy( rcur, ref->a_vals[i]->bv_val,
ref->a_vals[i]->bv_len );
ref->a_vals[i]->bv_len );
rcur = rcur + ref->a_vals[i]->bv_len;
*rcur = '\0';
nrefs++;
@ -185,22 +207,22 @@ ldbm_back_search(
if ( scope == LDAP_SCOPE_ONELEVEL ) {
if ( (dn = dn_parent( be, e->e_dn )) != NULL ) {
(void) dn_normalize( dn );
scopeok = (dn == base) ? 1 : (! strcasecmp( dn, base ));
scopeok = (dn == realBase) ? 1 : (! strcasecmp( dn, realBase ));
} else {
scopeok = (base == NULL || *base == '\0');
scopeok = (realBase == NULL || *realBase == '\0');
}
free( dn );
} else if ( scope == LDAP_SCOPE_SUBTREE ) {
dn = strdup( e->e_dn );
(void) dn_normalize( dn );
scopeok = dn_issuffix( dn, base );
scopeok = dn_issuffix( dn, realBase );
free( dn );
}
if ( scopeok ) {
/* check size limit */
if ( --slimit == -1 ) {
cache_return_entry( &li->li_cache, e );
cache_return_entry_r( &li->li_cache, e );
send_ldap_search_result( conn, op,
LDAP_SIZELIMIT_EXCEEDED, NULL,
nrefs > 0 ? rbuf : NULL, nentries );
@ -209,6 +231,21 @@ ldbm_back_search(
return( 0 );
}
/*
* check and apply aliasing where the dereferencing applies to
* the subordinates of the base
*/
switch ( deref ) {
case LDAP_DEREF_SEARCHING:
case LDAP_DEREF_ALWAYS:
{
Entry *newe = derefAlias_r( be, conn, op, e );
cache_return_entry_r( &li->li_cache, e );
e = newe;
}
break;
}
switch ( send_search_entry( be, conn, op, e,
attrs, attrsonly ) ) {
case 0: /* entry sent ok */
@ -217,7 +254,7 @@ ldbm_back_search(
case 1: /* entry not sent */
break;
case -1: /* connection closed */
cache_return_entry( &li->li_cache, e );
cache_return_entry_r( &li->li_cache, e );
idl_free( candidates );
free( rbuf );
return( 0 );
@ -226,7 +263,10 @@ ldbm_back_search(
}
}
cache_return_entry( &li->li_cache, e );
if( e != NULL ) {
/* free reader lock */
cache_return_entry_r( &li->li_cache, e );
}
pthread_yield();
}
@ -262,16 +302,24 @@ base_candidates(
IDList *idl;
Entry *e;
Debug(LDAP_DEBUG_TRACE, "base_candidates: base: %s\n", base, 0, 0);
*err = LDAP_SUCCESS;
if ( (e = dn2entry( be, base, matched )) == NULL ) {
/* get entry with reader lock */
if ( (e = dn2entry_r( be, base, matched )) == NULL ) {
*err = LDAP_NO_SUCH_OBJECT;
return( NULL );
}
/* check for deleted */
idl = idl_alloc( 1 );
idl_insert( &idl, e->e_id, 1 );
cache_return_entry( &li->li_cache, e );
/* free reader lock */
cache_return_entry_r( &li->li_cache, e );
return( idl );
}
@ -295,11 +343,14 @@ onelevel_candidates(
char buf[20];
IDList *candidates;
Debug(LDAP_DEBUG_TRACE, "onelevel_candidates: base: %s\n", base, 0, 0);
*err = LDAP_SUCCESS;
e = NULL;
/* get the base object */
if ( base != NULL && *base != '\0' && (e = dn2entry( be, base,
matched )) == NULL ) {
/* get the base object with reader lock */
if ( base != NULL && *base != '\0' &&
(e = dn2entry_r( be, base, matched )) == NULL )
{
*err = LDAP_NO_SUCH_OBJECT;
return( NULL );
}
@ -329,6 +380,8 @@ onelevel_candidates(
f->f_and->f_next = NULL;
filter_free( f );
/* free entry and reader lock */
cache_return_entry_r( &li->li_cache, e );
return( candidates );
}
@ -351,6 +404,9 @@ subtree_candidates(
Filter *f;
IDList *candidates;
Debug(LDAP_DEBUG_TRACE, "subtree_candidates: base: %s\n",
base ? base : "NULL", 0, 0);
/*
* get the base object - unless we already have it (from one-level).
* also, unless this is a one-level search or a subtree search
@ -365,20 +421,26 @@ subtree_candidates(
*err = LDAP_SUCCESS;
f = NULL;
if ( lookupbase ) {
if ( base != NULL && *base != '\0' && (e = dn2entry( be, base,
matched )) == NULL ) {
if ( base != NULL && *base != '\0' &&
(e = dn2entry_r( be, base, matched )) == NULL )
{
*err = LDAP_NO_SUCH_OBJECT;
return( NULL );
}
if (e) {
cache_return_entry_r( &li->li_cache, e );
}
f = (Filter *) ch_malloc( sizeof(Filter) );
f->f_next = NULL;
f->f_choice = LDAP_FILTER_OR;
f->f_or = (Filter *) ch_malloc( sizeof(Filter) );
f->f_or->f_choice = LDAP_FILTER_EQUALITY;
f->f_or->f_avtype = strdup( "objectclass" );
f->f_or->f_avvalue.bv_val = strdup( "referral" );
f->f_or->f_avvalue.bv_len = strlen( "referral" );
/* Patch to use normalized uppercase */
f->f_or->f_avvalue.bv_val = strdup( "REFERRAL" );
f->f_or->f_avvalue.bv_len = strlen( "REFERRAL" );
f->f_or->f_next = filter;
filter = f;
@ -406,9 +468,5 @@ subtree_candidates(
filter_free( f );
}
if ( e != NULL ) {
cache_return_entry( &li->li_cache, e );
}
return( candidates );
}

31
servers/slapd/back-passwd/search.c
View File

@ -1,12 +1,15 @@
/* search.c - /etc/passwd backend search function */
#include <stdio.h>
#include <string.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <pwd.h>
#include "portable.h"
#include <stdio.h>
#include <ac/socket.h>
#include <ac/string.h>
#include <ac/time.h>
#include <pwd.h>
#include "slap.h"
extern time_t currenttime;
@ -80,14 +83,6 @@ passwd_back_search(
}
pthread_mutex_unlock( &op->o_abandonmutex );
/* check size limit */
if ( --slimit == -1 ) {
send_ldap_result( conn, op, LDAP_SIZELIMIT_EXCEEDED,
NULL, NULL );
endpwent();
return( 0 );
}
/* check time limit */
pthread_mutex_lock( &currenttime_mutex );
time( &currenttime );
@ -103,6 +98,14 @@ passwd_back_search(
e = pw2entry( be, pw );
if ( test_filter( be, conn, op, e, filter ) == 0 ) {
/* check size limit */
if ( --slimit == -1 ) {
send_ldap_result( conn, op, LDAP_SIZELIMIT_EXCEEDED,
NULL, NULL );
endpwent();
return( 0 );
}
send_search_entry( be, conn, op, e, attrs, attrsonly );
}

79
servers/slapd/backend.c
View File

@ -1,14 +1,18 @@
/* backend.c - routines for dealing with back-end databases */
#include "portable.h"
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <ac/string.h>
#include <ac/socket.h>
#include <sys/stat.h>
#include "slap.h"
#ifdef LDAP_LDBM
#ifdef SLAPD_LDBM
extern int ldbm_back_bind();
extern int ldbm_back_unbind();
extern int ldbm_back_search();
@ -21,14 +25,15 @@ extern int ldbm_back_abandon();
extern int ldbm_back_config();
extern int ldbm_back_init();
extern int ldbm_back_close();
extern int ldbm_back_group();
#endif
#ifdef LDAP_PASSWD
#ifdef SLAPD_PASSWD
extern int passwd_back_search();
extern int passwd_back_config();
#endif
#ifdef LDAP_SHELL
#ifdef SLAPD_SHELL
extern int shell_back_bind();
extern int shell_back_unbind();
extern int shell_back_search();
@ -72,7 +77,7 @@ new_backend(
be->be_timelimit = deftime;
foundit = 0;
#ifdef LDAP_LDBM
#ifdef SLAPD_LDBM
if ( strcasecmp( type, "ldbm" ) == 0 ) {
be->be_bind = ldbm_back_bind;
be->be_unbind = ldbm_back_unbind;
@ -86,12 +91,15 @@ new_backend(
be->be_config = ldbm_back_config;
be->be_init = ldbm_back_init;
be->be_close = ldbm_back_close;
#ifdef SLAPD_ACLGROUPS
be->be_group = ldbm_back_group;
#endif
be->be_type = "ldbm";
foundit = 1;
}
#endif
#ifdef LDAP_PASSWD
#ifdef SLAPD_PASSWD
if ( strcasecmp( type, "passwd" ) == 0 ) {
be->be_bind = NULL;
be->be_unbind = NULL;
@ -105,12 +113,15 @@ new_backend(
be->be_config = passwd_back_config;
be->be_init = NULL;
be->be_close = NULL;
#ifdef SLAPD_ACLGROUPS
be->be_group = NULL;
#endif
be->be_type = "passwd";
foundit = 1;
}
#endif
#ifdef LDAP_SHELL
#ifdef SLAPD_SHELL
if ( strcasecmp( type, "shell" ) == 0 ) {
be->be_bind = shell_back_bind;
be->be_unbind = shell_back_unbind;
@ -124,6 +135,9 @@ new_backend(
be->be_config = shell_back_config;
be->be_init = shell_back_init;
be->be_close = NULL;
#ifdef SLAPD_ACLGROUPS
be->be_group = NULL;
#endif
be->be_type = "shell";
foundit = 1;
}
@ -149,7 +163,20 @@ select_backend( char * dn )
dnlen = strlen( dn );
for ( i = 0; i < nbackends; i++ ) {
for ( j = 0; backends[i].be_suffix != NULL &&
backends[i].be_suffix[j] != NULL; j++ ) {
backends[i].be_suffix[j] != NULL; j++ )
{
#ifdef LDAP_ALLOW_NULL_SEARCH_BASE
/* Add greg@greg.rim.or.jp
* It's quick hack for cheap client
* Some browser offer a NULL base at ldap_search
*/
if(dnlen == 0) {
Debug( LDAP_DEBUG_TRACE,
"select_backend: use default backend\n", 0, 0, 0 );
return (&backends[i]);
}
#endif /* LDAP_ALLOW_NULL_SEARCH_BASE */
len = strlen( backends[i].be_suffix[j] );
if ( len > dnlen ) {
@ -163,6 +190,27 @@ select_backend( char * dn )
}
}
/* if no proper suffix could be found then check for aliases */
for ( i = 0; i < nbackends; i++ ) {
for ( j = 0;
backends[i].be_suffixAlias != NULL &&
backends[i].be_suffixAlias[j] != NULL;
j += 2 )
{
len = strlen( backends[i].be_suffixAlias[j] );
if ( len > dnlen ) {
continue;
}
if ( strcasecmp( backends[i].be_suffixAlias[j],
dn + (dnlen - len) ) == 0 ) {
return( &backends[i] );
}
}
}
return( NULL );
}
@ -231,3 +279,14 @@ be_unbind(
}
}
}
#ifdef SLAPD_ACLGROUPS
int
be_group(Backend *be, char *bdn, char *edn, char *objectclassValue, char *groupattrName)
{
if (be->be_group)
return(be->be_group(be, bdn, edn, objectclassValue, groupattrName));
else
return(1);
}
#endif

52
servers/slapd/filter.c
View File

@ -1,9 +1,12 @@
/* filter.c - routines for parsing and dealing with filters */
#include "portable.h"
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <ac/socket.h>
#include <ac/string.h>
#include "slap.h"
static int get_filter_list();
@ -54,7 +57,7 @@ get_filter( Connection *conn, BerElement *ber, Filter **filt, char **fstr )
err = 0;
*fstr = NULL;
f->f_choice = ber_peek_tag( ber, &len );
#ifdef COMPAT30
#ifdef LDAP_COMPAT30
if ( conn->c_version == 30 ) {
switch ( f->f_choice ) {
case LDAP_FILTER_EQUALITY:
@ -135,6 +138,7 @@ get_filter( Connection *conn, BerElement *ber, Filter **filt, char **fstr )
Debug( LDAP_DEBUG_FILTER, "AND\n", 0, 0, 0 );
if ( (err = get_filter_list( conn, ber, &f->f_and, &ftmp ))
== 0 ) {
if (ftmp == NULL) ftmp = strdup("");
*fstr = ch_malloc( 4 + strlen( ftmp ) );
sprintf( *fstr, "(&%s)", ftmp );
free( ftmp );
@ -145,6 +149,7 @@ get_filter( Connection *conn, BerElement *ber, Filter **filt, char **fstr )
Debug( LDAP_DEBUG_FILTER, "OR\n", 0, 0, 0 );
if ( (err = get_filter_list( conn, ber, &f->f_or, &ftmp ))
== 0 ) {
if (ftmp == NULL) ftmp = strdup("");
*fstr = ch_malloc( 4 + strlen( ftmp ) );
sprintf( *fstr, "(|%s)", ftmp );
free( ftmp );
@ -155,6 +160,7 @@ get_filter( Connection *conn, BerElement *ber, Filter **filt, char **fstr )
Debug( LDAP_DEBUG_FILTER, "NOT\n", 0, 0, 0 );
(void) ber_skip_tag( ber, &len );
if ( (err = get_filter( conn, ber, &f->f_not, &ftmp )) == 0 ) {
if (ftmp == NULL) ftmp = strdup("");
*fstr = ch_malloc( 4 + strlen( ftmp ) );
sprintf( *fstr, "(!%s)", ftmp );
free( ftmp );
@ -189,7 +195,7 @@ get_filter_list( Connection *conn, BerElement *ber, Filter **f, char **fstr )
Debug( LDAP_DEBUG_FILTER, "begin get_filter_list\n", 0, 0, 0 );
#ifdef COMPAT30
#ifdef LDAP_COMPAT30
if ( conn->c_version == 30 ) {
(void) ber_skip_tag( ber, &len );
}
@ -230,7 +236,7 @@ get_substring_filter(
Debug( LDAP_DEBUG_FILTER, "begin get_substring_filter\n", 0, 0, 0 );
#ifdef COMPAT30
#ifdef LDAP_COMPAT30
if ( conn->c_version == 30 ) {
(void) ber_skip_tag( ber, &len );
}
@ -248,7 +254,7 @@ get_substring_filter(
sprintf( *fstr, "(%s=", f->f_sub_type );
for ( tag = ber_first_element( ber, &len, &last ); tag != LBER_DEFAULT;
tag = ber_next_element( ber, &len, last ) ) {
#ifdef COMPAT30
#ifdef LDAP_COMPAT30
if ( conn->c_version == 30 ) {
rc = ber_scanf( ber, "{a}", &val );
} else
@ -266,7 +272,7 @@ get_substring_filter(
value_normalize( val, syntax );
switch ( tag ) {
#ifdef COMPAT30
#ifdef LDAP_COMPAT30
case LDAP_SUBSTRING_INITIAL_30:
#endif
case LDAP_SUBSTRING_INITIAL:
@ -280,7 +286,7 @@ get_substring_filter(
strcat( *fstr, val );
break;
#ifdef COMPAT30
#ifdef LDAP_COMPAT30
case LDAP_SUBSTRING_ANY_30:
#endif
case LDAP_SUBSTRING_ANY:
@ -292,7 +298,7 @@ get_substring_filter(
strcat( *fstr, val );
break;
#ifdef COMPAT30
#ifdef LDAP_COMPAT30
case LDAP_SUBSTRING_FINAL_30:
#endif
case LDAP_SUBSTRING_FINAL:
@ -385,63 +391,63 @@ filter_print( Filter *f )
Filter *p;
if ( f == NULL ) {
printf( "NULL" );
fprintf( stderr, "NULL" );
}
switch ( f->f_choice ) {
case LDAP_FILTER_EQUALITY:
printf( "(%s=%s)", f->f_ava.ava_type,
fprintf( stderr, "(%s=%s)", f->f_ava.ava_type,
f->f_ava.ava_value.bv_val );
break;
case LDAP_FILTER_GE:
printf( "(%s>=%s)", f->f_ava.ava_type,
fprintf( stderr, "(%s>=%s)", f->f_ava.ava_type,
f->f_ava.ava_value.bv_val );
break;
case LDAP_FILTER_LE:
printf( "(%s<=%s)", f->f_ava.ava_type,
fprintf( stderr, "(%s<=%s)", f->f_ava.ava_type,
f->f_ava.ava_value.bv_val );
break;
case LDAP_FILTER_APPROX:
printf( "(%s~=%s)", f->f_ava.ava_type,
fprintf( stderr, "(%s~=%s)", f->f_ava.ava_type,
f->f_ava.ava_value.bv_val );
break;
case LDAP_FILTER_SUBSTRINGS:
printf( "(%s=", f->f_sub_type );
fprintf( stderr, "(%s=", f->f_sub_type );
if ( f->f_sub_initial != NULL ) {
printf( "%s", f->f_sub_initial );
fprintf( stderr, "%s", f->f_sub_initial );
}
if ( f->f_sub_any != NULL ) {
for ( i = 0; f->f_sub_any[i] != NULL; i++ ) {
printf( "*%s", f->f_sub_any[i] );
fprintf( stderr, "*%s", f->f_sub_any[i] );
}
}
charray_free( f->f_sub_any );
if ( f->f_sub_final != NULL ) {
printf( "*%s", f->f_sub_final );
fprintf( stderr, "*%s", f->f_sub_final );
}
break;
case LDAP_FILTER_PRESENT:
printf( "%s=*", f->f_type );
fprintf( stderr, "%s=*", f->f_type );
break;
case LDAP_FILTER_AND:
case LDAP_FILTER_OR:
case LDAP_FILTER_NOT:
printf( "(%c", f->f_choice == LDAP_FILTER_AND ? '&' :
fprintf( stderr, "(%c", f->f_choice == LDAP_FILTER_AND ? '&' :
f->f_choice == LDAP_FILTER_OR ? '|' : '!' );
for ( p = f->f_list; p != NULL; p = p->f_next ) {
filter_print( p );
}
printf( ")" );
fprintf( stderr, ")" );
break;
default:
printf( "unknown type %d", f->f_choice );
fprintf( stderr, "unknown type %d", f->f_choice );
break;
}
}

45
servers/slapd/slap.h
View File

@ -3,13 +3,22 @@
#ifndef _SLDAPD_H_
#define _SLDAPD_H_
#define LDAP_SYSLOG
#include "portable.h"
#include <stdlib.h>
#include <sys/types.h>
#include <ac/syslog.h>
#include <ac/regex.h>
#undef NDEBUG
#include <assert.h>
#include <syslog.h>
#include "avl.h"
#include "lber.h"
#include "ldap.h"
#include "lthread.h"
#include "lthread_rdwr.h"
#include "ldif.h"
#define DN_DNS 0
@ -17,6 +26,11 @@
#define ON 1
#define OFF (-1)
#define UNDEFINED 0
#define MAXREMATCHES 10
LDAP_BEGIN_DECL
/*
* represents an attribute value assertion (i.e., attr=value)
@ -103,6 +117,9 @@ typedef struct entry {
ID e_id; /* id of this entry - this should */
/* really be private to back-ldbm */
char e_state; /* for the cache */
pthread_rdwr_t e_rdwr; /* reader/writer lock */
#define ENTRY_STATE_DELETED 1
#define ENTRY_STATE_CREATING 2
int e_refcnt; /* # threads ref'ing this entry */
@ -121,6 +138,13 @@ struct access {
char *a_domainpat;
char *a_dnattr;
long a_access;
#ifdef SLAPD_ACLGROUPS
char *a_group;
char *a_objectclassvalue;
char *a_groupattrname;
#endif
#define ACL_NONE 0x01
#define ACL_COMPARE 0x02
#define ACL_SEARCH 0x04
@ -134,6 +158,7 @@ struct access {
struct acl {
/* "to" part: the entries this acl applies to */
Filter *acl_filter;
regex_t acl_dnre;
char *acl_dnpat;
char **acl_attrs;
@ -160,9 +185,11 @@ struct objclass {
typedef struct backend {
char **be_suffix; /* the DN suffixes of data in this backend */
char **be_suffixAlias; /* the DN suffix aliases of data in this backend */
char *be_rootdn; /* the magic "root" dn for this db */
char *be_rootpw; /* the magic "root" password for this db */
int be_readonly; /* 1 => db is in "read only" mode */
int be_maxDerefDepth; /* limit for depth of an alias deref */
int be_sizelimit; /* size limit for this backend */
int be_timelimit; /* time limit for this backend */
struct acl *be_acl; /* access control list for this backend */
@ -187,6 +214,10 @@ typedef struct backend {
IFP be_config; /* backend config routine */
IFP be_init; /* backend init routine */
IFP be_close; /* backend close routine */
#ifdef SLAPD_ACLGROUPS
IFP be_group; /* backend group member test */
#endif
} Backend;
/*
@ -199,12 +230,14 @@ typedef struct op {
unsigned long o_tag; /* tag of the request */
time_t o_time; /* time op was initiated */
char *o_dn; /* dn bound when op was initiated */
char *o_suffix; /* suffix if aliased */
char *o_suffixAliased; /* pending suffix translation */
int o_authtype; /* auth method used to bind dn */
/* values taken from ldap.h */
/* LDAP_AUTH_* */
int o_opid; /* id of this operation */
int o_connid; /* id of conn initiating this op */
#ifdef CLDAP
#ifdef LDAP_CONNECTIONLESS
int o_cldap; /* != 0 if this came in via CLDAP */
struct sockaddr o_clientaddr; /* client address if via CLDAP */
char o_searchbase; /* search base if via CLDAP */
@ -226,7 +259,7 @@ typedef struct conn {
char *c_dn; /* current DN bound to this conn */
pthread_mutex_t c_dnmutex; /* mutex for c_dn field */
int c_authtype; /* auth method used to bind c_dn */
#ifdef COMPAT
#ifdef LDAP_COMPAT
int c_version; /* for compatibility w/2.0, 3.0 */
#endif
char *c_addr; /* address of client on this conn */
@ -258,8 +291,8 @@ typedef struct conn {
#define Statslog( level, fmt, connid, opid, arg1, arg2, arg3 )
#endif
#ifdef NEEDPROTOS
#include "proto-slap.h"
#endif
LDAP_END_DECL
#endif /* _slap_h_ */