Rework ACI codes to use OpenLDAPaci. Add needed schema elements.

Needs work.  Volunteers welcomed.

servers/slapd/acl.c

@@ -53,12 +53,6 @@ static int aci_mask(
 	regmatch_t *matches,
 	slap_access_t *grant,
 	slap_access_t *deny );
-
-char *supportedACIMechs[] = {
-	"1.3.6.1.4.1.4203.666.7.1",	/* experimental IETF aci family */
-	"1.3.6.1.4.1.4203.666.7.2",	/* experimental OpenLDAP aci family */
-	NULL
-};
 #endif
 
 static int	regex_matches(
@@ -1128,12 +1122,6 @@ aci_mask(
 	/* check that the aci family is supported */
 	if (aci_get_part(aci, 0, '#', &bv) < 0)
 		return(0);
-	for (i = 0; supportedACIMechs[i] != NULL; i++) {
-		if (aci_strbvcmp( supportedACIMechs[i], &bv ) == 0)
-			break;
-	}
-	if (supportedACIMechs[i] == NULL)
-		return(0);
 
 	/* check that the scope is "entry" */
 	if (aci_get_part(aci, 1, '#', &bv) < 0
@@ -1231,15 +1219,6 @@ aci_mask(
 	return(0);
 }
 
-char *
-get_supported_acimech(
-	int index )
-{
-	if (index < 0 || index >= (sizeof(supportedACIMechs) / sizeof(char *)))
-		return(NULL);
-	return(supportedACIMechs[index]);
-}
-
 #endif	/* SLAPD_ACI_ENABLED */
 
 static void

servers/slapd/oc.c

@@ -116,7 +116,7 @@ static char *oc_op_usermod_attrs[] = {
 	 * which slapd supports modification of.
 	 *
 	 * Currently none.
-	 * Likely candidate, "aci"
+	 * Likely candidate, "OpenLDAPaci"
 	 */
 	NULL
 };
@@ -139,7 +139,6 @@ static char *oc_op_attrs[] = {
 	"supportedControl",
 	"supportedSASLMechanisms",
 	"supportedLDAPversion",
-	"supportedACIMechanisms",
 	"subschemaSubentry",		/* NO USER MOD */
 	NULL
 

servers/slapd/proto-slap.h

@@ -66,8 +66,6 @@ LIBSLAPD_F (int) acl_check_modlist LDAP_P((
 
 LIBSLAPD_F (void) acl_append( AccessControl **l, AccessControl *a );
 
-LIBSLAPD_F (char *) get_supported_acimech LDAP_P((int index));
-
 /*
  * aclparse.c
  */

servers/slapd/root_dse.c

@@ -33,9 +33,6 @@ root_dse_info( Entry **entry, const char **text )
 	AttributeDescription *ad_supportedExtension = slap_schema.si_ad_supportedExtension;
 	AttributeDescription *ad_supportedLDAPVersion = slap_schema.si_ad_supportedLDAPVersion;
 	AttributeDescription *ad_supportedSASLMechanisms = slap_schema.si_ad_supportedSASLMechanisms;
-#	ifdef SLAPD_ACI_ENABLED
-	AttributeDescription *ad_supportedACIMechanisms = slap_schema.si_ad_supportedACIMechanisms;
-#	endif
 	AttributeDescription *ad_ref = slap_schema.si_ad_ref;
 #else
 	char *ad_objectClass = "objectClass";
@@ -44,9 +41,6 @@ root_dse_info( Entry **entry, const char **text )
 	char *ad_supportedExtension = "supportedExtension";
 	char *ad_supportedLDAPVersion = "supportedLDAPVersion";
 	char *ad_supportedSASLMechanisms = "supportedSASLMechanisms";
-#	ifdef SLAPD_ACI_ENABLED
-	char *ad_supportedACIMechanisms = "supportedACIMechanisms";
-#	endif
 	char *ad_ref = "ref";
 #endif
 
@@ -109,14 +103,6 @@ root_dse_info( Entry **entry, const char **text )
 		}
 	}
 
-#ifdef SLAPD_ACI_ENABLED
-	/* supportedACIMechanisms */
-	for ( i=0; (val.bv_val = get_supported_acimech(i)) != NULL; i++ ) {
-		val.bv_len = strlen( val.bv_val );
-		attr_merge( e, ad_supportedACIMechanisms, vals );
-	}
-#endif
-
 	if ( default_referral != NULL ) {
 		attr_merge( e, ad_ref, default_referral );
 	}

servers/slapd/schema/core.schema

@@ -581,19 +581,3 @@ objectclass ( 1.3.6.1.4.1.4203.666.3.2
 	DESC 'OpenLDAP Root DSE object'
 	SUP top STRUCTURAL MAY cn )
 
-#
-# IETF LDAPext WG Access Control Model
-#	likely to change!
-attributetype ( supportedACIMechanismsOID NAME 'supportedACIMechanisms'
-     DESC 'list of access control mechanisms supported by this directory server'
-     SYNTAX 1.3.6.1.4.1.1466.115.121.1.38  USAGE dSAOperation )
-
-attributetype ( aCIMechanismOID NAME 'aCIMechanism'
-     DESC 'list of access control mechanism supported in this subtree'
-     SYNTAX 1.3.6.1.4.1.1466.115.121.1.38  USAGE dSAOperation )
-
-attributetype ( ldapACIOID NAME 'ldapACI'
-	DESC 'LDAP access control information'
-	EQUALITY caseIgnoreMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
-	USAGE directoryOperation )

servers/slapd/schema/openldap.schema

@@ -33,6 +33,12 @@ attributetype ( 1.3.6.1.4.1.4203.666.1.4 NAME 'children'
 	SYNTAX 1.3.6.1.4.1.1466.115.121.1.5
 	SINGLE-VALUE NO-USER-MODIFICATION USAGE dSAOperation )
 
+attributetype ( 1.3.6.1.4.1.4203.666.1.5 NAME 'OpenLDAPaci'
+	DESC 'OpenLDAP access control information'
+	EQUALITY OpenLDAPaciMatch
+	SYNTAX 1.3.6.1.4.1.4203.666.2.1
+	USAGE directoryOperation )
+
 #
 # From U-Mich
 #

servers/slapd/schema_init.c

@@ -852,10 +852,12 @@ struct syntax_defs_rec syntax_defs[] = {
 	/* OpenLDAP Experimental Syntaxes */
 	{"( 1.3.6.1.4.1.4203.666.2.1 DESC 'OpenLDAP Experimental ACI' )",
 		0, NULL, NULL, NULL},
-	{"( 1.3.6.1.4.1.4203.666.2.2 DESC 'OpenLDAP void' " X_HIDE ")" ,
-		SLAP_SYNTAX_HIDE, NULL, NULL, NULL},
-	{"( 1.3.6.1.4.1.4203.666.2.3 DESC 'OpenLDAP DN' " X_HIDE ")" ,
-		SLAP_SYNTAX_HIDE, NULL, NULL, NULL},
+	{"( 1.3.6.1.4.1.4203.666.2.2 DESC 'OpenLDAP authPassword' )",
+		0, NULL, NULL, NULL},
+	{"( 1.3.6.1.4.1.4203.666.2.3 DESC 'OpenLDAP void' " X_HIDE ")" ,
+		SLAP_SYNTAX_HIDE, inValidate, NULL, NULL},
+	{"( 1.3.6.1.4.1.4203.666.2.4 DESC 'OpenLDAP DN' " X_HIDE ")" ,
+		SLAP_SYNTAX_HIDE, inValidate, NULL, NULL},
 
 	{NULL, 0, NULL, NULL, NULL}
 };
@@ -926,6 +928,9 @@ struct mrule_defs_rec {
 #define integerFirstComponentMatch NULL
 #define objectIdentifierFirstComponentMatch NULL
 
+#define OpenLDAPaciMatch NULL
+#define authPasswordMatch NULL
+
 struct mrule_defs_rec mrule_defs[] = {
 	{"( 2.5.13.0 NAME 'objectIdentifierMatch' "
 		"SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )",
@@ -1063,6 +1068,16 @@ struct mrule_defs_rec mrule_defs[] = {
 		SLAP_MR_SUBSTR,
 		NULL, NULL, caseIgnoreIA5SubstringsMatch, NULL, NULL},
 
+	{"( 1.3.6.1.4.1.4203.666.4.1 NAME 'authPasswordMatch' "
+		"SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )",
+		SLAP_MR_EQUALITY,
+		NULL, NULL, authPasswordMatch, NULL, NULL},
+
+	{"( 1.3.6.1.4.1.4203.666.4.2 NAME 'OpenLDAPaciMatch' "
+		"SYNTAX 1.3.6.1.4.1.4203.666.2.1 )",
+		SLAP_MR_EQUALITY,
+		NULL, NULL, OpenLDAPaciMatch, NULL, NULL},
+
 	{NULL, SLAP_MR_NONE, NULL, NULL, NULL}
 };
 

servers/slapd/schema_prep.c

@@ -79,10 +79,6 @@ struct slap_schema_ad_map {
 		offsetof(struct slap_internal_schema, si_ad_supportedExtension) },
 	{ "supportedLDAPVersion", NULL,
 		offsetof(struct slap_internal_schema, si_ad_supportedLDAPVersion) },
-#ifdef SLAPD_ACI_ENABLED
-	{ "supportedACIMechanisms", NULL,
-		offsetof(struct slap_internal_schema, si_ad_supportedACIMechanisms) },
-#endif
 	{ "supportedSASLMechanisms", NULL,
 		offsetof(struct slap_internal_schema, si_ad_supportedSASLMechanisms) },
 
@@ -107,6 +103,10 @@ struct slap_schema_ad_map {
 		offsetof(struct slap_internal_schema, si_ad_entry) },
 	{ "children", NULL,
 		offsetof(struct slap_internal_schema, si_ad_children) },
+#ifdef SLAPD_ACI_ENABLED
+	{ "OpenLDAPaci", NULL,
+		offsetof(struct slap_internal_schema, si_ad_aci) },
+#endif
 
 	{ "userPassword", NULL,
 		offsetof(struct slap_internal_schema, si_ad_userPassword) },

servers/slapd/slap.h

@@ -101,7 +101,7 @@ LDAP_BEGIN_DECL
 #define SLAPD_ROLE_CLASS		"organizationalRole"
 
 #define SLAPD_ACI_SYNTAX		"1.3.6.1.4.1.4203.666.2.1"
-#define SLAPD_ACI_ATTR			"aci"
+#define SLAPD_ACI_ATTR			"OpenLDAPaci"
 
 LIBSLAPD_F (int) slap_debug;
 
@@ -355,9 +355,6 @@ struct slap_internal_schema {
 	AttributeDescription *si_ad_supportedControl;
 	AttributeDescription *si_ad_supportedExtension;
 	AttributeDescription *si_ad_supportedLDAPVersion;
-#ifdef SLAPD_ACI_ENABLED
-	AttributeDescription *si_ad_supportedACIMechanisms;
-#endif
 	AttributeDescription *si_ad_supportedSASLMechanisms;
 
 	/* subschema subentry attributes */
@@ -374,6 +371,9 @@ struct slap_internal_schema {
 	/* Access Control Internals */
 	AttributeDescription *si_ad_entry;
 	AttributeDescription *si_ad_children;
+#ifdef SLAPD_ACI_ENABLED
+	AttributeDescription *si_ad_aci;
+#endif
 
 	/* Other */
 	AttributeDescription *si_ad_userPassword;