mirror/openldap
2
0
Fork 0
mirror of https://git.openldap.org/openldap/openldap.git synced 2025-01-06 10:46:21 +08:00
Code Issues Packages Projects Releases Wiki Activity

unifdef -DSLAP_ACL_HONOR_DISCLOSE

Browse Source 
unifdef -DSLAP_ACL_HONOR_MANAGE
unifdef -DSLAP_OVERLAY_ACCESS
unifdef -DSLAP_ORDERED_PRETTYNORM
unifdef -DSLAP_AUTHZ_SYNTAX
Move LDAP_COLLECTIVE_ATTRIBUTES, LDAP_COMP_MATCH, and LDAP_SYNC_TIMESTAMP
back behind LDAP_DEVEL (as these either too experimental or not yet
implemented).
This commit is contained in:
Kurt Zeilenga 2006-04-12 05:53:26 +00:00
parent 444ec670e3
commit eb9a3c1876
29 changed files with 22 additions and 488 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

276
servers/slapd/acl.c
View File

@ -94,7 +94,6 @@ SLAP_SET_GATHER acl_set_gather2;
* - can be legally called with op->o_bd == NULL
*/
#ifdef SLAP_OVERLAY_ACCESS
int
slap_access_always_allowed(
Operation *op,
@ -462,281 +461,6 @@ done:
return ret;
}
#else /* !SLAP_OVERLAY_ACCESS */
int
access_allowed_mask(
Operation *op,
Entry *e,
AttributeDescription *desc,
struct berval *val,
slap_access_t access,
AccessControlState *state,
slap_mask_t *maskp )
{
int ret = 1;
int count;
AccessControl *a = NULL;
Backend *be;
int be_null = 0;
#ifdef LDAP_DEBUG
char accessmaskbuf[ACCESSMASK_MAXLEN];
#endif
slap_mask_t mask;
slap_control_t control;
slap_access_t access_level;
const char *attr;
regmatch_t matches[MAXREMATCHES];
int st_same_attr = 0;
static AccessControlState state_init = ACL_STATE_INIT;
assert( e != NULL );
assert( desc != NULL );
access_level = ACL_LEVEL( access );
assert( access_level > ACL_NONE );
if ( maskp ) ACL_INVALIDATE( *maskp );
attr = desc->ad_cname.bv_val;
assert( attr != NULL );
if ( op ) {
if ( op->o_is_auth_check &&
( access_level == ACL_SEARCH || access_level == ACL_READ ) )
{
access = ACL_AUTH;
} else if ( get_manageDIT( op ) && access_level == ACL_WRITE &&
desc == slap_schema.si_ad_entry )
{
access = ACL_MANAGE;
}
}
if ( state ) {
if ( state->as_vd_ad == desc ) {
if ( ( state->as_recorded & ACL_STATE_RECORDED_NV ) &&
val == NULL )
{
return state->as_result;
} else if ( ( state->as_recorded & ACL_STATE_RECORDED_VD ) &&
val != NULL && state->as_vd_acl == NULL )
{
return state->as_result;
}
st_same_attr = 1;
} else {
*state = state_init;
}
state->as_vd_ad = desc;
}
Debug( LDAP_DEBUG_ACL,
"=> access_allowed: %s access to \"%s\" \"%s\" requested\n",
access2str( access ), e->e_dn, attr );
if ( op == NULL ) {
/* no-op call */
goto done;
}
be = op->o_bd;
if ( be == NULL ) {
be = LDAP_STAILQ_FIRST(&backendDB);
be_null = 1;
#ifdef LDAP_DEVEL
/*
* FIXME: experimental; use first backend rules
* iff there is no global_acl (ITS#3100) */
if ( frontendDB->be_acl == NULL )
#endif
{
op->o_bd = be;
}
}
assert( be != NULL );
/* grant database root access */
if ( be_isroot( op ) ) {
Debug( LDAP_DEBUG_ACL, "<= root access granted\n", 0, 0, 0 );
if ( maskp ) {
mask = ACL_LVL_MANAGE;
}
goto done;
}
/*
* no-user-modification operational attributes are ignored
* by ACL_WRITE checking as any found here are not provided
* by the user
*
* NOTE: but they are not ignored for ACL_MANAGE, because
* if we get here it means a non-root user is trying to
* manage data, so we need to check its privileges.
*/
if ( access_level == ACL_WRITE && is_at_no_user_mod( desc->ad_type )
&& desc != slap_schema.si_ad_entry
&& desc != slap_schema.si_ad_children )
{
Debug( LDAP_DEBUG_ACL, "NoUserMod Operational attribute:"
" %s access granted\n",
attr, 0, 0 );
goto done;
}
/* use backend default access if no backend acls */
if ( be->be_acl == NULL ) {
Debug( LDAP_DEBUG_ACL,
"=> access_allowed: backend default %s "
"access %s to \"%s\"\n",
access2str( access ),
be->be_dfltaccess >= access_level ? "granted" : "denied",
op->o_dn.bv_val ? op->o_dn.bv_val : "(anonymous)" );
ret = be->be_dfltaccess >= access_level;
if ( maskp ) {
int i;
mask = ACL_PRIV_LEVEL;
for ( i = ACL_NONE; i <= be->be_dfltaccess; i++ ) {
mask |= ACL_ACCESS2PRIV( i );
}
}
goto done;
#ifdef notdef
/* be is always non-NULL */
/* use global default access if no global acls */
} else if ( be == NULL && frontendDB->be_acl == NULL ) {
Debug( LDAP_DEBUG_ACL,
"=> access_allowed: global default %s access %s to \"%s\"\n",
access2str( access ),
frontendDB->be_dfltaccess >= access_level ?
"granted" : "denied", op->o_dn.bv_val );
ret = frontendDB->be_dfltaccess >= access_level;
if ( maskp ) {
int i;
mask = ACL_PRIV_LEVEL;
for ( i = ACL_NONE; i <= global_default_access; i++ ) {
mask |= ACL_ACCESS2PRIV( i );
}
}
goto done;
#endif
}
ret = 0;
control = ACL_BREAK;
if ( st_same_attr ) {
assert( state->as_vd_acl != NULL );
a = state->as_vd_acl;
count = state->as_vd_acl_count;
if ( !ACL_IS_INVALID( state->as_vd_acl_mask ) ) {
mask = state->as_vd_acl_mask;
AC_MEMCPY( matches, state->as_vd_acl_matches, sizeof(matches) );
goto vd_access;
}
} else {
if ( state ) state->as_vi_acl = NULL;
a = NULL;
ACL_INIT(mask);
count = 0;
memset( matches, '\0', sizeof(matches) );
}
while ( ( a = slap_acl_get( a, &count, op, e, desc, val,
MAXREMATCHES, matches, state ) ) != NULL )
{
int i;
for ( i = 0; i < MAXREMATCHES && matches[i].rm_so > 0; i++ ) {
Debug( LDAP_DEBUG_ACL, "=> match[%d]: %d %d ", i,
(int)matches[i].rm_so, (int)matches[i].rm_eo );
if ( matches[i].rm_so <= matches[0].rm_eo ) {
int n;
for ( n = matches[i].rm_so; n < matches[i].rm_eo; n++ ) {
Debug( LDAP_DEBUG_ACL, "%c", e->e_ndn[n], 0, 0 );
}
}
Debug( LDAP_DEBUG_ARGS, "\n", 0, 0, 0 );
}
if ( state ) {
if ( state->as_vi_acl == a &&
( state->as_recorded & ACL_STATE_RECORDED_NV ) )
{
Debug( LDAP_DEBUG_ACL,
"access_allowed: result from state (%s)\n",
attr, 0, 0 );
ret = state->as_result;
goto done;
} else {
Debug( LDAP_DEBUG_ACL,
"access_allowed: no res from state (%s)\n",
attr, 0, 0 );
}
}
vd_access:
control = slap_acl_mask( a, &mask, op,
e, desc, val, MAXREMATCHES, matches, count, state );
if ( control != ACL_BREAK ) {
break;
}
memset( matches, '\0', sizeof(matches) );
}
if ( ACL_IS_INVALID( mask ) ) {
Debug( LDAP_DEBUG_ACL,
"=> access_allowed: \"%s\" (%s) invalid!\n",
e->e_dn, attr, 0 );
ACL_INIT(mask);
} else if ( control == ACL_BREAK ) {
Debug( LDAP_DEBUG_ACL,
"=> access_allowed: no more rules\n", 0, 0, 0 );
goto done;
}
Debug( LDAP_DEBUG_ACL,
"=> access_allowed: %s access %s by %s\n",
access2str( access ),
ACL_GRANT(mask, access) ? "granted" : "denied",
accessmask2str( mask, accessmaskbuf, 1 ) );
ret = ACL_GRANT(mask, access);
done:
if ( state != NULL ) {
/* If not value-dependent, save ACL in case of more attrs */
if ( !( state->as_recorded & ACL_STATE_RECORDED_VD ) ) {
state->as_vi_acl = a;
state->as_result = ret;
}
state->as_recorded |= ACL_STATE_RECORDED;
}
if ( be_null ) op->o_bd = NULL;
if ( maskp ) *maskp = mask;
return ret;
}
#endif /* !SLAP_OVERLAY_ACCESS */
/*
* slap_acl_get - return the acl applicable to entry e, attribute

5
servers/slapd/aclparse.c
View File

@ -2453,11 +2453,6 @@ str2access( const char *str )
return ACL_NONE;
} else if ( strcasecmp( str, "disclose" ) == 0 ) {
#ifndef SLAP_ACL_HONOR_DISCLOSE
Debug( LDAP_DEBUG_ACL, "str2access: warning, "
"\"disclose\" privilege disabled.\n",
0, 0, 0 );
#endif /* SLAP_ACL_HONOR_DISCLOSE */
return ACL_DISCLOSE;
} else if ( strcasecmp( str, "auth" ) == 0 ) {

20
servers/slapd/back-bdb/compare.c
View File

@ -66,16 +66,13 @@ dn2entry_retry:
e = ei->bei_e;
if ( rs->sr_err == DB_NOTFOUND ) {
if ( e != NULL ) {
#ifdef SLAP_ACL_HONOR_DISCLOSE
/* return referral only if "disclose" is granted on the object */
if ( ! access_allowed( op, e, slap_schema.si_ad_entry,
NULL, ACL_DISCLOSE, NULL ) )
{
rs->sr_err = LDAP_NO_SUCH_OBJECT;
} else
#endif /* SLAP_ACL_HONOR_DISCLOSE */
{
} else {
rs->sr_matched = ch_strdup( e->e_dn );
rs->sr_ref = is_entry_referral( e )
? get_entry_referrals( op, e )
@ -103,15 +100,12 @@ dn2entry_retry:
}
if (!manageDSAit && is_entry_referral( e ) ) {
#ifdef SLAP_ACL_HONOR_DISCLOSE
/* return referral only if "disclose" is granted on the object */
if ( !access_allowed( op, e, slap_schema.si_ad_entry,
NULL, ACL_DISCLOSE, NULL ) )
{
rs->sr_err = LDAP_NO_SUCH_OBJECT;
} else
#endif /* SLAP_ACL_HONOR_DISCLOSE */
{
} else {
/* entry is a referral, don't allow compare */
rs->sr_ref = get_entry_referrals( op, e );
rs->sr_err = LDAP_REFERRAL;
@ -131,14 +125,11 @@ dn2entry_retry:
if ( get_assert( op ) &&
( test_filter( op, e, get_assertion( op )) != LDAP_COMPARE_TRUE ))
{
#ifdef SLAP_ACL_HONOR_DISCLOSE
if ( !access_allowed( op, e, slap_schema.si_ad_entry,
NULL, ACL_DISCLOSE, NULL ) )
{
rs->sr_err = LDAP_NO_SUCH_OBJECT;
} else
#endif /* SLAP_ACL_HONOR_DISCLOSE */
{
} else {
rs->sr_err = LDAP_ASSERTION_FAILED;
}
goto return_results;
@ -147,16 +138,13 @@ dn2entry_retry:
if ( !access_allowed( op, e, op->oq_compare.rs_ava->aa_desc,
&op->oq_compare.rs_ava->aa_value, ACL_COMPARE, NULL ) )
{
#ifdef SLAP_ACL_HONOR_DISCLOSE
/* return error only if "disclose"
* is granted on the object */
if ( !access_allowed( op, e, slap_schema.si_ad_entry,
NULL, ACL_DISCLOSE, NULL ) )
{
rs->sr_err = LDAP_NO_SUCH_OBJECT;
} else
#endif /* SLAP_ACL_HONOR_DISCLOSE */
{
} else {
rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
}
goto return_results;

9
servers/slapd/back-bdb/search.c
View File

@ -319,9 +319,7 @@ bdb_search( Operation *op, SlapReply *rs )
Entry *matched = NULL;
EntryInfo *ei, ei_root = {0};
struct berval realbase = BER_BVNULL;
#ifdef SLAP_ACL_HONOR_DISCLOSE
slap_mask_t mask;
#endif
int manageDSAit;
int tentries = 0;
ID lastid = NOID;
@ -424,7 +422,6 @@ dn2entry_retry:
if ( matched != NULL ) {
BerVarray erefs = NULL;
#ifdef SLAP_ACL_HONOR_DISCLOSE
/* return referral only if "disclose"
* is granted on the object */
if ( ! access_allowed( op, matched,
@ -433,9 +430,7 @@ dn2entry_retry:
{
rs->sr_err = LDAP_NO_SUCH_OBJECT;
} else
#endif /* SLAP_ACL_HONOR_DISCLOSE */
{
} else {
ber_dupbv( &matched_dn, &matched->e_name );
erefs = is_entry_referral( matched )
@ -483,7 +478,6 @@ dn2entry_retry:
return rs->sr_err;
}
#ifdef SLAP_ACL_HONOR_DISCLOSE
/* NOTE: __NEW__ "search" access is required
* on searchBase object */
if ( ! access_allowed_mask( op, e, slap_schema.si_ad_entry,
@ -504,7 +498,6 @@ dn2entry_retry:
send_ldap_result( op, rs );
return rs->sr_err;
}
#endif /* SLAP_ACL_HONOR_DISCLOSE */
if ( !manageDSAit && e != &e_root && is_entry_referral( e ) ) {
/* entry is a referral, don't allow add */

2
servers/slapd/back-dnssrv/init.c
View File

@ -67,9 +67,7 @@ dnssrv_back_initialize(
bi->bi_connection_init = 0;
bi->bi_connection_destroy = 0;
#ifdef SLAP_OVERLAY_ACCESS
bi->bi_access_allowed = slap_access_always_allowed;
#endif /* SLAP_OVERLAY_ACCESS */
return 0;
}

4
servers/slapd/back-ldap/config.c
View File

@ -1059,7 +1059,6 @@ done_url:;
case LDAP_BACK_CFG_IDASSERT_AUTHZFROM: {
struct berval bv;
#ifdef SLAP_AUTHZ_SYNTAX
struct berval in;
int rc;
@ -1072,9 +1071,6 @@ done_url:;
Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->msg, 0 );
return 1;
}
#else /* !SLAP_AUTHZ_SYNTAX */
ber_str2bv( c->argv[ 1 ], 0, 1, &bv );
#endif /* !SLAP_AUTHZ_SYNTAX */
ber_bvarray_add( &li->li_idassert_authz, &bv );
} break;

2
servers/slapd/back-ldif/ldif.c
View File

@ -1249,9 +1249,7 @@ ldif_back_initialize(
bi->bi_entry_get_rw = ldif_back_entry_get;
#if 0 /* NOTE: uncomment to completely disable access control */
#ifdef SLAP_OVERLAY_ACCESS
bi->bi_access_allowed = slap_access_always_allowed;
#endif /* SLAP_OVERLAY_ACCESS */
#endif
bi->bi_tool_entry_open = ldif_tool_entry_open;

7
servers/slapd/back-monitor/compare.c
View File

@ -39,15 +39,12 @@ monitor_back_compare( struct slap_op *op, struct slap_rep *rs)
if ( e == NULL ) {
rs->sr_err = LDAP_NO_SUCH_OBJECT;
if ( matched ) {
#ifdef SLAP_ACL_HONOR_DISCLOSE
if ( !access_allowed_mask( op, matched,
slap_schema.si_ad_entry,
NULL, ACL_DISCLOSE, NULL, NULL ) )
{
/* do nothing */ ;
} else
#endif /* SLAP_ACL_HONOR_DISCLOSE */
{
} else {
rs->sr_matched = matched->e_dn;
}
}
@ -97,13 +94,11 @@ return_results:;
break;
default:
#ifdef SLAP_ACL_HONOR_DISCLOSE
if ( !access_allowed_mask( op, e, slap_schema.si_ad_entry,
NULL, ACL_DISCLOSE, NULL, NULL ) )
{
rs->sr_err = LDAP_NO_SUCH_OBJECT;
}
#endif /* SLAP_ACL_HONOR_DISCLOSE */
break;
}

7
servers/slapd/back-monitor/modify.c
View File

@ -45,15 +45,12 @@ monitor_back_modify( Operation *op, SlapReply *rs )
if ( e == NULL ) {
rs->sr_err = LDAP_NO_SUCH_OBJECT;
if ( matched ) {
#ifdef SLAP_ACL_HONOR_DISCLOSE
if ( !access_allowed_mask( op, matched,
slap_schema.si_ad_entry,
NULL, ACL_DISCLOSE, NULL, NULL ) )
{
/* do nothing */ ;
} else
#endif /* SLAP_ACL_HONOR_DISCLOSE */
{
} else {
rs->sr_matched = matched->e_dn;
}
}
@ -75,7 +72,6 @@ monitor_back_modify( Operation *op, SlapReply *rs )
rc = monitor_entry_modify( op, rs, e );
}
#ifdef SLAP_ACL_HONOR_DISCLOSE
if ( rc != LDAP_SUCCESS ) {
if ( !access_allowed_mask( op, e, slap_schema.si_ad_entry,
NULL, ACL_DISCLOSE, NULL, NULL ) )
@ -83,7 +79,6 @@ monitor_back_modify( Operation *op, SlapReply *rs )
rc = LDAP_NO_SUCH_OBJECT;
}
}
#endif /* SLAP_ACL_HONOR_DISCLOSE */
rs->sr_err = rc;
send_ldap_result( op, rs );

10
servers/slapd/back-monitor/search.c
View File

@ -175,15 +175,12 @@ monitor_back_search( Operation *op, SlapReply *rs )
if ( e == NULL ) {
rs->sr_err = LDAP_NO_SUCH_OBJECT;
if ( matched ) {
#ifdef SLAP_ACL_HONOR_DISCLOSE
if ( !access_allowed_mask( op, matched,
slap_schema.si_ad_entry,
NULL, ACL_DISCLOSE, NULL, NULL ) )
{
/* do nothing */ ;
} else
#endif /* SLAP_ACL_HONOR_DISCLOSE */
{
} else {
rs->sr_matched = matched->e_dn;
}
}
@ -204,12 +201,9 @@ monitor_back_search( Operation *op, SlapReply *rs )
{
monitor_cache_release( mi, e );
#ifdef SLAP_ACL_HONOR_DISCLOSE
if ( !ACL_GRANT( mask, ACL_DISCLOSE ) ) {
rs->sr_err = LDAP_NO_SUCH_OBJECT;
} else
#endif /* SLAP_ACL_HONOR_DISCLOSE */
{
} else {
rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
}

2
servers/slapd/back-sql/add.c
View File

@ -1478,7 +1478,6 @@ done:;
* in deleting that row.
*/
#ifdef SLAP_ACL_HONOR_DISCLOSE
if ( e != NULL ) {
int disclose = 1;
@ -1503,7 +1502,6 @@ done:;
}
}
}
#endif /* SLAP_ACL_HONOR_DISCLOSE */
send_ldap_result( op, rs );
slap_graduate_commit_csn( op );

2
servers/slapd/back-sql/compare.c
View File

@ -150,7 +150,6 @@ return_results:;
break;
default:
#ifdef SLAP_ACL_HONOR_DISCLOSE
if ( !BER_BVISNULL( &e.e_nname ) &&
! access_allowed( op, &e,
slap_schema.si_ad_entry, NULL,
@ -159,7 +158,6 @@ return_results:;
rs->sr_err = LDAP_NO_SUCH_OBJECT;
rs->sr_text = NULL;
}
#endif /* SLAP_ACL_HONOR_DISCLOSE */
break;
}

2
servers/slapd/back-sql/delete.c
View File

@ -448,7 +448,6 @@ backsql_delete( Operation *op, SlapReply *rs )
}
done:;
#ifdef SLAP_ACL_HONOR_DISCLOSE
if ( e != NULL ) {
if ( !access_allowed( op, e, slap_schema.si_ad_entry, NULL,
ACL_DISCLOSE, NULL ) )
@ -462,7 +461,6 @@ done:;
}
}
}
#endif /* SLAP_ACL_HONOR_DISCLOSE */
send_ldap_result( op, rs );

2
servers/slapd/back-sql/modify.c
View File

@ -174,7 +174,6 @@ do_transact:;
SQLTransact( SQL_NULL_HENV, dbh, CompletionType );
done:;
#ifdef SLAP_ACL_HONOR_DISCLOSE
if ( e != NULL ) {
if ( !access_allowed( op, e, slap_schema.si_ad_entry, NULL,
ACL_DISCLOSE, NULL ) )
@ -188,7 +187,6 @@ done:;
}
}
}
#endif /* SLAP_ACL_HONOR_DISCLOSE */
send_ldap_result( op, rs );
slap_graduate_commit_csn( op );

2
servers/slapd/back-sql/modrdn.c
View File

@ -464,7 +464,6 @@ backsql_modrdn( Operation *op, SlapReply *rs )
}
done:;
#ifdef SLAP_ACL_HONOR_DISCLOSE
if ( e != NULL ) {
if ( !access_allowed( op, e, slap_schema.si_ad_entry, NULL,
ACL_DISCLOSE, NULL ) )
@ -478,7 +477,6 @@ done:;
}
}
}
#endif /* SLAP_ACL_HONOR_DISCLOSE */
/*
* Commit only if all operations succeed

4
servers/slapd/back-sql/search.c
View File

@ -1968,7 +1968,6 @@ backsql_search( Operation *op, SlapReply *rs )
/* fall thru */
default:
#ifdef SLAP_ACL_HONOR_DISCLOSE
if ( !BER_BVISNULL( &base_entry.e_nname )
&& !access_allowed( op, &base_entry,
slap_schema.si_ad_entry, NULL,
@ -1982,7 +1981,6 @@ backsql_search( Operation *op, SlapReply *rs )
rs->sr_matched = NULL;
rs->sr_text = NULL;
}
#endif /* SLAP_ACL_HONOR_DISCLOSE */
send_ldap_result( op, rs );
@ -1997,7 +1995,6 @@ backsql_search( Operation *op, SlapReply *rs )
goto done;
}
#ifdef SLAP_ACL_HONOR_DISCLOSE
/* NOTE: __NEW__ "search" access is required
* on searchBase object */
{
@ -2028,7 +2025,6 @@ backsql_search( Operation *op, SlapReply *rs )
goto done;
}
}
#endif /* SLAP_ACL_HONOR_DISCLOSE */
bsi.bsi_e = NULL;

10
servers/slapd/backend.c
View File

@ -1420,13 +1420,8 @@ backend_group(
be_orig = op->o_bd;
op->o_bd = frontendDB;
#ifdef SLAP_OVERLAY_ACCESS
rc = frontendDB->be_group( op, target, gr_ndn,
op_ndn, group_oc, group_at );
#else /* ! SLAP_OVERLAY_ACCESS */
rc = fe_acl_group( op, target, gr_ndn,
op_ndn, group_oc, group_at );
#endif /* ! SLAP_OVERLAY_ACCESS */
op->o_bd = be_orig;
return rc;
@ -1573,13 +1568,8 @@ backend_attribute(
be_orig = op->o_bd;
op->o_bd = frontendDB;
#ifdef SLAP_OVERLAY_ACCESS
rc = frontendDB->be_attribute( op, target, edn,
entry_at, vals, access );
#else /* !SLAP_OVERLAY_ACCESS */
rc = fe_acl_attribute( op, target, edn,
entry_at, vals, access );
#endif /* !SLAP_OVERLAY_ACCESS */
op->o_bd = be_orig;
return rc;

4
servers/slapd/backover.c
View File

@ -239,7 +239,6 @@ over_back_response ( Operation *op, SlapReply *rs )
return rc;
}
#ifdef SLAP_OVERLAY_ACCESS
static int
over_access_allowed(
Operation *op,
@ -450,7 +449,6 @@ over_acl_attribute(
return rc;
}
#endif /* SLAP_OVERLAY_ACCESS */
/*
* default return code in case of missing backend function
@ -1018,12 +1016,10 @@ overlay_config( BackendDB *be, const char *ov )
bi->bi_chk_referrals = over_aux_chk_referrals;
bi->bi_chk_controls = over_aux_chk_controls;
#ifdef SLAP_OVERLAY_ACCESS
/* these have specific arglists */
bi->bi_access_allowed = over_access_allowed;
bi->bi_acl_group = over_acl_group;
bi->bi_acl_attribute = over_acl_attribute;
#endif /* SLAP_OVERLAY_ACCESS */
bi->bi_connection_init = over_connection_init;
bi->bi_connection_destroy = over_connection_destroy;

2
servers/slapd/bconfig.c
View File

@ -4928,9 +4928,7 @@ config_back_initialize( BackendInfo *bi )
bi->bi_chk_referrals = 0;
#ifdef SLAP_OVERLAY_ACCESS
bi->bi_access_allowed = slap_access_always_allowed;
#endif /* SLAP_OVERLAY_ACCESS */
bi->bi_connection_init = 0;
bi->bi_connection_destroy = 0;

6
servers/slapd/compare.c
View File

@ -284,7 +284,6 @@ fe_op_compare( Operation *op, SlapReply *rs )
}
} else {
#ifdef SLAP_ACL_HONOR_DISCLOSE
/* return error only if "disclose"
* is granted on the object */
if ( backend_access( op, NULL, &op->o_req_ndn,
@ -293,7 +292,6 @@ fe_op_compare( Operation *op, SlapReply *rs )
{
rs->sr_err = LDAP_NO_SUCH_OBJECT;
}
#endif /* SLAP_ACL_HONOR_DISCLOSE */
}
send_ldap_result( op, rs );
@ -328,7 +326,6 @@ fe_op_compare( Operation *op, SlapReply *rs )
ava.aa_desc, &vals, ACL_COMPARE );
switch ( rs->sr_err ) {
default:
#ifdef SLAP_ACL_HONOR_DISCLOSE
/* return error only if "disclose"
* is granted on the object */
if ( backend_access( op, NULL, &op->o_req_ndn,
@ -338,7 +335,6 @@ fe_op_compare( Operation *op, SlapReply *rs )
{
rs->sr_err = LDAP_NO_SUCH_OBJECT;
}
#endif /* SLAP_ACL_HONOR_DISCLOSE */
break;
case LDAP_SUCCESS:
@ -416,7 +412,6 @@ static int compare_entry(
}
done:
#ifdef LDAP_ACL_HONOR_DISCLOSE
if( rc != LDAP_COMPARE_TRUE && rc != LDAP_COMPARE_FALSE ) {
if ( ! access_allowed( op, e,
slap_schema.si_ad_entry, NULL, ACL_DISCLOSE, NULL ) )
@ -424,7 +419,6 @@ done:
rc = LDAP_NO_SUCH_OBJECT;
}
}
#endif
return rc;
}

17
servers/slapd/entry.c
View File

@ -269,23 +269,14 @@ str2entry2( char *s, int checkvals )
ad->ad_type->sat_syntax->ssyn_pretty;
if ( pretty ) {
#ifdef SLAP_ORDERED_PRETTYNORM
rc = ordered_value_pretty( ad,
&vals[i], &pval, NULL );
#else /* ! SLAP_ORDERED_PRETTYNORM */
rc = pretty( ad->ad_type->sat_syntax,
&vals[i], &pval, NULL );
#endif /* ! SLAP_ORDERED_PRETTYNORM */
} else if ( validate ) {
/*
* validate value per syntax
*/
#ifdef SLAP_ORDERED_PRETTYNORM
rc = ordered_value_validate( ad, &vals[i], LDAP_MOD_ADD );
#else /* ! SLAP_ORDERED_PRETTYNORM */
rc = validate( ad->ad_type->sat_syntax, &vals[i] );
#endif /* ! SLAP_ORDERED_PRETTYNORM */
} else {
Debug( LDAP_DEBUG_ANY,
@ -315,19 +306,11 @@ str2entry2( char *s, int checkvals )
if ( ad->ad_type->sat_equality &&
ad->ad_type->sat_equality->smr_normalize )
{
#ifdef SLAP_ORDERED_PRETTYNORM
rc = ordered_value_normalize(
SLAP_MR_VALUE_OF_ATTRIBUTE_SYNTAX,
ad,
ad->ad_type->sat_equality,
&vals[i], &nvals[i], NULL );
#else /* ! SLAP_ORDERED_PRETTYNORM */
rc = ad->ad_type->sat_equality->smr_normalize(
SLAP_MR_VALUE_OF_ATTRIBUTE_SYNTAX,
ad->ad_type->sat_syntax,
ad->ad_type->sat_equality,
&vals[i], &nvals[i], NULL );
#endif /* ! SLAP_ORDERED_PRETTYNORM */
if ( rc ) {
Debug( LDAP_DEBUG_ANY,

2
servers/slapd/frontend.c
View File

@ -119,11 +119,9 @@ frontend_init( void )
frontendDB->bd_info->bi_entry_get_rw = fe_entry_get_rw;
frontendDB->bd_info->bi_entry_release_rw = fe_entry_release_rw;
#endif
#ifdef SLAP_OVERLAY_ACCESS
frontendDB->bd_info->bi_access_allowed = fe_access_allowed;
frontendDB->bd_info->bi_acl_group = fe_acl_group;
frontendDB->bd_info->bi_acl_attribute = fe_acl_attribute;
#endif /* SLAP_OVERLAY_ACCESS */
#if 0
/* FIXME: is this too early? */

18
servers/slapd/modify.c
View File

@ -656,21 +656,11 @@ int slap_mods_check(
struct berval pval;
if ( pretty ) {
#ifdef SLAP_ORDERED_PRETTYNORM
rc = ordered_value_pretty( ad,
&ml->sml_values[nvals], &pval, ctx );
#else /* ! SLAP_ORDERED_PRETTYNORM */
rc = pretty( ad->ad_type->sat_syntax,
&ml->sml_values[nvals], &pval, ctx );
#endif /* ! SLAP_ORDERED_PRETTYNORM */
} else {
#ifdef SLAP_ORDERED_PRETTYNORM
rc = ordered_value_validate( ad,
&ml->sml_values[nvals], ml->sml_op );
#else /* ! SLAP_ORDERED_PRETTYNORM */
rc = validate( ad->ad_type->sat_syntax,
&ml->sml_values[nvals] );
#endif /* ! SLAP_ORDERED_PRETTYNORM */
}
if( rc != 0 ) {
@ -716,19 +706,11 @@ int slap_mods_check(
(nvals+1)*sizeof(struct berval), ctx );
for ( nvals = 0; !BER_BVISNULL( &ml->sml_values[nvals] ); nvals++ ) {
#ifdef SLAP_ORDERED_PRETTYNORM
rc = ordered_value_normalize(
SLAP_MR_VALUE_OF_ATTRIBUTE_SYNTAX,
ad,
ad->ad_type->sat_equality,
&ml->sml_values[nvals], &ml->sml_nvalues[nvals], ctx );
#else /* ! SLAP_ORDERED_PRETTYNORM */
rc = ad->ad_type->sat_equality->smr_normalize(
SLAP_MR_VALUE_OF_ATTRIBUTE_SYNTAX,
ad->ad_type->sat_syntax,
ad->ad_type->sat_equality,
&ml->sml_values[nvals], &ml->sml_nvalues[nvals], ctx );
#endif /* ! SLAP_ORDERED_PRETTYNORM */
if ( rc ) {
Debug( LDAP_DEBUG_ANY,
"<= str2entry NULL (ssyn_normalize %d)\n",

34
servers/slapd/overlays/dds.c
View File

@ -357,7 +357,6 @@ dds_op_add( Operation *op, SlapReply *rs )
slap_schema.si_oc_dynamicObject, NULL, 0, &e );
if ( rc == LDAP_SUCCESS && e != NULL ) {
if ( !is_dynamicObject ) {
#ifdef SLAP_ACL_HONOR_DISCLOSE
/* return referral only if "disclose"
* is granted on the object */
if ( ! access_allowed( op, e,
@ -367,9 +366,7 @@ dds_op_add( Operation *op, SlapReply *rs )
rc = rs->sr_err = LDAP_NO_SUCH_OBJECT;
send_ldap_result( op, rs );
} else
#endif /* SLAP_ACL_HONOR_DISCLOSE */
{
} else {
rc = rs->sr_err = LDAP_CONSTRAINT_VIOLATION;
send_ldap_error( op, rs, rc, "no static subordinate entries allowed for dynamicObject" );
}
@ -580,15 +577,12 @@ dds_op_modify( Operation *op, SlapReply *rs )
if ( BER_BVISEMPTY( &bv_entryTtl )
|| !bvmatch( &bv_entryTtl, &mod->sml_values[ 0 ] ) )
{
#ifdef SLAP_ACL_HONOR_DISCLOSE
rs->sr_err = backend_attribute( op, NULL, &op->o_req_ndn,
slap_schema.si_ad_entry, NULL, ACL_DISCLOSE );
if ( rs->sr_err == LDAP_INSUFFICIENT_ACCESS ) {
rs->sr_err = LDAP_NO_SUCH_OBJECT;
} else
#endif /* SLAP_ACL_HONOR_DISCLOSE */
{
} else {
rs->sr_err = LDAP_NO_SUCH_ATTRIBUTE;
}
goto done;
@ -609,15 +603,12 @@ dds_op_modify( Operation *op, SlapReply *rs )
assert( BER_BVISNULL( &mod->sml_values[ 1 ] ) );
if ( !BER_BVISEMPTY( &bv_entryTtl ) ) {
#ifdef SLAP_ACL_HONOR_DISCLOSE
rs->sr_err = backend_attribute( op, NULL, &op->o_req_ndn,
slap_schema.si_ad_entry, NULL, ACL_DISCLOSE );
if ( rs->sr_err == LDAP_INSUFFICIENT_ACCESS ) {
rs->sr_err = LDAP_NO_SUCH_OBJECT;
} else
#endif /* SLAP_ACL_HONOR_DISCLOSE */
{
} else {
rs->sr_text = "attribute 'entryTtl' cannot have multiple values";
rs->sr_err = LDAP_CONSTRAINT_VIOLATION;
}
@ -649,15 +640,12 @@ dds_op_modify( Operation *op, SlapReply *rs )
case LDAP_MOD_INCREMENT:
if ( BER_BVISEMPTY( &bv_entryTtl ) ) {
#ifdef SLAP_ACL_HONOR_DISCLOSE
rs->sr_err = backend_attribute( op, NULL, &op->o_req_ndn,
slap_schema.si_ad_entry, NULL, ACL_DISCLOSE );
if ( rs->sr_err == LDAP_INSUFFICIENT_ACCESS ) {
rs->sr_err = LDAP_NO_SUCH_OBJECT;
} else
#endif /* SLAP_ACL_HONOR_DISCLOSE */
{
} else {
rs->sr_err = LDAP_NO_SUCH_ATTRIBUTE;
rs->sr_text = "modify/increment: entryTtl: no such attribute";
}
@ -678,7 +666,6 @@ dds_op_modify( Operation *op, SlapReply *rs )
}
if ( rs->sr_err != LDAP_SUCCESS ) {
#ifdef SLAP_ACL_HONOR_DISCLOSE
rc = backend_attribute( op, NULL, &op->o_req_ndn,
slap_schema.si_ad_entry, NULL, ACL_DISCLOSE );
if ( rc == LDAP_INSUFFICIENT_ACCESS ) {
@ -686,7 +673,6 @@ dds_op_modify( Operation *op, SlapReply *rs )
rs->sr_err = LDAP_NO_SUCH_OBJECT;
}
#endif /* SLAP_ACL_HONOR_DISCLOSE */
goto done;
}
@ -761,7 +747,6 @@ done:;
rs->sr_err = LDAP_OBJECT_CLASS_VIOLATION;
}
#ifdef SLAP_ACL_HONOR_DISCLOSE
if ( rc != LDAP_SUCCESS ) {
rc = backend_attribute( op, NULL, &op->o_req_ndn,
slap_schema.si_ad_entry, NULL, ACL_DISCLOSE );
@ -770,7 +755,6 @@ done:;
rs->sr_err = LDAP_NO_SUCH_OBJECT;
}
}
#endif /* SLAP_ACL_HONOR_DISCLOSE */
}
}
@ -850,7 +834,6 @@ dds_op_rename( Operation *op, SlapReply *rs )
slap_schema.si_oc_dynamicObject, NULL, 0, &e );
if ( rc == LDAP_SUCCESS && e != NULL ) {
if ( !is_dynamicObject ) {
#ifdef SLAP_ACL_HONOR_DISCLOSE
/* return referral only if "disclose"
* is granted on the object */
if ( ! access_allowed( op, e,
@ -860,9 +843,7 @@ dds_op_rename( Operation *op, SlapReply *rs )
rs->sr_err = LDAP_NO_SUCH_OBJECT;
send_ldap_result( op, rs );
} else
#endif /* SLAP_ACL_HONOR_DISCLOSE */
{
} else {
send_ldap_error( op, rs, LDAP_CONSTRAINT_VIOLATION,
"static entry cannot have dynamicObject as newSuperior" );
}
@ -1072,7 +1053,6 @@ dds_op_extended( Operation *op, SlapReply *rs )
rs->sr_err = be_entry_get_rw( op, &op->o_req_ndn,
NULL, NULL, 0, &e );
if ( rs->sr_err == LDAP_SUCCESS && e != NULL ) {
#ifdef SLAP_ACL_HONOR_DISCLOSE
/* return referral only if "disclose"
* is granted on the object */
if ( ! access_allowed( op, e,
@ -1081,9 +1061,7 @@ dds_op_extended( Operation *op, SlapReply *rs )
{
rs->sr_err = LDAP_NO_SUCH_OBJECT;
} else
#endif /* SLAP_ACL_HONOR_DISCLOSE */
{
} else {
rs->sr_err = LDAP_OBJECT_CLASS_VIOLATION;
rs->sr_text = "refresh operation only applies to dynamic objects";
}

4
servers/slapd/proto-slap.h
View File

@ -50,7 +50,6 @@ LDAP_SLAPD_F (int) access_allowed_mask LDAP_P((
AccessControlState *state,
slap_mask_t *mask ));
#define access_allowed(op,e,desc,val,access,state) access_allowed_mask(op,e,desc,val,access,state,NULL)
#ifdef SLAP_OVERLAY_ACCESS
LDAP_SLAPD_F (int) slap_access_allowed LDAP_P((
Operation *op,
Entry *e,
@ -67,7 +66,6 @@ LDAP_SLAPD_F (int) slap_access_always_allowed LDAP_P((
slap_access_t access,
AccessControlState *state,
slap_mask_t *maskp ));
#endif /* SLAP_OVERLAY_ACCESS */
LDAP_SLAPD_F (int) acl_check_modlist LDAP_P((
Operation *op, Entry *e, Modifications *ml ));
@ -1440,7 +1438,6 @@ LDAP_SLAPD_F (int) slap_sasl_rewrite_config LDAP_P((
int argc,
char **argv ));
#endif /* SLAP_AUTH_REWRITE */
#ifdef SLAP_AUTHZ_SYNTAX
LDAP_SLAPD_F (int) authzValidate LDAP_P((
Syntax *syn, struct berval *in ));
#if 0
@ -1464,7 +1461,6 @@ LDAP_SLAPD_F (int) authzNormalize LDAP_P((
struct berval *val,
struct berval *normalized,
void *ctx ));
#endif /* SLAP_AUTHZ_SYNTAX */
/*
* schema.c

14
servers/slapd/saslauthz.c
View File

@ -202,7 +202,6 @@ int slap_parse_user( struct berval *id, struct berval *user,
return LDAP_SUCCESS;
}
#ifdef SLAP_AUTHZ_SYNTAX
int
authzValidate(
Syntax *syntax,
@ -919,7 +918,6 @@ authzPretty(
return rc;
}
#endif /* SLAP_AUTHZ_SYNTAX */
static int
slap_parseURI(
@ -936,9 +934,7 @@ slap_parseURI(
int rc;
LDAPURLDesc *ludp;
#ifdef SLAP_ORDERED_PRETTYNORM
struct berval idx;
#endif /* SLAP_ORDERED_PRETTYNORM */
assert( uri != NULL && !BER_BVISNULL( uri ) );
BER_BVZERO( base );
@ -952,7 +948,6 @@ slap_parseURI(
rc = LDAP_PROTOCOL_ERROR;
#ifdef SLAP_ORDERED_PRETTYNORM
idx = *uri;
if ( idx.bv_val[ 0 ] == '{' ) {
char *ptr;
@ -965,7 +960,6 @@ slap_parseURI(
idx.bv_val = ptr;
uri = &idx;
}
#endif /* SLAP_ORDERED_PRETTYNORM */
/*
* dn[.<dnstyle>]:<dnpattern>
@ -1677,13 +1671,7 @@ slap_sasl_match( Operation *opx, struct berval *rule,
/* NOTE: don't normalize rule if authz syntax is enabled */
rc = slap_parseURI( opx, rule, &base, &op.o_req_ndn,
&op.ors_scope, &op.ors_filter, &op.ors_filterstr,
#ifdef SLAP_AUTHZ_SYNTAX
0
#else /* ! SLAP_AUTHZ_SYNTAX */
1
#endif /* ! SLAP_AUTHZ_SYNTAX */
);
&op.ors_scope, &op.ors_filter, &op.ors_filterstr, 0 );
if( rc != LDAP_SUCCESS ) goto CONCLUDED;

6
servers/slapd/schema_init.c
View File

@ -67,10 +67,8 @@
#define csnIndexer generalizedTimeIndexer
#define csnFilter generalizedTimeFilter
#ifdef SLAP_AUTHZ_SYNTAX
/* FIXME: temporary */
#define authzMatch octetStringMatch
#endif /* SLAP_AUTHZ_SYNTAX */
unsigned int index_substr_if_minlen = SLAP_INDEX_SUBSTR_IF_MINLEN_DEFAULT;
unsigned int index_substr_if_maxlen = SLAP_INDEX_SUBSTR_IF_MAXLEN_DEFAULT;
@ -4180,11 +4178,9 @@ static slap_syntax_defs_rec syntax_defs[] = {
{"( 1.3.6.1.4.1.4203.1.1.1 DESC 'OpenLDAP void' )" ,
SLAP_SYNTAX_HIDE, inValidate, NULL},
#ifdef SLAP_AUTHZ_SYNTAX
/* FIXME: OID is unused, but not registered yet */
{"( 1.3.6.1.4.1.4203.666.2.7 DESC 'OpenLDAP authz' )",
SLAP_SYNTAX_HIDE, authzValidate, authzPretty},
#endif /* SLAP_AUTHZ_SYNTAX */
{NULL, 0, NULL, NULL}
};
@ -4618,7 +4614,6 @@ static slap_mrule_defs_rec mrule_defs[] = {
NULL, NULL,
"CSNMatch" },
#ifdef SLAP_AUTHZ_SYNTAX
/* FIXME: OID is unused, but not registered yet */
{"( 1.3.6.1.4.1.4203.666.4.12 NAME 'authzMatch' "
"SYNTAX 1.3.6.1.4.1.4203.666.2.7 )",
@ -4626,7 +4621,6 @@ static slap_mrule_defs_rec mrule_defs[] = {
NULL, authzNormalize, authzMatch,
NULL, NULL,
NULL},
#endif /* SLAP_AUTHZ_SYNTAX */
{NULL, SLAP_MR_NONE, NULL,
NULL, NULL, NULL, NULL, NULL,

14
servers/slapd/schema_prep.c
View File

@ -855,16 +855,9 @@ static struct slap_schema_ad_map {
{ "authzTo", "( 1.3.6.1.4.1.4203.666.1.8 "
"NAME ( 'authzTo' 'saslAuthzTo' ) "
"DESC 'proxy authorization targets' "
#ifdef SLAP_AUTHZ_SYNTAX
"EQUALITY authzMatch "
"SYNTAX 1.3.6.1.4.1.4203.666.2.7 "
#else /* ! SLAP_AUTHZ_SYNTAX */
"EQUALITY caseExactMatch "
"SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 "
#endif /* ! SLAP_AUTHZ_SYNTAX */
#ifdef SLAP_ORDERED_PRETTYNORM
"X-ORDERED 'VALUES' "
#endif /* SLAP_ORDERED_PRETTYNORM */
"USAGE distributedOperation )",
NULL, SLAP_AT_HIDE,
NULL, NULL,
@ -873,16 +866,9 @@ static struct slap_schema_ad_map {
{ "authzFrom", "( 1.3.6.1.4.1.4203.666.1.9 "
"NAME ( 'authzFrom' 'saslAuthzFrom' ) "
"DESC 'proxy authorization sources' "
#ifdef SLAP_AUTHZ_SYNTAX
"EQUALITY authzMatch "
"SYNTAX 1.3.6.1.4.1.4203.666.2.7 "
#else /* ! SLAP_AUTHZ_SYNTAX */
"EQUALITY caseExactMatch "
"SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 "
#endif /* ! SLAP_AUTHZ_SYNTAX */
#ifdef SLAP_ORDERED_PRETTYNORM
"X-ORDERED 'VALUES' "
#endif /* SLAP_ORDERED_PRETTYNORM */
"USAGE distributedOperation )",
NULL, SLAP_AT_HIDE,
NULL, NULL,

23
servers/slapd/slap.h
View File

@ -64,26 +64,19 @@ LDAP_BEGIN_DECL
#define SLAP_SEM_LOAD_CONTROL
#endif
#define SLAP_ACL_HONOR_DISCLOSE /* partially implemented */
#define SLAP_ACL_HONOR_MANAGE /* not yet implemented */
#define SLAP_OVERLAY_ACCESS
#define LDAP_COMP_MATCH
#define LDAP_DYNAMIC_OBJECTS
#define LDAP_SYNC_TIMESTAMP
#ifdef LDAP_DEVEL
#define LDAP_COLLECTIVE_ATTRIBUTES
#define SLAP_CONTROL_X_TREE_DELETE LDAP_CONTROL_X_TREE_DELETE
#define LDAP_COMP_MATCH
#define LDAP_SYNC_TIMESTAMP
#endif
#define SLAP_ORDERED_PRETTYNORM
#define SLAP_AUTHZ_SYNTAX
#define LDAP_DYNAMIC_OBJECTS
#define SLAP_CONTROL_X_TREE_DELETE LDAP_CONTROL_X_TREE_DELETE
#ifdef ENABLE_REWRITE
#define SLAP_AUTH_REWRITE 1 /* use librewrite for sasl-regexp */
#endif
#if defined(LDAP_SLAPI) && !defined(SLAP_OVERLAY_ACCESS)
#define SLAP_OVERLAY_ACCESS
#endif
/*
* SLAPD Memory allocation macros
*
@ -2019,7 +2012,6 @@ typedef int (BI_entry_get_rw) LDAP_P(( struct slap_op *op, struct berval *ndn,
typedef int (BI_operational) LDAP_P(( struct slap_op *op, struct slap_rep *rs ));
typedef int (BI_has_subordinates) LDAP_P(( struct slap_op *op,
Entry *e, int *hasSubs ));
#ifdef SLAP_OVERLAY_ACCESS
typedef int (BI_access_allowed) LDAP_P(( struct slap_op *op, Entry *e,
AttributeDescription *desc, struct berval *val, slap_access_t access,
AccessControlState *state, slap_mask_t *maskp ));
@ -2029,7 +2021,6 @@ typedef int (BI_acl_group) LDAP_P(( struct slap_op *op, Entry *target,
typedef int (BI_acl_attribute) LDAP_P(( struct slap_op *op, Entry *target,
struct berval *entry_ndn, AttributeDescription *entry_at,
BerVarray *vals, slap_access_t access ));
#endif /* SLAP_OVERLAY_ACCESS */
typedef int (BI_conn_func) LDAP_P(( BackendDB *bd, struct slap_conn *c ));
typedef BI_conn_func BI_connection_init;
@ -2128,11 +2119,9 @@ struct slap_backend_info {
BI_entry_release_rw *bi_entry_release_rw;
BI_has_subordinates *bi_has_subordinates;
#ifdef SLAP_OVERLAY_ACCESS
BI_access_allowed *bi_access_allowed;
BI_acl_group *bi_acl_group;
BI_acl_attribute *bi_acl_attribute;
#endif /* SLAP_OVERLAY_ACCESS */
BI_connection_init *bi_connection_init;
BI_connection_destroy *bi_connection_destroy;