← Back to branch summary

~ubuntu-branches/debian/experimental/389-ds-base/experimental

« back to all changes in this revision

Viewing changes to ldap/servers/plugins/acl/acllas.c

  • Committer: Package Import Robot
  • Author(s): Timo Aaltonen
  • Date: 2014-07-08 15:50:11 UTC
  • mfrom: (0.2.2)
  • Revision ID: package-import@ubuntu.com-20140708155011-r66lvtioamqwaype
Tags: 1.3.2.19-1
* New upstream release.
* admin_scripts.diff: Updated to fix more bashisms.
* watch: Update the url.
* Install failedbinds.py and logregex.py scripts.
* init: Use status from init-functions.
* control: Update my email.

Show diffs side-by-side

added added

removed removed

Lines of Context:
ldap/servers/plugins/acl/acllas.c
179
179
                DS_LASRoleDnEval                - LAS Evaluation for ROLEDN             -
180
180
                        three-valued logic
181
181
                        logical combination: || and !=
182
 
                DS_LASUserDnAttrEval    - LAS Evaluation for USERDNATTR -
 
182
                DS_LASUserDnAttrEval    - LAS Evaluation for USERDNATTR and SELFDNATTR-
183
183
                        three-valued logic  
184
184
                        logical combination || (over specified attribute values and
185
185
                        parent keyword levels), !=
1170
1170
        char                    *attrs[2] = { LDAP_ALL_USER_ATTRS, NULL };
1171
1171
        lasInfo                 lasinfo;
1172
1172
        int                             got_undefined = 0;
 
1173
        PRBool selfdn;
 
1174
        
 
1175
        if (attr_name == NULL ||
 
1176
                (strcmp(DS_LAS_SELFDNATTR, attr_name) && strcmp(DS_LAS_USERDNATTR, attr_name))) {
 
1177
                slapi_log_error( SLAPI_LOG_FATAL, plugin_name, 
 
1178
                        "DS_LASUserDnattr: invalid attr_name (should be %s or %s)\n",
 
1179
                        DS_LAS_SELFDNATTR, DS_LAS_USERDNATTR);
 
1180
                return LAS_EVAL_FAIL;
 
1181
        }
 
1182
        selfdn = (strcmp(DS_LAS_SELFDNATTR, attr_name) == 0) ? PR_TRUE : PR_FALSE;
1173
1183
 
1174
1184
        if ( 0 !=  (rc = __acllas_setup (errp, attr_name, comparator, 0, /* Don't allow range comparators */
1175
1185
                                                                        attr_pattern,cachable,LAS_cookie,
1176
1186
                                                                        subject, resource, auth_info,global_auth,
1177
 
                                                                        DS_LAS_USERDNATTR, "DS_LASUserDnAttrEval", 
 
1187
                                                                        attr_name, "DS_LASUserDnAttrEval", 
1178
1188
                                                                        &lasinfo )) ) {
1179
1189
                return LAS_EVAL_FAIL;
1180
1190
        }
1269
1279
                if ( levels[i] == 0 ) {
1270
1280
                        Slapi_Value *sval=NULL;
1271
1281
                        const struct berval             *attrVal;
 
1282
                        int numValues = 0;
1272
1283
                        int j;
1273
1284
 
1274
1285
                        /*
1280
1291
                        */
1281
1292
 
1282
1293
                        if ( lasinfo.aclpb->aclpb_optype == SLAPI_OPERATION_ADD) {
1283
 
                                slapi_log_error( SLAPI_LOG_ACL, plugin_name,
1284
 
                                        "ACL info: userdnAttr does not allow ADD permission at level 0.\n");
1285
 
                                got_undefined = 1;
1286
 
                                continue;
 
1294
                                if (selfdn) {
 
1295
                                        slapi_log_error(SLAPI_LOG_ACL, plugin_name,
 
1296
                                                "ACL info: %s DOES allow ADD permission at level 0.\n", attr_name);
 
1297
                                } else {
 
1298
                                        slapi_log_error(SLAPI_LOG_ACL, plugin_name,
 
1299
                                                "ACL info: %s does not allow ADD permission at level 0.\n", attr_name);
 
1300
                                        got_undefined = 1;
 
1301
                                        continue;
 
1302
                                }
1287
1303
                        }
1288
1304
                        slapi_entry_attr_find( lasinfo.resourceEntry, attrName, &a);
1289
1305
                        if ( NULL == a ) continue;
 
1306
                        
 
1307
                        if (selfdn) {
 
1308
                                /* Checks that attrName has only one value. This is the only condition enforced
 
1309
                                 * when using SELFDN
 
1310
                                 */
 
1311
                                slapi_attr_get_numvalues((const Slapi_Attr *) a, &numValues);
 
1312
                                if (numValues != 1) {
 
1313
                                        slapi_log_error(SLAPI_LOG_ACL, plugin_name,
 
1314
                                                "DS_LASSelfDnAttrEval: fail because the retrieved %s in resource has more than one value (%d)\n",
 
1315
                                                attrName, numValues);
 
1316
                                        got_undefined = 1;
 
1317
                                        continue;
 
1318
                                }
 
1319
                        }
1290
1320
                        j= slapi_attr_first_value ( a,&sval );
1291
1321
                        while ( j != -1 ) {
1292
1322
                                attrVal = slapi_value_get_berval ( sval );
1304
1334
                                        char    ebuf [ BUFSIZ ];
1305
1335
                                        /* Wow it matches */
1306
1336
                                        slapi_log_error( SLAPI_LOG_ACL, plugin_name,
1307
 
                                                "userdnAttr matches(%s, %s) level (%d)\n",
 
1337
                                                "%s matches(%s, %s) level (%d)\n", attr_name,
1308
1338
                                                val,
1309
1339
                                ACL_ESCAPE_STRING_WITH_PUNCTUATION (lasinfo.clientDn, ebuf),
1310
1340
                                                0);
1356
1386
                        if (info.result) {
1357
1387
                                matched = ACL_TRUE;
1358
1388
                                slapi_log_error( SLAPI_LOG_ACL, plugin_name,
1359
 
                                                "userdnAttr matches at level (%d)\n", levels[i]);
 
1389
                                                "%s matches at level (%d)\n", attr_name, levels[i]);
1360
1390
                        }
1361
1391
                }
1362
1392
                if (matched == ACL_TRUE) {                              
1380
1410
        } else {
1381
1411
                rc = LAS_EVAL_FAIL;
1382
1412
                slapi_log_error( SLAPI_LOG_ACL, plugin_name, 
1383
 
                        "Returning UNDEFINED for userdnattr evaluation.\n");
 
1413
                        "Returning UNDEFINED for %s evaluation.\n", attr_name);
1384
1414
        } 
1385
1415
 
1386
1416
        return rc;
3385
3415
                                                        attrName, cachable, LAS_cookie,
3386
3416
                                                        subject, resource, auth_info, global_auth);
3387
3417
                goto done_las;
3388
 
        }
 
3418
        } else if (0 == strncasecmp ( attrValue, "SELFDN", 6)) {
 
3419
                matched = DS_LASUserDnAttrEval (errp,DS_LAS_SELFDNATTR, comparator,
 
3420
                                                        attrName, cachable, LAS_cookie,
 
3421
                                                        subject, resource, auth_info, global_auth);
 
3422
                goto done_las;
 
3423
        }
3389
3424
 
3390
3425
        if ( lasinfo.aclpb && ( NULL == lasinfo.aclpb->aclpb_client_entry )) {
3391
3426
                /* SD 00/16/03 pass NULL in case the req is chained */
3618
3653
        /* Check the scope */
3619
3654
        if ( ludp->lud_scope == LDAP_SCOPE_SUBTREE ) {
3620
3655
                if (!slapi_dn_issuffix(n_clientdn, ludp->lud_dn)) {
3621
 
                        slapi_log_error( SLAPI_LOG_FATAL, plugin_name,
 
3656
                        slapi_log_error( SLAPI_LOG_ACL, plugin_name,
3622
3657
                                                         "acllas__client_match_URL: url [%s] scope is subtree but dn [%s] "
3623
3658
                                                         "is not a suffix of [%s]\n",
3624
3659
                                                         normed, ludp->lud_dn, n_clientdn );
3628
3663
                char    *parent = slapi_dn_parent (n_clientdn);
3629
3664
 
3630
3665
                if (slapi_utf8casecmp ((ACLUCHP)parent, (ACLUCHP)ludp->lud_dn) != 0 ) {
3631
 
                        slapi_log_error( SLAPI_LOG_FATAL, plugin_name,
 
3666
                        slapi_log_error( SLAPI_LOG_ACL, plugin_name,
3632
3667
                                                         "acllas__client_match_URL: url [%s] scope is onelevel but dn [%s] "
3633
3668
                                                         "is not a direct child of [%s]\n",
3634
3669
                                                         normed, ludp->lud_dn, parent );
3638
3673
                slapi_ch_free_string(&parent);
3639
3674
        } else  { /* default */
3640
3675
                if (slapi_utf8casecmp ( (ACLUCHP)n_clientdn, (ACLUCHP)ludp->lud_dn) != 0 ) {
3641
 
                        slapi_log_error( SLAPI_LOG_FATAL, plugin_name,
 
3676
                        slapi_log_error( SLAPI_LOG_ACL, plugin_name,
3642
3677
                                                         "acllas__client_match_URL: url [%s] scope is base but dn [%s] "
3643
3678
                                                         "does not match [%s]\n",
3644
3679
                                                         normed, ludp->lud_dn, n_clientdn );