search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Patrick Welche <prlw1@cam.ac.uk>
[netbsd-mini2440.git] / external / bsd / openldap / dist / servers / slapd / slapacl.c
blob67cf7b3b56b62ee8e14659fd7f67c7e06a8ea9cb
1 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
2 *
3 * Copyright 2004-2008 The OpenLDAP Foundation.
4 * Portions Copyright 2004 Pierangelo Masarati.
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted only as authorized by the OpenLDAP
9 * Public License.
10 *
11 * A copy of this license is available in file LICENSE in the
12 * top-level directory of the distribution or, alternatively, at
13 * <http://www.OpenLDAP.org/license.html>.
14 */
15 /* ACKNOWLEDGEMENTS:
16 * This work was initially developed by Pierangelo Masarati for inclusion
17 * in OpenLDAP Software.
18 */
19
20 #include "portable.h"
21
22 #include <stdio.h>
23
24 #include <ac/stdlib.h>
25
26 #include <ac/ctype.h>
27 #include <ac/string.h>
28 #include <ac/socket.h>
29 #include <ac/unistd.h>
30
31 #include <lber.h>
32 #include <ldif.h>
33 #include <lutil.h>
34
35 #include "slapcommon.h"
36
37 static int
38 print_access(
39 Operation *op,
40 Entry *e,
41 AttributeDescription *desc,
42 struct berval *val,
43 struct berval *nval )
44 {
45 int rc;
46 slap_mask_t mask;
47 char accessmaskbuf[ACCESSMASK_MAXLEN];
48
49 rc = access_allowed_mask( op, e, desc, nval, ACL_AUTH, NULL, &mask );
50
51 fprintf( stderr, "%s%s%s: %s\n",
52 desc->ad_cname.bv_val,
53 ( val && !BER_BVISNULL( val ) ) ? "=" : "",
54 ( val && !BER_BVISNULL( val ) ) ?
55 ( desc == slap_schema.si_ad_userPassword ?
56 "****" : val->bv_val ) : "",
57 accessmask2str( mask, accessmaskbuf, 1 ) );
58
59 return rc;
60 }
61
62 int
63 slapacl( int argc, char **argv )
64 {
65 int rc = EXIT_SUCCESS;
66 const char *progname = "slapacl";
67 Connection conn = { 0 };
68 Listener listener;
69 OperationBuffer opbuf;
70 Operation *op = NULL;
71 Entry e = { 0 }, *ep = &e;
72 char *attr = NULL;
73 int doclose = 0;
74 BackendDB *bd;
75
76 slap_tool_init( progname, SLAPACL, argc, argv );
77
78 if ( !dryrun ) {
79 int i = 0;
80
81 LDAP_STAILQ_FOREACH( bd, &backendDB, be_next ) {
82 if ( bd != be && backend_startup( bd ) ) {
83 fprintf( stderr, "backend_startup(#%d%s%s) failed\n",
84 i,
85 bd->be_suffix ? ": " : "",
86 bd->be_suffix ? bd->be_suffix[0].bv_val : "" );
87 rc = 1;
88 goto destroy;
89 }
90
91 i++;
92 }
93 }
94
95 argv = &argv[ optind ];
96 argc -= optind;
97
98 connection_fake_init( &conn, &opbuf, &conn );
99 op = &opbuf.ob_op;
100
101 conn.c_listener = &listener;
102 conn.c_listener_url = listener_url;
103 conn.c_peer_domain = peer_domain;
104 conn.c_peer_name = peer_name;
105 conn.c_sock_name = sock_name;
106 op->o_ssf = ssf;
107 op->o_transport_ssf = transport_ssf;
108 op->o_tls_ssf = tls_ssf;
109 op->o_sasl_ssf = sasl_ssf;
110
111 if ( !BER_BVISNULL( &authcID ) ) {
112 if ( !BER_BVISNULL( &authcDN ) ) {
113 fprintf( stderr, "both authcID=\"%s\" "
114 "and authcDN=\"%s\" provided\n",
115 authcID.bv_val, authcDN.bv_val );
116 rc = 1;
117 goto destroy;
118 }
119
120 rc = slap_sasl_getdn( &conn, op, &authcID, NULL,
121 &authcDN, SLAP_GETDN_AUTHCID );
122 if ( rc != LDAP_SUCCESS ) {
123 fprintf( stderr, "authcID: <%s> check failed %d (%s)\n",
124 authcID.bv_val, rc,
125 ldap_err2string( rc ) );
126 rc = 1;
127 goto destroy;
128 }
129
130 } else if ( !BER_BVISNULL( &authcDN ) ) {
131 struct berval ndn;
132
133 rc = dnNormalize( 0, NULL, NULL, &authcDN, &ndn, NULL );
134 if ( rc != LDAP_SUCCESS ) {
135 fprintf( stderr, "autchDN=\"%s\" normalization failed %d (%s)\n",
136 authcDN.bv_val, rc,
137 ldap_err2string( rc ) );
138 rc = 1;
139 goto destroy;
140 }
141 ch_free( authcDN.bv_val );
142 authcDN = ndn;
143 }
144
145 if ( !BER_BVISNULL( &authzID ) ) {
146 if ( !BER_BVISNULL( &authzDN ) ) {
147 fprintf( stderr, "both authzID=\"%s\" "
148 "and authzDN=\"%s\" provided\n",
149 authzID.bv_val, authzDN.bv_val );
150 rc = 1;
151 goto destroy;
152 }
153
154 rc = slap_sasl_getdn( &conn, op, &authzID, NULL,
155 &authzDN, SLAP_GETDN_AUTHZID );
156 if ( rc != LDAP_SUCCESS ) {
157 fprintf( stderr, "authzID: <%s> check failed %d (%s)\n",
158 authzID.bv_val, rc,
159 ldap_err2string( rc ) );
160 rc = 1;
161 goto destroy;
162 }
163
164 } else if ( !BER_BVISNULL( &authzDN ) ) {
165 struct berval ndn;
166
167 rc = dnNormalize( 0, NULL, NULL, &authzDN, &ndn, NULL );
168 if ( rc != LDAP_SUCCESS ) {
169 fprintf( stderr, "autchDN=\"%s\" normalization failed %d (%s)\n",
170 authzDN.bv_val, rc,
171 ldap_err2string( rc ) );
172 rc = 1;
173 goto destroy;
174 }
175 ch_free( authzDN.bv_val );
176 authzDN = ndn;
177 }
178
179
180 if ( !BER_BVISNULL( &authcDN ) ) {
181 fprintf( stderr, "authcDN: \"%s\"\n", authcDN.bv_val );
182 }
183
184 if ( !BER_BVISNULL( &authzDN ) ) {
185 fprintf( stderr, "authzDN: \"%s\"\n", authzDN.bv_val );
186 }
187
188 if ( !BER_BVISNULL( &authzDN ) ) {
189 op->o_dn = authzDN;
190 op->o_ndn = authzDN;
191
192 if ( !BER_BVISNULL( &authcDN ) ) {
193 op->o_conn->c_dn = authcDN;
194 op->o_conn->c_ndn = authcDN;
195
196 } else {
197 op->o_conn->c_dn = authzDN;
198 op->o_conn->c_ndn = authzDN;
199 }
200
201 } else if ( !BER_BVISNULL( &authcDN ) ) {
202 op->o_conn->c_dn = authcDN;
203 op->o_conn->c_ndn = authcDN;
204 op->o_dn = authcDN;
205 op->o_ndn = authcDN;
206 }
207
208 assert( !BER_BVISNULL( &baseDN ) );
209 rc = dnPrettyNormal( NULL, &baseDN, &e.e_name, &e.e_nname, NULL );
210 if ( rc != LDAP_SUCCESS ) {
211 fprintf( stderr, "base=\"%s\" normalization failed %d (%s)\n",
212 baseDN.bv_val, rc,
213 ldap_err2string( rc ) );
214 rc = 1;
215 goto destroy;
216 }
217
218 op->o_bd = be;
219 if ( op->o_bd == NULL ) {
220 /* NOTE: if no database could be found (e.g. because
221 * accessing the rootDSE or so), use the frontendDB
222 * rules; might need work */
223 op->o_bd = frontendDB;
224 }
225
226 if ( !dryrun ) {
227 ID id;
228
229 if ( be == NULL ) {
230 fprintf( stderr, "%s: no target database "
231 "has been found for baseDN=\"%s\"; "
232 "you may try with \"-u\" (dry run).\n",
233 baseDN.bv_val, progname );
234 rc = 1;
235 goto destroy;
236 }
237
238 if ( !be->be_entry_open ||
239 !be->be_entry_close ||
240 !be->be_dn2id_get ||
241 !be->be_entry_get )
242 {
243 fprintf( stderr, "%s: target database "
244 "doesn't support necessary operations; "
245 "you may try with \"-u\" (dry run).\n",
246 progname );
247 rc = 1;
248 goto destroy;
249 }
250
251 if ( be->be_entry_open( be, 0 ) != 0 ) {
252 fprintf( stderr, "%s: could not open database.\n",
253 progname );
254 rc = 1;
255 goto destroy;
256 }
257
258 doclose = 1;
259
260 id = be->be_dn2id_get( be, &e.e_nname );
261 if ( id == NOID ) {
262 fprintf( stderr, "%s: unable to fetch ID of DN \"%s\"\n",
263 progname, e.e_nname.bv_val );
264 rc = 1;
265 goto destroy;
266 }
267 ep = be->be_entry_get( be, id );
268 if ( ep == NULL ) {
269 fprintf( stderr, "%s: unable to fetch entry \"%s\" (%lu)\n",
270 progname, e.e_nname.bv_val, id );
271 rc = 1;
272 goto destroy;
273
274 }
275
276 if ( argc == 0 ) {
277 Attribute *a;
278
279 (void)print_access( op, ep, slap_schema.si_ad_entry, NULL, NULL );
280 (void)print_access( op, ep, slap_schema.si_ad_children, NULL, NULL );
281
282 for ( a = ep->e_attrs; a; a = a->a_next ) {
283 int i;
284
285 for ( i = 0; !BER_BVISNULL( &a->a_nvals[ i ] ); i++ ) {
286 (void)print_access( op, ep, a->a_desc,
287 &a->a_vals[ i ],
288 &a->a_nvals[ i ] );
289 }
290 }
291 }
292 }
293
294 for ( ; argc--; argv++ ) {
295 slap_mask_t mask;
296 AttributeDescription *desc = NULL;
297 struct berval val = BER_BVNULL,
298 *valp = NULL;
299 const char *text;
300 char accessmaskbuf[ACCESSMASK_MAXLEN];
301 char *accessstr;
302 slap_access_t access = ACL_AUTH;
303
304 if ( attr == NULL ) {
305 attr = argv[ 0 ];
306 }
307
308 val.bv_val = strchr( attr, ':' );
309 if ( val.bv_val != NULL ) {
310 val.bv_val[0] = '\0';
311 val.bv_val++;
312 val.bv_len = strlen( val.bv_val );
313 valp = &val;
314 }
315
316 accessstr = strchr( attr, '/' );
317 if ( accessstr != NULL ) {
318 int invalid = 0;
319
320 accessstr[0] = '\0';
321 accessstr++;
322 access = str2access( accessstr );
323 switch ( access ) {
324 case ACL_INVALID_ACCESS:
325 fprintf( stderr, "unknown access \"%s\" for attribute \"%s\"\n",
326 accessstr, attr );
327 invalid = 1;
328 break;
329
330 case ACL_NONE:
331 fprintf( stderr, "\"none\" not allowed for attribute \"%s\"\n",
332 attr );
333 invalid = 1;
334 break;
335
336 default:
337 break;
338 }
339
340 if ( invalid ) {
341 if ( continuemode ) {
342 continue;
343 }
344 break;
345 }
346 }
347
348 rc = slap_str2ad( attr, &desc, &text );
349 if ( rc != LDAP_SUCCESS ) {
350 fprintf( stderr, "slap_str2ad(%s) failed %d (%s)\n",
351 attr, rc, ldap_err2string( rc ) );
352 if ( continuemode ) {
353 continue;
354 }
355 break;
356 }
357
358 rc = access_allowed_mask( op, ep, desc, valp, access,
359 NULL, &mask );
360
361 if ( accessstr ) {
362 fprintf( stderr, "%s access to %s%s%s: %s\n",
363 accessstr,
364 desc->ad_cname.bv_val,
365 val.bv_val ? "=" : "",
366 val.bv_val ? val.bv_val : "",
367 rc ? "ALLOWED" : "DENIED" );
368
369 } else {
370 fprintf( stderr, "%s%s%s: %s\n",
371 desc->ad_cname.bv_val,
372 val.bv_val ? "=" : "",
373 val.bv_val ? val.bv_val : "",
374 accessmask2str( mask, accessmaskbuf, 1 ) );
375 }
376 rc = 0;
377 attr = NULL;
378 }
379
380 destroy:;
381 if ( !BER_BVISNULL( &e.e_name ) ) {
382 ber_memfree( e.e_name.bv_val );
383 }
384 if ( !BER_BVISNULL( &e.e_nname ) ) {
385 ber_memfree( e.e_nname.bv_val );
386 }
387 if ( !dryrun && be ) {
388 if ( ep && ep != &e ) {
389 be_entry_release_r( op, ep );
390 }
391 if ( doclose ) {
392 be->be_entry_close( be );
393 }
394
395 LDAP_STAILQ_FOREACH( bd, &backendDB, be_next ) {
396 if ( bd != be ) {
397 backend_shutdown( bd );
398 }
399 }
400 }
401
402 slap_tool_destroy();
403
404 return rc;
405 }
406
NetBSD on the FriendlyARM MINI2440