| author | Noriko Hosoi <nhosoi@redhat.com> | 2008-10-31 00:16:02 +0000 |
|---|---|---|
| committer | Noriko Hosoi <nhosoi@redhat.com> | 2008-10-31 00:16:02 +0000 |
| commit | 6c1a7f34b435a5affff76759e36153b7df7c12ec (patch) | |
| tree | 22a90fd8779df892cac12625b164ceca9d3f753a | |
| parent | 77e2e8a93bd947d4c9957b4570f963a5508cd7b0 (diff) | |
Resolves: #469243
Summary: ACL: support group filter
Description: extended the userattr #GROUPDN value so that it also accepts a full LDAP URL (base DN, scope and filter)
| -rw-r--r-- | ldap/servers/plugins/acl/acllas.c | 96 |
1 files changed, 83 insertions, 13 deletions
diff --git a/ldap/servers/plugins/acl/acllas.c b/ldap/servers/plugins/acl/acllas.c
index b38150c2..88beea15 100644
--- a/ldap/servers/plugins/acl/acllas.c
+++ b/ldap/servers/plugins/acl/acllas.c
@@ -2355,36 +2355,90 @@ acllas__eval_memberGroupDnAttr (char *attrName, Slapi_Entry *e, Slapi_Attr *attr; char *s, *p; - char *str, *s_str, *base, *groupattr; + char *str, *s_str, *base, *groupattr = NULL; int i,j,k,matched, enumerate_groups; aclUserGroup *u_group; char ebuf [ BUFSIZ ]; Slapi_Value *sval=NULL; const struct berval *attrVal; - - /* Parse the URL -- We can't use the ldap_url_parse() - ** we don't follow thw complete url naming scheme - */ + int qcnt = 0; + Slapi_PBlock *myPb = NULL; + Slapi_Entry **grpentries = NULL; + + /* Parse the URL -- getting the group attr and counting up '?'s. + * If there is no group attr and there are 3 '?' marks, + * we parse the URL with ldap_url_parse to get base dn and filter. + */ s_str = str = slapi_ch_strdup(attrName); while (str && ldap_utf8isspace(str)) LDAP_UTF8INC( str ); str +=8; s = strchr (str, '?'); if (s) { + qcnt++; p = s; p++; *s = '\0'; base = str; s = strchr (p, '?'); - if (s) *s = '\0'; + if (s) { + qcnt++; + *s = '\0'; + if (NULL != strchr (++s, '?')) { + qcnt++; + } + } groupattr = p; } else { slapi_ch_free ( (void **)&s_str ); return ACL_FALSE; } + + /* Full LDAPURL is given? 
*/ + if ((NULL == groupattr || 0 == strlen(groupattr)) && 3 == qcnt) { + LDAPURLDesc *ludp = NULL; + int rval; + + if ( 0 != ldap_url_parse( attrName, &ludp) ) { + slapi_ch_free ( (void **)&s_str ); + return ACL_FALSE; + } + + /* Use new search internal API */ + myPb = slapi_pblock_new (); + slapi_search_internal_set_pb( + myPb, + ludp->lud_dn, + ludp->lud_scope, + ludp->lud_filter, + NULL, + 0, + NULL /* controls */, + NULL /* uniqueid */, + aclplugin_get_identity (ACL_PLUGIN_IDENTITY), + 0 ); + slapi_search_internal_pb(myPb); + ldap_free_urldesc( ludp ); + slapi_pblock_get(myPb, SLAPI_PLUGIN_INTOP_RESULT, &rval); + if (rval != LDAP_SUCCESS) { + slapi_ch_free ( (void **)&s_str ); + slapi_free_search_results_internal(myPb); + slapi_pblock_destroy (myPb); + return ACL_FALSE; + } + + slapi_pblock_get(myPb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, &grpentries); + if ((grpentries == NULL) || (grpentries[0] == NULL)) { + slapi_ch_free ( (void **)&s_str ); + slapi_free_search_results_internal(myPb); + slapi_pblock_destroy (myPb); + return ACL_FALSE; + } + } + if ( (u_group = aclg_get_usersGroup ( aclpb , n_clientdn )) == NULL) { - slapi_log_error( SLAPI_LOG_ACL, plugin_name, + slapi_log_error( SLAPI_LOG_ACL, plugin_name, "Failed to find/allocate a usergroup--aborting evaluation\n", 0, 0); slapi_ch_free ( (void **)&s_str ); return(ACL_DONT_KNOW); 
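Review bot: The full-LDAPURL branch leaks `myPb` and its search results on the `aclg_get_usersGroup` failure path that immediately follows it: that path frees only `s_str` before `return(ACL_DONT_KNOW)`, and since the pblock is first released much later (in the second hunk), any other early return in the part of `acllas__eval_memberGroupDnAttr` that lies between the two hunks leaks it as well. Either add `slapi_free_search_results_internal(myPb); slapi_pblock_destroy(myPb);` before that return, or move the internal search after the user-group lookup so there is nothing to clean up on that path. The search also passes `NULL` as the attribute list although only each entry's DN is compared later; requesting no attributes (e.g. `LDAP_NO_ATTRS`, if the internal search honours it) would avoid materialising every attribute of every matching group on each ACL evaluation. Because the scope and filter come verbatim from the ACI and the search runs under the plugin identity with no size limit, an over-broad URL is evaluated at full privilege on every access check; a short comment stating that ACI authors are trusted for that filter, and a size limit on the pblock if the API allows one, would document and bound that assumption.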
@@ -2540,12 +2594,28 @@ acllas__eval_memberGroupDnAttr (char *attrName, Slapi_Entry *e, j, ACL_ESCAPE_STRING_WITH_PUNCTUATION (u_group->aclug_member_groups[j], ebuf),0); matched = ACL_FALSE; - slapi_entry_attr_find( e, groupattr, &attr); - if (attr == NULL) { - slapi_ch_free ( (void **)&s_str ); - return ACL_FALSE; - } - { + if ((NULL == groupattr || 0 == strlen(groupattr)) && 3 == qcnt) { + /* Full LDAPURL case */ + for (k = 0; u_group->aclug_member_groups[k]; k++) { /* groups the bind + user belong to */ + Slapi_Entry **ep; + for (ep = grpentries; *ep; ep++) { /* groups having ACI */ + char *n_edn = slapi_entry_get_ndn(*ep); + if (slapi_utf8casecmp((ACLUCHP)u_group->aclug_member_groups[k], + (ACLUCHP)n_edn) == 0) { + matched = ACL_TRUE; + break; + } + } + } + slapi_free_search_results_internal(myPb); + slapi_pblock_destroy(myPb); + } else { + slapi_entry_attr_find( e, groupattr, &attr); + if (attr == NULL) { + slapi_ch_free ( (void **)&s_str ); + return ACL_FALSE; + } k = slapi_attr_first_value ( attr,&sval ); while ( k != -1 ) { char *n_attrval; |
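Review bot: In the full-LDAPURL branch the `break` only leaves the inner loop over `grpentries`, so once a match is found the outer loop still compares every remaining member group against every returned entry; testing the flag in the outer loop, `for (k = 0; !matched && u_group->aclug_member_groups[k]; k++) {`, stops at the first hit without changing the result. The comparison also assumes that `u_group->aclug_member_groups[k]` is already in the same normalized DN form that `slapi_entry_get_ndn` returns — if those values are kept as written in the member attribute, a DN differing only in spacing or attribute-type case would not match, so a comment stating where that normalization happens (or a call to normalize before comparing) would make the intent clear. The enclosing function starts before this hunk and continues after it, so the consumer of `matched` is outside the visible lines.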
