authorRich Megginson <rmeggins@redhat.com>2010-08-25 12:45:11 -0600
committerRich Megginson <rmeggins@redhat.com>2010-08-31 13:35:55 -0600
commiteec41e2fc71addeef503fd6e2294e723e68bf263 (patch)
tree5ec3b96145e703b9e6dbb56d3e182bb733206dbe /ldap/servers/plugins/acl
parent685cb4c361452a26394c897ddaa0b6c2d8040e1d (diff)
use slapi_ldap_url_parse in the acl code
I missed a couple of places in the acl code that should use slapi_ldap_url_parse - I also added some more debugging
Diffstat (limited to 'ldap/servers/plugins/acl')
-rw-r--r--ldap/servers/plugins/acl/acllas.c41
1 files changed, 33 insertions, 8 deletions
diff --git a/ldap/servers/plugins/acl/acllas.c b/ldap/servers/plugins/acl/acllas.c
index 9ba39259..668316fd 100644
--- a/ldap/servers/plugins/acl/acllas.c
+++ b/ldap/servers/plugins/acl/acllas.c
@@ -867,12 +867,13 @@ DS_LASGroupDnEval(NSErr_t *errp, char *attr_name, CmpOp_t comparator,
groupName);
} else {
LDAPURLDesc *ludp = NULL;
+ int urlerr = 0;
int rval;
Slapi_PBlock *myPb = NULL;
Slapi_Entry **grpentries = NULL;
/* Groupdn is full ldapurl? */
- if (0 == ldap_url_parse(groupNameOrig, &ludp) &&
+ if ((0 == (urlerr = slapi_ldap_url_parse(groupNameOrig, &ludp, 0, NULL))) &&
NULL != ludp->lud_dn &&
-1 != ludp->lud_scope &&
NULL != ludp->lud_filter) {
@@ -911,6 +912,11 @@ DS_LASGroupDnEval(NSErr_t *errp, char *attr_name, CmpOp_t comparator,
slapi_pblock_destroy (myPb);
} else {
+ if (urlerr) {
+ slapi_log_error ( SLAPI_LOG_ACL, plugin_name,
+ "DS_LASGroupDnEval: Groupname [%s] not a valid ldap url: %d (%s)\n",
+ groupNameOrig, urlerr, slapi_urlparse_err2string(urlerr));
+ }
/* normal evaluation */
matched = acllas_eval_one_group( groupName, &lasinfo );
}
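Review bot: The new diagnostic in this `else` branch only covers a parse failure. The branch appears to be reached also when `slapi_ldap_url_parse` succeeds but `lud_dn`, `lud_scope` or `lud_filter` is missing, and that case still falls through to `acllas_eval_one_group` silently. Since this decides how a groupdn value is interpreted during access evaluation, an `else if (ludp)` arm logging at `SLAPI_LOG_ACL` which component was missing would make that fallback visible, as acllas__client_match_URL now does for its own URL. A short comment on the `0, NULL` arguments in the parse call in the previous hunk would also help. The function body starts and ends outside both hunks, so whether `ludp` is freed on this path cannot be checked from here.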
@@ -3484,7 +3490,7 @@ acllas__client_match_URL (struct acl_pblock *aclpb, char *n_clientdn, char *url
{
LDAPURLDesc *ludp = NULL;
- int rc;
+ int rc = 0;
Slapi_Filter *f = NULL;
char *rawdn = NULL;
char *dn = NULL;
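Review bot: The new initialiser gives `rc` the bare value `0`, while every failure path in this function assigns `ACL_FALSE`. Because `rc` is the access decision returned at `done:`, the default should be spelled as the deny constant, `int rc = ACL_FALSE;`. The result of an early `goto done` then does not depend on `ACL_FALSE` happening to equal 0, which this page does not show. The function body continues outside the hunk.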
@@ -3603,12 +3609,19 @@ acllas__client_match_URL (struct acl_pblock *aclpb, char *n_clientdn, char *url
slapi_ch_free_string(&dn);
}
rc = ldap_url_parse(normed, &ludp);
- slapi_ch_free_string(&normed);
if (rc) {
+ slapi_log_error( SLAPI_LOG_FATAL, plugin_name,
+ "acllas__client_match_URL: url [%s] is invalid: %d (%s)\n",
+ normed, rc, slapi_urlparse_err2string(rc));
rc = ACL_FALSE;
goto done;
}
if ( ( NULL == ludp->lud_dn) || ( NULL == ludp->lud_filter) ) {
+ slapi_log_error( SLAPI_LOG_FATAL, plugin_name,
+ "acllas__client_match_URL: url [%s] has no base dn [%s] or filter [%s]\n",
+ normed,
+ NULL == ludp->lud_dn ? "null" : ludp->lud_dn,
+ NULL == ludp->lud_filter ? "null" : ludp->lud_filter );
rc = ACL_FALSE;
goto done;
}
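Review bot: The context line `rc = ldap_url_parse(normed, &ludp);` is left unchanged, so this function still uses the raw parser although the commit title says the acl code should use `slapi_ldap_url_parse`. The new message then feeds that return code to `slapi_urlparse_err2string(rc)`, which presumably expects codes from the slapi wrapper. If the two parsers accept different inputs, the groupdn and URL-match paths can reach different access decisions for the same URL. Suggest `rc = slapi_ldap_url_parse(normed, &ludp, 0, NULL);`, with the third argument set to what this caller needs, since a NULL `lud_dn` is rejected immediately afterwards.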
@@ -3616,6 +3629,10 @@ acllas__client_match_URL (struct acl_pblock *aclpb, char *n_clientdn, char *url
/* Check the scope */
if ( ludp->lud_scope == LDAP_SCOPE_SUBTREE ) {
if (!slapi_dn_issuffix(n_clientdn, ludp->lud_dn)) {
+ slapi_log_error( SLAPI_LOG_FATAL, plugin_name,
+ "acllas__client_match_URL: url [%s] scope is subtree but dn [%s] "
+ "is not a suffix of [%s]\n",
+ normed, ludp->lud_dn, n_clientdn );
rc = ACL_FALSE;
goto done;
}
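Review bot: The subtree-mismatch message is logged at `SLAPI_LOG_FATAL`, but a client DN falling outside a URL's scope is an ordinary non-match during ACL evaluation, not a server error. The same applies to the onelevel and base messages added in the next two hunks. If FATAL messages are written regardless of the configured log level, every non-matching evaluation adds a line containing the client DN and the URL, which lets routine or hostile traffic flood the error log and bury real failures. Suggest `SLAPI_LOG_ACL` for these three, as DS_LASGroupDnEval uses in this same commit, keeping FATAL for the invalid-URL and bogus-filter cases.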
@@ -3623,6 +3640,11 @@ acllas__client_match_URL (struct acl_pblock *aclpb, char *n_clientdn, char *url
char *parent = slapi_dn_parent (n_clientdn);
if (slapi_utf8casecmp ((ACLUCHP)parent, (ACLUCHP)ludp->lud_dn) != 0 ) {
+ slapi_log_error( SLAPI_LOG_FATAL, plugin_name,
+ "acllas__client_match_URL: url [%s] scope is onelevel but dn [%s] "
+ "is not a direct child of [%s]\n",
+ normed, ludp->lud_dn, parent );
+ slapi_ch_free_string(&normed);
slapi_ch_free ( (void **) &parent);
rc = ACL_FALSE;
goto done;
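Review bot: The added `slapi_ch_free_string(&normed);` in the onelevel branch duplicates the free this commit places after `done:`. It is the only branch that does so, and it looks harmless only if the helper NULLs the pointer; dropping it leaves a single cleanup point. The message arguments also read backwards: the test compares the client's parent with `ludp->lud_dn`, yet the text reports `lud_dn` as "not a direct child of" `parent`. Something like `normed, n_clientdn, ludp->lud_dn` would match the wording. `parent` is also passed to `%s` unchecked, so if `slapi_dn_parent` can return NULL for a DN with no parent, guard it the way the `lud_dn`/`lud_filter` message does with `"null"`.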
@@ -3630,20 +3652,23 @@ acllas__client_match_URL (struct acl_pblock *aclpb, char *n_clientdn, char *url
slapi_ch_free ( (void **) &parent);
} else { /* default */
if (slapi_utf8casecmp ( (ACLUCHP)n_clientdn, (ACLUCHP)ludp->lud_dn) != 0 ) {
+ slapi_log_error( SLAPI_LOG_FATAL, plugin_name,
+ "acllas__client_match_URL: url [%s] scope is base but dn [%s] "
+ "does not match [%s]\n",
+ normed, ludp->lud_dn, n_clientdn );
rc = ACL_FALSE;
goto done;
}
}
-
/* Convert the filter string */
f = slapi_str2filter ( ludp->lud_filter );
if (ludp->lud_filter && (f == NULL)) { /* bogus filter */
slapi_log_error(SLAPI_LOG_FATAL, plugin_name,
- "DS_LASUserAttrEval: The member URL search filter in entry [%s] is not valid: [%s]\n",
- n_clientdn, ludp->lud_filter);
+ "DS_LASUserAttrEval: The member URL [%s] search filter in entry [%s] is not valid: [%s]\n",
+ normed, n_clientdn, ludp->lud_filter);
rc = ACL_FALSE;
goto done;
}
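Review bot: The rewritten filter message still starts with `DS_LASUserAttrEval:`, although the hunk header places it in acllas__client_match_URL and every other message added to this function uses that name. Someone triaging an ACL failure from the error log would be sent to the wrong function. Since the line is being touched anyway, change the prefix to `"acllas__client_match_URL: The member URL [%s] search filter in entry [%s] is not valid: [%s]\n"`.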
@@ -3653,9 +3678,9 @@ acllas__client_match_URL (struct acl_pblock *aclpb, char *n_clientdn, char *url
aclpb->aclpb_client_entry, f, 0 /* no acces chk */ )))
rc = ACL_FALSE;
- slapi_filter_free ( f, 1 ) ;
-
done:
+ slapi_filter_free ( f, 1 ) ;
+ slapi_ch_free_string(&normed);
slapi_ch_free_string(&hostport);
ldap_free_urldesc( ludp );
return rc;