/* $OpenLDAP$ */ /* This work is part of OpenLDAP Software . * * Copyright 2004-2018 The OpenLDAP Foundation. * Portions Copyright 2004 Pierangelo Masarati. * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted only as authorized by the OpenLDAP * Public License. * * A copy of this license is available in file LICENSE in the * top-level directory of the distribution or, alternatively, at * . */ /* ACKNOWLEDGEMENTS: * This work was initially developed by Pierangelo Masarati for inclusion * in OpenLDAP Software. */ #include "portable.h" #include #include #include #include #include #include #include #include #include #include "slapcommon.h" static int print_access( Operation *op, Entry *e, AttributeDescription *desc, struct berval *val, struct berval *nval ) { int rc; slap_mask_t mask; char accessmaskbuf[ACCESSMASK_MAXLEN]; rc = access_allowed_mask( op, e, desc, nval, ACL_AUTH, NULL, &mask ); fprintf( stderr, "%s%s%s: %s\n", desc->ad_cname.bv_val, ( val && !BER_BVISNULL( val ) ) ? "=" : "", ( val && !BER_BVISNULL( val ) ) ? ( desc == slap_schema.si_ad_userPassword ? "****" : val->bv_val ) : "", accessmask2str( mask, accessmaskbuf, 1 ) ); return rc; } int slapacl( int argc, char **argv ) { int rc = EXIT_SUCCESS; const char *progname = "slapacl"; Connection conn = { 0 }; Listener listener; OperationBuffer opbuf; Operation *op = NULL; Entry e = { 0 }, *ep = &e; char *attr = NULL; int doclose = 0; BackendDB *bd; void *thrctx; slap_tool_init( progname, SLAPACL, argc, argv ); if ( !dryrun ) { int i = 0; LDAP_STAILQ_FOREACH( bd, &backendDB, be_next ) { if ( bd != be && backend_startup( bd ) ) { fprintf( stderr, "backend_startup(#%d%s%s) failed\n", i, bd->be_suffix ? ": " : "", bd->be_suffix ? bd->be_suffix[0].bv_val : "" ); rc = 1; goto destroy; } i++; } } argv = &argv[ optind ]; argc -= optind; thrctx = ldap_pvt_thread_pool_context(); connection_fake_init( &conn, &opbuf, thrctx ); op = &opbuf.ob_op; op->o_tmpmemctx = NULL; conn.c_listener = &listener; conn.c_listener_url = listener_url; conn.c_peer_domain = peer_domain; conn.c_peer_name = peer_name; conn.c_sock_name = sock_name; op->o_ssf = ssf; op->o_transport_ssf = transport_ssf; op->o_tls_ssf = tls_ssf; op->o_sasl_ssf = sasl_ssf; if ( !BER_BVISNULL( &authcID ) ) { if ( !BER_BVISNULL( &authcDN ) ) { fprintf( stderr, "both authcID=\"%s\" " "and authcDN=\"%s\" provided\n", authcID.bv_val, authcDN.bv_val ); rc = 1; goto destroy; } rc = slap_sasl_getdn( &conn, op, &authcID, NULL, &authcDN, SLAP_GETDN_AUTHCID ); if ( rc != LDAP_SUCCESS ) { fprintf( stderr, "authcID: <%s> check failed %d (%s)\n", authcID.bv_val, rc, ldap_err2string( rc ) ); rc = 1; goto destroy; } } else if ( !BER_BVISNULL( &authcDN ) ) { struct berval ndn; rc = dnNormalize( 0, NULL, NULL, &authcDN, &ndn, NULL ); if ( rc != LDAP_SUCCESS ) { fprintf( stderr, "autchDN=\"%s\" normalization failed %d (%s)\n", authcDN.bv_val, rc, ldap_err2string( rc ) ); rc = 1; goto destroy; } ch_free( authcDN.bv_val ); authcDN = ndn; } if ( !BER_BVISNULL( &authzID ) ) { if ( !BER_BVISNULL( &authzDN ) ) { fprintf( stderr, "both authzID=\"%s\" " "and authzDN=\"%s\" provided\n", authzID.bv_val, authzDN.bv_val ); rc = 1; goto destroy; } rc = slap_sasl_getdn( &conn, op, &authzID, NULL, &authzDN, SLAP_GETDN_AUTHZID ); if ( rc != LDAP_SUCCESS ) { fprintf( stderr, "authzID: <%s> check failed %d (%s)\n", authzID.bv_val, rc, ldap_err2string( rc ) ); rc = 1; goto destroy; } } else if ( !BER_BVISNULL( &authzDN ) ) { struct berval ndn; rc = dnNormalize( 0, NULL, NULL, &authzDN, &ndn, NULL ); if ( rc != LDAP_SUCCESS ) { fprintf( stderr, "autchDN=\"%s\" normalization failed %d (%s)\n", authzDN.bv_val, rc, ldap_err2string( rc ) ); rc = 1; goto destroy; } ch_free( authzDN.bv_val ); authzDN = ndn; } if ( !BER_BVISNULL( &authcDN ) ) { fprintf( stderr, "authcDN: \"%s\"\n", authcDN.bv_val ); } if ( !BER_BVISNULL( &authzDN ) ) { fprintf( stderr, "authzDN: \"%s\"\n", authzDN.bv_val ); } if ( !BER_BVISNULL( &authzDN ) ) { op->o_dn = authzDN; op->o_ndn = authzDN; if ( !BER_BVISNULL( &authcDN ) ) { op->o_conn->c_dn = authcDN; op->o_conn->c_ndn = authcDN; } else { op->o_conn->c_dn = authzDN; op->o_conn->c_ndn = authzDN; } } else if ( !BER_BVISNULL( &authcDN ) ) { op->o_conn->c_dn = authcDN; op->o_conn->c_ndn = authcDN; op->o_dn = authcDN; op->o_ndn = authcDN; } assert( !BER_BVISNULL( &baseDN ) ); rc = dnPrettyNormal( NULL, &baseDN, &e.e_name, &e.e_nname, NULL ); if ( rc != LDAP_SUCCESS ) { fprintf( stderr, "base=\"%s\" normalization failed %d (%s)\n", baseDN.bv_val, rc, ldap_err2string( rc ) ); rc = 1; goto destroy; } op->o_bd = be; if ( op->o_bd == NULL ) { /* NOTE: if no database could be found (e.g. because * accessing the rootDSE or so), use the frontendDB * rules; might need work */ op->o_bd = frontendDB; } if ( !dryrun ) { ID id; if ( be == NULL ) { fprintf( stderr, "%s: no target database " "has been found for baseDN=\"%s\"; " "you may try with \"-u\" (dry run).\n", baseDN.bv_val, progname ); rc = 1; goto destroy; } if ( !be->be_entry_open || !be->be_entry_close || !be->be_dn2id_get || !be->be_entry_get ) { fprintf( stderr, "%s: target database " "doesn't support necessary operations; " "you may try with \"-u\" (dry run).\n", progname ); rc = 1; goto destroy; } if ( be->be_entry_open( be, 0 ) != 0 ) { fprintf( stderr, "%s: could not open database.\n", progname ); rc = 1; goto destroy; } doclose = 1; id = be->be_dn2id_get( be, &e.e_nname ); if ( id == NOID ) { fprintf( stderr, "%s: unable to fetch ID of DN \"%s\"\n", progname, e.e_nname.bv_val ); rc = 1; goto destroy; } ep = be->be_entry_get( be, id ); if ( ep == NULL ) { fprintf( stderr, "%s: unable to fetch entry \"%s\" (%lu)\n", progname, e.e_nname.bv_val, id ); rc = 1; goto destroy; } if ( argc == 0 ) { Attribute *a; (void)print_access( op, ep, slap_schema.si_ad_entry, NULL, NULL ); (void)print_access( op, ep, slap_schema.si_ad_children, NULL, NULL ); for ( a = ep->e_attrs; a; a = a->a_next ) { int i; for ( i = 0; !BER_BVISNULL( &a->a_nvals[ i ] ); i++ ) { (void)print_access( op, ep, a->a_desc, &a->a_vals[ i ], &a->a_nvals[ i ] ); } } } } for ( ; argc--; argv++ ) { slap_mask_t mask; AttributeDescription *desc = NULL; struct berval val = BER_BVNULL, *valp = NULL; const char *text; char accessmaskbuf[ACCESSMASK_MAXLEN]; char *accessstr; slap_access_t access = ACL_AUTH; if ( attr == NULL ) { attr = argv[ 0 ]; } val.bv_val = strchr( attr, ':' ); if ( val.bv_val != NULL ) { val.bv_val[0] = '\0'; val.bv_val++; val.bv_len = strlen( val.bv_val ); valp = &val; } accessstr = strchr( attr, '/' ); if ( accessstr != NULL ) { int invalid = 0; accessstr[0] = '\0'; accessstr++; access = str2access( accessstr ); switch ( access ) { case ACL_INVALID_ACCESS: fprintf( stderr, "unknown access \"%s\" for attribute \"%s\"\n", accessstr, attr ); invalid = 1; break; case ACL_NONE: fprintf( stderr, "\"none\" not allowed for attribute \"%s\"\n", attr ); invalid = 1; break; default: break; } if ( invalid ) { if ( continuemode ) { continue; } break; } } rc = slap_str2ad( attr, &desc, &text ); if ( rc != LDAP_SUCCESS ) { fprintf( stderr, "slap_str2ad(%s) failed %d (%s)\n", attr, rc, ldap_err2string( rc ) ); if ( continuemode ) { continue; } break; } rc = access_allowed_mask( op, ep, desc, valp, access, NULL, &mask ); if ( accessstr ) { fprintf( stderr, "%s access to %s%s%s: %s\n", accessstr, desc->ad_cname.bv_val, val.bv_val ? "=" : "", val.bv_val ? val.bv_val : "", rc ? "ALLOWED" : "DENIED" ); } else { fprintf( stderr, "%s%s%s: %s\n", desc->ad_cname.bv_val, val.bv_val ? "=" : "", val.bv_val ? val.bv_val : "", accessmask2str( mask, accessmaskbuf, 1 ) ); } rc = 0; attr = NULL; } destroy:; if ( !BER_BVISNULL( &e.e_name ) ) { ber_memfree( e.e_name.bv_val ); } if ( !BER_BVISNULL( &e.e_nname ) ) { ber_memfree( e.e_nname.bv_val ); } if ( !dryrun && be ) { if ( ep && ep != &e ) { be_entry_release_r( op, ep ); } if ( doclose ) { be->be_entry_close( be ); } LDAP_STAILQ_FOREACH( bd, &backendDB, be_next ) { if ( bd != be ) { backend_shutdown( bd ); } } } if ( slap_tool_destroy()) rc = EXIT_FAILURE; return rc; }