Add "disclose" and "manage" ACL levels (but no meat).

Disclose permission intended to be used for "disclose on error"
(as in our present "none"), none being "don't disclose on error".

Manage permission is intended to be used to allow DSA IT management
(e.g., changing entryCSNs, structuralObjectClass, etc.).

servers/slapd/acl.c

@@ -253,7 +253,7 @@ access_allowed_mask(
 		    "<= root access granted\n",
 			0, 0, 0 );
 		if ( maskp ) {
-			mask = ACL_LVL_WRITE;
+			mask = ACL_LVL_MANAGE;
 		}
 
 		goto done;
@@ -1741,7 +1741,9 @@ acl_check_modlist(
 		Debug( LDAP_DEBUG_ACL,
 			"=> access_allowed: backend default %s access %s to \"%s\"\n",
 			access2str( ACL_WRITE ),
-			op->o_bd->be_dfltaccess >= ACL_WRITE ? "granted" : "denied", op->o_dn.bv_val );
+			op->o_bd->be_dfltaccess >= ACL_WRITE
+				? "granted" : "denied",
+			op->o_dn.bv_val );
 		ret = (op->o_bd->be_dfltaccess >= ACL_WRITE);
 		goto done;
 	}

servers/slapd/aclparse.c

@@ -62,10 +62,7 @@ static void		print_acl(Backend *be, AccessControl *a);
 static void		print_access(Access *b);
 #endif
 
-#ifdef LDAP_DEVEL
-static int
-check_scope( BackendDB *be, AccessControl *a );
-#endif /* LDAP_DEVEL */
+static int		check_scope( BackendDB *be, AccessControl *a );
 
 #ifdef SLAP_DYNACL
 static int
@@ -160,7 +157,6 @@ regtest(const char *fname, int lineno, char *pat) {
 	regfree(&re);
 }
 
-#ifdef LDAP_DEVEL
 /*
  * Experimental
  *
@@ -295,7 +291,6 @@ regex_done:;
 
 	return ACL_SCOPE_UNKNOWN;
 }
-#endif /* LDAP_DEVEL */
 
 void
 parse_acl(
@@ -303,8 +298,7 @@ parse_acl(
     const char	*fname,
     int		lineno,
     int		argc,
-    char	**argv
-)
+    char	**argv )
 {
 	int		i;
 	char		*left, *right, *style, *next;
@@ -1653,7 +1647,6 @@ parse_acl(
 		}
 
 		if ( be != NULL ) {
-#ifdef LDAP_DEVEL
 			if ( !BER_BVISNULL( &be->be_nsuffix[ 1 ] ) ) {
 				fprintf( stderr, "%s: line %d: warning: "
 					"scope checking only applies to single-valued "
@@ -1693,7 +1686,6 @@ parse_acl(
 			default:
 				break;
 			}
-#endif /* LDAP_DEVEL */
 			acl_append( &be->be_acl, a );
 
 		} else {
@@ -1720,6 +1712,9 @@ accessmask2str( slap_mask_t mask, char *buf )
 		if ( ACL_LVL_IS_NONE(mask) ) {
 			ptr = lutil_strcopy( ptr, "none" );
 
+		} else if ( ACL_LVL_IS_DISCLOSE(mask) ) {
+			ptr = lutil_strcopy( ptr, "disclose" );
+
 		} else if ( ACL_LVL_IS_AUTH(mask) ) {
 			ptr = lutil_strcopy( ptr, "auth" );
 
@@ -1734,6 +1729,10 @@ accessmask2str( slap_mask_t mask, char *buf )
 
 		} else if ( ACL_LVL_IS_WRITE(mask) ) {
 			ptr = lutil_strcopy( ptr, "write" );
+
+		} else if ( ACL_LVL_IS_MANAGE(mask) ) {
+			ptr = lutil_strcopy( ptr, "manage" );
+
 		} else {
 			ptr = lutil_strcopy( ptr, "unknown" );
 		}
@@ -1751,6 +1750,11 @@ accessmask2str( slap_mask_t mask, char *buf )
 		*ptr++ = '=';
 	}
 
+	if ( ACL_PRIV_ISSET(mask, ACL_PRIV_MANAGE) ) {
+		none = 0;
+		*ptr++ = 'm';
+	} 
+
 	if ( ACL_PRIV_ISSET(mask, ACL_PRIV_WRITE) ) {
 		none = 0;
 		*ptr++ = 'w';
@@ -1776,6 +1780,11 @@ accessmask2str( slap_mask_t mask, char *buf )
 		*ptr++ = 'x';
 	} 
 
+	if ( ACL_PRIV_ISSET(mask, ACL_PRIV_DISCLOSE) ) {
+		none = 0;
+		*ptr++ = 'd';
+	} 
+
 	if ( none && ACL_PRIV_ISSET(mask, ACL_PRIV_NONE) ) {
 		none = 0;
 		*ptr++ = 'n';
@@ -1817,7 +1826,10 @@ str2accessmask( const char *str )
 		}
 
 		for( i=1; str[i] != '\0'; i++ ) {
-			if( TOLOWER((unsigned char) str[i]) == 'w' ) {
+			if( TOLOWER((unsigned char) str[i]) == 'm' ) {
+				ACL_PRIV_SET(mask, ACL_PRIV_MANAGE);
+
+			} else if( TOLOWER((unsigned char) str[i]) == 'w' ) {
 				ACL_PRIV_SET(mask, ACL_PRIV_WRITE);
 
 			} else if( TOLOWER((unsigned char) str[i]) == 'r' ) {
@@ -1832,6 +1844,9 @@ str2accessmask( const char *str )
 			} else if( TOLOWER((unsigned char) str[i]) == 'x' ) {
 				ACL_PRIV_SET(mask, ACL_PRIV_AUTH);
 
+			} else if( TOLOWER((unsigned char) str[i]) == 'd' ) {
+				ACL_PRIV_SET(mask, ACL_PRIV_DISCLOSE);
+
 			} else if( str[i] != '0' ) {
 				ACL_INVALIDATE(mask);
 				return mask;
@@ -1844,6 +1859,9 @@ str2accessmask( const char *str )
 	if ( strcasecmp( str, "none" ) == 0 ) {
 		ACL_LVL_ASSIGN_NONE(mask);
 
+	} else if ( strcasecmp( str, "disclose" ) == 0 ) {
+		ACL_LVL_ASSIGN_DISCLOSE(mask);
+
 	} else if ( strcasecmp( str, "auth" ) == 0 ) {
 		ACL_LVL_ASSIGN_AUTH(mask);
 
@@ -1859,6 +1877,9 @@ str2accessmask( const char *str )
 	} else if ( strcasecmp( str, "write" ) == 0 ) {
 		ACL_LVL_ASSIGN_WRITE(mask);
 
+	} else if ( strcasecmp( str, "manage" ) == 0 ) {
+		ACL_LVL_ASSIGN_MANAGE(mask);
+
 	} else {
 		ACL_INVALIDATE( mask );
 	}
@@ -1890,8 +1911,8 @@ acl_usage( void )
 		"<peernamestyle> ::= exact | regex | ip | path\n"
 		"<domainstyle> ::= exact | regex | base(Object) | sub(tree)\n"
 		"<access> ::= [self]{<level>|<priv>}\n"
-		"<level> ::= none | auth | compare | search | read | write\n"
-		"<priv> ::= {=|+|-}{w|r|s|c|x|0}+\n"
+		"<level> ::= none|disclose|auth|compare|search|read|write|manage\n"
+		"<priv> ::= {=|+|-}{0|d|x|c|s|r|w|m}+\n"
 		"<control> ::= [ stop | continue | break ]\n"
 	);
 	exit( EXIT_FAILURE );
@@ -2053,6 +2074,9 @@ access2str( slap_access_t access )
 	if ( access == ACL_NONE ) {
 		return "none";
 
+	} else if ( access == ACL_DISCLOSE ) {
+		return "disclose";
+
 	} else if ( access == ACL_AUTH ) {
 		return "auth";
 
@@ -2067,6 +2091,10 @@ access2str( slap_access_t access )
 
 	} else if ( access == ACL_WRITE ) {
 		return "write";
+
+	} else if ( access == ACL_MANAGE ) {
+		return "manage";
+
 	}
 
 	return "unknown";
@@ -2078,6 +2106,9 @@ str2access( const char *str )
 	if ( strcasecmp( str, "none" ) == 0 ) {
 		return ACL_NONE;
 
+	} else if ( strcasecmp( str, "disclose" ) == 0 ) {
+		return ACL_DISCLOSE;
+
 	} else if ( strcasecmp( str, "auth" ) == 0 ) {
 		return ACL_AUTH;
 
@@ -2092,6 +2123,9 @@ str2access( const char *str )
 
 	} else if ( strcasecmp( str, "write" ) == 0 ) {
 		return ACL_WRITE;
+
+	} else if ( strcasecmp( str, "manage" ) == 0 ) {
+		return ACL_MANAGE;
 	}
 
 	return( ACL_INVALID_ACCESS );

servers/slapd/slap.h

@@ -1123,11 +1123,13 @@ typedef struct slap_ldap_modlist {
 typedef enum slap_access_e {
 	ACL_INVALID_ACCESS = -1,
 	ACL_NONE = 0,
+	ACL_DISCLOSE,
 	ACL_AUTH,
 	ACL_COMPARE,
 	ACL_SEARCH,
 	ACL_READ,
-	ACL_WRITE
+	ACL_WRITE,
+	ACL_MANAGE
 } slap_access_t;
 
 typedef enum slap_control_e {
@@ -1209,11 +1211,13 @@ typedef struct slap_access {
 #define ACL_ACCESS2PRIV(access)	(0x01U << (access))
 
 #define ACL_PRIV_NONE			ACL_ACCESS2PRIV( ACL_NONE )
+#define ACL_PRIV_DISCLOSE		ACL_ACCESS2PRIV( ACL_DISCLOSE )
 #define ACL_PRIV_AUTH			ACL_ACCESS2PRIV( ACL_AUTH )
 #define ACL_PRIV_COMPARE		ACL_ACCESS2PRIV( ACL_COMPARE )
 #define ACL_PRIV_SEARCH			ACL_ACCESS2PRIV( ACL_SEARCH )
 #define ACL_PRIV_READ			ACL_ACCESS2PRIV( ACL_READ )
 #define ACL_PRIV_WRITE			ACL_ACCESS2PRIV( ACL_WRITE )
+#define ACL_PRIV_MANAGE			ACL_ACCESS2PRIV( ACL_MANAGE )
 
 #define ACL_PRIV_MASK			0x00ffUL
 
@@ -1242,26 +1246,32 @@ typedef struct slap_access {
 #define ACL_IS_SUBTRACTIVE(m)	ACL_PRIV_ISSET((m),ACL_PRIV_SUBSTRACTIVE)
 
 #define ACL_LVL_NONE			(ACL_PRIV_NONE|ACL_PRIV_LEVEL)
-#define ACL_LVL_AUTH			(ACL_PRIV_AUTH|ACL_LVL_NONE)
+#define ACL_LVL_DISCLOSE		(ACL_PRIV_DISCLOSE|ACL_LVL_NONE)
+#define ACL_LVL_AUTH			(ACL_PRIV_AUTH|ACL_LVL_DISCLOSE)
 #define ACL_LVL_COMPARE			(ACL_PRIV_COMPARE|ACL_LVL_AUTH)
 #define ACL_LVL_SEARCH			(ACL_PRIV_SEARCH|ACL_LVL_COMPARE)
 #define ACL_LVL_READ			(ACL_PRIV_READ|ACL_LVL_SEARCH)
 #define ACL_LVL_WRITE			(ACL_PRIV_WRITE|ACL_LVL_READ)
+#define ACL_LVL_MANAGE			(ACL_PRIV_MANAGE|ACL_LVL_WRITE)
 
 #define ACL_LVL(m,l)			(((m)&ACL_PRIV_MASK) == ((l)&ACL_PRIV_MASK))
 #define ACL_LVL_IS_NONE(m)		ACL_LVL((m),ACL_LVL_NONE)
+#define ACL_LVL_IS_DISCLOSE(m)	ACL_LVL((m),ACL_LVL_DISCLOSE)
 #define ACL_LVL_IS_AUTH(m)		ACL_LVL((m),ACL_LVL_AUTH)
 #define ACL_LVL_IS_COMPARE(m)	ACL_LVL((m),ACL_LVL_COMPARE)
 #define ACL_LVL_IS_SEARCH(m)	ACL_LVL((m),ACL_LVL_SEARCH)
 #define ACL_LVL_IS_READ(m)		ACL_LVL((m),ACL_LVL_READ)
 #define ACL_LVL_IS_WRITE(m)		ACL_LVL((m),ACL_LVL_WRITE)
+#define ACL_LVL_IS_MANAGE(m)	ACL_LVL((m),ACL_LVL_MANAGE)
 
 #define ACL_LVL_ASSIGN_NONE(m)		ACL_PRIV_ASSIGN((m),ACL_LVL_NONE)
+#define ACL_LVL_ASSIGN_DISCLOSE(m)	ACL_PRIV_ASSIGN((m),ACL_LVL_DISCLOSE)
 #define ACL_LVL_ASSIGN_AUTH(m)		ACL_PRIV_ASSIGN((m),ACL_LVL_AUTH)
 #define ACL_LVL_ASSIGN_COMPARE(m)	ACL_PRIV_ASSIGN((m),ACL_LVL_COMPARE)
 #define ACL_LVL_ASSIGN_SEARCH(m)	ACL_PRIV_ASSIGN((m),ACL_LVL_SEARCH)
 #define ACL_LVL_ASSIGN_READ(m)		ACL_PRIV_ASSIGN((m),ACL_LVL_READ)
 #define ACL_LVL_ASSIGN_WRITE(m)		ACL_PRIV_ASSIGN((m),ACL_LVL_WRITE)
+#define ACL_LVL_ASSIGN_MANAGE(m)	ACL_PRIV_ASSIGN((m),ACL_LVL_MANAGE)
 
 	slap_mask_t	a_access_mask;