ITS#2573 dynamic group support

moved labeledURI into system schema
  attribute types that inherit from labeledURI may be used in dynamic
    groups e.g. access to * by group/groupOfURLs/memberURL=foo

servers/slapd/aclparse.c

@@ -650,7 +650,8 @@ parse_acl(
 					if( !is_at_syntax( b->a_group_at->ad_type,
 						SLAPD_DN_SYNTAX ) &&
 					    !is_at_syntax( b->a_group_at->ad_type,
-						SLAPD_NAMEUID_SYNTAX ) )
+						SLAPD_NAMEUID_SYNTAX ) &&
+						!is_at_subtype( b->a_group_at->ad_type, slap_schema.si_ad_labeledURI->ad_type ))
 					{
 						fprintf( stderr,
 							"%s: line %d: group \"%s\": inappropriate syntax: %s\n",

servers/slapd/backend.c

@@ -1183,10 +1183,76 @@ backend_group(
 	if ( e ) {
 		a = attr_find( e->e_attrs, group_at );
 		if ( a ) {
-			rc = value_find_ex( group_at,
+			/* If the attribute is a subtype of labeledURI, treat this as
+			 * a dynamic group ala groupOfURLs
+			 */
+			if (is_at_subtype( group_at->ad_type, slap_schema.si_ad_labeledURI->ad_type ) ) {
+				int i;
+				LDAPURLDesc *ludp;
+				struct berval bv, nbase;
+				Filter *filter;
+				Entry *user;
+				Backend *b2 = op->o_bd;
+
+				if ( target && dn_match( &target->e_nname, op_ndn ) ) {
+					user = target;
+				} else {
+					op->o_bd = select_backend( op_ndn, 0, 0 );
+					rc = be_entry_get_rw(op, op_ndn, NULL, NULL, 0, &user );
+				}
+				
+				if ( rc == 0 ) {
+					rc = 1;
+					for (i=0; a->a_vals[i].bv_val; i++) {
+						if ( ldap_url_parse( a->a_vals[i].bv_val, &ludp ) != LDAP_SUCCESS )
+							continue;
+						nbase.bv_val = NULL;
+						/* host part must be empty */
+						/* attrs and extensions parts must be empty */
+						if (( ludp->lud_host && *ludp->lud_host )
+							|| ludp->lud_attrs || ludp->lud_exts )
+							goto loopit;
+						ber_str2bv( ludp->lud_dn, 0, 0, &bv );
+						if ( dnNormalize( 0, NULL, NULL, &bv, &nbase, op->o_tmpmemctx ) != LDAP_SUCCESS )
+							goto loopit;
+						switch(ludp->lud_scope) {
+						case LDAP_SCOPE_BASE:
+							if ( !dn_match(&nbase, op_ndn)) goto loopit;
+							break;
+						case LDAP_SCOPE_ONELEVEL:
+							dnParent(op_ndn, &bv );
+							if ( !dn_match(&nbase, &bv)) goto loopit;
+							break;
+						case LDAP_SCOPE_SUBTREE:
+							if ( !dnIsSuffix(op_ndn, &nbase)) goto loopit;
+							break;
+						}
+						filter = str2filter_x( op, ludp->lud_filter );
+						if ( filter ) {
+							if ( test_filter( NULL, user, filter ) == LDAP_COMPARE_TRUE )
+							{
+								rc = 0;
+							}
+							filter_free_x( op, filter );
+						}
+	loopit:
+						ldap_free_urldesc( ludp );
+						if ( nbase.bv_val ) {
+							op->o_tmpfree( nbase.bv_val, op->o_tmpmemctx );
+						}
+						if ( rc == 0 ) break;
+					}
+					if ( user != target ) {
+						be_entry_release_r( op, user );
+					}
+				}
+				op->o_bd = b2;
+			} else {
+				rc = value_find_ex( group_at,
 				SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH |
 				SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH,
 				a->a_nvals, op_ndn, op->o_tmpmemctx );
+			}
 		} else {
 			rc = LDAP_NO_SUCH_ATTRIBUTE;
 		}

servers/slapd/schema/core.schema

@@ -467,11 +467,11 @@ objectclass ( 2.5.6.23 NAME 'deltaCRL'
 
 #
 # Standard Track URI label schema from RFC 2079
-#
-attributetype ( 1.3.6.1.4.1.250.1.57 NAME 'labeledURI'
-	DESC 'RFC2079: Uniform Resource Identifier with optional label'
-	EQUALITY caseExactMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+# system schema
+#attributetype ( 1.3.6.1.4.1.250.1.57 NAME 'labeledURI'
+#	DESC 'RFC2079: Uniform Resource Identifier with optional label'
+#	EQUALITY caseExactMatch
+#	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
 
 objectclass ( 1.3.6.1.4.1.250.3.15 NAME 'labeledURIObject'
 	DESC 'RFC2079: object that contains the URI attribute type'

servers/slapd/schema/dyngroup.schema

@@ -0,0 +1,24 @@
+# $OpenLDAP$
+#
+# Dynamic Group schema, as defined by Netscape
+#
+# depends upon:
+#	core.schema
+
+objectIdentifier NetscapeRoot 2.16.840.1.113730
+
+objectIdentifier NetscapeLDAP NetscapeRoot:3
+objectIdentifier NetscapeLDAPattributeType NetscapeLDAP:1
+objectIdentifier NetscapeLDAPobjectClass NetscapeLDAP:2
+
+attributetype ( NetscapeLDAPattributeType:198
+	NAME 'memberURL'
+	DESC 'Identifies an URL associated with each member of a group. Any type of labeled URL can be used.'
+	SUP labeledURI )
+
+objectClass ( NetscapeLDAPobjectClass:33
+	NAME 'groupOfURLs'
+	SUP top STRUCTURAL
+	MUST cn
+	MAY ( memberURL $ businessCategory $ description $ o $ ou $
+		owner $ seeAlso ) )

servers/slapd/schema_prep.c

@@ -742,6 +742,15 @@ static struct slap_schema_ad_map {
 		NULL, NULL, NULL, NULL, NULL,
 		offsetof(struct slap_internal_schema, si_ad_userPassword) },
 
+	{ "labeledURI", "(  1.3.6.1.4.1.250.1.57 NAME 'labeledURI' "
+			"DESC 'RFC2079: Uniform Resource Identifier with optional label' "
+			"EQUALITY caseExactMatch "
+			"SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )",
+		NULL, 0,
+		NULL, NULL,
+		NULL, NULL, NULL, NULL, NULL,
+		offsetof(struct slap_internal_schema, si_ad_labeledURI) },
+
 #ifdef SLAPD_AUTHPASSWD
 	{ "authPassword", "( 1.3.6.1.4.1.4203.1.3.4 "
 			"NAME 'authPassword' "

servers/slapd/slap.h

@@ -791,6 +791,7 @@ struct slap_internal_schema {
 	AttributeDescription *si_ad_name;
 	AttributeDescription *si_ad_cn;
 	AttributeDescription *si_ad_userPassword;
+	AttributeDescription *si_ad_labeledURI;
 #ifdef SLAPD_AUTHPASSWD
 	AttributeDescription *si_ad_authPassword;
 #endif