cleanup previous commits

servers/slapd/acl.c

@@ -113,7 +113,7 @@ static int aci_mask(
 	slap_access_t *grant,
 	slap_access_t *deny,
 	slap_aci_scope_t scope);
-#endif
+#endif /* SLAPD_ACI_ENABLED */
 
 static int	regex_matches(
 	struct berval *pat, char *str, char *buf,
@@ -1030,7 +1030,7 @@ acl_mask(
 	char accessmaskbuf[ACCESSMASK_MAXLEN];
 #if !defined( SLAP_DYNACL ) && defined( SLAPD_ACI_ENABLED )
 	char accessmaskbuf1[ACCESSMASK_MAXLEN];
-#endif /* SLAPD_ACI_ENABLED */
+#endif /* !SLAP_DYNACL && SLAPD_ACI_ENABLED */
 #endif /* DEBUG */
 	const char *attr;
 
@@ -1109,7 +1109,8 @@ acl_mask(
 			 * is maintaned in a_dn_pat.
 			 */
 
-			if ( op->o_conn && !BER_BVISNULL( &op->o_conn->c_ndn ) ) {
+			if ( op->o_conn && !BER_BVISNULL( &op->o_conn->c_ndn ) )
+			{
 				ndn = op->o_conn->c_ndn;
 			} else {
 				ndn = op->o_ndn;
@@ -1376,7 +1377,8 @@ acl_mask(
 		if ( b->a_realdn_at != NULL ) {
 			struct berval	ndn;
 
-			if ( op->o_conn && !BER_BVISNULL( &op->o_conn->c_ndn ) ) {
+			if ( op->o_conn && !BER_BVISNULL( &op->o_conn->c_ndn ) )
+			{
 				ndn = op->o_conn->c_ndn;
 			} else {
 				ndn = op->o_ndn;
@@ -1390,87 +1392,6 @@ acl_mask(
 			}
 		}
 
-#if 0
-		if ( b->a_dn_at != NULL ) {
-			Attribute	*at;
-			struct berval	bv;
-			int rc, match = 0;
-			const char *text;
-			const char *attr = b->a_dn_at->ad_cname.bv_val;
-
-			assert( attr != NULL );
-
-			if ( op->o_ndn.bv_len == 0 ) {
-				continue;
-			}
-
-			Debug( LDAP_DEBUG_ACL, "<= check a_dn_at: %s\n",
-				attr, 0, 0);
-			bv = op->o_ndn;
-
-			/* see if asker is listed in dnattr */
-			for( at = attrs_find( e->e_attrs, b->a_dn_at );
-				at != NULL;
-				at = attrs_find( at->a_next, b->a_dn_at ) )
-			{
-				if( value_find_ex( b->a_dn_at,
-					SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH |
-						SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH,
-					at->a_nvals,
-					&bv, op->o_tmpmemctx ) == 0 )
-				{
-					/* found it */
-					match = 1;
-					break;
-				}
-			}
-
-			if ( match ) {
-				/* have a dnattr match. if this is a self clause then
-				 * the target must also match the op dn.
-				 */
-				if ( b->a_dn_self ) {
-					/* check if the target is an attribute. */
-					if ( val == NULL ) continue;
-
-					/* target is attribute, check if the attribute value
-					 * is the op dn.
-					 */
-					rc = value_match( &match, b->a_dn_at,
-						b->a_dn_at->ad_type->sat_equality, 0,
-						val, &bv, &text );
-					/* on match error or no match, fail the ACL clause */
-					if (rc != LDAP_SUCCESS || match != 0 )
-						continue;
-				}
-
-			} else {
-				/* no dnattr match, check if this is a self clause */
-				if ( ! b->a_dn_self )
-					continue;
-
-				ACL_RECORD_VALUE_STATE;
-				
-				/* this is a self clause, check if the target is an
-				 * attribute.
-				 */
-				if ( val == NULL )
-					continue;
-
-				/* target is attribute, check if the attribute value
-				 * is the op dn.
-				 */
-				rc = value_match( &match, b->a_dn_at,
-					b->a_dn_at->ad_type->sat_equality, 0,
-					val, &bv, &text );
-
-				/* on match error or no match, fail the ACL clause */
-				if (rc != LDAP_SUCCESS || match != 0 )
-					continue;
-			}
-		}
-#endif
-
 		if ( !BER_BVISEMPTY( &b->a_group_pat ) ) {
 			struct berval bv;
 			struct berval ndn = BER_BVNULL;
@@ -2878,6 +2799,11 @@ aci_mask(
 }
 
 #ifdef SLAP_DYNACL
+/*
+ * FIXME: there is a silly dependence that makes it difficult
+ * to move ACIs in a run-time loadable module under the "dynacl" 
+ * umbrella, because sets share some helpers with ACIs.
+ */
 static int
 dynacl_aci_parse( const char *fname, int lineno, slap_style_t sty, const char *right, void **privp )
 {

servers/slapd/slap.h

@@ -191,7 +191,7 @@ LDAP_BEGIN_DECL
 
 #ifdef SLAPD_ACI_ENABLED
 #define SLAPD_ACI_SYNTAX		"1.3.6.1.4.1.4203.666.2.1"
-#endif
+#endif /* SLAPD_ACI_ENABLED */
 
 /* change this to "OpenLDAPset" */
 #define SLAPD_ACI_SET_ATTR		"template"
@@ -862,7 +862,7 @@ struct slap_internal_schema {
 	AttributeDescription *si_ad_saslAuthzFrom;
 #ifdef SLAPD_ACI_ENABLED
 	AttributeDescription *si_ad_aci;
-#endif
+#endif /* SLAPD_ACI_ENABLED */
 
 	/* dynamic entries */
 	AttributeDescription *si_ad_entryTtl;
@@ -1232,6 +1232,7 @@ typedef struct slap_dynacl_t {
 typedef struct slap_dn_access {
 	/* DN pattern */
 	AuthorizationInformation	a_dnauthz;
+#define	a_pat			a_dnauthz.sai_dn
 
 	slap_style_t		a_style;
 	int			a_level;
@@ -1315,25 +1316,18 @@ typedef struct slap_access {
 	/* DN pattern */
 	slap_dn_access		a_dn;
 #define a_dn_pat		a_dn.a_dnauthz.sai_dn
-#define	a_dn_style		a_dn.a_style
-#define	a_dn_level		a_dn.a_level
-#define	a_dn_self_level		a_dn.a_self_level
 #define	a_dn_at			a_dn.a_at
 #define	a_dn_self		a_dn.a_self
-#define	a_dn_expand		a_dn.a_expand
 
 	/* real DN pattern */
 	slap_dn_access		a_realdn;
 #define a_realdn_pat		a_realdn.a_dnauthz.sai_dn
-#define	a_realdn_style		a_realdn.a_style
-#define	a_realdn_level		a_realdn.a_level
-#define	a_realdn_self_level	a_realdn.a_self_level
 #define	a_realdn_at		a_realdn.a_at
 #define	a_realdn_self		a_realdn.a_self
-#define	a_realdn_expand		a_realdn.a_expand
 
+	/* used for ssf stuff
+	 * NOTE: the ssf stuff in a_realdn is ignored */
 #define	a_authz			a_dn.a_dnauthz
-#define	a_pat			a_dnauthz.sai_dn
 
 	/* connection related stuff */
 	slap_style_t a_peername_style;
@@ -1358,8 +1352,14 @@ typedef struct slap_access {
 	slap_dynacl_t		*a_dynacl;
 #else /* ! SLAP_DYNACL */
 #ifdef SLAPD_ACI_ENABLED
+	/* NOTE: ACIs have been moved under the "dynacl" interface,
+	 * which is currently built only when LDAP_DEVEL is defined.
+	 *
+	 * In any case, SLAPD_ACI_ENABLED, set by --enable-aci,
+	 * is required to enable ACI support.
+	 */
 	AttributeDescription	*a_aci_at;
-#endif
+#endif /* SLAPD_ACI_ENABLED */
 #endif /* SLAP_DYNACL */
 
 	/* ACL Groups */