From cdbf344be3db4c423f924e0e17e22285a72a1ea8 Mon Sep 17 00:00:00 2001
From: dugan <dugan@localhost>
Date: Thu, 24 May 2007 14:37:11 +0000
Subject: [PATCH] Fix global ACI target evaluation to support root DSE. Issue 1623.

---
 opends/src/server/org/opends/server/authorization/dseecompat/Aci.java    |    5 +++++
 opends/src/server/org/opends/server/authorization/dseecompat/Target.java |    4 +++-
 opends/resource/config/config.ldif                                       |    2 +-
 3 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/opends/resource/config/config.ldif b/opends/resource/config/config.ldif
index 5c20c55..9362b9c 100644
--- a/opends/resource/config/config.ldif
+++ b/opends/resource/config/config.ldif
@@ -54,7 +54,7 @@
 ds-cfg-global-aci: (targetattr!="userPassword||authPassword")(version 3.0; acl "Anonymous read access"; allow (read,search,compare) userdn="ldap:///anyone";)
 ds-cfg-global-aci: (targetattr="*")(version 3.0; acl "Self entry modification"; allow (write) userdn="ldap:///self";)
 ds-cfg-global-aci: (target="ldap:///cn=schema")(targetscope="base")(targetattr="attributeTypes||dITContentRules||dITStructureRules||ldapSyntaxes||matchingRules||matchingRuleUse||nameForms||objectClasses")(version 3.0; acl "User-Visible Schema Operational Attributes"; allow (read,search,compare) userdn="ldap:///anyone";)
-ds-cfg-global-aci: (targetattr="namingContexts||supportedAuthPasswordSchemes||supportedControl||supportedExtension||supportedFeatures||supportedSASLMechanisms||vendorName||vendorVersion")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow (read,search,compare) userdn="ldap:///anyone";)
+ds-cfg-global-aci: (target="ldap:///")(targetscope="base")(targetattr="namingContexts||supportedAuthPasswordSchemes||supportedControl||supportedExtension||supportedFeatures||supportedSASLMechanisms||vendorName||vendorVersion")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow (read,search,compare) userdn="ldap:///anyone";)
 ds-cfg-global-aci: (targetattr="createTimestamp||creatorsName||modifiersName||modifyTimestamp||entryDN||subschemaSubentry")(version 3.0; acl "User-Visible Operational Attributes"; allow (read,search,compare) userdn="ldap:///anyone";)
 cn: Access Control Handler
 ds-cfg-acl-handler-class: org.opends.server.authorization.dseecompat.AciProvider
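Review bot: The commit message does not mention that the replaced value of the "User-Visible Root DSE Operational Attributes" ACI had no `target` keyword, while the new value is limited to `(target="ldap:///")(targetscope="base")`. If the untargeted form also matched entries other than the root DSE (likely, but not shown in this patch), installations that keep an existing config.ldif would retain the broader anonymous read grant on those attribute names. The commit description or upgrade notes should say that deployed configurations need the same edit.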
diff --git a/opends/src/server/org/opends/server/authorization/dseecompat/Aci.java b/opends/src/server/org/opends/server/authorization/dseecompat/Aci.java
index bb665b4..834092f 100644
--- a/opends/src/server/org/opends/server/authorization/dseecompat/Aci.java
+++ b/opends/src/server/org/opends/server/authorization/dseecompat/Aci.java
@@ -123,6 +123,11 @@
                                                  "(ldap:///[^\\|]+)";
 
     /**
+     *  String used to check for NULL ldap URL.
+     */
+     public static final String NULL_LDAP_URL = "ldap:///";
+
+    /**
      * Regular expression used to match token that joins expressions (||).
      */
     public static final String LOGICAL_OR = "\\|\\|";
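Review bot: The Javadoc on `NULL_LDAP_URL` does not say what the value means. Going by the comment added in Target.java in this same patch, it stands for the root DSE, and it is an LDAP URL with an empty DN rather than a null. I would write `LDAP URL with an empty DN; as an ACI target it denotes the root DSE.` The declaration line is also indented one column deeper than the neighbouring `LOGICAL_OR` constant.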
diff --git a/opends/src/server/org/opends/server/authorization/dseecompat/Target.java b/opends/src/server/org/opends/server/authorization/dseecompat/Target.java
index 444e52e..660d26a 100644
--- a/opends/src/server/org/opends/server/authorization/dseecompat/Target.java
+++ b/opends/src/server/org/opends/server/authorization/dseecompat/Target.java
@@ -81,7 +81,9 @@
             throws AciException {
         this.operator = operator;
         try {
-          if (!Pattern.matches(LDAP_URL, target)) {
+          //The NULL_LDAP_URL corresponds to the root DSE.
+          if((!target.equals(NULL_LDAP_URL)) &&
+             (!Pattern.matches(LDAP_URL, target))) {
               int msgID = MSGID_ACI_SYNTAX_INVALID_TARGETKEYWORD_EXPRESSION;
               String message = getMessage(msgID, target);
               throw new AciException(msgID, message);
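Review bot: The new branch that lets `ldap:///` skip the `LDAP_URL` pattern check changes access-control evaluation, yet the diffstat lists no test file. I would add cases asserting that a target of `ldap:///` with `targetscope="base"` parses without an `AciException`, that the resulting ACI applies to the root DSE, and that it does not apply to an ordinary entry. The constructor continues past this hunk, so how the empty DN is decoded after the check is not visible here and should be covered by the same tests. As a style point, the condition reads more easily as `if (!target.equals(NULL_LDAP_URL) && !Pattern.matches(LDAP_URL, target)) {`.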

--
Gitblit v1.10.0