#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ldap.h>
#include <ldap_ds_constants.h>
#if defined(N_PLAT_NLM) && defined(LIBC)
#include <screen.h>
#endif
/* Forward declarations for the helpers defined after main(). */
int findACLValues( LDAP *ld, char *entryDN );
void printACLValue( char *aclValue );

/* Usage text shown when the six positional arguments are not all present. */
static char usage[] =
    "\n Usage: modifyACL <host name> <port number> <login dn> <password>\n"
    " <entry dn> <trustee dn>\n"
    " Example: modifyACL Acme.com 389 cn=Admin,o=Acme secret\n"
    " cn=test,ou=Sales,o=Acme cn=trustee,o=Acme\n";
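/*
 * modifyACL sample: binds to the directory, adds an "acl" value granting the
 * trustee browse/add/delete entry rights on <entry dn>, reads the entry's ACL
 * values back, and then removes the value it added.
 *
 * argv: host, port, login dn, password, entry dn, trustee dn (see usage).
 * Returns 0 when every step succeeded, 1 otherwise.  Once the ACL value has
 * been added it is always removed again, even if reading it back failed, so
 * a failed run does not leave the extra rights behind.
 */
int main( int argc, char **argv)
{
    int version = LDAP_VERSION3;
    int rc;
    int status = 1;              /* exit status: 0 only on full success */
    int readOk = 0;              /* findACLValues() reported LDAP_SUCCESS */
    int ldapPort, privileges, n;
    long port;
    char *endp;
    char *ldapHost, *loginDN, *password, *entryDN, *trusteeDN;
    char *modValues[2], aclValue[128];
    LDAPMod modACL = {0}, *modify[2];
    LDAP *ld = NULL;
    struct timeval timeOut = {10,0};

#if defined(N_PLAT_NLM) && defined(LIBC)
    setscreenmode(SCR_NO_MODE);
#endif

    if (argc != 7) {
        printf("%s", usage);
        return 1;
    }
    ldapHost  = argv[1];
    loginDN   = argv[3];
    password  = argv[4];   /* command-line secret: visible in process listings and shell history */
    entryDN   = argv[5];
    trusteeDN = argv[6];

    /* Validate the port before touching the network: atoi() would turn
       garbage into 0 and an out-of-range value into whatever fits. */
    errno = 0;
    port = strtol(argv[2], &endp, 10);
    if (endp == argv[2] || *endp != '\0' || errno == ERANGE || port < 1 || port > 65535) {
        printf("\n Invalid port number: %s\n", argv[2]);
        return 1;
    }
    ldapPort = (int)port;

    /* Build the ACL value up front so a malformed or oversized trustee DN is
       rejected before any bind.  trusteeDN is user-supplied: snprintf bounds
       the write where the former sprintf()/strcat() chain did not. */
    privileges = LDAP_DS_ENTRY_BROWSE | LDAP_DS_ENTRY_ADD | LDAP_DS_ENTRY_DELETE;
    n = snprintf(aclValue, sizeof aclValue, "%d#entry#%s#[Entry Rights]",
                 privileges, trusteeDN);
    if (n < 0 || (size_t)n >= sizeof aclValue) {
        printf("\n Trustee DN too long: the ACL value must fit in %zu bytes\n",
               sizeof aclValue - 1);
        return 1;
    }

    /* Both options must take effect: without LDAPv3 the ACL modify is not
       meaningful, and without the timeout a dead host blocks forever.
       ldap_set_option() reports success as 0. */
    if (ldap_set_option(NULL, LDAP_OPT_PROTOCOL_VERSION, &version) != 0 ||
        ldap_set_option(NULL, LDAP_OPT_NETWORK_TIMEOUT, &timeOut) != 0) {
        printf("\n ldap_set_option failed\n");
        return 1;
    }

    if ((ld = ldap_init(ldapHost, ldapPort)) == NULL) {
        printf("\n LDAP session initialization failed\n");
        return 1;
    }
    printf("\n LDAP session initialized\n");

    /* Simple bind sends the password in the clear; this sample sets up no
       TLS, so it is only suitable for a trusted network. */
    rc = ldap_simple_bind_s(ld, loginDN, password);
    if (rc != LDAP_SUCCESS) {
        printf("\n ldap_simple_bind_s: %s\n", ldap_err2string(rc));
        goto out_unbind;
    }
    printf("\n Bind successful\n");

    modACL.mod_op = LDAP_MOD_ADD;
    modACL.mod_type = "acl";
    modValues[0] = aclValue;
    modValues[1] = NULL;
    modACL.mod_values = modValues;
    modify[0] = &modACL;
    modify[1] = NULL;

    printf("\n Entry DN: %s", entryDN);
    printf("\n Trustee DN: %s\n", trusteeDN);
    printf("\n Modifying entry's ACL values ...");
    rc = ldap_modify_ext_s(ld, entryDN, modify, NULL, NULL);
    if (rc != LDAP_SUCCESS) {
        printf("\n ldap_modify_ext_s: %s\n", ldap_err2string(rc));
        goto out_unbind;
    }
    printf("\n Modified entry's ACL values to grant the trustee the 'read', "
           "\n 'write', and 'delete' entry rights.\n");

    rc = findACLValues(ld, entryDN);
    if (rc != LDAP_SUCCESS) {
        printf("\n Failed to read the entry: %s\n", ldap_err2string(rc));
        /* fall through: the value was added, so still remove it below */
    } else {
        readOk = 1;
    }

    /* Same LDAPMod, now as a delete of the exact value added above. */
    printf("\n\n Removing entry's modified ACL value ...\n");
    modACL.mod_op = LDAP_MOD_DELETE;
    rc = ldap_modify_ext_s(ld, entryDN, modify, NULL, NULL);
    if (rc != LDAP_SUCCESS) {
        printf("\n ldap_modify_ext_s: %s\n", ldap_err2string(rc));
        goto out_unbind;
    }
    printf(" Removed entry's modified ACL value.\n");
    status = readOk ? 0 : 1;

out_unbind:
    ldap_unbind_s(ld);
    return status;
}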
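/*
 * Read entryDN (base scope) and print each of its "acl" values via
 * printACLValue().
 *
 * Returns the ldap_search_ext_s() result code; LDAP_NO_SUCH_OBJECT when the
 * search succeeded but returned no entry.  An entry without a readable "acl"
 * attribute is reported on stdout and still counts as success.
 * The caller owns ld; nothing allocated here outlives the call.
 */
int findACLValues( LDAP *ld, char *entryDN)
{
    int rc, i;
    char *attrs[] = { "acl", NULL };
    char **values;
    LDAPMessage *searchResult = NULL;   /* NULL so the failure path never frees garbage */
    LDAPMessage *entry;
    struct timeval timeOut = {10,0};

    rc = ldap_search_ext_s( ld, entryDN, LDAP_SCOPE_BASE, "(objectclass=*)",
                            attrs, 0, NULL, NULL, &timeOut, LDAP_NO_LIMIT,
                            &searchResult );
    if ( rc != LDAP_SUCCESS ) {
        /* A failed search may still hand back a (partial) result to free. */
        if ( searchResult != NULL )
            ldap_msgfree( searchResult );
        return rc;
    }

    printf("\n ===========================================================");
    printf("\n entry's ACL values after modification: " );
    printf("\n ===========================================================");

    entry = ldap_first_entry( ld, searchResult );
    if ( entry == NULL ) {
        /* Success with an empty result: the entry is not visible to us. */
        printf("\n (no entry returned)");
        rc = LDAP_NO_SUCH_OBJECT;
    } else if ( ( values = ldap_get_values( ld, entry, attrs[0] ) ) == NULL ) {
        /* Only "acl" was requested, so ask for it by name rather than
           iterating attributes; no ber handle is needed this way. */
        printf("\n (no acl values readable)");
    } else {
        for ( i = 0; values[ i ] != NULL; i++ )
            printACLValue( values[i] );
        ldap_value_free( values );
    }
    ldap_msgfree( searchResult );
    return rc;
}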
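/* Append name to buf (total capacity cap) without overflowing; truncates silently. */
static void appendPrivName( char *buf, size_t cap, const char *name )
{
    size_t used = strlen( buf );
    if ( used < cap )
        snprintf( buf + used, cap - used, "%s", name );
}

/* Return the last '#' in [start, end), or NULL if there is none. */
static const char *lastSepBefore( const char *start, const char *end )
{
    while ( end > start ) {
        --end;
        if ( *end == '#' )
            return end;
    }
    return NULL;
}

/*
 * Print one "acl" value in readable form.
 *
 * aclValue: an ACL value as returned by the directory, expected as
 *   "<privileges>#<scope>#<trustee dn>#<protected attribute name>".
 *   The value is parsed in place without modifying it.  Because it comes
 *   from the server it is not trusted to be well formed: a value with fewer
 *   than three '#' separators or without a leading number is reported as
 *   malformed instead of being dereferenced past a NULL strrchr() result.
 */
void printACLValue( char* aclValue )
{
    const char *sep1, *sep2, *sep3;      /* the three '#' separators, left to right */
    const char *scope, *trusteeDN, *protectedAttrName;
    char *endp;
    int privileges;
    char privs[128];                     /* longest possible name list is < 90 bytes */

    if ( aclValue == NULL
         || ( sep3 = strrchr( aclValue, '#' ) ) == NULL
         || ( sep2 = lastSepBefore( aclValue, sep3 ) ) == NULL
         || ( sep1 = lastSepBefore( aclValue, sep2 ) ) == NULL ) {
        printf("\n Malformed ACL value: %s", aclValue == NULL ? "(null)" : aclValue);
        printf("\n ------------------------------------------------------");
        return;
    }
    scope = sep1 + 1;
    trusteeDN = sep2 + 1;
    protectedAttrName = sep3 + 1;

    /* sscanf("%d") left privileges uninitialized when no number was present;
       strtol reports that case through endp. */
    privileges = (int)strtol( aclValue, &endp, 10 );
    if ( endp == aclValue ) {
        printf("\n Malformed ACL value (no privilege number): %s", aclValue);
        printf("\n ------------------------------------------------------");
        return;
    }

    privs[0] = '\0';
    if ( strcmp( protectedAttrName, "[Entry Rights]" ) == 0 ) {
        if ( privileges & LDAP_DS_ENTRY_BROWSE )
            appendPrivName( privs, sizeof privs, "BrowseEntry " );
        if ( privileges & LDAP_DS_ENTRY_ADD )
            appendPrivName( privs, sizeof privs, "AddEntry " );
        if ( privileges & LDAP_DS_ENTRY_DELETE )
            appendPrivName( privs, sizeof privs, "DeleteEntry " );
        if ( privileges & LDAP_DS_ENTRY_RENAME )
            appendPrivName( privs, sizeof privs, "RenameEntry " );
        if ( privileges & LDAP_DS_ENTRY_SUPERVISOR )
            appendPrivName( privs, sizeof privs, "Supervisor" );
    } else {
        if ( privileges & LDAP_DS_ATTR_COMPARE )
            appendPrivName( privs, sizeof privs, "CompareAttributes " );
        if ( privileges & LDAP_DS_ATTR_READ )
            appendPrivName( privs, sizeof privs, "ReadAttributes " );
        if ( privileges & LDAP_DS_ATTR_WRITE )
            appendPrivName( privs, sizeof privs, "Write/Add/DeleteAttributes " );
        if ( privileges & LDAP_DS_ATTR_SELF )
            appendPrivName( privs, sizeof privs, "Add/DeleteSelf " );
        if ( privileges & LDAP_DS_ATTR_SUPERVISOR )
            appendPrivName( privs, sizeof privs, "Supervisor" );
    }

    /* Middle fields are printed by length since the value is not split in place. */
    printf("\n Trustee DN: %.*s", (int)(sep3 - trusteeDN), trusteeDN);
    printf("\n Scope: %.*s", (int)(sep2 - scope), scope);
    printf("\n Protected attribute name: %s", protectedAttrName);
    printf("\n Privileges: %s", privs);   /* was &privs: a char(*)[128] passed to %s */
    printf("\n ------------------------------------------------------");
}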