+int
+backend_check_restrictions(
+ Backend *be,
+ Connection *conn,
+ Operation *op,
+ struct berval *opdata,
+ const char **text )
+{
+ int rc;
+ slap_mask_t restrictops;
+ slap_mask_t requires;
+ slap_mask_t opflag;
+ slap_ssf_set_t *ssf;
+ int updateop = 0;
+ int starttls = 0;
+ int session = 0;
+
+ if( be ) {
+ rc = backend_check_controls( be, conn, op, text );
+
+ if( rc != LDAP_SUCCESS ) {
+ return rc;
+ }
+
+ restrictops = be->be_restrictops;
+ requires = be->be_requires;
+ ssf = &be->be_ssf_set;
+
+ } else {
+ restrictops = global_restrictops;
+ requires = global_requires;
+ ssf = &global_ssf_set;
+ }
+
+ switch( op->o_tag ) {
+ case LDAP_REQ_ADD:
+ opflag = SLAP_RESTRICT_OP_ADD;
+ updateop++;
+ break;
+ case LDAP_REQ_BIND:
+ opflag = SLAP_RESTRICT_OP_BIND;
+ session++;
+ break;
+ case LDAP_REQ_COMPARE:
+ opflag = SLAP_RESTRICT_OP_COMPARE;
+ break;
+ case LDAP_REQ_DELETE:
+ updateop++;
+ opflag = SLAP_RESTRICT_OP_DELETE;
+ break;
+ case LDAP_REQ_EXTENDED:
+ opflag = SLAP_RESTRICT_OP_EXTENDED;
+
+ if( !opdata ) {
+ /* treat unspecified as a modify */
+ opflag = SLAP_RESTRICT_OP_MODIFY;
+ updateop++;
+ break;
+ }
+
+ {
+ struct berval bv = BER_BVC( LDAP_EXOP_START_TLS );
+ if( bvmatch( opdata, &bv ) ) {
+ session++;
+ starttls++;
+ break;
+ }
+ }
+
+ {
+ struct berval bv = BER_BVC( LDAP_EXOP_X_WHO_AM_I );
+ if( bvmatch( opdata, &bv ) ) {
+ break;
+ }
+ }
+
+ /* treat everything else as a modify */
+ opflag = SLAP_RESTRICT_OP_MODIFY;
+ updateop++;
+ break;
+
+ case LDAP_REQ_MODIFY:
+ updateop++;
+ opflag = SLAP_RESTRICT_OP_MODIFY;
+ break;
+ case LDAP_REQ_RENAME:
+ updateop++;
+ opflag = SLAP_RESTRICT_OP_RENAME;
+ break;
+ case LDAP_REQ_SEARCH:
+ opflag = SLAP_RESTRICT_OP_SEARCH;
+ break;
+ case LDAP_REQ_UNBIND:
+ session++;
+ opflag = 0;
+ break;
+ default:
+ *text = "restrict operations internal error";
+ return LDAP_OTHER;
+ }
+
+ if ( !starttls ) {
+ /* these checks don't apply to StartTLS */
+
+ if( op->o_transport_ssf < ssf->sss_transport ) {
+ *text = "transport confidentiality required";
+ return LDAP_CONFIDENTIALITY_REQUIRED;
+ }
+
+ if( op->o_tls_ssf < ssf->sss_tls ) {
+ *text = "TLS confidentiality required";
+ return LDAP_CONFIDENTIALITY_REQUIRED;
+ }
+
+
+ if( op->o_tag == LDAP_REQ_BIND && opdata == NULL ) {
+ /* simple bind specific check */
+ if( op->o_ssf < ssf->sss_simple_bind ) {
+ *text = "confidentiality required";
+ return LDAP_CONFIDENTIALITY_REQUIRED;
+ }
+ }
+
+ if( op->o_tag != LDAP_REQ_BIND || opdata == NULL ) {
+ /* these checks don't apply to SASL bind */
+
+ if( op->o_sasl_ssf < ssf->sss_sasl ) {
+ *text = "SASL confidentiality required";
+ return LDAP_CONFIDENTIALITY_REQUIRED;
+ }
+
+ if( op->o_ssf < ssf->sss_ssf ) {
+ *text = "confidentiality required";
+ return LDAP_CONFIDENTIALITY_REQUIRED;
+ }
+ }
+
+ if( updateop ) {
+ if( op->o_transport_ssf < ssf->sss_update_transport ) {
+ *text = "transport update confidentiality required";
+ return LDAP_CONFIDENTIALITY_REQUIRED;
+ }
+
+ if( op->o_tls_ssf < ssf->sss_update_tls ) {
+ *text = "TLS update confidentiality required";
+ return LDAP_CONFIDENTIALITY_REQUIRED;
+ }
+
+ if( op->o_sasl_ssf < ssf->sss_update_sasl ) {
+ *text = "SASL update confidentiality required";
+ return LDAP_CONFIDENTIALITY_REQUIRED;
+ }
+
+ if( op->o_ssf < ssf->sss_update_ssf ) {
+ *text = "update confidentiality required";
+ return LDAP_CONFIDENTIALITY_REQUIRED;
+ }
+
+ if( !( global_allows & SLAP_ALLOW_UPDATE_ANON ) &&
+ op->o_ndn.bv_len == 0 )
+ {
+ *text = "modifications require authentication";
+ return LDAP_STRONG_AUTH_REQUIRED;
+ }
+
+#ifdef SLAP_X_LISTENER_MOD
+ if ( ! ( conn->c_listener->sl_perms & S_IWUSR ) ) {
+ /* no "w" mode means readonly */
+ *text = "modifications not allowed on this listener";
+ return LDAP_UNWILLING_TO_PERFORM;
+ }
+#endif /* SLAP_X_LISTENER_MOD */
+ }
+ }
+
+ if ( !session ) {
+ /* these checks don't apply to Bind, StartTLS, or Unbind */
+
+ if( requires & SLAP_REQUIRE_STRONG ) {
+ /* should check mechanism */
+ if( ( op->o_transport_ssf < ssf->sss_transport
+ && op->o_authmech.bv_len == 0 ) || op->o_dn.bv_len == 0 )
+ {
+ *text = "strong authentication required";
+ return LDAP_STRONG_AUTH_REQUIRED;
+ }
+ }
+
+ if( requires & SLAP_REQUIRE_SASL ) {
+ if( op->o_authmech.bv_len == 0 || op->o_dn.bv_len == 0 ) {
+ *text = "SASL authentication required";
+ return LDAP_STRONG_AUTH_REQUIRED;
+ }
+ }
+
+ if( requires & SLAP_REQUIRE_AUTHC ) {
+ if( op->o_dn.bv_len == 0 ) {
+ *text = "authentication required";
+ return LDAP_UNWILLING_TO_PERFORM;
+ }
+ }
+
+ if( requires & SLAP_REQUIRE_BIND ) {
+ int version;
+ ldap_pvt_thread_mutex_lock( &conn->c_mutex );
+ version = conn->c_protocol;
+ ldap_pvt_thread_mutex_unlock( &conn->c_mutex );
+
+ if( !version ) {
+ /* no bind has occurred */
+ *text = "BIND required";
+ return LDAP_OPERATIONS_ERROR;
+ }
+ }
+
+ if( requires & SLAP_REQUIRE_LDAP_V3 ) {
+ if( op->o_protocol < LDAP_VERSION3 ) {
+ /* no bind has occurred */
+ *text = "operation restricted to LDAPv3 clients";
+ return LDAP_OPERATIONS_ERROR;
+ }
+ }
+
+#ifdef SLAP_X_LISTENER_MOD
+ if ( !starttls && op->o_dn.bv_len == 0 ) {
+ if ( ! ( conn->c_listener->sl_perms & S_IXUSR ) ) {
+ /* no "x" mode means bind required */
+ *text = "bind required on this listener";
+ return LDAP_STRONG_AUTH_REQUIRED;
+ }
+ }
+
+ if ( !starttls && !updateop ) {
+ if ( ! ( conn->c_listener->sl_perms & S_IRUSR ) ) {
+ /* no "r" mode means no read */
+ *text = "read not allowed on this listener";
+ return LDAP_UNWILLING_TO_PERFORM;
+ }
+ }
+#endif /* SLAP_X_LISTENER_MOD */
+
+ }
+
+ if( restrictops & opflag ) {
+ if( restrictops == SLAP_RESTRICT_OP_READS ) {
+ *text = "read operations restricted";
+ } else {
+ *text = "operation restricted";
+ }
+ return LDAP_UNWILLING_TO_PERFORM;
+ }
+
+ return LDAP_SUCCESS;
+}
+
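Review bot: The comment on the LDAP_VERSION3 check, `/* no bind has occurred */`, is copied from the SLAP_REQUIRE_BIND branch just above and does not describe the condition it annotates; replace it with `/* client negotiated a protocol version below 3 */`. Related, the SLAP_REQUIRE_STRONG branch still carries `/* should check mechanism */`: the test `op->o_transport_ssf < ssf->sss_transport && op->o_authmech.bv_len == 0` treats any non-empty mechanism name as strong regardless of the SSF it actually provides, so either the comment should state that assumption explicitly or the check should consult the negotiated SASL SSF (`op->o_sasl_ssf`) as the other branches do. Under SLAP_X_LISTENER_MOD, `conn->c_listener` is dereferenced in both the update branch and the session branch without a NULL check; whether an operation can reach this function without a listener is not visible from this hunk, and a one-line guard would make the assumption explicit. The `restrictops == SLAP_RESTRICT_OP_READS` comparison at the end is an equality rather than a mask test, so the "read operations restricted" text is only produced when reads are the sole restriction — fine if intentional, but worth a comment.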