]> git.sur5r.net Git - openldap/blobdiff - contrib/slapd-modules/allowed/allowed.c
projects / openldap / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Merge remote-tracking branch 'origin/mdb.master'
[openldap] / contrib / slapd-modules / allowed / allowed.c
diff --git a/contrib/slapd-modules/allowed/allowed.c b/contrib/slapd-modules/allowed/allowed.c
index 85b1334bc85fac72ecb9c7a88ea9c6d403d1fc11..7da0650604e87234590a3d32e383327e1f50c381 100644 (file)
--- a/contrib/slapd-modules/allowed/allowed.c
+++ b/contrib/slapd-modules/allowed/allowed.c
@@ -2,7 +2,7 @@
 /* $OpenLDAP$ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2006-2009 The OpenLDAP Foundation.
+ * Copyright 2006-2014 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -47,11 +47,23 @@
 #include "slap.h"
 
 /*
- * Schema from
+ * NOTE: part of the schema definition reported below is taken
+ * from Microsoft schema definitions (OID, NAME, SYNTAX);
  *
+ * EQUALITY is taken from
  * <http://www.redhat.com/archives/fedora-directory-devel/2006-August/msg00007.html>
+ * (posted by Andrew Bartlett)
  *
- * posted by Andrew Bartlett
+ * The rest is guessed.  Specifically
+ *
+ * DESC briefly describes the purpose
+ *
+ * NO-USER-MODIFICATION is added to make attributes operational
+ *
+ * USAGE is set to "dSAOperation" as per ITS#7493,
+ * to prevent replication, since this information
+ * is generated (based on ACL and identity of request)
+ * and not stored.
  */
 
 #define AA_SCHEMA_AT "1.2.840.113556.1.4"
@@ -73,7 +85,7 @@ static struct {
                /* added by me :) */
                "DESC 'Child classes allowed for a given object' "
                "NO-USER-MODIFICATION "
-               "USAGE directoryOperation )", &ad_allowedChildClasses },
+               "USAGE dSAOperation )", &ad_allowedChildClasses },
        { "( " AA_SCHEMA_AT ".912 "
                "NAME 'allowedChildClassesEffective' "
                "EQUALITY objectIdentifierMatch "
@@ -81,7 +93,7 @@ static struct {
                /* added by me :) */
                "DESC 'Child classes allowed for a given object according to ACLs' "
                "NO-USER-MODIFICATION "
-               "USAGE directoryOperation )", &ad_allowedChildClassesEffective },
+               "USAGE dSAOperation )", &ad_allowedChildClassesEffective },
        { "( " AA_SCHEMA_AT ".913 "
                "NAME 'allowedAttributes' "
                "EQUALITY objectIdentifierMatch "
@@ -89,7 +101,7 @@ static struct {
                /* added by me :) */
                "DESC 'Attributes allowed for a given object' "
                "NO-USER-MODIFICATION "
-               "USAGE directoryOperation )", &ad_allowedAttributes },
+               "USAGE dSAOperation )", &ad_allowedAttributes },
        { "( " AA_SCHEMA_AT ".914 "
                "NAME 'allowedAttributesEffective' "
                "EQUALITY objectIdentifierMatch "
@@ -97,7 +109,7 @@ static struct {
                /* added by me :) */
                "DESC 'Attributes allowed for a given object according to ACLs' "
                "NO-USER-MODIFICATION "
-               "USAGE directoryOperation )", &ad_allowedAttributesEffective },
+               "USAGE dSAOperation )", &ad_allowedAttributesEffective },
 
        /* TODO: add objectClass stuff? */
 
@@ -214,14 +226,6 @@ aa_operational( Operation *op, SlapReply *rs )
        /* shouldn't be called without an entry; please check */
        assert( rs->sr_entry != NULL );
 
-       /* if client has no access to objectClass attribute; don't compute */
-       if ( ( got & GOT_CE ) &&
-               !access_allowed( op, rs->sr_entry, slap_schema.si_ad_children,
-                               NULL, ACL_WRITE, &acl_state ) )
-       {
-               got &= ~GOT_CE;
-       }
-
        for ( ap = &rs->sr_operational_attrs; *ap != NULL; ap = &(*ap)->a_next )
                /* go to last */ ;
 
@@ -330,13 +334,13 @@ do_oc:;
        if ( ( got & GOT_C ) || ( got & GOT_CE ) ) {
                BerVarray       bv_allowed = NULL,
                                bv_effective = NULL;
-               int             i, na, ne, ja = 0, je = 0;
+               int             i, ja = 0, je = 0;
 
                ObjectClass     *oc;
 
                for ( oc_start( &oc ); oc != NULL; oc_next( &oc ) ) {
-                       /* we can only add STRCUCTURAL objectClasses */
-                       if ( oc->soc_kind != LDAP_SCHEMA_STRUCTURAL ) {
+                       /* we can only add AUXILIARY objectClasses */
+                       if ( oc->soc_kind != LDAP_SCHEMA_AUXILIARY ) {
                                continue;
                        }
 
@@ -344,31 +348,53 @@ do_oc:;
                }
 
                if ( got & GOT_C ) {
-                       na = i;
-                       bv_allowed = ber_memalloc( sizeof( struct berval ) * ( na + 1 ) );
+                       bv_allowed = ber_memalloc( sizeof( struct berval ) * ( i + 1 ) );
                }
                if ( got & GOT_CE ) {
-                       ne = i;
-                       bv_effective = ber_memalloc( sizeof( struct berval ) * ( ne + 1 ) );
+                       bv_effective = ber_memalloc( sizeof( struct berval ) * ( i + 1 ) );
                }
 
                for ( oc_start( &oc ); oc != NULL; oc_next( &oc ) ) {
-                       /* we can only add STRCUCTURAL objectClasses */
-                       if ( oc->soc_kind != LDAP_SCHEMA_STRUCTURAL ) {
+                       /* we can only add AUXILIARY objectClasses */
+                       if ( oc->soc_kind != LDAP_SCHEMA_AUXILIARY ) {
                                continue;
                        }
 
                        if ( got & GOT_C ) {
                                ber_dupbv( &bv_allowed[ ja ], &oc->soc_cname );
-                               assert( ja < na );
                                ja++;
                        }
 
                        if ( got & GOT_CE ) {
+                               if ( !access_allowed( op, rs->sr_entry,
+                                       slap_schema.si_ad_objectClass,
+                                       &oc->soc_cname, ACL_WRITE, NULL ) )
+                               {
+                                       goto done_ce;
+                               }
+
+                               if ( oc->soc_required ) {
+                                       for ( i = 0; oc->soc_required[ i ] != NULL; i++ ) {
+                                               AttributeDescription    *ad = NULL;
+                                               const char              *text = NULL;
+       
+                                               if ( slap_bv2ad( &oc->soc_required[ i ]->sat_cname, &ad, &text ) ) {
+                                                       /* log? */
+                                                       continue;
+                                               }
+
+                                               if ( !access_allowed( op, rs->sr_entry,
+                                                       ad, NULL, ACL_WRITE, NULL ) )
+                                               {
+                                                       goto done_ce;
+                                               }
+                                       }
+                               }
+
                                ber_dupbv( &bv_effective[ je ], &oc->soc_cname );
-                               assert( je < ne );
                                je++;
                        }
+done_ce:;
                }
 
                if ( ( got & GOT_C ) && ja > 0 ) {
Cloned from git://git.openldap.org/openldap.git