- setup framework for monitoring of back-bdb/back-hdb stuff in their

[openldap] / servers / slapd / acl.c

diff --git a/servers/slapd/acl.c b/servers/slapd/acl.c
index 954714cf7778e649f808d42cacc1d8fed9bb92cb..7b1c4a0854556da8466b02fd5dc56ff02ec7528a 100644 (file)
--- a/servers/slapd/acl.c
+++ b/servers/slapd/acl.c
@@ -354,7 +354,7 @@ access_allowed_mask(
                {
                        access = ACL_AUTH;
 
-               } else if ( get_manageDIT( op ) && access_level == ACL_WRITE &&
+               } else if ( get_relax( op ) && access_level == ACL_WRITE &&
                        desc == slap_schema.si_ad_entry )
                {
                        access = ACL_MANAGE;
@@ -387,14 +387,12 @@ access_allowed_mask(
                op->o_bd = LDAP_STAILQ_FIRST( &backendDB );
                be_null = 1;
 
-#ifdef LDAP_DEVEL
-               /*
-                * FIXME: experimental; use first backend rules
-                * iff there is no global_acl (ITS#3100) */
+               /* FIXME: experimental; use first backend rules
+                * iff there is no global_acl (ITS#3100)
+                */
                if ( frontendDB->be_acl != NULL ) {
                        op->o_bd = frontendDB;
                }
-#endif /* LDAP_DEVEL */
        }
        assert( op->o_bd != NULL );
 
@@ -649,6 +647,17 @@ slap_acl_get(
        return( NULL );
 }
 
+/*
+ * Record value-dependent access control state
+ */
+#define ACL_RECORD_VALUE_STATE do { \
+               if( state && !( state->as_recorded & ACL_STATE_RECORDED_VD )) { \
+                       state->as_recorded |= ACL_STATE_RECORDED_VD; \
+                       state->as_vd_acl = a; \
+                       state->as_vd_acl_count = count; \
+               } \
+       } while( 0 )
+
 static int
 acl_mask_dn(
        Operation               *op,
@@ -670,7 +679,7 @@ acl_mask_dn(
         * NOTE: styles "anonymous", "users" and "self" 
         * have been moved to enum slap_style_t, whose 
         * value is set in a_dn_style; however, the string
-        * is maintaned in a_dn_pat.
+        * is maintained in a_dn_pat.
         */
 
        if ( bdn->a_style == ACL_STYLE_ANONYMOUS ) {
@@ -996,6 +1005,8 @@ acl_mask_dnattr(
                if ( ! bdn->a_self )
                        return 1;
 
+               ACL_RECORD_VALUE_STATE;
+
                /* this is a self clause, check if the target is an
                 * attribute.
                 */
@@ -1088,7 +1099,7 @@ slap_acl_mask(
                         * NOTE: styles "anonymous", "users" and "self" 
                         * have been moved to enum slap_style_t, whose 
                         * value is set in a_dn_style; however, the string
-                        * is maintaned in a_dn_pat.
+                        * is maintained in a_dn_pat.
                         */
 
                        if ( acl_mask_dn( op, e, desc, val, a, nmatch, matches,
@@ -1112,7 +1123,7 @@ slap_acl_mask(
                         * NOTE: styles "anonymous", "users" and "self" 
                         * have been moved to enum slap_style_t, whose 
                         * value is set in a_dn_style; however, the string
-                        * is maintaned in a_dn_pat.
+                        * is maintained in a_dn_pat.
                         */
 
                        if ( op->o_conn && !BER_BVISNULL( &op->o_conn->c_ndn ) )
@@ -1603,6 +1614,8 @@ slap_acl_mask(
                        const char *dummy;
                        int rc, match = 0;
 
+                       ACL_RECORD_VALUE_STATE;
+
                        /* must have DN syntax */
                        if ( desc->ad_type->sat_syntax != slap_schema.si_syn_distinguishedName &&
                                !is_at_syntax( desc->ad_type, SLAPD_NAMEUID_SYNTAX )) continue;