]> git.sur5r.net Git - openldap/blobdiff - servers/slapd/backend.c
projects / openldap / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Preliminary checkin for new access_allowed() signature. Still need
[openldap] / servers / slapd / backend.c
diff --git a/servers/slapd/backend.c b/servers/slapd/backend.c
index 7e0dbce7d99f9a6648ecc5c486afdb40fd6ea947..4953724f4df08d570866cd4d06d5b3f98e306d40 100644 (file)
--- a/servers/slapd/backend.c
+++ b/servers/slapd/backend.c
@@ -226,9 +226,22 @@ int backend_startup_one(Backend *be, ConfigReply *cr)
                        (void)backend_set_controls( be );
 
                } else {
+                       char *type = be->bd_info->bi_type;
+                       char *suffix = "(null)";
+
+                       if ( overlay_is_over( be ) ) {
+                               slap_overinfo   *oi = (slap_overinfo *)be->bd_info->bi_private;
+                               type = oi->oi_orig->bi_type;
+                       }
+
+                       if ( be->be_suffix != NULL && !BER_BVISNULL( &be->be_suffix[0] ) ) {
+                               suffix = be->be_suffix[0].bv_val;
+                       }
+
                        Debug( LDAP_DEBUG_ANY,
-                               "backend_startup_one: bi_db_open failed! (%d)\n",
-                               rc, 0, 0 );
+                               "backend_startup_one (type=%s, suffix=\"%s\"): "
+                               "bi_db_open failed! (%d)\n",
+                               type, suffix, rc );
                }
        }
 
@@ -746,10 +759,10 @@ be_slurp_update( Operation *op )
 int
 be_shadow_update( Operation *op )
 {
-       /* This assumes that all internal ops (connid == -1) on a syncrepl
+       /* This assumes that all internal ops (connid <= -1000) on a syncrepl
         * database are syncrepl operations.
         */
-       return (( SLAP_SYNC_SHADOW( op->o_bd ) && op->o_connid == -1 ) ||
+       return ( ( SLAP_SYNC_SHADOW( op->o_bd ) && SLAPD_SYNC_IS_SYNCCONN( op->o_connid ) ) ||
                ( SLAP_SHADOW( op->o_bd ) && be_isupdate_dn( op->o_bd, &op->o_ndn ) ) );
 }
 
@@ -1296,7 +1309,8 @@ backend_check_restrictions(
        }
 
        if( ( restrictops & opflag )
-                       || ( exopflag && ( restrictops & exopflag ) ) ) {
+                       || ( exopflag && ( restrictops & exopflag ) )
+                       || (( restrictops & SLAP_RESTRICT_READONLY ) && updateop )) {
                if( ( restrictops & SLAP_RESTRICT_OP_MASK) == SLAP_RESTRICT_OP_READS ) {
                        rs->sr_text = "read operations restricted";
                } else if ( restrictops & exopflag ) {
@@ -1611,11 +1625,11 @@ fe_acl_attribute(
        BerVarray *vals,
        slap_access_t access )
 {
-       Entry                   *e = NULL;
        void                    *o_priv = op->o_private, *e_priv = NULL;
        Attribute               *a = NULL;
        int                     freeattr = 0, i, j, rc = LDAP_SUCCESS;
        AccessControlState      acl_state = ACL_STATE_INIT;
+       AclCheck                ak;
        Backend                 *be = op->o_bd;
        OpExtra         *oex;
 
@@ -1631,30 +1645,34 @@ fe_acl_attribute(
                op->o_bd = select_backend( edn, 0 );
 
        if ( target && dn_match( &target->e_nname, edn ) ) {
-               e = target;
+               ak.ak_e = target;
 
        } else {
                op->o_private = NULL;
-               rc = be_entry_get_rw( op, edn, NULL, entry_at, 0, &e );
+               ak.ak_e = NULL;
+               rc = be_entry_get_rw( op, edn, NULL, entry_at, 0, &ak.ak_e );
                e_priv = op->o_private;
                op->o_private = o_priv;
        } 
 
-       if ( e ) {
+       if ( ak.ak_e ) {
+               ak.ak_state = &acl_state;
+               ak.ak_desc = entry_at;
+               ak.ak_access = access;
                if ( entry_at == slap_schema.si_ad_entry || entry_at == slap_schema.si_ad_children ) {
                        assert( vals == NULL );
 
+                       ak.ak_val = NULL;
                        rc = LDAP_SUCCESS;
                        if ( op->o_conn && access > ACL_NONE &&
-                               access_allowed( op, e, entry_at, NULL,
-                                               access, &acl_state ) == 0 )
+                               access_allowed( op, &ak ) == 0 )
                        {
                                rc = LDAP_INSUFFICIENT_ACCESS;
                        }
                        goto freeit;
                }
 
-               a = attr_find( e->e_attrs, entry_at );
+               a = attr_find( ak.ak_e->e_attrs, entry_at );
                if ( a == NULL ) {
                        SlapReply       rs = { 0 };
                        AttributeName   anlist[ 2 ];
@@ -1667,7 +1685,7 @@ fe_acl_attribute(
                        /* NOTE: backend_operational() is also called
                         * when returning results, so it's supposed
                         * to do no harm to entries */
-                       rs.sr_entry = e;
+                       rs.sr_entry = ak.ak_e;
                        rc = backend_operational( op, &rs );
                        rs.sr_entry = NULL;
  
@@ -1686,8 +1704,7 @@ fe_acl_attribute(
                        BerVarray v;
 
                        if ( op->o_conn && access > ACL_NONE &&
-                               access_allowed( op, e, entry_at, NULL,
-                                               access, &acl_state ) == 0 )
+                               access_allowed( op, &ak ) == 0 )
                        {
                                rc = LDAP_INSUFFICIENT_ACCESS;
                                goto freeit;
@@ -1698,11 +1715,9 @@ fe_acl_attribute(
                                op->o_tmpmemctx );
                        for ( i = 0, j = 0; !BER_BVISNULL( &a->a_vals[i] ); i++ )
                        {
+                               ak.ak_val = &a->a_nvals[i];
                                if ( op->o_conn && access > ACL_NONE && 
-                                       access_allowed( op, e, entry_at,
-                                                       &a->a_nvals[i],
-                                                       access,
-                                                       &acl_state ) == 0 )
+                                       access_allowed( op, &ak ) == 0 )
                                {
                                        continue;
                                }
@@ -1723,9 +1738,9 @@ fe_acl_attribute(
                                rc = LDAP_SUCCESS;
                        }
                }
-freeit:                if ( e != target ) {
+freeit:                if ( ak.ak_e != target ) {
                        op->o_private = e_priv;
-                       be_entry_release_r( op, e );
+                       be_entry_release_r( op, ak.ak_e );
                        op->o_private = o_priv;
                }
                if ( freeattr ) {
@@ -1767,50 +1782,43 @@ backend_attribute(
 int 
 backend_access(
        Operation               *op,
-       Entry                   *target,
-       struct berval           *edn,
-       AttributeDescription    *entry_at,
-       struct berval           *nval,
-       slap_access_t           access,
-       slap_mask_t             *mask )
+       AclCheck                *ak,
+       struct berval           *edn )
 {
-       Entry           *e = NULL;
        void            *o_priv = op->o_private, *e_priv = NULL;
        int             rc = LDAP_INSUFFICIENT_ACCESS;
        Backend         *be = op->o_bd;
+       int freeent = 0;
 
        /* pedantic */
        assert( op != NULL );
        assert( op->o_conn != NULL );
        assert( edn != NULL );
-       assert( access > ACL_NONE );
+       assert( ak->ak_access > ACL_NONE );
 
        if ( !op->o_bd ) {
                op->o_bd = select_backend( edn, 0 );
        }
 
-       if ( target && dn_match( &target->e_nname, edn ) ) {
-               e = target;
-
-       } else {
+       if ( !ak->ak_e || !dn_match( &ak->ak_e->e_nname, edn ) ) {
                op->o_private = NULL;
-               rc = be_entry_get_rw( op, edn, NULL, entry_at, 0, &e );
+               rc = be_entry_get_rw( op, edn, NULL, ak->ak_desc, 0, &ak->ak_e );
+               freeent = 1;
                e_priv = op->o_private;
                op->o_private = o_priv;
        } 
 
-       if ( e ) {
+       if ( ak->ak_e ) {
                Attribute       *a = NULL;
                int             freeattr = 0;
 
-               if ( entry_at == NULL ) {
-                       entry_at = slap_schema.si_ad_entry;
+               if ( ak->ak_desc == NULL ) {
+                       ak->ak_desc = slap_schema.si_ad_entry;
                }
 
-               if ( entry_at == slap_schema.si_ad_entry || entry_at == slap_schema.si_ad_children )
+               if ( ak->ak_desc == slap_schema.si_ad_entry || ak->ak_desc == slap_schema.si_ad_children )
                {
-                       if ( access_allowed_mask( op, e, entry_at,
-                                       NULL, access, NULL, mask ) == 0 )
+                       if ( access_allowed( op, ak ) == 0 )
                        {
                                rc = LDAP_INSUFFICIENT_ACCESS;
 
@@ -1819,13 +1827,13 @@ backend_access(
                        }
 
                } else {
-                       a = attr_find( e->e_attrs, entry_at );
+                       a = attr_find( ak->ak_e->e_attrs, ak->ak_desc );
                        if ( a == NULL ) {
                                SlapReply       rs = { 0 };
                                AttributeName   anlist[ 2 ];
 
-                               anlist[ 0 ].an_name = entry_at->ad_cname;
-                               anlist[ 0 ].an_desc = entry_at;
+                               anlist[ 0 ].an_name = ak->ak_desc->ad_cname;
+                               anlist[ 0 ].an_desc = ak->ak_desc;
                                BER_BVZERO( &anlist[ 1 ].an_name );
                                rs.sr_attrs = anlist;
                        
@@ -1834,7 +1842,7 @@ backend_access(
                                /* NOTE: backend_operational() is also called
                                 * when returning results, so it's supposed
                                 * to do no harm to entries */
-                               rs.sr_entry = e;
+                               rs.sr_entry = ak->ak_e;
                                rc = backend_operational( op, &rs );
                                rs.sr_entry = NULL;
 
@@ -1850,8 +1858,7 @@ backend_access(
                        }
 
                        if ( a ) {
-                               if ( access_allowed_mask( op, e, entry_at,
-                                               nval, access, NULL, mask ) == 0 )
+                               if ( access_allowed( op, ak ) == 0 )
                                {
                                        rc = LDAP_INSUFFICIENT_ACCESS;
                                        goto freeit;
@@ -1859,9 +1866,9 @@ backend_access(
                                rc = LDAP_SUCCESS;
                        }
                }
-freeit:                if ( e != target ) {
+freeit:                if ( freeent ) {
                        op->o_private = e_priv;
-                       be_entry_release_r( op, e );
+                       be_entry_release_r( op, ak->ak_e );
                        op->o_private = o_priv;
                }
                if ( freeattr ) {
Cloned from git://git.openldap.org/openldap.git