]> git.sur5r.net Git - openldap/blobdiff - servers/slapd/bconfig.c
projects / openldap / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Preliminary checkin for new access_allowed() signature. Still need
[openldap] / servers / slapd / bconfig.c
diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c
index 191a497ae40406fc5e95cd7fd6d27561fd1def7b..6a67f3851d82cb6a696d8a8f606485fb6ce3ff89 100644 (file)
--- a/servers/slapd/bconfig.c
+++ b/servers/slapd/bconfig.c
@@ -190,6 +190,7 @@ enum {
        CFG_IX_INTLEN,
        CFG_SYNTAX,
        CFG_ACL_ADD,
+       CFG_SYNC_SUBENTRY,
 
        CFG_LAST
 };
@@ -604,6 +605,10 @@ static ConfigTable config_back_cf_table[] = {
                &config_suffix, "( OLcfgDbAt:0.10 NAME 'olcSuffix' "
                        "EQUALITY distinguishedNameMatch "
                        "SYNTAX OMsDN )", NULL, NULL },
+       { "sync_use_subentry", NULL, 0, 0, 0, ARG_ON_OFF|ARG_DB|ARG_MAGIC|CFG_SYNC_SUBENTRY,
+               &config_generic, "( OLcfgDbAt:0.19 NAME 'olcSyncUseSubentry' "
+                       "DESC 'Store sync context in a subentry' "
+                       "SYNTAX OMsBoolean SINGLE-VALUE )", NULL, NULL },
        { "syncrepl", NULL, 0, 0, 0, ARG_DB|ARG_MAGIC,
                &syncrepl_config, "( OLcfgDbAt:0.11 NAME 'olcSyncrepl' "
                        "EQUALITY caseIgnoreMatch "
@@ -815,7 +820,7 @@ static ConfigOCs cf_ocs[] = {
                 "olcMaxDerefDepth $ olcPlugin $ olcReadOnly $ olcReplica $ "
                 "olcReplicaArgsFile $ olcReplicaPidFile $ olcReplicationInterval $ "
                 "olcReplogFile $ olcRequires $ olcRestrict $ olcRootDN $ olcRootPW $ "
-                "olcSchemaDN $ olcSecurity $ olcSizeLimit $ olcSyncrepl $ "
+                "olcSchemaDN $ olcSecurity $ olcSizeLimit $ olcSyncUseSubentry $ olcSyncrepl $ "
                 "olcTimeLimit $ olcUpdateDN $ olcUpdateRef $ olcMirrorMode $ "
                 "olcMonitoring ) )",
                        Cft_Database, NULL, cfAddDatabase },
@@ -1085,6 +1090,9 @@ config_generic(ConfigArgs *c) {
                case CFG_LASTMOD:
                        c->value_int = (SLAP_NOLASTMOD(c->be) == 0);
                        break;
+               case CFG_SYNC_SUBENTRY:
+                       c->value_int = (SLAP_SYNC_SUBENTRY(c->be) != 0);
+                       break;
                case CFG_MIRRORMODE:
                        if ( SLAP_SHADOW(c->be))
                                c->value_int = (SLAP_SINGLE_SHADOW(c->be) == 0);
@@ -1197,6 +1205,7 @@ config_generic(ConfigArgs *c) {
                case CFG_SSTR_IF_MAX:
                case CFG_SSTR_IF_MIN:
                case CFG_ACL_ADD:
+               case CFG_SYNC_SUBENTRY:
                        break;
 
                /* no-ops, requires slapd restart */
@@ -1901,6 +1910,13 @@ sortval_reject:
                                SLAP_DBFLAGS(c->be) &= ~SLAP_DBFLAG_HIDDEN;
                        break;
 
+               case CFG_SYNC_SUBENTRY:
+                       if (c->value_int)
+                               SLAP_DBFLAGS(c->be) |= SLAP_DBFLAG_SYNC_SUBENTRY;
+                       else
+                               SLAP_DBFLAGS(c->be) &= ~SLAP_DBFLAG_SYNC_SUBENTRY;
+                       break;
+
                case CFG_SSTR_IF_MAX:
                        if (c->value_uint < index_substr_if_minlen) {
                                snprintf( c->cr_msg, sizeof( c->cr_msg ), "<%s> invalid value", c->argv[0] );
@@ -1994,29 +2010,40 @@ sortval_reject:
                case CFG_REWRITE: {
                        struct berval bv;
                        char *line;
-                       
+                       int rc = 0;
+
+                       if ( c->op == LDAP_MOD_ADD ) {
+                               c->argv++;
+                               c->argc--;
+                       }
                        if(slap_sasl_rewrite_config(c->fname, c->lineno, c->argc, c->argv))
-                               return(1);
+                               rc = 1;
+                       if ( rc == 0 ) {
 
-                       if ( c->argc > 1 ) {
-                               char    *s;
+                               if ( c->argc > 1 ) {
+                                       char    *s;
 
-                               /* quote all args but the first */
-                               line = ldap_charray2str( c->argv, "\" \"" );
-                               ber_str2bv( line, 0, 0, &bv );
-                               s = ber_bvchr( &bv, '"' );
-                               assert( s != NULL );
-                               /* move the trailing quote of argv[0] to the end */
-                               AC_MEMCPY( s, s + 1, bv.bv_len - ( s - bv.bv_val ) );
-                               bv.bv_val[ bv.bv_len - 1 ] = '"';
+                                       /* quote all args but the first */
+                                       line = ldap_charray2str( c->argv, "\" \"" );
+                                       ber_str2bv( line, 0, 0, &bv );
+                                       s = ber_bvchr( &bv, '"' );
+                                       assert( s != NULL );
+                                       /* move the trailing quote of argv[0] to the end */
+                                       AC_MEMCPY( s, s + 1, bv.bv_len - ( s - bv.bv_val ) );
+                                       bv.bv_val[ bv.bv_len - 1 ] = '"';
 
-                       } else {
-                               ber_str2bv( c->argv[ 0 ], 0, 1, &bv );
+                               } else {
+                                       ber_str2bv( c->argv[ 0 ], 0, 1, &bv );
+                               }
+
+                               ber_bvarray_add( &authz_rewrites, &bv );
                        }
-                       
-                       ber_bvarray_add( &authz_rewrites, &bv );
+                       if ( c->op == LDAP_MOD_ADD ) {
+                               c->argv--;
+                               c->argc++;
+                       }
+                       return rc;
                        }
-                       break;
 #endif
 
 
@@ -2181,14 +2208,23 @@ config_sizelimit(ConfigArgs *c) {
                        rc = 1;
                return rc;
        } else if ( c->op == LDAP_MOD_DELETE ) {
-               /* Reset to defaults */
-               lim->lms_s_soft = SLAPD_DEFAULT_SIZELIMIT;
-               lim->lms_s_hard = 0;
-               lim->lms_s_unchecked = -1;
-               lim->lms_s_pr = 0;
-               lim->lms_s_pr_hide = 0;
-               lim->lms_s_pr_total = 0;
-               return 0;
+               /* Reset to defaults or values from frontend */
+               if ( c->be == frontendDB ) {
+                       lim->lms_s_soft = SLAPD_DEFAULT_SIZELIMIT;
+                       lim->lms_s_hard = 0;
+                       lim->lms_s_unchecked = -1;
+                       lim->lms_s_pr = 0;
+                       lim->lms_s_pr_hide = 0;
+                       lim->lms_s_pr_total = 0;
+               } else {
+                       lim->lms_s_soft = frontendDB->be_def_limit.lms_s_soft;
+                       lim->lms_s_hard = frontendDB->be_def_limit.lms_s_hard;
+                       lim->lms_s_unchecked = frontendDB->be_def_limit.lms_s_unchecked;
+                       lim->lms_s_pr = frontendDB->be_def_limit.lms_s_pr;
+                       lim->lms_s_pr_hide = frontendDB->be_def_limit.lms_s_pr_hide;
+                       lim->lms_s_pr_total = frontendDB->be_def_limit.lms_s_pr_total;
+               }
+               goto ok;
        }
        for(i = 1; i < c->argc; i++) {
                if(!strncasecmp(c->argv[i], "size", 4)) {
@@ -2213,6 +2249,35 @@ config_sizelimit(ConfigArgs *c) {
                        lim->lms_s_hard = 0;
                }
        }
+
+ok:
+       if ( ( c->be == frontendDB ) && ( c->ca_entry ) ) {
+               /* This is a modification to the global limits apply it to
+                * the other databases as needed */
+               AttributeDescription *ad=NULL;
+               const char *text = NULL;
+               CfEntryInfo *ce = c->ca_entry->e_private;
+
+               slap_str2ad(c->argv[0], &ad, &text);
+               /* if we got here... */
+               assert( ad != NULL );
+
+               if ( ce->ce_type == Cft_Global ){
+                       ce = ce->ce_kids;
+               }
+               for (; ce; ce=ce->ce_sibs) {
+                       Entry *dbe = ce->ce_entry;
+                       if ( (ce->ce_type == Cft_Database) && (ce->ce_be != frontendDB)
+                                       && (!attr_find(dbe->e_attrs, ad)) ) {
+                               ce->ce_be->be_def_limit.lms_s_soft = lim->lms_s_soft;
+                               ce->ce_be->be_def_limit.lms_s_hard = lim->lms_s_hard;
+                               ce->ce_be->be_def_limit.lms_s_unchecked =lim->lms_s_unchecked;
+                               ce->ce_be->be_def_limit.lms_s_pr =lim->lms_s_pr;
+                               ce->ce_be->be_def_limit.lms_s_pr_hide =lim->lms_s_pr_hide;
+                               ce->ce_be->be_def_limit.lms_s_pr_total =lim->lms_s_pr_total;
+                       }
+               }
+       }
        return(0);
 }
 
@@ -2232,10 +2297,15 @@ config_timelimit(ConfigArgs *c) {
                        rc = 1;
                return rc;
        } else if ( c->op == LDAP_MOD_DELETE ) {
-               /* Reset to defaults */
-               lim->lms_t_soft = SLAPD_DEFAULT_TIMELIMIT;
-               lim->lms_t_hard = 0;
-               return 0;
+               /* Reset to defaults or values from frontend */
+               if ( c->be == frontendDB ) {
+                       lim->lms_t_soft = SLAPD_DEFAULT_TIMELIMIT;
+                       lim->lms_t_hard = 0;
+               } else {
+                       lim->lms_t_soft = frontendDB->be_def_limit.lms_t_soft;
+                       lim->lms_t_hard = frontendDB->be_def_limit.lms_t_hard;
+               }
+               goto ok;
        }
        for(i = 1; i < c->argc; i++) {
                if(!strncasecmp(c->argv[i], "time", 4)) {
@@ -2260,6 +2330,30 @@ config_timelimit(ConfigArgs *c) {
                        lim->lms_t_hard = 0;
                }
        }
+
+ok:
+       if ( ( c->be == frontendDB ) && ( c->ca_entry ) ) {
+               /* This is a modification to the global limits apply it to
+                * the other databases as needed */
+               AttributeDescription *ad=NULL;
+               const char *text = NULL;
+               slap_str2ad(c->argv[0], &ad, &text);
+               /* if we got here... */
+               assert( ad != NULL );
+
+               CfEntryInfo *ce = c->ca_entry->e_private;
+               if ( ce->ce_type == Cft_Global ){
+                       ce = ce->ce_kids;
+               }
+               for (; ce; ce=ce->ce_sibs) {
+                       Entry *dbe = ce->ce_entry;
+                       if ( (ce->ce_type == Cft_Database) && (ce->ce_be != frontendDB)
+                                       && (!attr_find(dbe->e_attrs, ad)) ) {
+                               ce->ce_be->be_def_limit.lms_t_soft = lim->lms_t_soft;
+                               ce->ce_be->be_def_limit.lms_t_hard = lim->lms_t_hard;
+                       }
+               }
+       }
        return(0);
 }
 
@@ -2483,7 +2577,7 @@ tcp_buffer_delete( BerVarray vals )
 }
 
 static int
-tcp_buffer_unparse( int idx, int size, int rw, Listener *l, struct berval *val )
+tcp_buffer_unparse( int size, int rw, Listener *l, struct berval *val )
 {
        char buf[sizeof("2147483648")], *ptr;
 
@@ -2528,7 +2622,7 @@ tcp_buffer_unparse( int idx, int size, int rw, Listener *l, struct berval *val )
 }
 
 static int
-tcp_buffer_add_one( int argc, char **argv, int idx )
+tcp_buffer_add_one( int argc, char **argv )
 {
        int rc = 0;
        int size = -1, rw = 0;
@@ -2543,7 +2637,7 @@ tcp_buffer_add_one( int argc, char **argv, int idx )
        }
 
        /* unparse for later use */
-       rc = tcp_buffer_unparse( idx, size, rw, l, &val );
+       rc = tcp_buffer_unparse( size, rw, l, &val );
        if ( rc != LDAP_SUCCESS ) {
                return rc;
        }
@@ -2581,8 +2675,7 @@ tcp_buffer_add_one( int argc, char **argv, int idx )
 
        tcp_buffer = SLAP_REALLOC( tcp_buffer, sizeof( struct berval ) * ( tcp_buffer_num + 2 ) );
        /* append */
-       idx = tcp_buffer_num;
-       tcp_buffer[ idx ] = val;
+       tcp_buffer[ tcp_buffer_num ] = val;
 
        tcp_buffer_num++;
        BER_BVZERO( &tcp_buffer[ tcp_buffer_num ] );
@@ -2627,7 +2720,7 @@ config_tcp_buffer( ConfigArgs *c )
                        }
 
                        /* unparse for later use */
-                       rc = tcp_buffer_unparse( tcp_buffer_num, size, rw, l, &val );
+                       rc = tcp_buffer_unparse( size, rw, l, &val );
                        if ( rc != LDAP_SUCCESS ) {
                                return 1;
                        }
@@ -2660,13 +2753,12 @@ done:;
 
        } else {
                int rc;
-               int idx;
 
-               rc = tcp_buffer_add_one( c->argc - 1, &c->argv[ 1 ], idx );
+               rc = tcp_buffer_add_one( c->argc - 1, &c->argv[ 1 ] );
                if ( rc ) {
                        snprintf( c->cr_msg, sizeof( c->cr_msg ),
                                "<%s> unable to add value #%d",
-                               c->argv[0], idx );
+                               c->argv[0], tcp_buffer_num );
                        Debug( LDAP_DEBUG_ANY, "%s: %s\n",
                                c->log, c->cr_msg, 0 );
                        return 1;
@@ -3052,7 +3144,7 @@ static int
 loglevel_init( void )
 {
        slap_verbmasks  lo[] = {
-               { BER_BVC("Any"),       LDAP_DEBUG_ANY },
+               { BER_BVC("Any"),       (slap_mask_t) LDAP_DEBUG_ANY },
                { BER_BVC("Trace"),     LDAP_DEBUG_TRACE },
                { BER_BVC("Packets"),   LDAP_DEBUG_PACKETS },
                { BER_BVC("Args"),      LDAP_DEBUG_ARGS },
@@ -3204,10 +3296,11 @@ loglevel_print( FILE *out )
 
        fprintf( out, "Installed log subsystems:\n\n" );
        for ( i = 0; !BER_BVISNULL( &loglevel_ops[ i ].word ); i++ ) {
-               fprintf( out, "\t%-30s (%u, 0x%x)\n",
-                       loglevel_ops[ i ].word.bv_val,
-                       (unsigned) loglevel_ops[ i ].mask,
-                       (unsigned) loglevel_ops[ i ].mask );
+               unsigned mask = loglevel_ops[ i ].mask & 0xffffffffUL;
+               fprintf( out,
+                       (mask == ((slap_mask_t) -1 & 0xffffffffUL)
+                        ? "\t%-30s (-1, 0xffffffff)\n" : "\t%-30s (%u, 0x%x)\n"),
+                       loglevel_ops[ i ].word.bv_val, mask, mask );
        }
 
        fprintf( out, "\nNOTE: custom log subsystems may be later installed "
@@ -4579,6 +4672,7 @@ schema_destroy_one( ConfigArgs *ca, ConfigOCs **colst, int nocs,
 
        ca->valx = -1;
        ca->line = NULL;
+       ca->argc = 1;
        if ( cfn->c_cr_head ) {
                struct berval bv = BER_BVC("olcDitContentRules");
                ad = NULL;
@@ -4678,6 +4772,9 @@ config_add_internal( CfBackInfo *cfb, Entry *e, ConfigArgs *ca, SlapReply *rs,
                        Debug( LDAP_DEBUG_TRACE, "%s: config_add_internal: "
                                "DN=\"%s\" already exists\n",
                                log_prefix, e->e_name.bv_val, 0 );
+                       /* global schema ignores all writes */
+                       if ( ce->ce_type == Cft_Schema && ce->ce_parent->ce_type == Cft_Global )
+                               return LDAP_COMPARE_TRUE;
                        return LDAP_ALREADY_EXISTS;
                }
        }
@@ -4699,13 +4796,18 @@ config_add_internal( CfBackInfo *cfb, Entry *e, ConfigArgs *ca, SlapReply *rs,
        }
 
        if ( op ) {
+               AclCheck ak;
                /* No parent, must be root. This will never happen... */
                if ( !last && !be_isroot( op ) && !be_shadow_update( op ) ) {
                        return LDAP_NO_SUCH_OBJECT;
                }
 
-               if ( last && !access_allowed( op, last->ce_entry,
-                       slap_schema.si_ad_children, NULL, ACL_WADD, NULL ) )
+               ak.ak_e = last->ce_entry;
+               ak.ak_desc = slap_schema.si_ad_children;
+               ak.ak_val = NULL;
+               ak.ak_access = ACL_WADD;
+               ak.ak_state = NULL;
+               if ( last && !access_allowed( op, &ak ))
                {
                        Debug( LDAP_DEBUG_TRACE, "%s: config_add_internal: "
                                "DN=\"%s\" no write access to \"children\" of parent\n",
@@ -4902,10 +5004,10 @@ config_add_internal( CfBackInfo *cfb, Entry *e, ConfigArgs *ca, SlapReply *rs,
 ok:
        /* Newly added databases and overlays need to be started up */
        if ( CONFIG_ONLINE_ADD( ca )) {
-               if ( colst[0]->co_type == Cft_Database ) {
+               if ( coptr->co_type == Cft_Database ) {
                        rc = backend_startup_one( ca->be, &ca->reply );
 
-               } else if ( colst[0]->co_type == Cft_Overlay ) {
+               } else if ( coptr->co_type == Cft_Overlay ) {
                        if ( ca->bi->bi_db_open ) {
                                BackendInfo *bi_orig = ca->be->bd_info;
                                ca->be->bd_info = ca->bi;
@@ -4931,7 +5033,7 @@ ok:
        ce->ce_parent = last;
        ce->ce_entry = entry_dup( e );
        ce->ce_entry->e_private = ce;
-       ce->ce_type = colst[0]->co_type;
+       ce->ce_type = coptr->co_type;
        ce->ce_be = ca->be;
        ce->ce_bi = ca->bi;
        ce->ce_private = ca->ca_private;
@@ -4976,12 +5078,12 @@ ok:
 
 done:
        if ( rc ) {
-               if ( (colst[0]->co_type == Cft_Database) && ca->be ) {
+               if ( (coptr->co_type == Cft_Database) && ca->be ) {
                        if ( ca->be != frontendDB )
                                backend_destroy_one( ca->be, 1 );
-               } else if ( (colst[0]->co_type == Cft_Overlay) && ca->bi ) {
+               } else if ( (coptr->co_type == Cft_Overlay) && ca->bi ) {
                        overlay_destroy_one( ca->be, (slap_overinst *)ca->bi );
-               } else if ( colst[0]->co_type == Cft_Schema ) {
+               } else if ( coptr->co_type == Cft_Schema ) {
                        schema_destroy_one( ca, colst, nocs, last );
                }
        }
@@ -5071,9 +5173,10 @@ config_back_add( Operation *op, SlapReply *rs )
        CfBackInfo *cfb;
        int renumber;
        ConfigArgs ca;
+       AclCheck ak = { op->ora_e, slap_schema.si_ad_entry,
+               NULL, ACL_WADD, NULL };
 
-       if ( !access_allowed( op, op->ora_e, slap_schema.si_ad_entry,
-               NULL, ACL_WADD, NULL )) {
+       if ( !access_allowed( op, &ak )) {
                rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
                goto out;
        }
@@ -5163,7 +5266,14 @@ out2:;
        ldap_pvt_thread_pool_resume( &connection_pool );
 
 out:;
-       send_ldap_result( op, rs );
+       {       int repl = op->o_dont_replicate;
+               if ( rs->sr_err == LDAP_COMPARE_TRUE ) {
+                       rs->sr_err = LDAP_SUCCESS;
+                       op->o_dont_replicate = 1;
+               }
+               send_ldap_result( op, rs );
+               op->o_dont_replicate = repl;
+       }
        slap_graduate_commit_csn( op );
        return rs->sr_err;
 }
@@ -5394,6 +5504,7 @@ config_modify_internal( CfEntryInfo *ce, Operation *op, SlapReply *rs,
                                        }
                                        ca->line = bv.bv_val;
                                        ca->valx = d->idx[i];
+                                       config_parse_vals(ct, ca, d->idx[i] );
                                        rc = config_del_vals( ct, ca );
                                        if ( rc != LDAP_SUCCESS ) break;
                                        if ( s )
@@ -5405,6 +5516,7 @@ config_modify_internal( CfEntryInfo *ce, Operation *op, SlapReply *rs,
                        } else {
                                ca->valx = -1;
                                ca->line = NULL;
+                               ca->argc = 1;
                                rc = config_del_vals( ct, ca );
                                if ( rc ) rc = LDAP_OTHER;
                                if ( s )
@@ -5451,6 +5563,7 @@ out:
                                        a->a_flags &= ~(SLAP_ATTR_IXDEL|SLAP_ATTR_IXADD);
                                        ca->valx = -1;
                                        ca->line = NULL;
+                                       ca->argc = 1;
                                        config_del_vals( ct, ca );
                                }
                                for ( i=0; !BER_BVISNULL( &s->a_vals[i] ); i++ ) {
@@ -5465,6 +5578,7 @@ out:
                                ct = config_find_table( colst, nocs, a->a_desc, ca );
                                ca->valx = -1;
                                ca->line = NULL;
+                               ca->argc = 1;
                                config_del_vals( ct, ca );
                                s = attr_find( save_attrs, a->a_desc );
                                if ( s ) {
@@ -5603,6 +5717,7 @@ config_back_modrdn( Operation *op, SlapReply *rs )
        CfEntryInfo *ce, *last;
        struct berval rdn;
        int ixold, ixnew;
+       AclCheck ak;
 
        cfb = (CfBackInfo *)op->o_bd->be_private;
 
@@ -5613,18 +5728,22 @@ config_back_modrdn( Operation *op, SlapReply *rs )
                rs->sr_err = LDAP_NO_SUCH_OBJECT;
                goto out;
        }
-       if ( !access_allowed( op, ce->ce_entry, slap_schema.si_ad_entry,
-               NULL, ACL_WRITE, NULL )) {
+       ak.ak_e = ce->ce_entry;
+       ak.ak_desc = slap_schema.si_ad_entry;
+       ak.ak_val = NULL;
+       ak.ak_access = ACL_WRITE;
+       ak.ak_state = NULL;
+       if ( !access_allowed( op, &ak )) {
                rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
                goto out;
        }
-       { Entry *parent;
+       {
                if ( ce->ce_parent )
-                       parent = ce->ce_parent->ce_entry;
+                       ak.ak_e = ce->ce_parent->ce_entry;
                else
-                       parent = (Entry *)&slap_entry_root;
-               if ( !access_allowed( op, parent, slap_schema.si_ad_children,
-                       NULL, ACL_WRITE, NULL )) {
+                       ak.ak_e = (Entry *)&slap_entry_root;
+               ak.ak_desc = slap_schema.si_ad_children;
+               if ( !access_allowed( op, &ak )) {
                        rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
                        goto out;
                }
@@ -5906,7 +6025,7 @@ config_back_search( Operation *op, SlapReply *rs )
 {
        CfBackInfo *cfb;
        CfEntryInfo *ce, *last;
-       slap_mask_t mask;
+       AclCheck ak;
 
        cfb = (CfBackInfo *)op->o_bd->be_private;
 
@@ -5917,10 +6036,14 @@ config_back_search( Operation *op, SlapReply *rs )
                rs->sr_err = LDAP_NO_SUCH_OBJECT;
                goto out;
        }
-       if ( !access_allowed_mask( op, ce->ce_entry, slap_schema.si_ad_entry, NULL,
-               ACL_SEARCH, NULL, &mask ))
+       ak.ak_e = ce->ce_entry;
+       ak.ak_desc = slap_schema.si_ad_entry;
+       ak.ak_val = NULL;
+       ak.ak_access = ACL_SEARCH;
+       ak.ak_state = NULL;
+       if ( !access_allowed_mask( op, &ak ))
        {
-               if ( !ACL_GRANT( mask, ACL_DISCLOSE )) {
+               if ( !ACL_GRANT( ak.ak_mask, ACL_DISCLOSE )) {
                        rs->sr_err = LDAP_NO_SUCH_OBJECT;
                } else {
                        rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
Cloned from git://git.openldap.org/openldap.git