Fix ITS#3424
[openldap] / servers / slapd / compare.c
index 8524d1aee39e7e26458cc550315f99da7b698b5d..506e34736b544fe232de94023956b90d182bdfc8 100644 (file)
@@ -29,7 +29,6 @@
 #include <ac/socket.h>
 #include <ac/string.h>
 
-#include "ldap_pvt.h"
 #include "slap.h"
 #ifdef LDAP_SLAPI
 #include "slapi/slapi.h"
@@ -141,9 +140,9 @@ fe_op_compare( Operation *op, SlapReply *rs )
                        ava.aa_desc->ad_cname.bv_val, ava.aa_value.bv_val );
 
                Statslog( LDAP_DEBUG_STATS,
-                       "conn=%lu op=%lu CMP dn=\"%s\" attr=\"%s\"\n",
-                       op->o_connid, op->o_opid, op->o_req_dn.bv_val,
-                       ava.aa_desc->ad_cname.bv_val, 0 );
+                       "%s CMP dn=\"%s\" attr=\"%s\"\n",
+                       op->o_log_prefix, op->o_req_dn.bv_val,
+                       ava.aa_desc->ad_cname.bv_val, 0, 0 );
 
                if( backend_check_restrictions( op, rs, NULL ) != LDAP_SUCCESS ) {
                        send_ldap_result( op, rs );
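Review bot: The rewritten Statslog call no longer formats `op->o_connid` and `op->o_opid` itself, so the CMP stats line can only be tied to a connection and operation if `op->o_log_prefix` is populated before fe_op_compare reaches this point, and nothing in the diff shows where that happens. The same applies to the two following hunks (new lines 161 and 230), which make the identical change. Log parsers or detections that key on the literal `conn=… op=…` layout presumably depend on the prefix keeping that layout, so a short comment above the call would help, e.g. `/* o_log_prefix supplies the conn=/op= identifiers formerly formatted inline */`. fe_op_compare starts and ends outside these hunks.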
@@ -162,9 +161,9 @@ fe_op_compare( Operation *op, SlapReply *rs )
                        ava.aa_desc->ad_cname.bv_val, ava.aa_value.bv_val );
 
                Statslog( LDAP_DEBUG_STATS,
-                       "conn=%lu op=%lu CMP dn=\"%s\" attr=\"%s\"\n",
-                       op->o_connid, op->o_opid, op->o_req_dn.bv_val,
-                       ava.aa_desc->ad_cname.bv_val, 0 );
+                       "%s CMP dn=\"%s\" attr=\"%s\"\n",
+                       op->o_log_prefix, op->o_req_dn.bv_val,
+                       ava.aa_desc->ad_cname.bv_val, 0, 0 );
 
                if( backend_check_restrictions( op, rs, NULL ) != LDAP_SUCCESS ) {
                        send_ldap_result( op, rs );
@@ -231,9 +230,9 @@ fe_op_compare( Operation *op, SlapReply *rs )
            op->o_req_dn.bv_val,
                ava.aa_desc->ad_cname.bv_val, ava.aa_value.bv_val );
 
-       Statslog( LDAP_DEBUG_STATS, "conn=%lu op=%lu CMP dn=\"%s\" attr=\"%s\"\n",
-           op->o_connid, op->o_opid, op->o_req_dn.bv_val,
-               ava.aa_desc->ad_cname.bv_val, 0 );
+       Statslog( LDAP_DEBUG_STATS, "%s CMP dn=\"%s\" attr=\"%s\"\n",
+               op->o_log_prefix, op->o_req_dn.bv_val,
+               ava.aa_desc->ad_cname.bv_val, 0, 0 );
 
 #if defined( LDAP_SLAPI )
 #define        pb      op->o_pb
@@ -326,7 +325,7 @@ static int compare_entry(
        Entry *e,
        AttributeAssertion *ava )
 {
-       int rc = LDAP_NO_SUCH_ATTRIBUTE;
+       int rc;
        Attribute *a;
 
        if ( ! access_allowed( op, e,
@@ -335,11 +334,20 @@ static int compare_entry(
                return LDAP_INSUFFICIENT_ACCESS;
        }
 
+       a = attrs_find( e->e_attrs, ava->aa_desc );
+       if( a == NULL ) return LDAP_NO_SUCH_ATTRIBUTE;
+
+       rc = LDAP_COMPARE_FALSE;
        for(a = attrs_find( e->e_attrs, ava->aa_desc );
                a != NULL;
                a = attrs_find( a->a_next, ava->aa_desc ))
        {
-               rc = LDAP_COMPARE_FALSE;
+               if (( ava->aa_desc != a->a_desc ) && ! access_allowed( op,
+                       e, a->a_desc, &ava->aa_value, ACL_COMPARE, NULL ) )
+               {       
+                       rc = LDAP_INSUFFICIENT_ACCESS;
+                       break;
+               }
 
                if ( value_find_ex( ava->aa_desc,
                        SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH |
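Review bot: The new per-attribute ACL check leaves the loop with `LDAP_INSUFFICIENT_ACCESS` at the first subtype the requester may not compare, so the result depends on attribute order in the entry: a permitted attribute later in the list is never examined, and the insufficientAccess result itself reveals that a restricted subtype is present. If that is the intended policy it deserves a comment above the check, e.g. `/* refuse the whole compare if any matching subtype lacks ACL_COMPARE access */`; if it is not, `continue` in place of `break` would skip only the restricted attribute. Separately, the added `a = attrs_find( e->e_attrs, ava->aa_desc );` is repeated by the loop initialiser a few lines below, so the initialiser can be left empty: `for( ; a != NULL; a = attrs_find( a->a_next, ava->aa_desc ))`. The loop body and the rest of compare_entry continue outside this hunk.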