Add "entry" ACL checks for add/delete/rename ops

[openldap] / servers / slapd / saslauthz.c

diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c
index 7a4f5903a327d5e90cf94e14e73ee71196f505bf..24ccf062b496ce9bded6320abf307d3999edd821 100644 (file)
--- a/servers/slapd/saslauthz.c
+++ b/servers/slapd/saslauthz.c
@@ -98,7 +98,7 @@ static int slap_parseURI( struct berval *uri,
                bv.bv_val = uri->bv_val + sizeof("dn:")-1;
                bv.bv_val += strspn( bv.bv_val, " " );
 
-is_dn:         bv.bv_len = uri->bv_len - (bv.bv_val - uri->bv_val);
+is_dn: bv.bv_len = uri->bv_len - (bv.bv_val - uri->bv_val);
 
                rc = dnNormalize2( NULL, &bv, searchbase );
                if( rc == LDAP_SUCCESS ) {
@@ -326,7 +326,7 @@ static int slap_sasl_regexp( struct berval *in, struct berval *out )
                out->bv_len ? out->bv_val : "", 0, 0 );
 #else
        Debug( LDAP_DEBUG_TRACE,
-          "slap_sasl_regexp: converted SASL name to ldap:///%s??%s?%s\n",
+               "slap_sasl_regexp: converted SASL name to %s\n",
                out->bv_len ? out->bv_val : "", 0, 0 );
 #endif
 
@@ -334,14 +334,14 @@ static int slap_sasl_regexp( struct berval *in, struct berval *out )
 }
 
 /* Two empty callback functions to avoid sending results */
-static void sasl_sc_r( Connection *conn, Operation *o, ber_tag_t tag,
+void slap_cb_null_response( Connection *conn, Operation *o, ber_tag_t tag,
        ber_int_t msgid, ber_int_t err, const char *matched,
        const char *text, BerVarray ref, const char *resoid,
        struct berval *resdata, struct berval *sasldata, LDAPControl **c)
 {
 }
 
-static void sasl_sc_s( Connection *conn, Operation *o, ber_int_t err,
+void slap_cb_null_sresult( Connection *conn, Operation *o, ber_int_t err,
        const char *matched, const char *text, BerVarray refs, LDAPControl **c,
        int nentries)
 {
@@ -389,7 +389,7 @@ void slap_sasl2dn( Connection *conn,
        struct berval dn = { 0, NULL };
        int scope = LDAP_SCOPE_BASE;
        Filter *filter = NULL;
-       slap_callback cb = {sasl_sc_r, sasl_sc_s, sasl_sc_sasl2dn, NULL};
+       slap_callback cb = {slap_cb_null_response, slap_cb_null_sresult, sasl_sc_sasl2dn, NULL};
        Operation op = {0};
        struct berval regout = { 0, NULL };
 
@@ -449,6 +449,7 @@ void slap_sasl2dn( Connection *conn,
        op.o_callback = &cb;
        op.o_time = slap_get_time();
        op.o_do_not_cache = 1;
+       op.o_threadctx = conn->c_sasl_bindop->o_threadctx;
 
        (*be->be_search)( be, conn, &op, NULL, &dn,
                scope, LDAP_DEREF_NEVER, 1, 0,
@@ -509,7 +510,7 @@ int slap_sasl_match(Connection *conn, struct berval *rule, struct berval *assert
        Filter *filter=NULL;
        regex_t reg;
        smatch_info sm;
-       slap_callback cb = { sasl_sc_r, sasl_sc_s, sasl_sc_smatch, NULL };
+       slap_callback cb = { slap_cb_null_response, slap_cb_null_sresult, sasl_sc_smatch, NULL };
        Operation op = {0};
 
 #ifdef NEW_LOGGING
@@ -569,6 +570,7 @@ int slap_sasl_match(Connection *conn, struct berval *rule, struct berval *assert
        op.o_callback = &cb;
        op.o_time = slap_get_time();
        op.o_do_not_cache = 1;
+       op.o_threadctx = conn->c_sasl_bindop->o_threadctx;
 
        (*be->be_search)( be, conn, &op, /*base=*/NULL, &searchbase,
           scope, /*deref=*/1, /*sizelimit=*/0, /*time=*/0, filter, /*fstr=*/NULL,
@@ -614,15 +616,16 @@ slap_sasl_check_authz( Connection *conn,
 
 #ifdef NEW_LOGGING
        LDAP_LOG( TRANSPORT, ENTRY, 
-                  "slap_sasl_check_authz: does %s match %s rule in %s?\n",
-              assertDN->bv_val, ad->ad_cname.bv_val, searchDN->bv_val);
+               "slap_sasl_check_authz: does %s match %s rule in %s?\n",
+           assertDN->bv_val, ad->ad_cname.bv_val, searchDN->bv_val);
 #else
        Debug( LDAP_DEBUG_TRACE,
           "==>slap_sasl_check_authz: does %s match %s rule in %s?\n",
           assertDN->bv_val, ad->ad_cname.bv_val, searchDN->bv_val);
 #endif
 
-       rc = backend_attribute( NULL, NULL, NULL, NULL, searchDN, ad, &vals );
+       rc = backend_attribute( NULL, NULL, conn->c_sasl_bindop, NULL,
+               searchDN, ad, &vals );
        if( rc != LDAP_SUCCESS )
                goto COMPLETE;
 
@@ -639,11 +642,12 @@ COMPLETE:
 
 #ifdef NEW_LOGGING
        LDAP_LOG( TRANSPORT, RESULTS, 
-                  "slap_sasl_check_authz: %s check returning %s\n", 
-                  ad->ad_cname.bv_val, rc, 0 );
+               "slap_sasl_check_authz: %s check returning %s\n", 
+               ad->ad_cname.bv_val, rc, 0 );
 #else
        Debug( LDAP_DEBUG_TRACE,
-          "<==slap_sasl_check_authz: %s check returning %d\n", ad->ad_cname.bv_val, rc, 0);
+          "<==slap_sasl_check_authz: %s check returning %d\n",
+               ad->ad_cname.bv_val, rc, 0);
 #endif
 
        return( rc );