X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Facl.c;h=7b5d30bff6dbeab941499291d6a038abff3e9232;hb=ba37cbc233a791cde63b4e9e08b8fb5e95963ba4;hp=b61b1570c18a92b00aa0f69570d213fcfc134606;hpb=8484d2c757168ce021a240a02f138a8d4788377a;p=openldap
diff --git a/servers/slapd/acl.c b/servers/slapd/acl.c
index b61b1570c1..7b5d30bff6 100644
--- a/servers/slapd/acl.c
+++ b/servers/slapd/acl.c
@@ -24,7 +24,7 @@ static AccessControl * acl_get(
 int nmatches, regmatch_t *matches );
 
 static slap_control_t acl_mask(
- AccessControl *ac, slap_access_mask_t *mask,
+ AccessControl *ac, slap_mask_t *mask,
 Backend *be, Connection *conn, Operation *op,
 Entry *e,
 AttributeDescription *desc,
@@ -85,7 +85,7 @@ access_allowed(
 #ifdef LDAP_DEBUG
 char accessmaskbuf[ACCESSMASK_MAXLEN];
 #endif
- slap_access_mask_t mask;
+ slap_mask_t mask;
 slap_control_t control;
 
 const char *attr = desc ? desc->ad_cname->bv_val : NULL;
@@ -115,7 +115,9 @@ access_allowed(
 * by ACL_WRITE checking as any found here are not provided
 * by the user */
 
- if ( access >= ACL_WRITE && is_at_no_user_mod( desc->ad_type ) )
+ if ( access >= ACL_WRITE && is_at_no_user_mod( desc->ad_type )
+ && desc != slap_schema.si_ad_entry
+ && desc != slap_schema.si_ad_children )
 {
 Debug( LDAP_DEBUG_ACL, "NoUserMod Operational attribute:"
 " %s access granted\n",
@@ -152,7 +154,7 @@ access_allowed(
 a = NULL;
 count = 0;
 
- while( a = acl_get( a, &count, be, op, e, desc, MAXREMATCHES, matches ) )
+ while((a = acl_get( a, &count, be, op, e, desc, MAXREMATCHES, matches )) != NULL)
 {
 int i;
 
@@ -339,7 +341,7 @@ acl_get(
 static slap_control_t
 acl_mask(
 AccessControl *a,
- slap_access_mask_t *mask,
+ slap_mask_t *mask,
 Backend *be,
 Connection *conn,
 Operation *op,
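Review bot: The comment that precedes the rewritten condition in the `@@ -115,7 +115,9 @@` hunk (ending `* by the user */`) no longer describes it: the `entry` and `children` pseudo-attributes are now excluded from the automatic grant, and nothing in the code says why a reader should expect that. Suggest appending `* The entry/children pseudo-attributes are also no-user-modification` and `* but must still go through the normal ACL_WRITE checks.` to that comment. The condition also still dereferences `desc->ad_type` before the two new pointer comparisons; earlier in this function `attr` is computed as `desc ? desc->ad_cname->bv_val : NULL`, so if a NULL desc can reach this point the clause needs a leading `desc != NULL &&`. The body of access_allowed continues outside the hunk.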
@@ -364,13 +366,13 @@ acl_mask(
 e->e_dn, attr, 0 );
 
 Debug( LDAP_DEBUG_ACL,
- "=> acl_mask: to value \"%s\" by \"%s\", (%s) \n",
- val ? val->bv_val : "*",
+ "=> acl_mask: to %s by \"%s\", (%s) \n",
+ val ? "value" : "all values",
 op->o_ndn ? op->o_ndn : "",
 accessmask2str( *mask, accessmaskbuf ) );
 
 for ( i = 1, b = a->acl_access; b != NULL; b = b->a_next, i++ ) {
- slap_access_mask_t oldmask, modmask;
+ slap_mask_t oldmask, modmask;
 
 ACL_INVALIDATE( modmask );
 
@@ -617,7 +619,7 @@ acl_mask(
 buf[sizeof(buf) - 1] = 0;
 }
 
- if (backend_group(be, e, buf, op->o_ndn,
+ if (backend_group(be, conn, op, e, buf, op->o_ndn,
 b->a_group_oc, b->a_group_at) != 0)
 {
 continue;
@@ -634,6 +636,45 @@ acl_mask(
 }
 }
 
+ if ( b->a_authz.sai_ssf ) {
+ Debug( LDAP_DEBUG_ACL, "<= check a_authz.sai_ssf: ACL %u > OP %u\n",
+ b->a_authz.sai_ssf, op->o_ssf, 0 );
+
+ if ( b->a_authz.sai_ssf > op->o_ssf ) {
+ continue;
+ }
+ }
+
+ if ( b->a_authz.sai_transport_ssf ) {
+ Debug( LDAP_DEBUG_ACL,
+ "<= check a_authz.sai_transport_ssf: ACL %u > OP %u\n",
+ b->a_authz.sai_transport_ssf, op->o_transport_ssf, 0 );
+
+ if ( b->a_authz.sai_transport_ssf > op->o_transport_ssf ) {
+ continue;
+ }
+ }
+
+ if ( b->a_authz.sai_tls_ssf ) {
+ Debug( LDAP_DEBUG_ACL,
+ "<= check a_authz.sai_tls_ssf: ACL %u > OP %u\n",
+ b->a_authz.sai_tls_ssf, op->o_tls_ssf, 0 );
+
+ if ( b->a_authz.sai_tls_ssf > op->o_tls_ssf ) {
+ continue;
+ }
+ }
+
+ if ( b->a_authz.sai_sasl_ssf ) {
+ Debug( LDAP_DEBUG_ACL,
+ "<= check a_authz.sai_sasl_ssf: ACL %u > OP %u\n",
+ b->a_authz.sai_sasl_ssf, op->o_sasl_ssf, 0 );
+
+ if ( b->a_authz.sai_sasl_ssf > op->o_sasl_ssf ) {
+ continue;
+ }
+ }
+
 #ifdef SLAPD_ACI_ENABLED
 if ( b->a_aci_at != NULL ) {
 Attribute *at;
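Review bot: The four SSF checks added before `#ifdef SLAPD_ACI_ENABLED` in the `@@ -634,6 +636,45 @@` hunk are the same nine lines repeated with a different field, and each one logs `ACL %u > OP %u` whether or not the clause's value actually exceeds the operation's, so a debug trace reads as a rejection even for clauses that pass. A small helper that returns whether a clause's requirement is unmet keeps the fail-closed `continue` in one place and lets the log state the comparison neutrally; the short-circuiting `||` chain below rejects at the first unmet requirement exactly as the four separate blocks do. The helper's parameters are typed `unsigned` only because the Debug format uses `%u`; substitute the project's SSF type if one exists. The enclosing `for` over `a->acl_access` starts and ends outside the hunk.
```c
/* File scope, before acl_mask(): non-zero when a <who> clause demands a
 * security strength factor the operation does not meet. A zero
 * requirement never rejects, matching the original `if ( b->a_authz.x )`
 * guards. */
static int
acl_ssf_unmet( const char *what, unsigned need, unsigned have )
{
	if ( need == 0 ) {
		return 0;
	}
	Debug( LDAP_DEBUG_ACL, "<= check %s: ACL %u, OP %u\n", what, need, have );
	return need > have;
}

/* … unchanged: acl_mask() up to and including the group-membership check … */

		if ( acl_ssf_unmet( "a_authz.sai_ssf",
				b->a_authz.sai_ssf, op->o_ssf )
			|| acl_ssf_unmet( "a_authz.sai_transport_ssf",
				b->a_authz.sai_transport_ssf, op->o_transport_ssf )
			|| acl_ssf_unmet( "a_authz.sai_tls_ssf",
				b->a_authz.sai_tls_ssf, op->o_tls_ssf )
			|| acl_ssf_unmet( "a_authz.sai_sasl_ssf",
				b->a_authz.sai_sasl_ssf, op->o_sasl_ssf ) )
		{
			continue;
		}
```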
@@ -641,7 +682,7 @@ acl_mask(
 
 /* this case works different from the others above.
 * since aci's themselves give permissions, we need
- * to first check b->a_mask, the ACL's access level.
+ * to first check b->a_access_mask, the ACL's access level.
 */
 
 if( op->o_ndn == NULL || op->o_ndn[0] == '\0' ) {
@@ -655,7 +696,7 @@ acl_mask(
 /* first check if the right being requested
 * is allowed by the ACL clause.
 */
- if ( ! ACL_GRANT( b->a_mask, *mask ) ) {
+ if ( ! ACL_GRANT( b->a_access_mask, *mask ) ) {
 continue;
 }
 
@@ -684,7 +725,7 @@ acl_mask(
 }
 
 /* remove anything that the ACL clause does not allow */
- tgrant &= b->a_mask & ACL_PRIV_MASK;
+ tgrant &= b->a_access_mask & ACL_PRIV_MASK;
 tdeny &= ACL_PRIV_MASK;
 
 /* see if we have anything to contribute */
@@ -713,7 +754,7 @@ acl_mask(
 } else
 #endif
 {
- modmask = b->a_mask;
+ modmask = b->a_access_mask;
 }
 
 
@@ -877,7 +918,7 @@ aci_bvstrdup( struct berval *bv )
 
 s = (char *)ch_malloc(bv->bv_len + 1);
 if (s != NULL) {
- memcpy(s, bv->bv_val, bv->bv_len);
+ AC_MEMCPY(s, bv->bv_val, bv->bv_len);
 s[bv->bv_len] = 0;
 }
 return(s);
@@ -1221,6 +1262,7 @@ aci_group_member (
 const char *defgrpat,
 Backend *be,
 Entry *e,
+ Connection *conn,
 Operation *op,
 regmatch_t *matches
 )
@@ -1269,7 +1311,7 @@ aci_group_member (
 if (grp_oc != NULL && grp_ad != NULL && grpdn != NULL) {
 string_expand(grpdn, 1024, subjdn, e->e_ndn, matches);
 if ( dn_normalize(grpdn) != NULL ) {
- rc = (backend_group(be, e, grpdn, op->o_ndn, grp_oc, grp_ad) == 0);
+ rc = (backend_group(be, conn, op, e, grpdn, op->o_ndn, grp_oc, grp_ad) == 0);
 }
 }
 
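Review bot: In the `@@ -1269,7 +1311,7 @@` hunk the rewritten `backend_group` call is fed `grpdn` right after `string_expand(grpdn, 1024, ...)`, where the bound is a bare literal detached from the buffer it protects; `grpdn` is declared outside the hunk, so this is inferred, but if it is a fixed-size array in aci_group_member then `string_expand(grpdn, sizeof grpdn, subjdn, e->e_ndn, matches);` keeps the expansion bound tied to the actual buffer and cannot silently drift if the array is resized. The new `Connection *conn` parameter added at `@@ -1221,6 +1262,7 @@` is, within these hunks, only forwarded to backend_group; a one-line comment on the parameter saying so (`/* conn: passed through to backend_group() for the membership lookup */`) would spare the next reader a search. aci_group_member's body starts and ends outside the hunks.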
@@ -1389,11 +1431,11 @@ aci_mask(
 }
 
 } else if (aci_strbvcmp( "group", &bv ) == 0) {
- if (aci_group_member(&sdn, SLAPD_GROUP_CLASS, SLAPD_GROUP_ATTR, be, e, op, matches))
+ if (aci_group_member(&sdn, SLAPD_GROUP_CLASS, SLAPD_GROUP_ATTR, be, e, conn, op, matches))
 return(1);
 
 } else if (aci_strbvcmp( "role", &bv ) == 0) {
- if (aci_group_member(&sdn, SLAPD_ROLE_CLASS, SLAPD_ROLE_ATTR, be, e, op, matches))
+ if (aci_group_member(&sdn, SLAPD_ROLE_CLASS, SLAPD_ROLE_ATTR, be, e, conn, op, matches))
 return(1);
 
 } else if (aci_strbvcmp( "set", &bv ) == 0) {