X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Fbackend.c;h=124ec7c42274eea6f3849fb79cd1eb35bde903c9;hb=886f60f8223d51e6a3b5fe0bf199e335b6eae86e;hp=b5405dd3513fa8abc60b74372d3563ff58765a2b;hpb=bbbf2f4ca7aa50bea416340d00cb9d2dd695b94a;p=openldap diff --git a/servers/slapd/backend.c b/servers/slapd/backend.c index b5405dd351..124ec7c422 100644 --- a/servers/slapd/backend.c +++ b/servers/slapd/backend.c @@ -866,6 +866,15 @@ backend_check_restrictions( return LDAP_CONFIDENTIALITY_REQUIRED; } + + if( op->o_tag == LDAP_REQ_BIND && opdata == NULL ) { + /* simple bind specific check */ + if( op->o_ssf < ssf->sss_simple_bind ) { + *text = "confidentiality required"; + return LDAP_CONFIDENTIALITY_REQUIRED; + } + } + if( op->o_tag != LDAP_REQ_BIND || opdata == NULL ) { /* these checks don't apply to SASL bind */ @@ -901,10 +910,20 @@ backend_check_restrictions( return LDAP_CONFIDENTIALITY_REQUIRED; } - if( op->o_ndn.bv_len == 0 ) { + if( !( global_allows & SLAP_ALLOW_UPDATE_ANON ) && + op->o_ndn.bv_len == 0 ) + { *text = "modifications require authentication"; return LDAP_STRONG_AUTH_REQUIRED; } + +#ifdef SLAP_X_LISTENER_MOD + if ( ! ( conn->c_listener->sl_perms & S_IWUSR ) ) { + /* no "w" mode means readonly */ + *text = "modifications not allowed on this listener"; + return LDAP_UNWILLING_TO_PERFORM; + } +#endif /* SLAP_X_LISTENER_MOD */ } } @@ -955,6 +974,25 @@ backend_check_restrictions( return LDAP_OPERATIONS_ERROR; } } + +#ifdef SLAP_X_LISTENER_MOD + if ( !starttls && op->o_dn.bv_len == 0 ) { + if ( ! ( conn->c_listener->sl_perms & S_IXUSR ) ) { + /* no "x" mode means bind required */ + *text = "bind required on this listener"; + return LDAP_STRONG_AUTH_REQUIRED; + } + } + + if ( !starttls && !updateop ) { + if ( ! ( conn->c_listener->sl_perms & S_IRUSR ) ) { + /* no "r" mode means no read */ + *text = "read not allowed on this listener"; + return LDAP_UNWILLING_TO_PERFORM; + } + } +#endif /* SLAP_X_LISTENER_MOD */ + } if( restrictops & opflag ) { 
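Review bot: The new simple-bind check in the first hunk recognises a simple bind only by `op->o_tag == LDAP_REQ_BIND && opdata == NULL`, and the comment does not say that a NULL `opdata` is what distinguishes it from a SASL bind. It also runs on a bind request the server has already received, so a client on a too-weak layer has presumably sent its password by the time the refusal is returned. A comment should record both, e.g. `/* simple bind (opdata == NULL): refuse when o_ssf < sss_simple_bind; the credentials were already sent, so this limits use of a weak channel, it does not prevent exposure */`. The `*text` value is identical to the one in the preceding check, so a log cannot tell which threshold failed; `*text = "confidentiality required for simple bind";` would make that visible. The body of backend_check_restrictions starts and ends outside the hunk.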
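Review bot: The listener check added under `SLAP_X_LISTENER_MOD` in the second hunk dereferences `conn->c_listener` with no NULL guard, and the same unguarded read recurs in both listener checks of the third hunk. Whether every connection that reaches backend_check_restrictions has a listener is not visible here, so either document that invariant or guard the read, deciding explicitly whether a missing listener means allow or refuse, e.g. `if ( conn->c_listener == NULL || ! ( conn->c_listener->sl_perms & S_IWUSR ) ) {`. Separately, when `SLAP_ALLOW_UPDATE_ANON` is set the empty-`o_ndn` refusal is skipped, so anonymous updates are stopped only by whatever checks run later. A comment on that condition should say so, e.g. `/* update_anon set: anonymous updates are not refused here and rely on later access checks */`.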
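Review bot: The bind-required check in the third hunk tests `op->o_dn.bv_len == 0`, while the anonymous-update check in the second hunk tests `op->o_ndn.bv_len == 0`. Using one field for "not bound" in both places, e.g. `if ( !starttls && op->o_ndn.bv_len == 0 ) {`, keeps the two tests from drifting apart. The read check `!starttls && !updateop` treats every non-update operation as a read. Whether bind, unbind or abandon can reach it depends on the enclosing condition, which starts outside the hunk, so the comment should name the operations the "r" mode is meant to cover.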
@@ -1104,13 +1142,12 @@ Attribute *backend_operational( * and the backend supports specific operational attributes, * add them to the attribute list */ -#ifdef SLAPD_SCHEMA_DN if ( opattrs || ( attrs && ad_inlist( slap_schema.si_ad_subschemaSubentry, attrs )) ) { *ap = slap_operational_subschemaSubentry( be ); ap = &(*ap)->a_next; } -#endif + if ( ( opattrs || attrs ) && be && be->be_operational != NULL ) { ( void )be->be_operational( be, conn, op, e, attrs, opattrs, ap ); }
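Review bot: With the `#ifdef SLAPD_SCHEMA_DN` guard removed, `slap_operational_subschemaSubentry( be )` is always compiled in, yet it is called without the `be` test that the very next condition applies (`be && be->be_operational != NULL`). Its result is also followed by `ap = &(*ap)->a_next;` with no NULL check. The helper's body is not in the hunk, so if it can return NULL or cannot take a NULL backend, this path is a server crash. Guarding the advance with `if ( *ap != NULL ) ap = &(*ap)->a_next;` and documenting whether `be` may be NULL here would close that. The body of backend_operational starts and ends outside the hunk.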