X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Fbackend.c;h=3048dd41bb26e3f411aa4fda2d3676fb0f1b91f7;hb=ed471a4d53b9bcd2cc89410743ffb4bd58b5fc05;hp=987eb8832c67d62f7126888403fc0df32a47f4b0;hpb=857d08ea21b82cbbd83399c5498be8a8fd998851;p=openldap

diff --git a/servers/slapd/backend.c b/servers/slapd/backend.c
index 987eb8832c..3048dd41bb 100644
--- a/servers/slapd/backend.c
+++ b/servers/slapd/backend.c
@@ -7,6 +7,7 @@
 
 
 #include "portable.h"
+#include "slapi_common.h"
 
 #include <stdio.h>
 
@@ -16,6 +17,7 @@
 #include <sys/stat.h>
 
 #include "slap.h"
+#include "slapi.h"
 #include "lutil.h"
 #include "lber_pvt.h"
 
@@ -686,12 +688,60 @@ backend_unbind(
 	Operation    *op
 )
 {
-	int	i;
+	int		i;
+	int     rc;
+	Slapi_PBlock *pb = op->o_pb;
+
+#if defined( LDAP_SLAPI )
+	slapi_pblock_set( pb, SLAPI_CONNECTION, (void *)conn );
+	slapi_pblock_set( pb, SLAPI_OPERATION, (void *)op );
+#endif /* defined( LDAP_SLAPI ) */
 
 	for ( i = 0; i < nbackends; i++ ) {
+#if defined( LDAP_SLAPI )
+		slapi_pblock_set( pb, SLAPI_BACKEND, (void *)&backends[i] );
+		rc = doPluginFNs( &backends[i], SLAPI_PLUGIN_PRE_UNBIND_FN,
+				(Slapi_PBlock *)pb );
+		if ( rc != 0 && rc != LDAP_OTHER ) {
+			/*
+			 * either there is no preOp (unbind) plugins
+			 * or a plugin failed. Just log it.
+			 *
+			 * FIXME: is this correct?
+			 */
+#ifdef NEW_LOGGING
+			LDAP_LOG( OPERATION, INFO, "do_bind: Unbind preOps "
+					"failed\n", 0, 0, 0);
+#else
+			Debug(LDAP_DEBUG_TRACE, "do_bind: Unbind preOps "
+					"failed.\n", 0, 0, 0);
+#endif
+		}
+#endif /* defined( LDAP_SLAPI ) */
+
 		if ( backends[i].be_unbind ) {
 			(*backends[i].be_unbind)( &backends[i], conn, op );
 		}
+
+#if defined( LDAP_SLAPI )
+		rc = doPluginFNs( &backends[i], SLAPI_PLUGIN_POST_UNBIND_FN,
+				(Slapi_PBlock *)pb );
+		if ( rc != 0 && rc != LDAP_OTHER ) {
+			/*
+			 * either there is no postOp (unbind) plugins
+			 * or a plugin failed. Just log it.
+			 *
+			 * FIXME: is this correct?
+			 */
+#ifdef NEW_LOGGING
+			LDAP_LOG( OPERATION, INFO, "do_unbind: Unbind postOps "
+					"failed\n", 0, 0, 0);
+#else
+			Debug(LDAP_DEBUG_TRACE, "do_unbind: Unbind postOps "
+					"failed.\n", 0, 0, 0);
+#endif
+		}
+#endif /* defined( LDAP_SLAPI ) */
 	}
 
 	return 0;
@@ -736,16 +786,9 @@ backend_check_controls(
 	Operation *op,
 	const char **text )
 {
-	LDAPControl **ctrls;
-	ctrls = op->o_ctrls;
-	if( ctrls == NULL ) {
-		return LDAP_SUCCESS;
-	}
+	LDAPControl **ctrls = op->o_ctrls;
 
-	if ( be->be_controls == NULL ) {
-		*text = "control unavailable in context";
-		return LDAP_UNAVAILABLE_CRITICAL_EXTENSION;
-	}
+	if( ctrls == NULL ) return LDAP_SUCCESS;
 
 	for( ; *ctrls != NULL ; ctrls++ ) {
 		if( (*ctrls)->ldctl_iscritical &&
@@ -873,6 +916,15 @@ backend_check_restrictions(
 			return LDAP_CONFIDENTIALITY_REQUIRED;
 		}
 
+
+		if( op->o_tag == LDAP_REQ_BIND && opdata == NULL ) {
+			/* simple bind specific check */
+			if( op->o_ssf < ssf->sss_simple_bind ) {
+				*text = "confidentiality required";
+				return LDAP_CONFIDENTIALITY_REQUIRED;
+			}
+		}
+
 		if( op->o_tag != LDAP_REQ_BIND || opdata == NULL ) {
 			/* these checks don't apply to SASL bind */
 
@@ -908,10 +960,20 @@ backend_check_restrictions(
 				return LDAP_CONFIDENTIALITY_REQUIRED;
 			}
 
-			if( op->o_ndn.bv_len == 0 ) {
+			if( !( global_allows & SLAP_ALLOW_UPDATE_ANON ) &&
+				op->o_ndn.bv_len == 0 )
+			{
 				*text = "modifications require authentication";
 				return LDAP_STRONG_AUTH_REQUIRED;
 			}
+
+#ifdef SLAP_X_LISTENER_MOD
+			if ( ! ( conn->c_listener->sl_perms & S_IWUSR ) ) {
+				/* no "w" mode means readonly */
+				*text = "modifications not allowed on this listener";
+				return LDAP_UNWILLING_TO_PERFORM;
+			}
+#endif /* SLAP_X_LISTENER_MOD */
 		}
 	}
 
@@ -962,6 +1024,25 @@ backend_check_restrictions(
 				return LDAP_OPERATIONS_ERROR;
 			}
 		}
+
+#ifdef SLAP_X_LISTENER_MOD
+		if ( !starttls && op->o_dn.bv_len == 0 ) {
+			if ( ! ( conn->c_listener->sl_perms & S_IXUSR ) ) {
+				/* no "x" mode means bind required */
+				*text = "bind required on this listener";
+				return LDAP_STRONG_AUTH_REQUIRED;
+			}
+		}
+
+		if ( !starttls && !updateop ) {
+			if ( ! ( conn->c_listener->sl_perms & S_IRUSR ) ) {
+				/* no "r" mode means no read */
+				*text = "read not allowed on this listener";
+				return LDAP_UNWILLING_TO_PERFORM;
+			}
+		}
+#endif /* SLAP_X_LISTENER_MOD */
+
 	}
 
 	if( restrictops & opflag ) {
@@ -1111,13 +1192,12 @@ Attribute *backend_operational(
 	 * and the backend supports specific operational attributes, 
 	 * add them to the attribute list
 	 */
-#ifdef SLAPD_SCHEMA_DN
 	if ( opattrs || ( attrs &&
 		ad_inlist( slap_schema.si_ad_subschemaSubentry, attrs )) ) {
 		*ap = slap_operational_subschemaSubentry( be );
 		ap = &(*ap)->a_next;
 	}
-#endif
+
 	if ( ( opattrs || attrs ) && be && be->be_operational != NULL ) {
 		( void )be->be_operational( be, conn, op, e, attrs, opattrs, ap );
 	}