X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Fbconfig.c;h=7979dc57f5ce4da084ed99b0b7008cf752bd1ce3;hb=9767c87531d193a4bef19286b77623aff18590fb;hp=f50fb6d75a64cb75b8bc889fa66fbce01e6fadbc;hpb=1421d522ad0d6c866d3b785e2b2030c8a682bb50;p=openldap diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c index f50fb6d75a..7979dc57f5 100644 --- a/servers/slapd/bconfig.c +++ b/servers/slapd/bconfig.c @@ -2,7 +2,7 @@ /* $OpenLDAP$ */ /* This work is part of OpenLDAP Software . * - * Copyright 2005-2008 The OpenLDAP Foundation. + * Copyright 2005-2009 The OpenLDAP Foundation. * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -145,6 +145,7 @@ enum { CFG_DATABASE, CFG_TLS_RAND, CFG_TLS_CIPHER, + CFG_TLS_PROTOCOL_MIN, CFG_TLS_CERT_FILE, CFG_TLS_CERT_KEY, CFG_TLS_CA_PATH, @@ -184,6 +185,7 @@ enum { CFG_SORTVALS, CFG_IX_INTLEN, CFG_SYNTAX, + CFG_ACL_ADD, CFG_LAST }; @@ -280,6 +282,10 @@ static ConfigTable config_back_cf_table[] = { "DESC 'Access Control List' " "EQUALITY caseIgnoreMatch " "SYNTAX OMsDirectoryString X-ORDERED 'VALUES' )", NULL, NULL }, + { "add_content_acl", NULL, 0, 0, 0, ARG_MAY_DB|ARG_ON_OFF|ARG_MAGIC|CFG_ACL_ADD, + &config_generic, "( OLcfgGlAt:86 NAME 'olcAddContentAcl' " + "DESC 'Check ACLs against content of Add ops' " + "SYNTAX OMsBoolean SINGLE-VALUE )", NULL, NULL }, { "allows", "features", 2, 0, 5, ARG_PRE_DB|ARG_MAGIC, &config_allows, "( OLcfgGlAt:2 NAME 'olcAllows' " "DESC 'Allowed set of deprecated features' " @@ -680,6 +686,14 @@ static ConfigTable config_back_cf_table[] = { #endif "( OLcfgGlAt:77 NAME 'olcTLSDHParamFile' " "SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL }, + { "TLSProtocolMin", NULL, 0, 0, 0, +#ifdef HAVE_TLS + CFG_TLS_PROTOCOL_MIN|ARG_STRING|ARG_MAGIC, &config_tls_config, +#else + ARG_IGNORED, NULL, +#endif + "( OLcfgGlAt:87 NAME 'olcTLSProtocolMin' " + "SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL }, { "tool-threads", "count", 2, 2, 0, ARG_INT|ARG_MAGIC|CFG_TTHREADS, &config_generic, "( OLcfgGlAt:80 NAME 'olcToolThreads' " "SYNTAX OMsInteger SINGLE-VALUE )", NULL, NULL }, @@ -692,6 +706,9 @@ static ConfigTable config_back_cf_table[] = { &config_updateref, "( OLcfgDbAt:0.13 NAME 'olcUpdateRef' " "EQUALITY caseIgnoreMatch " "SUP labeledURI )", NULL, NULL }, + { "writetimeout", "timeout", 2, 2, 0, ARG_INT, + &global_writetimeout, "( OLcfgGlAt:88 NAME 'olcWriteTimeout' " + "SYNTAX OMsInteger SINGLE-VALUE )", NULL, NULL }, { NULL, NULL, 0, 0, 0, ARG_IGNORED, NULL, NULL, NULL, NULL } }; @@ -738,7 +755,7 @@ static ConfigOCs cf_ocs[] = { "olcDisallows $ olcGentleHUP $ olcIdleTimeout $ " "olcIndexSubstrIfMaxLen $ olcIndexSubstrIfMinLen $ " "olcIndexSubstrAnyLen $ olcIndexSubstrAnyStep $ olcIndexIntLen $ " - "olcLocalSSF $ olcLogLevel $ " + "olcLocalSSF $ olcLogFile $ olcLogLevel $ " "olcPasswordCryptSaltFormat $ olcPasswordHash $ olcPidFile $ " "olcPluginLogFile $ olcReadOnly $ olcReferral $ " "olcReplogFile $ olcRequires $ olcRestrict $ olcReverseLookup $ " @@ -750,7 +767,7 @@ static ConfigOCs cf_ocs[] = { "olcTLSCACertificatePath $ olcTLSCertificateFile $ " "olcTLSCertificateKeyFile $ olcTLSCipherSuite $ olcTLSCRLCheck $ " "olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile $ " - "olcTLSCRLFile $ olcToolThreads $ " + "olcTLSCRLFile $ olcToolThreads $ olcWriteTimeout $ " "olcObjectIdentifier $ olcAttributeTypes $ olcObjectClasses $ " "olcDitContentRules $ olcLdapSyntaxes ) )", Cft_Global }, { "( OLcfgGlOc:2 " @@ -771,7 +788,7 @@ static ConfigOCs cf_ocs[] = { "SUP olcConfig STRUCTURAL " "MUST olcDatabase " "MAY ( olcHidden $ olcSuffix $ olcSubordinate $ olcAccess $ " - "olcLastMod $ olcLimits $ " + "olcAddContentAcl $ olcLastMod $ olcLimits $ " "olcMaxDerefDepth $ olcPlugin $ olcReadOnly $ olcReplica $ " "olcReplicaArgsFile $ olcReplicaPidFile $ olcReplicationInterval $ " "olcReplogFile $ olcRequires $ olcRestrict $ olcRootDN $ olcRootPW $ " @@ -974,12 +991,7 @@ config_generic(ConfigArgs *c) { AccessControl *a; char *src, *dst, ibuf[11]; struct berval bv, abv; - AccessControl *end; - if ( c->be == frontendDB ) - end = NULL; - else - end = frontendDB->be_acl; - for (i=0, a=c->be->be_acl; a && a != end; i++,a=a->acl_next) { + for (i=0, a=c->be->be_acl; a; i++,a=a->acl_next) { abv.bv_len = snprintf( ibuf, sizeof( ibuf ), SLAP_X_ORDERED_FMT, i ); if ( abv.bv_len >= sizeof( ibuf ) ) { ber_bvarray_free_x( c->rvalue_vals, NULL ); @@ -1006,6 +1018,9 @@ config_generic(ConfigArgs *c) { rc = (!i); break; } + case CFG_ACL_ADD: + c->value_int = (SLAP_DBACL_ADD(c->be) != 0); + break; case CFG_ROOTDSE: { ConfigFile *cf = c->ca_private; if ( cf->c_dseFiles ) { @@ -1025,7 +1040,7 @@ config_generic(ConfigArgs *c) { if ( !BER_BVISEMPTY( &si->si_url )) { bv.bv_len = si->si_url.bv_len + 6; bv.bv_val = ch_malloc( bv.bv_len ); - sprintf( bv.bv_val, "%d %s", si->si_num, + bv.bv_len = sprintf( bv.bv_val, "%d %s", si->si_num, si->si_url.bv_val ); ber_bvarray_add( &c->rvalue_vals, &bv ); } else { @@ -1159,6 +1174,7 @@ config_generic(ConfigArgs *c) { case CFG_SASLSECP: case CFG_SSTR_IF_MAX: case CFG_SSTR_IF_MIN: + case CFG_ACL_ADD: break; /* no-ops, requires slapd restart */ @@ -1211,13 +1227,8 @@ config_generic(ConfigArgs *c) { case CFG_ACL: if ( c->valx < 0 ) { - AccessControl *end; - if ( c->be == frontendDB ) - end = NULL; - else - end = frontendDB->be_acl; - acl_destroy( c->be->be_acl, end ); - c->be->be_acl = end; + acl_destroy( c->be->be_acl ); + c->be->be_acl = NULL; } else { AccessControl **prev, *a; @@ -1682,11 +1693,10 @@ sortval_reject: case CFG_ACL: /* Don't append to the global ACL if we're on a specific DB */ i = c->valx; - if ( c->be != frontendDB && frontendDB->be_acl && c->valx == -1 ) { + if ( c->valx == -1 ) { AccessControl *a; i = 0; - for ( a=c->be->be_acl; a && a != frontendDB->be_acl; - a = a->acl_next ) + for ( a=c->be->be_acl; a; a = a->acl_next ) i++; } if ( parse_acl(c->be, c->fname, c->lineno, c->argc, c->argv, i ) ) { @@ -1694,6 +1704,13 @@ sortval_reject: } break; + case CFG_ACL_ADD: + if(c->value_int) + SLAP_DBFLAGS(c->be) |= SLAP_DBFLAG_ACL_ADD; + else + SLAP_DBFLAGS(c->be) &= ~SLAP_DBFLAG_ACL_ADD; + break; + case CFG_ROOTDSE: if(root_dse_read_file(c->argv[1])) { snprintf( c->cr_msg, sizeof( c->cr_msg ), "<%s> could not read file", c->argv[0] ); @@ -1769,20 +1786,28 @@ sortval_reject: *sip = si; if (( slapMode & SLAP_SERVER_MODE ) && c->argc > 2 ) { + Listener **l = slapd_get_listeners(); + int i, isMe = 0; + + /* Try a straight compare with Listener strings */ + for ( i=0; l && l[i]; i++ ) { + if ( !strcasecmp( c->argv[2], l[i]->sl_url.bv_val )) { + isMe = 1; + break; + } + } + /* If hostname is empty, or is localhost, or matches * our hostname, this serverID refers to this host. * Compare it against listeners and ports. */ - if ( !lud->lud_host || !lud->lud_host[0] || + if ( !isMe && ( !lud->lud_host || !lud->lud_host[0] || !strncasecmp("localhost", lud->lud_host, STRLENOF("localhost")) || - !strcasecmp( global_host, lud->lud_host )) { - Listener **l = slapd_get_listeners(); - int i; + !strcasecmp( global_host, lud->lud_host ))) { for ( i=0; l && l[i]; i++ ) { LDAPURLDesc *lu2; - int isMe = 0; ldap_url_parse( l[i]->sl_url.bv_val, &lu2 ); do { if ( strcasecmp( lud->lud_scheme, @@ -1811,15 +1836,17 @@ sortval_reject: } while(0); ldap_free_urldesc( lu2 ); if ( isMe ) { - slap_serverID = si->si_num; - Debug( LDAP_DEBUG_CONFIG, - "%s: SID=%d (listener=%s)\n", - c->log, slap_serverID, - l[i]->sl_url.bv_val ); break; } } } + if ( isMe ) { + slap_serverID = si->si_num; + Debug( LDAP_DEBUG_CONFIG, + "%s: SID=%d (listener=%s)\n", + c->log, slap_serverID, + l[i]->sl_url.bv_val ); + } } if ( c->argc > 2 ) ldap_free_urldesc( lud ); @@ -2587,6 +2614,8 @@ config_disallows(ConfigArgs *c) { { BER_BVC("bind_simple"), SLAP_DISALLOW_BIND_SIMPLE }, { BER_BVC("tls_2_anon"), SLAP_DISALLOW_TLS_2_ANON }, { BER_BVC("tls_authc"), SLAP_DISALLOW_TLS_AUTHC }, + { BER_BVC("proxy_authz_non_critical"), SLAP_DISALLOW_PROXY_AUTHZ_N_CRIT }, + { BER_BVC("dontusecopy_non_critical"), SLAP_DISALLOW_DONTUSECOPY_N_CRIT }, { BER_BVNULL, 0 } }; if (c->op == SLAP_CONFIG_EMIT) { @@ -3062,7 +3091,16 @@ config_shadow( ConfigArgs *c, int flag ) return 1; } - SLAP_DBFLAGS(c->be) |= (SLAP_DBFLAG_SHADOW | SLAP_DBFLAG_SINGLE_SHADOW | flag); + if ( SLAP_SHADOW(c->be) ) { + /* if already shadow, only check consistency */ + if ( ( SLAP_DBFLAGS(c->be) & flag ) != flag ) { + Debug( LDAP_DEBUG_ANY, "%s: inconsistent shadow flag 0x%x.\n", c->log, flag, 0 ); + return 1; + } + + } else { + SLAP_DBFLAGS(c->be) |= (SLAP_DBFLAG_SHADOW | SLAP_DBFLAG_SINGLE_SHADOW | flag); + } return 0; } @@ -3191,6 +3229,7 @@ config_tls_config(ConfigArgs *c) { switch(c->type) { case CFG_TLS_CRLCHECK: flag = LDAP_OPT_X_TLS_CRLCHECK; break; case CFG_TLS_VERIFY: flag = LDAP_OPT_X_TLS_REQUIRE_CERT; break; + case CFG_TLS_PROTOCOL_MIN: flag = LDAP_OPT_X_TLS_PROTOCOL_MIN; break; default: Debug(LDAP_DEBUG_ANY, "%s: " "unknown tls_option <0x%x>\n", @@ -3213,7 +3252,7 @@ config_tls_config(ConfigArgs *c) { } return(ldap_pvt_tls_set_option(slap_tls_ld, flag, &i)); } else { - return(ldap_int_tls_config(slap_tls_ld, flag, c->argv[1])); + return(ldap_pvt_tls_config(slap_tls_ld, flag, c->argv[1])); } } #endif @@ -3618,6 +3657,9 @@ config_send( Operation *op, SlapReply *rs, CfEntryInfo *ce, int depth ) rs->sr_entry = ce->ce_entry; rs->sr_flags = 0; rc = send_search_entry( op, rs ); + if ( rc != LDAP_SUCCESS ) { + return rc; + } } if ( op->ors_scope == LDAP_SCOPE_SUBTREE ) { if ( ce->ce_kids ) { @@ -3780,14 +3822,15 @@ config_rename_kids( CfEntryInfo *ce ) struct berval rdn, nrdn; for (ce2 = ce->ce_kids; ce2; ce2 = ce2->ce_sibs) { + struct berval newdn, newndn; dnRdn ( &ce2->ce_entry->e_name, &rdn ); dnRdn ( &ce2->ce_entry->e_nname, &nrdn ); + build_new_dn( &newdn, &ce->ce_entry->e_name, &rdn, NULL ); + build_new_dn( &newndn, &ce->ce_entry->e_nname, &nrdn, NULL ); free( ce2->ce_entry->e_name.bv_val ); free( ce2->ce_entry->e_nname.bv_val ); - build_new_dn( &ce2->ce_entry->e_name, &ce->ce_entry->e_name, - &rdn, NULL ); - build_new_dn( &ce2->ce_entry->e_nname, &ce->ce_entry->e_nname, - &nrdn, NULL ); + ce2->ce_entry->e_name = newdn; + ce2->ce_entry->e_nname = newndn; config_rename_kids( ce2 ); } } @@ -3948,10 +3991,10 @@ check_name_index( CfEntryInfo *parent, ConfigType ce_type, Entry *e, isconfig = 1; } ptr1 = ber_bvchr( &e->e_name, '{' ); - if ( ptr1 && ptr1 - e->e_name.bv_val < rdn.bv_len ) { + if ( ptr1 && ptr1 < &e->e_name.bv_val[ rdn.bv_len ] ) { char *next; ptr2 = strchr( ptr1, '}' ); - if (!ptr2 || ptr2 - e->e_name.bv_val > rdn.bv_len) + if ( !ptr2 || ptr2 > &e->e_name.bv_val[ rdn.bv_len ] ) return LDAP_NAMING_VIOLATION; if ( ptr2-ptr1 == 1) return LDAP_NAMING_VIOLATION; @@ -4448,6 +4491,7 @@ config_add_internal( CfBackInfo *cfb, Entry *e, ConfigArgs *ca, SlapReply *rs, if ( !ct ) continue; /* user data? */ for (i=0; a->a_vals[i].bv_val; i++) { char *iptr = NULL; + ca->valx = -1; ca->line = a->a_vals[i].bv_val; if ( a->a_desc->ad_type->sat_flags & SLAP_AT_ORDERED ) { ptr = strchr( ca->line, '}' ); @@ -4459,8 +4503,6 @@ config_add_internal( CfBackInfo *cfb, Entry *e, ConfigArgs *ca, SlapReply *rs, if ( a->a_desc->ad_type->sat_flags & SLAP_AT_ORDERED_SIB ) { if ( iptr ) { ca->valx = strtol( iptr+1, NULL, 0 ); - } else { - ca->valx = -1; } } else { ca->valx = i; @@ -4666,7 +4708,7 @@ config_back_add( Operation *op, SlapReply *rs ) { char textbuf[SLAP_TEXT_BUFLEN]; size_t textlen = sizeof textbuf; - rs->sr_err = entry_schema_check(op, op->ora_e, NULL, 0, 1, + rs->sr_err = entry_schema_check(op, op->ora_e, NULL, 0, 1, NULL, &rs->sr_text, textbuf, sizeof( textbuf ) ); if ( rs->sr_err != LDAP_SUCCESS ) goto out; @@ -4749,6 +4791,7 @@ config_modify_add( ConfigTable *ct, ConfigArgs *ca, AttributeDescription *ad, { int rc; + ca->valx = -1; if (ad->ad_type->sat_flags & SLAP_AT_ORDERED && ca->line[0] == '{' ) { @@ -4912,7 +4955,7 @@ config_modify_internal( CfEntryInfo *ce, Operation *op, SlapReply *rs, if ( rc == LDAP_SUCCESS) { /* check that the entry still obeys the schema */ - rc = entry_schema_check(op, e, NULL, 0, 0, + rc = entry_schema_check(op, e, NULL, 0, 0, NULL, &rs->sr_text, ca->cr_msg, sizeof(ca->cr_msg) ); } if ( rc ) goto out_noop; @@ -5487,20 +5530,22 @@ config_back_search( Operation *op, SlapReply *rs ) switch ( op->ors_scope ) { case LDAP_SCOPE_BASE: case LDAP_SCOPE_SUBTREE: - config_send( op, rs, ce, 0 ); + rs->sr_err = config_send( op, rs, ce, 0 ); break; case LDAP_SCOPE_ONELEVEL: for (ce = ce->ce_kids; ce; ce=ce->ce_sibs) { - config_send( op, rs, ce, 1 ); + rs->sr_err = config_send( op, rs, ce, 1 ); + if ( rs->sr_err ) { + break; + } } break; } - - rs->sr_err = LDAP_SUCCESS; + out: send_ldap_result( op, rs ); - return 0; + return rs->sr_err; } /* no-op, we never free entries */ @@ -5546,7 +5591,7 @@ int config_back_entry_get( return rc; } -static void +static int config_build_attrs( Entry *e, AttributeType **at, AttributeDescription *ad, ConfigTable *ct, ConfigArgs *c ) { @@ -5563,18 +5608,42 @@ config_build_attrs( Entry *e, AttributeType **at, AttributeDescription *ad, * returns success with no values */ if (rc == LDAP_SUCCESS && c->rvalue_vals != NULL ) { if ( c->rvalue_nvals ) - attr_merge(e, ct[i].ad, c->rvalue_vals, + rc = attr_merge(e, ct[i].ad, c->rvalue_vals, c->rvalue_nvals); - else - attr_merge_normalize(e, ct[i].ad, + else { + slap_syntax_validate_func *validate = + ct[i].ad->ad_type->sat_syntax->ssyn_validate; + if ( validate ) { + int j; + for ( j=0; c->rvalue_vals[j].bv_val; j++ ) { + rc = ordered_value_validate( ct[i].ad, + &c->rvalue_vals[j], LDAP_MOD_ADD ); + if ( rc ) { + Debug( LDAP_DEBUG_ANY, + "config_build_attrs: error %d on %s value #%d\n", + rc, ct[i].ad->ad_cname.bv_val, j ); + return rc; + } + } + } + + rc = attr_merge_normalize(e, ct[i].ad, c->rvalue_vals, NULL); + } ber_bvarray_free( c->rvalue_nvals ); ber_bvarray_free( c->rvalue_vals ); + if ( rc ) { + Debug( LDAP_DEBUG_ANY, + "config_build_attrs: error %d on %s\n", + rc, ct[i].ad->ad_cname.bv_val, 0 ); + return rc; + } } break; } } } + return 0; } Entry * @@ -5588,7 +5657,7 @@ config_build_entry( Operation *op, SlapReply *rs, CfEntryInfo *parent, AttributeDescription *ad = NULL; int rc; char *ptr; - const char *text; + const char *text = ""; Attribute *oc_at; struct berval pdn; ObjectClass *oc; @@ -5626,7 +5695,7 @@ config_build_entry( Operation *op, SlapReply *rs, CfEntryInfo *parent, ad_name.bv_len = ptr - rdn->bv_val; rc = slap_bv2ad( &ad_name, &ad, &text ); if ( rc ) { - return NULL; + goto fail; } val.bv_val = ptr+1; val.bv_len = rdn->bv_len - (val.bv_val - rdn->bv_val); @@ -5634,26 +5703,35 @@ config_build_entry( Operation *op, SlapReply *rs, CfEntryInfo *parent, oc = main->co_oc; c->table = main->co_type; - if ( oc->soc_required ) - config_build_attrs( e, oc->soc_required, ad, main->co_table, c ); + if ( oc->soc_required ) { + rc = config_build_attrs( e, oc->soc_required, ad, main->co_table, c ); + if ( rc ) goto fail; + } - if ( oc->soc_allowed ) - config_build_attrs( e, oc->soc_allowed, ad, main->co_table, c ); + if ( oc->soc_allowed ) { + rc = config_build_attrs( e, oc->soc_allowed, ad, main->co_table, c ); + if ( rc ) goto fail; + } if ( extra ) { oc = extra->co_oc; c->table = extra->co_type; - if ( oc->soc_required ) - config_build_attrs( e, oc->soc_required, ad, extra->co_table, c ); + if ( oc->soc_required ) { + rc = config_build_attrs( e, oc->soc_required, ad, extra->co_table, c ); + if ( rc ) goto fail; + } - if ( oc->soc_allowed ) - config_build_attrs( e, oc->soc_allowed, ad, extra->co_table, c ); + if ( oc->soc_allowed ) { + rc = config_build_attrs( e, oc->soc_allowed, ad, extra->co_table, c ); + if ( rc ) goto fail; + } } oc_at = attr_find( e->e_attrs, slap_schema.si_ad_objectClass ); rc = structural_class(oc_at->a_vals, &oc, NULL, &text, c->cr_msg, sizeof(c->cr_msg), op ? op->o_tmpmemctx : NULL ); if ( rc != LDAP_SUCCESS ) { +fail: Debug( LDAP_DEBUG_ANY, "config_build_entry: build \"%s\" failed: \"%s\"\n", rdn->bv_val, text, 0); @@ -5668,7 +5746,7 @@ config_build_entry( Operation *op, SlapReply *rs, CfEntryInfo *parent, op->o_bd->be_add( op, rs ); if ( ( rs->sr_err != LDAP_SUCCESS ) && (rs->sr_err != LDAP_ALREADY_EXISTS) ) { - return NULL; + goto fail; } } } @@ -5690,7 +5768,7 @@ config_build_schema_inc( ConfigArgs *c, CfEntryInfo *ceparent, Entry *e; ConfigFile *cf = c->ca_private; char *ptr; - struct berval bv; + struct berval bv, rdn; for (; cf; cf=cf->c_sibs, c->depth++) { if ( !cf->c_at_head && !cf->c_cr_head && !cf->c_oc_head && @@ -5716,9 +5794,10 @@ config_build_schema_inc( ConfigArgs *c, CfEntryInfo *ceparent, bv.bv_len ); c->value_dn.bv_len += bv.bv_len; c->value_dn.bv_val[c->value_dn.bv_len] ='\0'; + rdn = c->value_dn; c->ca_private = cf; - e = config_build_entry( op, rs, ceparent, c, &c->value_dn, + e = config_build_entry( op, rs, ceparent, c, &rdn, &CFOC_SCHEMA, NULL ); if ( !e ) { return -1; @@ -5882,7 +5961,7 @@ config_back_db_open( BackendDB *be, ConfigReply *cr ) /* If we have no explicitly configured ACLs, don't just use * the global ACLs. Explicitly deny access to everything. */ - if ( frontendDB->be_acl && be->be_acl == frontendDB->be_acl ) { + if ( !be->be_acl ) { parse_acl(be, "config_back_db_open", 0, 6, (char **)defacl, 0 ); } @@ -6171,6 +6250,9 @@ config_back_db_init( BackendDB *be, ConfigReply* cr ) /* Hide from namingContexts */ SLAP_BFLAGS(be) |= SLAP_BFLAG_CONFIG; + /* Check ACLs on content of Adds by default */ + SLAP_DBFLAGS(be) |= SLAP_DBFLAG_ACL_ADD; + return 0; }