X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Fcompare.c;h=d43af1c0164130907484859a7659e3c39a5e40a7;hb=4a107089d82ecdaca788fc6ecdef34d3d4fc19df;hp=66d0d85c146b9adfc16ec7796c6a553139b97b07;hpb=fda3d6260e25f1d0b9c035b0d520b2c9d0f22e49;p=openldap

diff --git a/servers/slapd/compare.c b/servers/slapd/compare.c
index 66d0d85c14..d43af1c016 100644
--- a/servers/slapd/compare.c
+++ b/servers/slapd/compare.c
@@ -1,7 +1,7 @@
 /* $OpenLDAP$ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2004 The OpenLDAP Foundation.
+ * Copyright 1998-2005 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -47,7 +47,11 @@ do_compare(
 	struct berval dn = BER_BVNULL;
 	struct berval desc = BER_BVNULL;
 	struct berval value = BER_BVNULL;
+#ifdef LDAP_COMP_MATCH
+	AttributeAssertion ava = { NULL, BER_BVNULL, NULL };
+#else
 	AttributeAssertion ava = { NULL, BER_BVNULL };
+#endif
 
 	ava.aa_desc = NULL;
 
@@ -203,14 +207,16 @@ fe_op_compare( Operation *op, SlapReply *rs )
 	 */
 	op->o_bd = select_backend( &op->o_req_ndn, manageDSAit, 0 );
 	if ( op->o_bd == NULL ) {
-		rs->sr_ref = referral_rewrite( SLAPD_GLOBAL(default_referral),
+		rs->sr_ref = referral_rewrite( default_referral,
 			NULL, &op->o_req_dn, LDAP_SCOPE_DEFAULT );
 
 		rs->sr_err = LDAP_REFERRAL;
-		if (!rs->sr_ref) rs->sr_ref = SLAPD_GLOBAL(default_referral);
+		if (!rs->sr_ref) rs->sr_ref = default_referral;
+		op->o_bd = frontendDB;
 		send_ldap_result( op, rs );
+		op->o_bd = NULL;
 
-		if (rs->sr_ref != SLAPD_GLOBAL(default_referral)) ber_bvarray_free( rs->sr_ref );
+		if (rs->sr_ref != default_referral) ber_bvarray_free( rs->sr_ref );
 		rs->sr_err = 0;
 		goto cleanup;
 	}
@@ -272,6 +278,7 @@ fe_op_compare( Operation *op, SlapReply *rs )
 		send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM,
 			"subschemaSubentry compare not supported" );
 
+#ifndef SLAP_COMPARE_IN_FRONTEND
 	} else if ( ava.aa_desc == slap_schema.si_ad_hasSubordinates
 		&& op->o_bd->be_has_subordinates )
 	{
@@ -279,9 +286,16 @@ fe_op_compare( Operation *op, SlapReply *rs )
 
 		rc = be_entry_get_rw( op, &op->o_req_ndn, NULL, NULL, 0, &entry );
 		if ( rc == 0 && entry ) {
-			rc = op->o_bd->be_has_subordinates( op, entry,
-				&hasSubordinates );
-			be_entry_release_r( op, entry );
+			if ( ! access_allowed( op, entry,
+				ava.aa_desc, &ava.aa_value, ACL_COMPARE, NULL ) )
+			{	
+				rc = rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
+				
+			} else {
+				rc = rs->sr_err = op->o_bd->be_has_subordinates( op,
+						entry, &hasSubordinates );
+				be_entry_release_r( op, entry );
+			}
 		}
 
 		if ( rc == 0 ) {
@@ -291,20 +305,94 @@ fe_op_compare( Operation *op, SlapReply *rs )
 				? LDAP_COMPARE_TRUE : LDAP_COMPARE_FALSE;
 			if ( hasSubordinates == asserted ) {
 				rs->sr_err = LDAP_COMPARE_TRUE;
+
 			} else {
 				rs->sr_err = LDAP_COMPARE_FALSE;
 			}
+
+		} else {
+#ifdef SLAP_ACL_HONOR_DISCLOSE
+			/* return error only if "disclose"
+			 * is granted on the object */
+			if ( backend_access( op, NULL, &op->o_req_ndn,
+					slap_schema.si_ad_entry,
+					NULL, ACL_DISCLOSE, NULL ) == LDAP_INSUFFICIENT_ACCESS )
+			{
+				rs->sr_err = LDAP_NO_SUCH_OBJECT;
+			}
+#endif /* SLAP_ACL_HONOR_DISCLOSE */
 		}
+
 		send_ldap_result( op, rs );
 
-		if( rc == 0 ) rs->sr_err = LDAP_SUCCESS;
+		if ( rc == 0 ) {
+			rs->sr_err = LDAP_SUCCESS;
+		}
 
 	} else if ( op->o_bd->be_compare ) {
-		op->o_bd->be_compare( op, rs );
+		rs->sr_err = op->o_bd->be_compare( op, rs );
 
+#endif /* ! SLAP_COMPARE_IN_FRONTEND */
 	} else {
-		send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM,
-			"operation not supported within namingContext" );
+		rs->sr_err = SLAP_CB_CONTINUE;
+	}
+
+	if ( rs->sr_err == SLAP_CB_CONTINUE ) {
+		/* do our best to compare that AVA
+		 * 
+		 * NOTE: this code is used only
+		 * if SLAP_COMPARE_IN_FRONTEND 
+		 * is #define'd (it's not by default)
+		 * or if op->o_bd->be_compare is NULL.
+		 * 
+		 * FIXME: one potential issue is that
+		 * if SLAP_COMPARE_IN_FRONTEND overlays
+		 * are not executed for compare. */
+		BerVarray	vals = NULL;
+		int		rc = LDAP_OTHER;
+
+		rs->sr_err = backend_attribute( op, NULL, &op->o_req_ndn,
+				ava.aa_desc, &vals, ACL_COMPARE );
+		switch ( rs->sr_err ) {
+		default:
+#ifdef SLAP_ACL_HONOR_DISCLOSE
+			/* return error only if "disclose"
+			 * is granted on the object */
+			if ( backend_access( op, NULL, &op->o_req_ndn,
+					slap_schema.si_ad_entry,
+					NULL, ACL_DISCLOSE, NULL )
+					== LDAP_INSUFFICIENT_ACCESS )
+			{
+				rs->sr_err = LDAP_NO_SUCH_OBJECT;
+			}
+#endif /* SLAP_ACL_HONOR_DISCLOSE */
+			break;
+
+		case LDAP_SUCCESS:
+			if ( value_find_ex( op->oq_compare.rs_ava->aa_desc,
+				SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH |
+					SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH,
+				vals, &ava.aa_value, op->o_tmpmemctx ) == 0 )
+			{
+				rs->sr_err = LDAP_COMPARE_TRUE;
+				break;
+
+			} else {
+				rs->sr_err = LDAP_COMPARE_FALSE;
+			}
+			rc = LDAP_SUCCESS;
+			break;
+		}
+
+		send_ldap_result( op, rs );
+
+		if ( rc == 0 ) {
+			rs->sr_err = LDAP_SUCCESS;
+		}
+		
+		if ( vals ) {
+			ber_bvarray_free_x( vals, op->o_tmpmemctx );
+		}
 	}
 
 #if defined( LDAP_SLAPI )
@@ -325,19 +413,22 @@ static int compare_entry(
 	Entry *e,
 	AttributeAssertion *ava )
 {
-	int rc;
+	int rc = LDAP_COMPARE_FALSE;
 	Attribute *a;
 
 	if ( ! access_allowed( op, e,
 		ava->aa_desc, &ava->aa_value, ACL_COMPARE, NULL ) )
 	{	
-		return LDAP_INSUFFICIENT_ACCESS;
+		rc = LDAP_INSUFFICIENT_ACCESS;
+		goto done;
 	}
 
 	a = attrs_find( e->e_attrs, ava->aa_desc );
-	if( a == NULL ) return LDAP_NO_SUCH_ATTRIBUTE;
+	if( a == NULL ) {
+		rc = LDAP_NO_SUCH_ATTRIBUTE;
+		goto done;
+	}
 
-	rc = LDAP_COMPARE_FALSE;
 	for(a = attrs_find( e->e_attrs, ava->aa_desc );
 		a != NULL;
 		a = attrs_find( a->a_next, ava->aa_desc ))
@@ -352,13 +443,23 @@ static int compare_entry(
 		if ( value_find_ex( ava->aa_desc,
 			SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH |
 				SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH,
-			a->a_nvals,
-			&ava->aa_value, op->o_tmpmemctx ) == 0 )
+			a->a_nvals, &ava->aa_value, op->o_tmpmemctx ) == 0 )
 		{
 			rc = LDAP_COMPARE_TRUE;
 			break;
 		}
 	}
 
+done:
+#ifdef LDAP_ACL_HONOR_DISCLOSE
+	if( rc != LDAP_COMPARE_TRUE && rc != LDAP_COMPARE_FALSE ) {
+		if ( ! access_allowed( op, e,
+			slap_schema.si_ad_entry, NULL, ACL_DISCLOSE, NULL ) )
+		{
+			rc = LDAP_NO_SUCH_OBJECT;
+		}
+	}
+#endif
+
 	return rc;
 }