goto done;
}
+#ifdef LDAP_SLAPI
+ ret = slapi_x_access_allowed( op, e, desc, val, access, state );
+ if ( ret == 0 ) {
+ /* ACL plugin denied access */
+ goto done;
+ }
+#endif /* LDAP_SLAPI */
+
be = op->o_bd;
if ( be == NULL ) {
be = &backends[0];
extern int slapi_x_compute_output_ber(computed_attr_context *c, Slapi_Attr *a, Slapi_Entry *e);
extern int slapi_x_compute_get_pblock(computed_attr_context *c, Slapi_PBlock **pb);
+extern int slapi_x_access_allowed(Operation *op, Entry *entry, AttributeDescription *desc, struct berval *val, slap_access_t access, AccessControlState *state);
+
extern ldap_pvt_thread_mutex_t slapi_hn_mutex;
extern ldap_pvt_thread_mutex_t slapi_time_mutex;
extern ldap_pvt_thread_mutex_t slapi_printmessage_mutex;
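Review bot: The new `slapi_x_access_allowed` prototype has no comment stating its return convention, which is 1 for granted and 0 for denied. That is the opposite sense of the `rc != LDAP_SUCCESS` checks used elsewhere in this change, where 0 means success. A one-line comment above the declaration, e.g. `/* returns 1 if access is granted or no ACL plugin applies, 0 if a plugin denied access */`, would keep a later caller from inverting an access-control decision.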
#define SLAPI_PLUGIN_SYNTAX_FLAGS 707
#define SLAPI_PLUGIN_SYNTAX_COMPARE 708
+#define SLAPI_PLUGIN_ACL_INIT 730
+#define SLAPI_PLUGIN_ACL_SYNTAX_CHECK 731
+#define SLAPI_PLUGIN_ACL_ALLOW_ACCESS 732
+#define SLAPI_PLUGIN_ACL_MODS_ALLOWED 733
+#define SLAPI_PLUGIN_ACL_MODS_UPDATE 734
+
#define SLAPI_OPERATION_AUTHTYPE 741
#define SLAPI_OPERATION_ID 742
#define SLAPI_CONN_CERT 743
case SLAPI_RESULT_MATCHED:
case SLAPI_PLUGIN_COMPUTE_EVALUATOR_FN:
case SLAPI_PLUGIN_COMPUTE_SEARCH_REWRITER_FN:
+ case SLAPI_PLUGIN_ACL_ALLOW_ACCESS:
return LDAP_SUCCESS;
default:
return INVALID_PARAM;
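Review bot: Only `SLAPI_PLUGIN_ACL_ALLOW_ACCESS` is added to this list of accepted parameters, while the same change defines four more ACL ids (`SLAPI_PLUGIN_ACL_INIT`, `SLAPI_PLUGIN_ACL_SYNTAX_CHECK`, `SLAPI_PLUGIN_ACL_MODS_ALLOWED`, `SLAPI_PLUGIN_ACL_MODS_UPDATE`). If this switch is the parameter validity check it appears to be, a plugin that sets any of those would fall through to `default:` and get `INVALID_PARAM`. The switch starts outside the hunk, so this is inferred from the visible cases only. Either add the remaining cases, or add a comment such as `/* other SLAPI_PLUGIN_ACL_* callbacks are not implemented yet */` so the gap is explicit.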
#endif
}
+int slapi_x_access_allowed( Operation *op,
+ Entry *entry,
+ AttributeDescription *desc,
+ struct berval *val,
+ slap_access_t access,
+ AccessControlState *state )
+{
+#ifdef LDAP_SLAPI
+ int rc, slap_access = 0;
+ slapi_acl_callback_t *pGetPlugin, *tmpPlugin;
+
+ if ( op->o_pb == NULL ) {
+ /* internal operation */
+ return 1;
+ }
+
+ slapi_x_pblock_set_operation( op->o_pb, op );
+
+ switch ( access ) {
+ case ACL_WRITE:
+ slap_access |= SLAPI_ACL_ADD | SLAPI_ACL_DELETE | SLAPI_ACL_WRITE;
+ break;
+ case ACL_READ:
+ slap_access |= SLAPI_ACL_READ;
+ break;
+ case ACL_SEARCH:
+ slap_access |= SLAPI_ACL_SEARCH;
+ break;
+ case ACL_COMPARE:
+ slap_access = ACL_COMPARE;
+ break;
+ default:
+ break;
+ }
+
+ rc = getAllPluginFuncs( NULL, SLAPI_PLUGIN_ACL_ALLOW_ACCESS, (SLAPI_FUNC **)&tmpPlugin );
+ if ( rc != LDAP_SUCCESS || tmpPlugin == NULL ) {
+ /* nothing to do; allowed access */
+ return 1;
+ }
+
+ rc = 1; /* default allow policy */
+
+ for ( pGetPlugin = tmpPlugin; *pGetPlugin != NULL; pGetPlugin++ ) {
+ /*
+ * 0 access denied
+ * 1 access granted
+ */
+ rc = (*pGetPlugin)( op->o_pb, entry, desc->ad_cname.bv_val,
+ val, slap_access, (void *)state );
+ if ( rc == 0 ) {
+ break;
+ }
+ }
+
+ slapi_ch_free( (void **)&tmpPlugin );
+
+ return rc;
+#else
+ return 1;
+#endif /* LDAP_SLAPI */
+}
+
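Review bot: In the `ACL_COMPARE` case the mask is assigned slapd's own access level, `slap_access = ACL_COMPARE;`, while every other case ORs in a `SLAPI_ACL_*` flag. Plugins would therefore receive a value from a different constant space on compare operations and may evaluate the wrong right; it should presumably read `slap_access |= SLAPI_ACL_COMPARE;`. The `default:` branch also leaves `slap_access` at 0, so any other access level reaches the plugins with an empty rights mask. Separately, the function fails open: a `getAllPluginFuncs` error returns 1 exactly as "no plugins registered" does, and any non-zero plugin return, including a negative error code, counts as granted. Consider handling `rc != LDAP_SUCCESS` separately from `tmpPlugin == NULL`, and documenting why allow is the right outcome there, or testing `rc != 1` in the loop.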