value-independent access controls.
Entry *e,
AttributeDescription *desc,
struct berval *val,
- regmatch_t *matches );
+ regmatch_t *matches,
+ int count,
+ AccessControlState *state );
#ifdef SLAPD_ACI_ENABLED
static int aci_mask(
Entry *e,
AttributeDescription *desc,
struct berval *val,
- slap_access_t access )
+ slap_access_t access,
+ AccessControlState *state )
{
+ int ret = 1;
int count;
AccessControl *a;
#ifdef LDAP_DEBUG
assert( attr != NULL );
+ if( state && state->as_recorded ) {
+ if( state->as_recorded & ACL_STATE_RECORDED_NV &&
+ val == NULL )
+ {
+ return state->as_result;
+
+ } else if ( state->as_recorded & ACL_STATE_RECORDED_VD &&
+ val != NULL && state->as_vd_acl == NULL )
+ {
+ return state->as_result;
+ }
+ }
+
#ifdef NEW_LOGGING
LDAP_LOG(( "acl", LDAP_LEVEL_ENTRY,
"access_allowed: conn %d %s access to \"%s\" \"%s\" requested\n",
if ( op == NULL ) {
/* no-op call */
- return 1;
+ goto done;
}
if ( be == NULL ) be = &backends[0];
"<= root access granted\n",
0, 0, 0 );
#endif
- return 1;
+ goto done;
}
/*
" %s access granted\n",
attr, 0, 0 );
#endif
- return 1;
+ goto done;
}
/* use backend default access if no backend acls */
access2str( access ),
be->be_dfltaccess >= access ? "granted" : "denied", op->o_dn.bv_val );
#endif
- return be->be_dfltaccess >= access;
+ ret = be->be_dfltaccess >= access;
+ goto done;
#ifdef notdef
/* be is always non-NULL */
access2str( access ),
global_default_access >= access ? "granted" : "denied", op->o_dn.bv_val );
#endif
- return global_default_access >= access;
+ ret = global_default_access >= access;
+ goto done;
#endif
}
- ACL_INIT(mask);
- memset(matches, '\0', sizeof(matches));
-
+ ret = 0;
control = ACL_BREAK;
- a = NULL;
- count = 0;
- while((a = acl_get( a, &count, be, op, e, desc, MAXREMATCHES, matches )) != NULL)
+ if( state && ( state->as_recorded & ACL_STATE_RECORDED_VD )) {
+ assert( state->as_vd_acl != NULL );
+
+ a = state->as_vd_acl;
+ mask = state->as_vd_acl_mask;
+ count = state->as_vd_acl_count;
+ AC_MEMCPY( matches, state->as_vd_acl_matches,
+ sizeof(matches) );
+ goto vd_access;
+
+ } else {
+ a = NULL;
+ ACL_INIT(mask);
+ count = 0;
+ memset(matches, '\0', sizeof(matches));
+ }
+
+ while((a = acl_get( a, &count, be, op, e, desc,
+ MAXREMATCHES, matches )) != NULL)
{
int i;
for (i = 0; i < MAXREMATCHES && matches[i].rm_so > 0; i++) {
#ifdef NEW_LOGGING
LDAP_LOG(( "acl", LDAP_LEVEL_DETAIL1,
- "access_allowed: conn %d match[%d]: %d %d ",
- conn->c_connid, i, (int)matches[i].rm_so, (int)matches[i].rm_eo ));
+ "access_allowed: conn %d match[%d]: %d %d ",
+ conn->c_connid, i,
+ (int)matches[i].rm_so, (int)matches[i].rm_eo ));
#else
Debug( LDAP_DEBUG_ACL, "=> match[%d]: %d %d ", i,
- (int)matches[i].rm_so, (int)matches[i].rm_eo );
+ (int)matches[i].rm_so, (int)matches[i].rm_eo );
#endif
if( matches[i].rm_so <= matches[0].rm_eo ) {
int n;
#endif
}
+vd_access:
control = acl_mask( a, &mask, be, conn, op,
- e, desc, val, matches );
+ e, desc, val, matches, count, state );
if ( control != ACL_BREAK ) {
break;
if ( ACL_IS_INVALID( mask ) ) {
#ifdef NEW_LOGGING
LDAP_LOG(( "acl", LDAP_LEVEL_DETAIL1,
- "access_allowed: conn %d \"%s\" (%s) invalid!\n",
- conn->c_connid, e->e_dn, attr ));
+ "access_allowed: conn %d \"%s\" (%s) invalid!\n",
+ conn->c_connid, e->e_dn, attr ));
#else
Debug( LDAP_DEBUG_ACL,
"=> access_allowed: \"%s\" (%s) invalid!\n",
e->e_dn, attr, 0 );
#endif
- ACL_INIT( mask );
+ ACL_INIT(mask);
} else if ( control == ACL_BREAK ) {
#ifdef NEW_LOGGING
Debug( LDAP_DEBUG_ACL,
"=> access_allowed: no more rules\n", 0, 0, 0);
#endif
- ACL_INIT( mask );
+
+ goto done;
}
#ifdef NEW_LOGGING
LDAP_LOG(( "acl", LDAP_LEVEL_ENTRY,
- "access_allowed: conn %d %s access %s by %s\n",
- conn->c_connid,
- access2str( access ),
- ACL_GRANT( mask, access ) ? "granted" : "denied",
- accessmask2str( mask, accessmaskbuf ) ));
+ "access_allowed: conn %d %s access %s by %s\n",
+ conn->c_connid,
+ access2str( access ),
+ ACL_GRANT( mask, access ) ? "granted" : "denied",
+ accessmask2str( mask, accessmaskbuf ) ));
#else
Debug( LDAP_DEBUG_ACL,
"=> access_allowed: %s access %s by %s\n",
ACL_GRANT(mask, access) ? "granted" : "denied",
accessmask2str( mask, accessmaskbuf ) );
#endif
- return ACL_GRANT(mask, access);
+
+ ret = ACL_GRANT(mask, access);
+
+done:
+ if( state != NULL ) {
+ state->as_recorded |= ACL_STATE_RECORDED;
+ state->as_result = ret;
+ }
+ return ret;
}
/*
return( NULL );
}
+/*
+ * Record value-dependent access control state
+ */
+#define ACL_RECORD_VALUE_STATE do { \
+ if( state && !( state->as_recorded & ACL_STATE_RECORDED_VD )) { \
+ state->as_recorded |= ACL_STATE_RECORDED_VD; \
+ state->as_vd_acl = a; \
+ AC_MEMCPY( state->as_vd_acl_matches, matches, \
+ sizeof( state->as_vd_acl_matches )) ; \
+ state->as_vd_acl_count = count; \
+ state->as_vd_access = b; \
+ state->as_vd_access_count = i; \
+ } \
+ } while( 0 )
/*
* acl_mask - modifies mask based upon the given acl and the
Entry *e,
AttributeDescription *desc,
struct berval *val,
- regmatch_t *matches
-)
+ regmatch_t *matches,
+ int count,
+ AccessControlState *state )
{
int i, odnlen, patlen;
+ int vd_recorded = 0;
Access *b;
#ifdef LDAP_DEBUG
char accessmaskbuf[ACCESSMASK_MAXLEN];
accessmask2str( *mask, accessmaskbuf ) );
#endif
- for ( i = 1, b = a->acl_access; b != NULL; b = b->a_next, i++ ) {
+ if( state && ( state->as_recorded & ACL_STATE_RECORDED_VD )
+ && state->as_vd_acl == a )
+ {
+ b = state->as_vd_access;
+ i = state->as_vd_access_count;
+
+ } else {
+ b = a->acl_access;
+ i = 1;
+ }
+
+ for ( ; b != NULL; b = b->a_next, i++ ) {
slap_mask_t oldmask, modmask;
ACL_INVALIDATE( modmask );
/* no dnattr match, check if this is a self clause */
if ( ! b->a_dn_self )
continue;
+
+ ACL_RECORD_VALUE_STATE;
+
/* this is a self clause, check if the target is an
* attribute.
*/
if ( val == NULL )
continue;
+
/* target is attribute, check if the attribute value
* is the op dn.
*/
continue;
}
+ ACL_RECORD_VALUE_STATE;
+
/* start out with nothing granted, nothing denied */
ACL_INIT(tgrant);
ACL_INIT(tdeny);
}
for ( ; mlist != NULL; mlist = mlist->sml_next ) {
+ static AccessControlState state_init = ACL_STATE_INIT;
+ AccessControlState state;
+
/*
* no-user-modification operational attributes are ignored
* by ACL_WRITE checking as any found here are not provided
continue;
}
+ state = state_init;
+
switch ( mlist->sml_op ) {
case LDAP_MOD_REPLACE:
/*
* This prevents abuse from selfwriters.
*/
if ( ! access_allowed( be, conn, op, e,
- mlist->sml_desc, NULL, ACL_WRITE ) )
+ mlist->sml_desc, NULL, ACL_WRITE, &state ) )
{
return( 0 );
}
for ( bv = mlist->sml_bvalues; bv->bv_val != NULL; bv++ ) {
if ( ! access_allowed( be, conn, op, e,
- mlist->sml_desc, bv, ACL_WRITE ) )
+ mlist->sml_desc, bv, ACL_WRITE, &state ) )
{
return( 0 );
}
case LDAP_MOD_DELETE:
if ( mlist->sml_bvalues == NULL ) {
if ( ! access_allowed( be, conn, op, e,
- mlist->sml_desc, NULL, ACL_WRITE ) )
+ mlist->sml_desc, NULL, ACL_WRITE, NULL ) )
{
return( 0 );
}
}
for ( bv = mlist->sml_bvalues; bv->bv_val != NULL; bv++ ) {
if ( ! access_allowed( be, conn, op, e,
- mlist->sml_desc, bv, ACL_WRITE ) )
+ mlist->sml_desc, bv, ACL_WRITE, &state ) )
{
return( 0 );
}
}
rc = access_allowed( be, conn, op, p,
- children, NULL, ACL_WRITE );
+ children, NULL, ACL_WRITE, NULL );
switch( opinfo.boi_err ) {
case DB_LOCK_DEADLOCK:
/* check parent for "children" acl */
rc = access_allowed( be, conn, op, p,
- children, NULL, ACL_WRITE );
+ children, NULL, ACL_WRITE, NULL );
p = NULL;
switch( opinfo.boi_err ) {
Attribute *attr;
BerVarray v;
const char *entry_at_name = entry_at->ad_cname.bv_val;
+ AccessControlState acl_state = ACL_STATE_INIT;
#ifdef NEW_LOGGING
LDAP_LOG(( "backend", LDAP_LEVEL_ARGS,
}
if (conn != NULL && op != NULL
- && access_allowed(be, conn, op, e, slap_schema.si_ad_entry,
- NULL, ACL_READ) == 0)
+ && access_allowed( be, conn, op, e, slap_schema.si_ad_entry,
+ NULL, ACL_READ, &acl_state ) == 0 )
{
rc = LDAP_INSUFFICIENT_ACCESS;
goto return_results;
}
if (conn != NULL && op != NULL
- && access_allowed(be, conn, op, e, entry_at, NULL, ACL_READ) == 0)
+ && access_allowed( be, conn, op, e, entry_at, NULL, ACL_READ,
+ &acl_state ) == 0 )
{
rc = LDAP_INSUFFICIENT_ACCESS;
goto return_results;
if( conn != NULL
&& op != NULL
&& access_allowed(be, conn, op, e, entry_at,
- &attr->a_vals[i], ACL_READ) == 0)
+ &attr->a_vals[i], ACL_READ, &acl_state ) == 0)
{
continue;
}
}
if ( ! access_allowed( be, conn, op, e,
- password, NULL, ACL_AUTH ) )
+ password, NULL, ACL_AUTH, NULL ) )
{
send_ldap_result( conn, op, rc = LDAP_INSUFFICIENT_ACCESS,
NULL, NULL, NULL, NULL );
}
if ( ! access_allowed( be, conn, op, e,
- krbattr, NULL, ACL_AUTH ) )
+ krbattr, NULL, ACL_AUTH, NULL ) )
{
send_ldap_result( conn, op, rc = LDAP_INSUFFICIENT_ACCESS,
NULL, NULL, NULL, NULL );
}
if ( ! access_allowed( be, conn, op, e,
- ava->aa_desc, &ava->aa_value, ACL_COMPARE ) )
+ ava->aa_desc, &ava->aa_value, ACL_COMPARE, NULL ) )
{
rc = LDAP_INSUFFICIENT_ACCESS;
goto return_results;
/* check parent for "children" acl */
rc = access_allowed( be, conn, op, p,
- children, NULL, ACL_WRITE );
+ children, NULL, ACL_WRITE, NULL );
bdb_cache_return_entry_r(&bdb->bi_cache, p);
p = NULL;
/* check parent for "children" acl */
rc = access_allowed( be, conn, op, p,
- children, NULL, ACL_WRITE );
+ children, NULL, ACL_WRITE, NULL );
p = NULL;
switch( opinfo.boi_err ) {
/* check parent for "children" acl */
if ( ! access_allowed( be, conn, op, p,
- children, NULL, ACL_WRITE ) )
+ children, NULL, ACL_WRITE, NULL ) )
{
Debug( LDAP_DEBUG_TRACE, "no access to parent\n", 0,
0, 0 );
/* check parent for "children" acl */
rc = access_allowed( be, conn, op, p,
- children, NULL, ACL_WRITE );
+ children, NULL, ACL_WRITE, NULL );
p = NULL;
np, (long) np->e_id, 0 );
/* check newSuperior for "children" acl */
- if ( !access_allowed( be, conn, op, np, children, NULL, ACL_WRITE ) ) {
+ if ( !access_allowed( be, conn, op, np, children, NULL, ACL_WRITE, NULL ) ) {
Debug( LDAP_DEBUG_TRACE,
"bdb_modrdn: no wr to newSup children\n",
0, 0, 0 );
/* check parent for "children" acl */
rc = access_allowed( be, conn, op, np,
- children, NULL, ACL_WRITE );
+ children, NULL, ACL_WRITE, NULL );
np = NULL;
/* ACL check of newly added attrs */
if ( !access_allowed( be, conn, op, e, desc,
- &new_rdn[0][ a_cnt ]->la_value, ACL_WRITE ) ) {
+ &new_rdn[0][ a_cnt ]->la_value, ACL_WRITE, NULL ) ) {
Debug( LDAP_DEBUG_TRACE,
"bdb_modrdn: access to attr \"%s\" "
"(new) not allowed\n",
/* ACL check of newly added attrs */
if ( !access_allowed( be, conn, op, e, desc,
- &old_rdn[0][d_cnt]->la_value, ACL_WRITE ) ) {
+ &old_rdn[0][d_cnt]->la_value, ACL_WRITE, NULL ) ) {
Debug( LDAP_DEBUG_TRACE,
"bdb_modrdn: access to attr \"%s\" "
"(old) not allowed\n",
}
if ( ! access_allowed( be, conn, op, p,
- children, NULL, ACL_WRITE ) )
+ children, NULL, ACL_WRITE, NULL ) )
{
/* free parent and writer lock */
cache_return_entry_w( &li->li_cache, p );
p = (Entry *)&slap_entry_root;
rc = access_allowed( be, conn, op, p,
- children, NULL, ACL_WRITE );
+ children, NULL, ACL_WRITE, NULL );
p = NULL;
if ( ! rc ) {
BerVarray v;
const char *entry_at_name = entry_at->ad_cname.bv_val;
struct berval *iv, *jv;
+ AccessControlState acl_state = ACL_STATE_INIT;
#ifdef NEW_LOGGING
LDAP_LOG(( "backend", LDAP_LEVEL_ARGS,
}
/* find attribute values */
-
+
if( is_entry_alias( e ) ) {
#ifdef NEW_LOGGING
LDAP_LOG(( "backend", LDAP_LEVEL_INFO,
}
if (conn != NULL && op != NULL
- && access_allowed(be, conn, op, e, slap_schema.si_ad_entry,
- NULL, ACL_READ) == 0)
+ && access_allowed( be, conn, op, e, slap_schema.si_ad_entry,
+ NULL, ACL_READ, NULL ) == 0)
{
rc = LDAP_INSUFFICIENT_ACCESS;
goto return_results;
}
if (conn != NULL && op != NULL
- && access_allowed(be, conn, op, e, entry_at, NULL, ACL_READ) == 0)
+ && access_allowed( be, conn, op, e, entry_at, NULL,
+ ACL_READ, &acl_state ) == 0)
{
rc = LDAP_INSUFFICIENT_ACCESS;
goto return_results;
for ( iv=attr->a_vals, jv=v; iv->bv_val; iv++ ) {
if( conn != NULL
&& op != NULL
- && access_allowed(be, conn, op, e, entry_at,
- iv, ACL_READ) == 0)
+ && access_allowed( be, conn, op, e, entry_at,
+ iv, ACL_READ, &acl_state ) == 0)
{
continue;
}
}
if ( ! access_allowed( be, conn, op, e,
- password, NULL, ACL_AUTH ) )
+ password, NULL, ACL_AUTH, NULL ) )
{
send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
NULL, NULL, NULL, NULL );
}
if ( ! access_allowed( be, conn, op, e,
- krbattr, NULL, ACL_AUTH ) )
+ krbattr, NULL, ACL_AUTH, NULL ) )
{
send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
NULL, NULL, NULL, NULL );
}
if ( ! access_allowed( be, conn, op, e,
- ava->aa_desc, &ava->aa_value, ACL_COMPARE ) )
+ ava->aa_desc, &ava->aa_value, ACL_COMPARE, NULL ) )
{
send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
NULL, NULL, NULL, NULL );
rc = LDAP_COMPARE_TRUE;
break;
}
-
}
send_ldap_result( conn, op, rc,
/* check parent for "children" acl */
if ( ! access_allowed( be, conn, op, p,
- children, NULL, ACL_WRITE ) )
+ children, NULL, ACL_WRITE, NULL ) )
{
#ifdef NEW_LOGGING
LDAP_LOG(( "backend", LDAP_LEVEL_ERR,
p = (Entry *)&slap_entry_root;
rc = access_allowed( be, conn, op, p,
- children, NULL, ACL_WRITE );
+ children, NULL, ACL_WRITE, NULL );
p = NULL;
/* check parent for "children" acl */
/* check parent for "children" acl */
if ( ! access_allowed( be, conn, op, p,
- children, NULL, ACL_WRITE ) )
+ children, NULL, ACL_WRITE, NULL ) )
{
#ifdef NEW_LOGGING
LDAP_LOG(( "backend", LDAP_LEVEL_INFO,
p = (Entry *)&slap_entry_root;
rc = access_allowed( be, conn, op, p,
- children, NULL, ACL_WRITE );
+ children, NULL, ACL_WRITE, NULL );
p = NULL;
/* check parent for "children" acl */
/* check newSuperior for "children" acl */
if ( !access_allowed( be, conn, op, np, children, NULL,
- ACL_WRITE ) )
+ ACL_WRITE, NULL ) )
{
#ifdef NEW_LOGGING
LDAP_LOG(( "backend", LDAP_LEVEL_INFO,
np = (Entry *)&slap_entry_root;
rc = access_allowed( be, conn, op, np,
- children, NULL, ACL_WRITE );
+ children, NULL, ACL_WRITE, NULL );
np = NULL;
/* check parent for "children" acl */
}
if ( ! access_allowed( be, conn, op, e,
- desc, &new_rdn[0][a_cnt]->la_value, ACL_WRITE ) ) {
+ desc, &new_rdn[0][a_cnt]->la_value, ACL_WRITE, NULL ) ) {
#ifdef NEW_LOGGING
LDAP_LOG(( "backend", LDAP_LEVEL_INFO,
"ldbm_back_modrdn: access "
}
if ( ! access_allowed( be, conn, op, e,
- desc, &old_rdn[0][d_cnt]->la_value, ACL_WRITE ) ) {
+ desc, &old_rdn[0][d_cnt]->la_value, ACL_WRITE, NULL ) ) {
#ifdef NEW_LOGGING
LDAP_LOG(( "backend", LDAP_LEVEL_INFO,
"ldbm_back_modrdn: access "
Attribute *a;
if ( ! access_allowed( NULL, conn, op, e,
- ava->aa_desc, &ava->aa_value, ACL_COMPARE ) )
+ ava->aa_desc, &ava->aa_value, ACL_COMPARE, NULL ) )
{
return LDAP_INSUFFICIENT_ACCESS;
}
}
/* file from which to read additional rootdse attrs */
- } else if ( strcasecmp( cargv[0], "rootdse" ) == 0) {
+ } else if ( strcasecmp( cargv[0], "rootDSE" ) == 0) {
if ( cargc < 2 ) {
#ifdef NEW_LOGGING
LDAP_LOG(( "config", LDAP_LEVEL_CRIT, "%s: line %d: "
Attribute *a;
if( !access_allowed( be, conn, op, e,
- mra->ma_desc, &mra->ma_value, ACL_SEARCH ) )
+ mra->ma_desc, &mra->ma_value, ACL_SEARCH, NULL ) )
{
return LDAP_INSUFFICIENT_ACCESS;
}
Attribute *a;
if ( !access_allowed( be, conn, op, e,
- ava->aa_desc, &ava->aa_value, ACL_SEARCH ) )
+ ava->aa_desc, &ava->aa_value, ACL_SEARCH, NULL ) )
{
return LDAP_INSUFFICIENT_ACCESS;
}
AttributeDescription *desc
)
{
- if ( !access_allowed( be, conn, op, e, desc, NULL, ACL_SEARCH ) )
+ if ( !access_allowed( be, conn, op, e, desc, NULL, ACL_SEARCH, NULL ) )
{
return LDAP_INSUFFICIENT_ACCESS;
}
if ( !access_allowed( be, conn, op, e,
- f->f_sub_desc, NULL, ACL_SEARCH ) )
+ f->f_sub_desc, NULL, ACL_SEARCH, NULL ) )
{
return LDAP_INSUFFICIENT_ACCESS;
}
LDAP_SLAPD_F (int) access_allowed LDAP_P((
Backend *be, Connection *conn, Operation *op,
Entry *e, AttributeDescription *desc, struct berval *val,
- slap_access_t access ));
+ slap_access_t access,
+ AccessControlState *state ));
LDAP_SLAPD_F (int) acl_check_modlist LDAP_P((
Backend *be, Connection *conn, Operation *op,
Entry *e, Modifications *ml ));
char *edn;
int userattrs;
int opattrs;
+ static AccessControlState acl_state_init = ACL_STATE_INIT;
+ AccessControlState acl_state;
AttributeDescription *ad_entry = slap_schema.si_ad_entry;
e->e_dn, attrsonly ? " (attrsOnly)" : "", 0 );
#endif
-
if ( ! access_allowed( be, conn, op, e,
- ad_entry, NULL, ACL_READ ) )
+ ad_entry, NULL, ACL_READ, NULL ) )
{
#ifdef NEW_LOGGING
LDAP_LOG(( "acl", LDAP_LEVEL_INFO,
}
}
- if ( ! access_allowed( be, conn, op, e, desc, NULL, ACL_READ ) ) {
+ acl_state = acl_state_init;
+
+ if ( ! access_allowed( be, conn, op, e, desc, NULL,
+ ACL_READ, &acl_state ) )
+ {
#ifdef NEW_LOGGING
LDAP_LOG(( "acl", LDAP_LEVEL_INFO, "send_search_entry: "
"conn %d access to attribute %s not allowed\n",
"access to attribute %s not allowed\n",
desc->ad_cname.bv_val, 0, 0 );
#endif
-
continue;
}
if ( ! attrsonly ) {
for ( i = 0; a->a_vals[i].bv_val != NULL; i++ ) {
if ( ! access_allowed( be, conn, op, e,
- desc, &a->a_vals[i], ACL_READ ) )
+ desc, &a->a_vals[i], ACL_READ, &acl_state ) )
{
#ifdef NEW_LOGGING
LDAP_LOG(( "acl", LDAP_LEVEL_INFO,
- "send_search_entry: conn %d access to attribute %s, value %d not allowed\n",
- op->o_connid, desc->ad_cname.bv_val, i ));
+ "send_search_entry: conn %d "
+ "access to attribute %s, value %d not allowed\n",
+ op->o_connid, desc->ad_cname.bv_val, i ));
#else
Debug( LDAP_DEBUG_ACL,
"acl: access to attribute %s, value %d not allowed\n",
if (( rc = ber_printf( ber, "O", &a->a_vals[i] )) == -1 ) {
#ifdef NEW_LOGGING
LDAP_LOG(( "operation", LDAP_LEVEL_ERR,
- "send_search_entry: conn %d ber_printf failed.\n",
- op->o_connid ));
+ "send_search_entry: conn %d ber_printf failed.\n",
+ op->o_connid ));
#else
Debug( LDAP_DEBUG_ANY,
"ber_printf failed\n", 0, 0, 0 );
if (( rc = ber_printf( ber, /*{[*/ "]N}" )) == -1 ) {
#ifdef NEW_LOGGING
LDAP_LOG(( "operation", LDAP_LEVEL_ERR,
- "send_search_entry: conn %d ber_printf failed\n",
- op->o_connid ));
+ "send_search_entry: conn %d ber_printf failed\n",
+ op->o_connid ));
#else
Debug( LDAP_DEBUG_ANY, "ber_printf failed\n", 0, 0, 0 );
#endif
}
}
- if ( ! access_allowed( be, conn, op, e, desc, NULL, ACL_READ ) ) {
+ acl_state = acl_state_init;
+
+ if ( ! access_allowed( be, conn, op, e, desc, NULL,
+ ACL_READ, &acl_state ) )
+ {
#ifdef NEW_LOGGING
LDAP_LOG(( "acl", LDAP_LEVEL_INFO,
- "send_search_entry: conn %s access to attribute %s not allowed\n",
- op->o_connid, desc->ad_cname.bv_val ));
+ "send_search_entry: conn %s "
+ "access to attribute %s not allowed\n",
+ op->o_connid, desc->ad_cname.bv_val ));
#else
Debug( LDAP_DEBUG_ACL, "acl: access to attribute %s not allowed\n",
desc->ad_cname.bv_val, 0, 0 );
if ( rc == -1 ) {
#ifdef NEW_LOGGING
LDAP_LOG(( "operation", LDAP_LEVEL_ERR,
- "send_search_entry: conn %d ber_printf failed\n",
- op->o_connid ));
+ "send_search_entry: conn %d ber_printf failed\n",
+ op->o_connid ));
#else
Debug( LDAP_DEBUG_ANY, "ber_printf failed\n", 0, 0, 0 );
#endif
if ( ! attrsonly ) {
for ( i = 0; a->a_vals[i].bv_val != NULL; i++ ) {
if ( ! access_allowed( be, conn, op, e,
- desc, &a->a_vals[i], ACL_READ ) )
+ desc, &a->a_vals[i], ACL_READ, &acl_state ) )
{
#ifdef NEW_LOGGING
LDAP_LOG(( "acl", LDAP_LEVEL_INFO,
- "send_search_entry: conn %d access to %s, value %d not allowed\n",
- op->o_connid, desc->ad_cname.bv_val, i ));
+ "send_search_entry: conn %d "
+ "access to %s, value %d not allowed\n",
+ op->o_connid, desc->ad_cname.bv_val, i ));
#else
Debug( LDAP_DEBUG_ACL,
"acl: access to attribute %s, value %d not allowed\n",
continue;
}
-
if (( rc = ber_printf( ber, "O", &a->a_vals[i] )) == -1 ) {
#ifdef NEW_LOGGING
LDAP_LOG(( "operation", LDAP_LEVEL_ERR,
Debug( LDAP_DEBUG_TRACE, "<= send_search_entry\n", 0, 0, 0 );
#endif
-
rc = 0;
error_return:;
if ( ! access_allowed( be, conn, op, e,
- ad_entry, NULL, ACL_READ ) )
+ ad_entry, NULL, ACL_READ, NULL ) )
{
#ifdef NEW_LOGGING
LDAP_LOG(( "acl", LDAP_LEVEL_INFO,
}
if ( ! access_allowed( be, conn, op, e,
- ad_ref, NULL, ACL_READ ) )
+ ad_ref, NULL, ACL_READ, NULL ) )
{
#ifdef NEW_LOGGING
LDAP_LOG(( "acl", LDAP_LEVEL_INFO,
struct slap_acl *acl_next;
} AccessControl;
+typedef struct slap_acl_state {
+ unsigned as_recorded;
+#define ACL_STATE_NOT_RECORDED 0x0
+#define ACL_STATE_RECORDED_VD 0x1
+#define ACL_STATE_RECORDED_NV 0x2
+#define ACL_STATE_RECORDED 0x3
+
+ /* Access state */
+ AccessControl *as_vd_acl;
+ slap_mask_t as_vd_acl_mask;
+ regmatch_t as_vd_acl_matches[MAXREMATCHES];
+ int as_vd_acl_count;
+
+ Access *as_vd_access;
+ int as_vd_access_count;
+
+ int as_result;
+} AccessControlState;
+#define ACL_STATE_INIT { ACL_STATE_NOT_RECORDED, NULL, 0UL, { 0 }, 0, NULL, 0 }
+
/*
* replog moddn param structure
*/
struct berval be_update_ndn; /* allowed to make changes (in replicas) */
BerVarray be_update_refs; /* where to refer modifying clients to */
char *be_realm;
-
void *be_private; /* anything the backend database needs */
};
projects / openldap / commitdiff