Added op->o_is_auth_check; use ACL_AUTH instead of ACL_SEARCH/ACL_READ

author Howard Chu <hyc@openldap.org>

Mon, 10 Mar 2003 22:07:21 +0000 (22:07 +0000)

committer Howard Chu <hyc@openldap.org>

Mon, 10 Mar 2003 22:07:21 +0000 (22:07 +0000)
author Howard Chu <hyc@openldap.org>
Mon, 10 Mar 2003 22:07:21 +0000 (22:07 +0000)
committer Howard Chu <hyc@openldap.org>
Mon, 10 Mar 2003 22:07:21 +0000 (22:07 +0000)
diff --git a/servers/slapd/acl.c b/servers/slapd/acl.c

index 404842ad1490a38d181bdb4ca22e2f609593a9cd..f276270fbcc2a6b8f49c43e1d37384617953289d 100644 (file)
--- a/servers/slapd/acl.c
+++ b/servers/slapd/acl.c
@@ -142,6 +142,9 @@ access_allowed(
  
         assert( attr != NULL );
  
+       if( op && op->o_is_auth_check && (access == ACL_SEARCH || access == ACL_READ)) {
+               access = ACL_AUTH;
+       }
         if( state && state->as_recorded && state->as_vd_ad==desc) { 
                 if( state->as_recorded & ACL_STATE_RECORDED_NV &&
                         val == NULL )
diff --git a/servers/slapd/sasl.c b/servers/slapd/sasl.c

index e763dae5a242857084672a163b103fa0bb21beb0..518db4ec92b08b6362daedab1ade8d101d323956 100644 (file)
--- a/servers/slapd/sasl.c
+++ b/servers/slapd/sasl.c
@@ -438,6 +438,7 @@ slap_auxprop_lookup(
                         op.o_callback = &cb;
                         op.o_time = slap_get_time();
                         op.o_do_not_cache = 1;
+                       op.o_is_auth_check = 1;
                         op.o_threadctx = conn->c_sasl_bindop->o_threadctx;
  
                         (*be->be_search)( be, conn, &op, NULL, &dn,
@@ -563,6 +564,7 @@ slap_sasl_checkpass(
                 op.o_callback = &cb;
                 op.o_time = slap_get_time();
                 op.o_do_not_cache = 1;
+               op.o_is_auth_check = 1;
                 op.o_threadctx = conn->c_sasl_bindop->o_threadctx;
  
                 (*be->be_search)( be, conn, &op, NULL, &dn,
diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c

index 3dc0158afc8e950f7ecd1ed5f8deca70bf8de592..775979bf1dc0914d952d2e16b375d8cb069de927 100644 (file)
--- a/servers/slapd/saslauthz.c
+++ b/servers/slapd/saslauthz.c
@@ -474,6 +474,7 @@ int slap_sasl_match(Connection *conn, struct berval *rule, struct berval *assert
         op.o_callback = &cb;
         op.o_time = slap_get_time();
         op.o_do_not_cache = 1;
+       op.o_is_auth_check = 1;
         op.o_threadctx = conn->c_sasl_bindop->o_threadctx;
  
         (*be->be_search)( be, conn, &op, /*base=*/NULL, &searchbase,
@@ -634,6 +635,7 @@ void slap_sasl2dn( Connection *conn,
         op.o_callback = &cb;
         op.o_time = slap_get_time();
         op.o_do_not_cache = 1;
+       op.o_is_auth_check = 1;
         op.o_threadctx = conn->c_sasl_bindop ? conn->c_sasl_bindop->o_threadctx:
                 ldap_pvt_thread_pool_context( &connection_pool );
  
diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h

index 2c712bb977b93f710b12056b851063f634fbe10c..8efac644f537cd085b5c092173485bc946687aad 100644 (file)
--- a/servers/slapd/slap.h
+++ b/servers/slapd/slap.h
@@ -1749,6 +1749,7 @@ typedef struct slap_op {
  #define SLAP_CANCEL_DONE                               0x03
  
         char o_do_not_cache;    /* don't cache from this op */
+       char o_is_auth_check;   /* authorization in progress */
  
  #define SLAP_NO_CONTROL 0
  #define SLAP_NONCRITICAL_CONTROL 1
author	Howard Chu <hyc@openldap.org>
	Mon, 10 Mar 2003 22:07:21 +0000 (22:07 +0000)
committer	Howard Chu <hyc@openldap.org>
	Mon, 10 Mar 2003 22:07:21 +0000 (22:07 +0000)
servers/slapd/acl.c		patch \| blob \| history
servers/slapd/sasl.c		patch \| blob \| history
servers/slapd/saslauthz.c		patch \| blob \| history
servers/slapd/slap.h		patch \| blob \| history