A space separated list of URLs is expected. The URLs should be of
LDAP (ldap://) or LDAP over TLS (ldaps://) or LDAP over IPC (ldapi://)
scheme without a DN or other optional parameters, except an experimental
-extension to indicate the permissions of the underlying socket, on those
-OSes that honor them. Support for the
-latter two schemes depends on selected configuration options. Hosts
-may be specified by name or IPv4 and IPv6 address formats.
+extension to indicate the permissions of the underlying listeners.
+Support for the latter two schemes depends on selected configuration
+options. Hosts may be specified by name or IPv4 and IPv6 address formats.
Ports, if specified, must be numeric. The default ldap:// port is 389
and the default ldaps:// port is 636.
The socket permissions for LDAP over IPC are indicated by
of the "rwx" can be "-" to suppress the related permission (note,
however, that sockets only honor the "w" permission), while any
of the "7" can be any legal octal digit, according to chmod(1).
-The usage is a bit awkward: since on some systems write permission
-("w") is required to be able to operate on the socket, it must always
-be set to allow operations on the socket. As a consequence,
-the meaning of the "r" field is to negate write access if present;
-e.g., "x-mod=--wx---rw-" means "owner" can access read/write even
-without binding (and subject to regular ACLs), while for "others"
-bind is required, and the listener is read-only. "Group" permissions
-are not considered at present.
+While LDAP over IPC requires write permissions on the socket to allow
+any operation, the other listeners can take advantage of the "x-mod"
+extension to apply rough limitations to users, e.g. allow read operations
+("r", which applies to search and compare), write operations ("w",
+which applies to add, delete, modify and modrdn), and execute operations
+("x", which means bind is required).
+"User" permissions apply to bound users, while "other" apply
+to anonymous users.
.TP
.BI \-r " directory"
Specifies a chroot "jail" directory. slapd will
}
#ifdef SLAP_X_LISTENER_MOD
- if ( op->o_conn->c_listener && ( op->o_conn->c_listener->sl_perms & S_IRUSR ) ) {
- /* "r" mode means readonly ( "w" is required
- * to operate on a socket ...) */
+ if ( op->o_conn->c_listener && ! ( op->o_conn->c_listener->sl_perms & ( op->o_ndn.bv_len > 0 ? S_IWUSR : S_IWOTH ) ) ) {
+ /* no "w" mode means readonly */
rs->sr_text = "modifications not allowed on this listener";
rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
return rs->sr_err;
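Review bot: The new write check at the `if` on the changed line decides "user" versus "other" from `op->o_ndn.bv_len`, while the bind and read checks added later in this same function use `op->o_dn.bv_len`; both are empty for an anonymous connection so the outcome is the same today, but one field should be used throughout so the three listener checks cannot drift. I would settle on the normalized DN, `( op->o_ndn.bv_len > 0 ? S_IWUSR : S_IWOTH )`, and change the other two sites to match. The "user" bit applies to any bound identity, not a particular one, which is worth a comment since the only finer control is the regular ACLs, e.g. `/* "user" bits apply to any bound DN; per-DN control stays with ACLs */`. The enclosing function starts before this hunk and the `if` body's closing brace lies after it.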
#ifdef SLAP_X_LISTENER_MOD
if ( !starttls && op->o_dn.bv_len == 0 ) {
- if ( op->o_conn->c_listener && ! ( op->o_conn->c_listener->sl_perms & S_IXUSR ) ) {
+ if ( op->o_conn->c_listener && ! ( op->o_conn->c_listener->sl_perms & S_IXOTH ) ) {
/* no "x" mode means bind required */
rs->sr_text = "bind required on this listener";
rs->sr_err = LDAP_STRONG_AUTH_REQUIRED;
return rs->sr_err;
}
}
+
+ if ( !starttls && !updateop ) {
+ if ( op->o_conn->c_listener && ! ( op->o_conn->c_listener->sl_perms & ( op->o_dn.bv_len > 0 ? S_IRUSR : S_IROTH ) ) ) {
+ /* no "r" mode means no read */
+ rs->sr_text = "read not allowed on this listener";
+ rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
+ return rs->sr_err;
+ }
+ }
#endif /* SLAP_X_LISTENER_MOD */
}
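Review bot: The new read check is gated only on `!starttls && !updateop`, so unless the function excludes bind (and unbind/abandon/extended) earlier, an anonymous bind arriving on a listener whose x-mod lacks "r" for others is refused with "read not allowed" before it can authenticate, which makes the "x" (bind required) bit unreachable without also granting "r" to others; the accompanying manpage text says "r" applies to search and compare only. Restricting the check to those operations matches the documentation, e.g. `if ( !starttls && ( op->o_tag == LDAP_REQ_SEARCH || op->o_tag == LDAP_REQ_COMPARE ) ) {`. The same check uses `op->o_dn.bv_len` while the write check earlier in this function uses `op->o_ndn.bv_len`; pick one. The enclosing function starts outside this hunk, and I cannot see from here what `updateop` covers, so confirm against its definition.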
{
Entry *e;
Attribute *a;
- int i, j, rc;
+ int rc;
GroupAssertion *g;
if ( op->o_abandon ) return SLAPD_ABANDON;
{
Entry *e;
Attribute *a;
- int i, j, rc;
+ int i, j, rc = LDAP_SUCCESS;
AccessControlState acl_state = ACL_STATE_INIT;
if ( target && dn_match( &target->e_nname, edn ) ) {
if ( lud->lud_exts ) {
err = get_url_perms( lud->lud_exts, &l.sl_perms, &crit );
} else {
- l.sl_perms = S_IWUSR | S_IXUSR; /* "r" means readonly ... */
+ l.sl_perms = S_IRWXU;
}
#endif /* LDAP_PF_LOCAL || SLAP_X_LISTENER_MOD */
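Review bot: The new default `l.sl_perms = S_IRWXU;` for a URL without an x-mod extension sets no "other" bits at all, and the listener checks this patch adds elsewhere test `S_IXOTH` and `S_IROTH` for unbound connections, so every listener configured without an explicit x-mod would refuse anonymous operations with "bind required" or "read not allowed" once SLAP_X_LISTENER_MOD is compiled in; that looks like an unintended tightening relative to the old default. If the intent is that a plain listener behaves as before, the default should grant the other bits too, `l.sl_perms = S_IRWXU | S_IRWXO;`, and the manpage hunk should state what the default is. This is inferred from the checks in the other hunks; if anonymous operations are filtered before reaching them, the concern does not apply.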
#ifdef LDAP_PF_LOCAL
case AF_LOCAL: {
char *addr = ((struct sockaddr_un *)*sal)->sun_path;
+#if 0 /* don't muck with socket perms */
if ( chmod( addr, l.sl_perms ) < 0 && crit ) {
int err = sock_errno();
#ifdef NEW_LOGGING
slap_free_listener_addresses(psal);
return -1;
}
+#endif
l.sl_name.bv_len = strlen(addr) + sizeof("PATH=") - 1;
l.sl_name.bv_val = ber_memalloc( l.sl_name.bv_len + 1 );
snprintf( l.sl_name.bv_val, l.sl_name.bv_len + 1,