allow to specify the required access privileges in internal operations (ITS#4806)

diff --git a/servers/slapd/acl.c b/servers/slapd/acl.c
index f557f50fc8c2b3527b24e8a6799615d910ba3b51..59478d83a6b2c4605ab2ccb5767e3ac3c6a0406b 100644 (file)
--- a/servers/slapd/acl.c
+++ b/servers/slapd/acl.c
@@ -351,7 +351,10 @@ access_allowed_mask(
        assert( attr != NULL );
 
        if ( op ) {
-               if ( op->o_is_auth_check &&
+               if ( op->o_acl_priv != ACL_NONE ) {
+                       access = op->o_acl_priv;
+
+               } else if ( op->o_is_auth_check &&
                        ( access_level == ACL_SEARCH || access_level == ACL_READ ) )
                {
                        access = ACL_AUTH;

diff --git a/servers/slapd/overlays/dynlist.c b/servers/slapd/overlays/dynlist.c
index 5c0a1d73a327a0acfad29fdbdc4d218c0ff99917..ff2d80b6e72a2ad6dd5f5bfe56c0a9611ebcaa66 100644 (file)
--- a/servers/slapd/overlays/dynlist.c
+++ b/servers/slapd/overlays/dynlist.c
@@ -623,6 +623,8 @@ dynlist_compare( Operation *op, SlapReply *rs )
                o.ors_attrs = an;
                o.ors_attrsonly = 0;
 
+               o.o_acl_priv = ACL_COMPARE;
+
                rc = o.o_bd->be_search( &o, &r );
                filter_free_x( &o, o.ors_filter );
 

diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h
index fa30ea09cb9927a648017a1ad89985b88bd4e6e4..5d7420c58db526ba5e7c43f0f3d3b64cbc2d0a60 100644 (file)
--- a/servers/slapd/slap.h
+++ b/servers/slapd/slap.h
@@ -2480,6 +2480,7 @@ typedef struct slap_op {
        GroupAssertion *o_groups;
        char o_do_not_cache;    /* don't cache groups from this op */
        char o_is_auth_check;   /* authorization in progress */
+       slap_access_t o_acl_priv;
 
        char o_nocaching;
        char o_delete_glue_parent;