Reworked fix for ITS#3140 - add access parameter to backend_attribute
authorHoward Chu <hyc@openldap.org>
Wed, 18 Aug 2004 17:14:22 +0000 (17:14 +0000)
committerHoward Chu <hyc@openldap.org>
Wed, 18 Aug 2004 17:14:22 +0000 (17:14 +0000)
servers/slapd/acl.c
servers/slapd/backend.c
servers/slapd/overlays/collect.c
servers/slapd/proto-slap.h
servers/slapd/saslauthz.c
servers/slapd/syncrepl.c

index 475826cc87a77bf75f6947f03ab5f22aa9c9d0bd..a1dfd1f147fd08c4437c2f351ec1f58349078937 100644 (file)
@@ -1431,7 +1431,7 @@ dn_match_cleanup:;
                                while ( parent_ndn.bv_val != old_parent_ndn.bv_val ){
                                        old_parent_ndn = parent_ndn;
                                        Debug(LDAP_DEBUG_ACL, "checking ACI of %s\n", parent_ndn.bv_val, 0, 0);
-                                       ret = backend_attribute(op, NULL, &parent_ndn, b->a_aci_at, &bvals);
+                                       ret = backend_attribute(op, NULL, &parent_ndn, b->a_aci_at, &bvals, ACL_AUTH);
                                        switch(ret){
                                        case LDAP_SUCCESS :
                                                stop = 0;
@@ -1803,7 +1803,7 @@ aci_set_gather (SetCookie *cookie, struct berval *name, struct berval *attr)
                AttributeDescription *desc = NULL;
                if (slap_bv2ad(attr, &desc, &text) == LDAP_SUCCESS) {
                        backend_attribute(cp->op,
-                               cp->e, &ndn, desc, &bvals);
+                               cp->e, &ndn, desc, &bvals, ACL_NONE);
                }
                slap_sl_free(ndn.bv_val, cp->op->o_tmpmemctx);
        }
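Review bot: `ACL_NONE` is used in this call as a "skip the access check" sentinel, which the name does not suggest and nothing in the hunk explains; a reader could take it to mean "deny". A short comment above the call would help, e.g. `/* ACL_NONE: set evaluation is internal to the ACL engine, so backend_attribute() must not re-check access */`. The return value is also discarded, so a failed lookup and an empty attribute look the same to the set code. The same pattern appears at `backend_attribute( op, e, &ndn, desc, &bvals, ACL_NONE )` in aci_match_set. aci_set_gather starts and ends outside the hunk.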
@@ -1821,12 +1821,9 @@ aci_match_set (
        struct berval   set = BER_BVNULL;
        int             rc = 0;
        AciSetCookie    cookie;
-       Operation       op2 = *op;
-
-       op2.o_conn = NULL;
 
        if (setref == 0) {
-               ber_dupbv_x( &set, subj, op2.o_tmpmemctx );
+               ber_dupbv_x( &set, subj, op->o_tmpmemctx );
        } else {
                struct berval           subjdn, ndn = BER_BVNULL;
                struct berval           setat;
@@ -1848,9 +1845,9 @@ aci_match_set (
                 * as the length of the dn to be normalized
                 */
                if ( slap_bv2ad( &setat, &desc, &text ) == LDAP_SUCCESS ) {
-                       if ( dnNormalize( 0, NULL, NULL, &subjdn, &ndn, op2.o_tmpmemctx ) == LDAP_SUCCESS )
+                       if ( dnNormalize( 0, NULL, NULL, &subjdn, &ndn, op->o_tmpmemctx ) == LDAP_SUCCESS )
                        {
-                               backend_attribute( &op2, e, &ndn, desc, &bvals );
+                               backend_attribute( op, e, &ndn, desc, &bvals, ACL_NONE );
                                if ( bvals != NULL && !BER_BVISNULL( &bvals[0] ) ) {
                                        int     i;
 
@@ -1861,18 +1858,18 @@ aci_match_set (
                                        bvals[0].bv_val = bvals[i-1].bv_val;
                                        BER_BVZERO( &bvals[i-1] );
                                }
-                               ber_bvarray_free_x( bvals, op2.o_tmpmemctx );
-                               slap_sl_free( ndn.bv_val, op2.o_tmpmemctx );
+                               ber_bvarray_free_x( bvals, op->o_tmpmemctx );
+                               slap_sl_free( ndn.bv_val, op->o_tmpmemctx );
                        }
                }
        }
 
        if ( !BER_BVISNULL( &set ) ) {
-               cookie.op = &op2;
+               cookie.op = op;
                cookie.e = e;
                rc = ( slap_set_filter( aci_set_gather, (SetCookie *)&cookie, &set,
-                       &op2.o_ndn, &e->e_nname, NULL ) > 0 );
-               slap_sl_free( set.bv_val, op2.o_tmpmemctx );
+                       &op->o_ndn, &e->e_nname, NULL ) > 0 );
+               slap_sl_free( set.bv_val, op->o_tmpmemctx );
        }
 
        return(rc);
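Review bot: With the `op2` copy gone, `cookie.op = op` hands the set callback the live operation, connection included, where it used to see `o_conn == NULL`. The visible callback, aci_set_gather, now passes `ACL_NONE` itself. slap_set_filter is not shown, though, so it is worth confirming that nothing else reached through `cookie.op` relied on the NULL connection to suppress access checks; such code would now re-enter access control during ACL evaluation. A comment at the assignment, such as `/* real op: callbacks must pass ACL_NONE to backend_attribute() */`, would record the new contract. aci_match_set begins outside this hunk.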
index 768a2e340e2e91399655741c4d35a58f6090928c..3489730dd2f8e072ed2c3940d45ce62324e04382 100644 (file)
@@ -1483,7 +1483,8 @@ backend_attribute(
        Entry   *target,
        struct berval   *edn,
        AttributeDescription *entry_at,
-       BerVarray *vals )
+       BerVarray *vals,
+       slap_access_t access )
 {
        Entry *e;
        Attribute *a;
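Review bot: The new `access` parameter is undocumented on this definition and on the prototype in proto-slap.h, even though its lowest value has a special meaning. I would add a header comment on backend_attribute stating that `access` is the level passed to access_allowed() for the attribute and for each value, that `ACL_NONE` disables both checks, and that values failing the per-value check are left out of `*vals` without an error being returned. The function body continues outside the hunk.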
@@ -1504,8 +1505,8 @@ backend_attribute(
                if ( a ) {
                        BerVarray v;
 
-                       if ( op->o_conn && access_allowed( op,
-                               e, entry_at, NULL, ACL_AUTH,
+                       if ( op->o_conn && access > ACL_NONE && access_allowed( op,
+                               e, entry_at, NULL, access,
                                &acl_state ) == 0 ) {
                                rc = LDAP_INSUFFICIENT_ACCESS;
                                goto freeit;
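Review bot: The guard still short-circuits on `op->o_conn`, so a caller that asks for `ACL_READ` or `ACL_AUTH` on an operation without a connection gets every value back unchecked. The explicit `access` argument makes that fail-open path easy to overlook; it should at least be stated in a comment, or logged via `Debug()` when `access > ACL_NONE` and `o_conn` is NULL. The same condition is repeated in the per-value loop of the next hunk, so computing it once, `int check = op->o_conn && access > ACL_NONE;`, would keep the two tests from drifting apart. `access > ACL_NONE` also skips the check for any value that orders below `ACL_NONE`, if slap_access_t has one. The enclosing function begins and ends outside this hunk.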
@@ -1516,10 +1517,10 @@ backend_attribute(
                        v = op->o_tmpalloc( sizeof(struct berval) * (i+1),
                                op->o_tmpmemctx );
                        for ( i=0,j=0; a->a_vals[i].bv_val; i++ ) {
-                               if ( op->o_conn && access_allowed( op,
+                               if ( op->o_conn && access > ACL_NONE && access_allowed( op,
                                        e, entry_at,
                                        &a->a_nvals[i],
-                                       ACL_AUTH, &acl_state ) == 0 ) {
+                                       access, &acl_state ) == 0 ) {
                                        continue;
                                }
                                ber_dupbv_x( &v[j],
index 9cd0a344260197cf13b21d30abed3ea6885a6198..32e474118d8b540573d53b7cc17ef6dd55364aad 100644 (file)
@@ -72,7 +72,7 @@ collect_response( Operation *op, SlapReply *rs )
                        /* Extract the values of the desired attribute from
                         * the ancestor entry
                         */
-                       rc = backend_attribute( op, NULL, &ci->ci_dn, ci->ci_ad, &vals );
+                       rc = backend_attribute( op, NULL, &ci->ci_dn, ci->ci_ad, &vals, ACL_READ );
 
                        /* If there are any values, merge them into the
                         * current entry
index 2f336291107aba9afc25b9f0ca82afd130aceddc..acd8e3ed9e35edeccda304dcf1211c5e387f3a9a 100644 (file)
@@ -274,7 +274,8 @@ LDAP_SLAPD_F (int) backend_attribute LDAP_P((
        Entry *target,
        struct berval *entry_ndn,
        AttributeDescription *entry_at,
-       BerVarray *vals
+       BerVarray *vals,
+       slap_access_t access
 ));
 
 LDAP_SLAPD_F (int) backend_operational LDAP_P((
index 035a3ee0b5d53b66776c616eeb7ab4e3dacf0b38..e178192b26cbdc11a72770aadcba0c67f980c777 100644 (file)
@@ -1112,7 +1112,7 @@ slap_sasl_check_authz( Operation *op,
           assertDN->bv_val, ad->ad_cname.bv_val, searchDN->bv_val);
 #endif
 
-       rc = backend_attribute( op, NULL, searchDN, ad, &vals );
+       rc = backend_attribute( op, NULL, searchDN, ad, &vals, ACL_AUTH );
        if( rc != LDAP_SUCCESS ) goto COMPLETE;
 
        /* Check if the *assertDN matches any *vals */
index c6ed3ec6ca14639c3d57374eb0505956ca85d294..ec6a067c8c0deea09a2f7cd75b5ac65be1c7e40f 100644 (file)
@@ -344,7 +344,7 @@ do_syncrep1(
 
                /* read stored cookie if it exists */
                backend_attribute( op, NULL, &op->o_req_ndn,
-                       slap_schema.si_ad_syncreplCookie, &cookie );
+                       slap_schema.si_ad_syncreplCookie, &cookie, ACL_READ );
 
                if ( !cookie ) {
                        /* no stored cookie */
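Review bot: The result of `backend_attribute(..., ACL_READ)` is discarded, so a denied read (`LDAP_INSUFFICIENT_ACCESS`) is handled exactly like "no stored cookie". If the identity on `op` can fail the new `ACL_READ` check, the consumer would presumably fall back to starting without a cookie and give no indication why. Capturing the code, e.g. `rc = backend_attribute( ... );` followed by a `Debug()` line when it is neither success nor "no such attribute", would make that diagnosable. The second call in the following hunk has the same shape. do_syncrep1 extends beyond both hunks, so whether `cookie` is initialised to NULL before the call cannot be seen here.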
@@ -399,7 +399,7 @@ do_syncrep1(
                        struct berval cookie_bv;
                        /* try to read stored cookie */
                        backend_attribute( op, NULL, &op->o_req_ndn,
-                               slap_schema.si_ad_syncreplCookie, &cookie );
+                               slap_schema.si_ad_syncreplCookie, &cookie, ACL_READ );
                        if ( cookie ) {
                                ber_dupbv( &cookie_bv, &cookie[0] );
                                ber_bvarray_add( &si->si_syncCookie.octet_str, &cookie_bv );