Fixed libldap interaction with GnuTLS CN IP-based matches (ITS#5789)
Fixed libldap Ipv6 detection (ITS#5739)
Fixed slapd acl checks on ADD (ITS#4556,ITS#5723)
+ Fixed slapd acl application to newly created backends (ITS#5572)
Added slapd keyword add_content_acl for add checks (ITS#4556,ITS#5723)
Fixed slapd config backend olcLogFile support (ITS#5765)
Fixed slapd contextCSN pending list (ITS#5709)
slap_access_t access_level;
const char *attr;
regmatch_t matches[MAXREMATCHES];
+ AccessControlState acl_state = ACL_STATE_INIT;
assert( op != NULL );
assert( e != NULL );
}
/* use backend default access if no backend acls */
- if ( op->o_bd->be_acl == NULL ) {
+ if ( op->o_bd->be_acl == NULL && frontendDB->be_acl == NULL ) {
int i;
Debug( LDAP_DEBUG_ACL,
ret = 0;
control = ACL_BREAK;
- if ( state && state->as_vd_ad == desc ) {
+ if ( state == NULL )
+ state = &acl_state;
+ if ( state->as_vd_ad == desc ) {
a = state->as_vd_acl;
count = state->as_vd_acl_count;
-
+ if ( state->as_fe_done )
+ state->as_fe_done--;
} else {
- if ( state ) state->as_vi_acl = NULL;
+ state->as_vi_acl = NULL;
+
a = NULL;
count = 0;
}
+ if ( a == NULL )
+ state->as_fe_done = 0;
+
ACL_PRIV_ASSIGN( mask, *maskp );
memset( matches, '\0', sizeof( matches ) );
assert( e != NULL );
assert( count != NULL );
assert( desc != NULL );
+ assert( state != NULL );
attr = desc->ad_cname.bv_val;
assert( attr != NULL );
if( a == NULL ) {
- if( op->o_bd == NULL ) {
+ if( op->o_bd == NULL || op->o_bd->be_acl == NULL ) {
a = frontendDB->be_acl;
} else {
a = op->o_bd->be_acl;
prev = NULL;
assert( a != NULL );
-
+ if ( a == frontendDB->be_acl )
+ state->as_fe_done = 1;
} else {
prev = a;
a = a->acl_next;
dnlen = e->e_nname.bv_len;
+ retry:
for ( ; a != NULL; prev = a, a = a->acl_next ) {
(*count) ++;
+ if ( a != frontendDB->be_acl && state->as_fe_done )
+ state->as_fe_done++;
+
if ( a->acl_dn_pat.bv_len || ( a->acl_dn_style != ACL_STYLE_REGEX )) {
if ( a->acl_dn_style == ACL_STYLE_REGEX ) {
Debug( LDAP_DEBUG_ACL, "=> dnpat: [%d] %s nsub: %d\n",
continue;
}
- if( state && !( state->as_recorded & ACL_STATE_RECORDED_VD )) {
+ if( !( state->as_recorded & ACL_STATE_RECORDED_VD )) {
state->as_recorded |= ACL_STATE_RECORDED_VD;
state->as_vd_acl = prev;
state->as_vd_acl_count = *count - 1;
return a;
}
+ if ( !state->as_fe_done ) {
+ state->as_fe_done = 1;
+ a = frontendDB->be_acl;
+ goto retry;
+ }
+
Debug( LDAP_DEBUG_ACL, "<= acl_get: done.\n", 0, 0, 0 );
return( NULL );
}
}
/* use backend default access if no backend acls */
- if( op->o_bd != NULL && op->o_bd->be_acl == NULL ) {
+ if( op->o_bd != NULL && op->o_bd->be_acl == NULL && frontendDB->be_acl == NULL ) {
Debug( LDAP_DEBUG_ACL,
"=> access_allowed: backend default %s access %s to \"%s\"\n",
access2str( ACL_WRITE ),
free( a );
}
-/* Because backend_startup uses acl_append to tack on the global_acl to
- * the end of each backend's acl, we cannot just take one argument and
- * merrily free our way to the end of the list. backend_destroy calls us
- * with the be_acl in arg1, and global_acl in arg2 to give us a stopping
- * point. config_destroy calls us with global_acl in arg1 and NULL in
- * arg2, so we then proceed to polish off the global_acl.
- */
void
-acl_destroy( AccessControl *a, AccessControl *end )
+acl_destroy( AccessControl *a )
{
AccessControl *n;
- for ( ; a && a != end; a = n ) {
+ for ( ; a; a = n ) {
n = a->acl_next;
acl_free( a );
}
return rc;
}
}
- /* append global access controls */
- acl_append( &be->be_acl, frontendDB->be_acl, -1 );
return backend_startup_one( be, &cr );
}
"has no suffix\n",
i, be->bd_info->bi_type, 0 );
}
- /* append global access controls */
- acl_append( &be->be_acl, frontendDB->be_acl, -1 );
rc = backend_startup_one( be, &cr );
if ( !BER_BVISNULL( &bd->be_rootpw ) ) {
free( bd->be_rootpw.bv_val );
}
- acl_destroy( bd->be_acl, frontendDB->be_acl );
+ acl_destroy( bd->be_acl );
limits_destroy( bd->be_limits );
if ( !BER_BVISNULL( &bd->be_update_ndn ) ) {
ch_free( bd->be_update_ndn.bv_val );
if ( !BER_BVISNULL( &bd->be_rootpw ) ) {
free( bd->be_rootpw.bv_val );
}
- acl_destroy( bd->be_acl, frontendDB->be_acl );
+ acl_destroy( bd->be_acl );
+ frontendDB = NULL;
}
return 0;
AccessControl *a;
char *src, *dst, ibuf[11];
struct berval bv, abv;
- AccessControl *end;
- if ( c->be == frontendDB )
- end = NULL;
- else
- end = frontendDB->be_acl;
- for (i=0, a=c->be->be_acl; a && a != end; i++,a=a->acl_next) {
+ for (i=0, a=c->be->be_acl; a; i++,a=a->acl_next) {
abv.bv_len = snprintf( ibuf, sizeof( ibuf ), SLAP_X_ORDERED_FMT, i );
if ( abv.bv_len >= sizeof( ibuf ) ) {
ber_bvarray_free_x( c->rvalue_vals, NULL );
case CFG_ACL:
if ( c->valx < 0 ) {
- AccessControl *end;
- if ( c->be == frontendDB )
- end = NULL;
- else
- end = frontendDB->be_acl;
- acl_destroy( c->be->be_acl, end );
- c->be->be_acl = end;
+ acl_destroy( c->be->be_acl );
+ c->be->be_acl = NULL;
} else {
AccessControl **prev, *a;
case CFG_ACL:
/* Don't append to the global ACL if we're on a specific DB */
i = c->valx;
- if ( c->be != frontendDB && frontendDB->be_acl && c->valx == -1 ) {
+ if ( c->valx == -1 ) {
AccessControl *a;
i = 0;
- for ( a=c->be->be_acl; a && a != frontendDB->be_acl;
- a = a->acl_next )
+ for ( a=c->be->be_acl; a; a = a->acl_next )
i++;
}
if ( parse_acl(c->be, c->fname, c->lineno, c->argc, c->argv, i ) ) {
/* If we have no explicitly configured ACLs, don't just use
* the global ACLs. Explicitly deny access to everything.
*/
- if ( frontendDB->be_acl && be->be_acl == frontendDB->be_acl ) {
+ if ( !be->be_acl ) {
parse_acl(be, "config_back_db_open", 0, 6, (char **)defacl, 0 );
}
if ( frontendDB->be_schemadn.bv_val )
free( frontendDB->be_schemadn.bv_val );
if ( frontendDB->be_acl )
- acl_destroy( frontendDB->be_acl, NULL );
+ acl_destroy( frontendDB->be_acl );
}
free( line );
if ( slapd_args_file )
LDAP_SLAPD_F (char *) accessmask2str LDAP_P(( slap_mask_t mask, char*, int debug ));
LDAP_SLAPD_F (slap_mask_t) str2accessmask LDAP_P(( const char *str ));
LDAP_SLAPD_F (void) acl_unparse LDAP_P(( AccessControl*, struct berval* ));
-LDAP_SLAPD_F (void) acl_destroy LDAP_P(( AccessControl*, AccessControl* ));
+LDAP_SLAPD_F (void) acl_destroy LDAP_P(( AccessControl* ));
LDAP_SLAPD_F (void) acl_free LDAP_P(( AccessControl *a ));
slap_acl_state_t as_recorded;
int as_vd_acl_count;
int as_result;
+ int as_fe_done;
} AccessControlState;
#define ACL_STATE_INIT { NULL, NULL, NULL, \
- ACL_STATE_NOT_RECORDED, 0, 0 }
+ ACL_STATE_NOT_RECORDED, 0, 0, 0 }
/*
* Backend-info
projects / openldap / commitdiff