Don't exclude no-user-modification attributes from ACL checks

unless access requested is WRITE.  This allows you to apply
an ACL to limit search/reading of no-user-modification attributes.
Writes, of course, are always prohibited (by do_add, do_modify).

diff --git a/servers/slapd/acl.c b/servers/slapd/acl.c
index f50005d09f5198ee940891d3d3299c426c0c1ad4..cc0802a211d272a0922d28e5a4b6df49cb5136fb 100644 (file)
--- a/servers/slapd/acl.c
+++ b/servers/slapd/acl.c
@@ -98,8 +98,12 @@ access_allowed(
                return 1;
        }
 
-       /* no user modify operational attributes are ignored by ACL checking */
-       if ( oc_check_no_usermod_attr( attr ) ) {
+       /*
+        * no-user-modification operational attributes are ignored
+        * by ACL_WRITE checking as any found here are not provided
+        * by the user
+        */
+       if ( access >= ACL_WRITE && oc_check_no_usermod_attr( attr ) ) {
                Debug( LDAP_DEBUG_ACL, "NoUserMod Operational attribute:"
                        " %s access granted\n",
                        attr, 0, 0 );
@@ -623,9 +627,14 @@ acl_check_modlist(
        }
 
        for ( ; mlist != NULL; mlist = mlist->ml_next ) {
-               /* the lastmod attributes are ignored by ACL checking */
+               /*
+                * no-user-modification operational attributes are ignored
+                * by ACL_WRITE checking as any found here are not provided
+                * by the user
+                */
                if ( oc_check_no_usermod_attr( mlist->ml_type ) ) {
-                       Debug( LDAP_DEBUG_ACL, "Operational attribute: %s access allowed\n",
+                       Debug( LDAP_DEBUG_ACL, "NoUserMod Operational attribute:"
+                               " modify access granted\n",
                                mlist->ml_type, 0, 0 );
                        continue;
                }