Entry ACLs
authorKurt Zeilenga <kurt@openldap.org>
Thu, 10 Oct 2002 03:31:30 +0000 (03:31 +0000)
committerKurt Zeilenga <kurt@openldap.org>
Thu, 10 Oct 2002 03:31:30 +0000 (03:31 +0000)
servers/slapd/back-shell/add.c
servers/slapd/back-shell/bind.c
servers/slapd/back-shell/compare.c
servers/slapd/back-shell/delete.c
servers/slapd/back-shell/modify.c
servers/slapd/back-shell/modrdn.c

index 2eb06b53ad601652b3f199624917194f46d897ca..ae65d4cf2520c15d4720f7cd5c699f6305b0d04f 100644 (file)
@@ -24,6 +24,7 @@ shell_back_add(
 )
 {
        struct shellinfo        *si = (struct shellinfo *) be->be_private;
+       AttributeDescription *entry = slap_schema.si_ad_entry;
        FILE                    *rfp, *wfp;
        int                     len;
 
@@ -33,6 +34,14 @@ shell_back_add(
                return( -1 );
        }
 
+       if ( ! access_allowed( be, conn, op, e,
+               entry, NULL, ACL_WRITE, NULL ) )
+       {
+               send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
+                       NULL, NULL, NULL, NULL );
+               return -1;
+       }
+
        if ( (op->o_private = (void *) forkandexec( si->si_add, &rfp, &wfp )) == (void *) -1 ) {
                send_ldap_result( conn, op, LDAP_OTHER, NULL,
                    "could not fork/exec", NULL, NULL );
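Review bot: The new guard carries no comment saying what it gates, and a reader of back-shell will not know why write access is tested on the `entry` pseudo-attribute rather than on the attributes of e; a one-liner above the if, `/* require write access to the entry as a whole before handing it to the external add script */`, would record that. The early `return -1;` also breaks with the `return( -1 );` form used a few lines above in the same function. Unlike the other files in this commit, this check runs against the real entry being added rather than a stack-built shadow entry, which is worth stating so the two patterns are not confused. shell_back_add continues past the hunk.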
index 6c4ec9ab48f0d20e37c1864164cdf686b56ab671..ad1b9c80c1c9aebe7f63db18023c6a6851d48c6f 100644 (file)
@@ -28,6 +28,8 @@ shell_back_bind(
 )
 {
        struct shellinfo        *si = (struct shellinfo *) be->be_private;
+       AttributeDescription *entry = slap_schema.si_ad_entry;
+       Entry e;
        FILE                    *rfp, *wfp;
        int                     rc;
 
@@ -37,6 +39,23 @@ shell_back_bind(
                return( -1 );
        }
 
+       e.e_id = NOID;
+       e.e_name = *dn;
+       e.e_nname = *ndn;
+       e.e_attrs = NULL;
+       e.e_ocflags = 0;
+       e.e_bv.bv_len = 0;
+       e.e_bv.bv_val = NULL;
+       e.e_private = NULL;
+
+       if ( ! access_allowed( be, conn, op, &e,
+               entry, NULL, ACL_AUTH, NULL ) )
+       {
+               send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
+                       NULL, NULL, NULL, NULL );
+               return -1;
+       }
+
        if ( (op->o_private = (void *) forkandexec( si->si_bind, &rfp, &wfp ))
            == (void *) -1 ) {
                send_ldap_result( conn, op, LDAP_OTHER, NULL,
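Review bot: The Entry built on the stack has e_attrs = NULL, so access_allowed presumably sees a target with no attributes, and any access rule that tests the target entry's attributes (a `filter=` clause on the access target, or a `by dnattr=` selector) cannot match here and is effectively skipped; only DN-based selectors decide. The same shadow-entry construction is repeated in compare.c, delete.c, modify.c and modrdn.c, so the caveat applies to all five and deserves a comment above the first assignment: `/* attribute-less shadow entry: only DN-based ACL clauses can match; filter=/dnattr= rules never apply in back-shell */`. The eight-line initialization is copied verbatim five times; a small static helper in the backend taking the Entry pointer and the two DNs would keep the copies from drifting apart. shell_back_bind continues past the hunk.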
index 19a3498c96e4cfaf08a6ec5b48018f56eb19073c..c70edd530db478f09b72d2632014b0457171ce9a 100644 (file)
@@ -26,6 +26,8 @@ shell_back_compare(
 )
 {
        struct shellinfo        *si = (struct shellinfo *) be->be_private;
+       AttributeDescription *entry = slap_schema.si_ad_entry;
+       Entry e;
        FILE                    *rfp, *wfp;
 
        if ( IS_NULLCMD( si->si_compare ) ) {
@@ -34,6 +36,23 @@ shell_back_compare(
                return( -1 );
        }
 
+       e.e_id = NOID;
+       e.e_name = *dn;
+       e.e_nname = *ndn;
+       e.e_attrs = NULL;
+       e.e_ocflags = 0;
+       e.e_bv.bv_len = 0;
+       e.e_bv.bv_val = NULL;
+       e.e_private = NULL;
+
+       if ( ! access_allowed( be, conn, op, &e,
+               entry, NULL, ACL_READ, NULL ) )
+       {
+               send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
+                       NULL, NULL, NULL, NULL );
+               return -1;
+       }
+
        if ( (op->o_private = (void *) forkandexec( si->si_compare, &rfp, &wfp ))
            == (void *) -1 ) {
                send_ldap_result( conn, op, LDAP_OTHER, NULL,
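Review bot: The check grants the whole compare on ACL_READ to the `entry` pseudo-attribute, but what the operation discloses is the asserted attribute's value, which slapd normally gates with ACL_COMPARE on that attribute; an entry-level read check alone lets a client confirm values of attributes it has no compare or read access to. If the attribute assertion is a parameter of shell_back_compare (its signature is outside the hunk), a second check along the lines of `if ( ! access_allowed( be, conn, op, &e, ava->aa_desc, &ava->aa_value, ACL_COMPARE, NULL ) )` with the same LDAP_INSUFFICIENT_ACCESS result should follow the entry check. Because e.e_attrs is NULL, that check would still be evaluated against an attribute-less shadow entry, so a comment should say that only DN-based rules take effect.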
index 73dd65e52fbd9eaaab4b545b852b5d60d0e64021..eb6c977b9864847fd5d4d22b12ce5e2f0b1554c2 100644 (file)
@@ -25,6 +25,8 @@ shell_back_delete(
 )
 {
        struct shellinfo        *si = (struct shellinfo *) be->be_private;
+       AttributeDescription *entry = slap_schema.si_ad_entry;
+       Entry e;
        FILE                    *rfp, *wfp;
 
        if ( IS_NULLCMD( si->si_delete ) ) {
@@ -33,6 +35,23 @@ shell_back_delete(
                return( -1 );
        }
 
+       e.e_id = NOID;
+       e.e_name = *dn;
+       e.e_nname = *ndn;
+       e.e_attrs = NULL;
+       e.e_ocflags = 0;
+       e.e_bv.bv_len = 0;
+       e.e_bv.bv_val = NULL;
+       e.e_private = NULL;
+
+       if ( ! access_allowed( be, conn, op, &e,
+               entry, NULL, ACL_WRITE, NULL ) )
+       {
+               send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
+                       NULL, NULL, NULL, NULL );
+               return -1;
+       }
+
        if ( (op->o_private = (void *) forkandexec( si->si_delete, &rfp, &wfp ))
            == (void *) -1 ) {
                send_ldap_result( conn, op, LDAP_OTHER, NULL,
index 69ad41d740ab6d5f9939ecd017e081d77e11e9b6..9b82f70be4b7b8de9106b2eb695dd0f8f227666e 100644 (file)
@@ -27,6 +27,8 @@ shell_back_modify(
 {
        Modification *mod;
        struct shellinfo        *si = (struct shellinfo *) be->be_private;
+       AttributeDescription *entry = slap_schema.si_ad_entry;
+       Entry e;
        FILE                    *rfp, *wfp;
        int                     i;
 
@@ -36,6 +38,23 @@ shell_back_modify(
                return( -1 );
        }
 
+       e.e_id = NOID;
+       e.e_name = *dn;
+       e.e_nname = *ndn;
+       e.e_attrs = NULL;
+       e.e_ocflags = 0;
+       e.e_bv.bv_len = 0;
+       e.e_bv.bv_val = NULL;
+       e.e_private = NULL;
+
+       if ( ! access_allowed( be, conn, op, &e,
+               entry, NULL, ACL_WRITE, NULL ) )
+       {
+               send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
+                       NULL, NULL, NULL, NULL );
+               return -1;
+       }
+
        if ( (op->o_private = (void *) forkandexec( si->si_modify, &rfp, &wfp ))
            == (void *) -1 ) {
                send_ldap_result( conn, op, LDAP_OTHER, NULL,
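Review bot: Write access to the `entry` pseudo-attribute is checked, but the attributes named in the modification list are not, so a client allowed to write the entry as a whole yet denied on a particular attribute still has its mods forwarded to the external script. The `Modification *mod` declaration at the top of the function indicates the list is walked later, so a per-attribute ACL_WRITE check is feasible here; slapd's other backends do this with a helper of the form `acl_check_modlist( be, conn, op, &e, modlist )` before applying the change, if that helper is available at this revision. It would run against the attribute-less shadow entry, so only DN-based rules would be evaluated, but that is still stronger than the entry-only check. shell_back_modify continues past the hunk.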
index 2e92d8731c90340cddd19effba9b985b5afcafed..bfe86a95103403fdeba74eac539a0b0ed8168932 100644 (file)
@@ -43,6 +43,8 @@ shell_back_modrdn(
 )
 {
        struct shellinfo        *si = (struct shellinfo *) be->be_private;
+       AttributeDescription *entry = slap_schema.si_ad_entry;
+       Entry e;
        FILE                    *rfp, *wfp;
 
        if ( IS_NULLCMD( si->si_modrdn ) ) {
@@ -51,6 +53,23 @@ shell_back_modrdn(
                return( -1 );
        }
 
+       e.e_id = NOID;
+       e.e_name = *dn;
+       e.e_nname = *ndn;
+       e.e_attrs = NULL;
+       e.e_ocflags = 0;
+       e.e_bv.bv_len = 0;
+       e.e_bv.bv_val = NULL;
+       e.e_private = NULL;
+
+       if ( ! access_allowed( be, conn, op, &e,
+               entry, NULL, ACL_WRITE, NULL ) )
+       {
+               send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
+                       NULL, NULL, NULL, NULL );
+               return -1;
+       }
+
        if ( (op->o_private = (void *) forkandexec( si->si_modrdn, &rfp, &wfp ))
            == (void *) -1 ) {
                send_ldap_result( conn, op, LDAP_OTHER, NULL,