ITS#5572 from Rein
authorQuanah Gibson-Mount <quanah@openldap.org>
Tue, 11 Nov 2008 21:09:28 +0000 (21:09 +0000)
committerQuanah Gibson-Mount <quanah@openldap.org>
Tue, 11 Nov 2008 21:09:28 +0000 (21:09 +0000)
servers/slapd/acl.c
servers/slapd/backend.c
servers/slapd/slap.h

index a9c2a791550d483972226bd8fa82edb8df7d7b3e..c04f3044b09442184d522d6c73b4777e8dfa6c37 100644 (file)
@@ -138,6 +138,7 @@ slap_access_allowed(
        slap_access_t                   access_level;
        const char                      *attr;
        regmatch_t                      matches[MAXREMATCHES];
+       AccessControlState      acl_state = ACL_STATE_INIT;
 
        assert( op != NULL );
        assert( e != NULL );
@@ -179,7 +180,7 @@ slap_access_allowed(
        }
 
        /* use backend default access if no backend acls */
-       if ( op->o_bd->be_acl == NULL ) {
+       if ( op->o_bd->be_acl == NULL && frontendDB->be_acl == NULL ) {
                int     i;
 
                Debug( LDAP_DEBUG_ACL,
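Review bot: The comment just above the changed condition still reads `/* use backend default access if no backend acls */`, but the new test also requires `frontendDB->be_acl == NULL`, so the backend default is now taken only when neither backend nor global ACLs exist; the same stale comment precedes the parallel change in acl_check_modlist (the hunk at @@ -1856). Suggest `/* use backend default access only if there are neither backend nor global acls */` in both places. The left operand here still dereferences `op->o_bd` without a NULL check while the acl_check_modlist variant tests `op->o_bd != NULL` first; that asymmetry predates this change, but it is worth confirming the callers of slap_access_allowed guarantee a backend. slap_access_allowed starts before and ends after this hunk.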
@@ -201,15 +202,22 @@ slap_access_allowed(
        ret = 0;
        control = ACL_BREAK;
 
-       if ( state && state->as_vd_ad == desc ) {
+       if ( state == NULL )
+               state = &acl_state;
+       if ( state->as_vd_ad == desc ) {
                a = state->as_vd_acl;
                count = state->as_vd_acl_count;
-
+               if ( state->as_fe_done )
+                       state->as_fe_done--;
        } else {
-               if ( state ) state->as_vi_acl = NULL;
+               state->as_vi_acl = NULL;
+
                a = NULL;
                count = 0;
        }
+       if ( a == NULL )
+               state->as_fe_done = 0;
+
        ACL_PRIV_ASSIGN( mask, *maskp );
        memset( matches, '\0', sizeof( matches ) );
 
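Review bot: `as_fe_done` is decremented on the resume path at `state->as_fe_done--` and reset to 0 when `a == NULL`, but nothing in this hunk says what the value means, and the same field is set to 1 and incremented in slap_acl_get (the hunks at @@ -490 and @@ -498), so it behaves as a count of global ACLs walked rather than the boolean its name suggests. A reader of this resume path cannot tell why a single decrement compensates for re-entering the loop from `as_vd_acl`. Suggest a comment above the decrement such as `/* as_fe_done counts global acls already walked; resuming from as_vd_acl re-visits one, so back it off by one */`, with the exact invariant confirmed against slap_acl_get. slap_access_allowed continues outside this hunk.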
@@ -476,13 +484,14 @@ slap_acl_get(
        assert( e != NULL );
        assert( count != NULL );
        assert( desc != NULL );
+       assert( state != NULL );
 
        attr = desc->ad_cname.bv_val;
 
        assert( attr != NULL );
 
        if( a == NULL ) {
-               if( op->o_bd == NULL ) {
+               if( op->o_bd == NULL || op->o_bd->be_acl == NULL ) {
                        a = frontendDB->be_acl;
                } else {
                        a = op->o_bd->be_acl;
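Review bot: The new `assert( state != NULL )` turns a previously tolerated NULL `state` into an abort, and under NDEBUG the assert disappears while the body now dereferences `state` unconditionally (the `state->as_fe_done = 1` and `state->as_recorded` accesses in the later hunks), so every caller of slap_acl_get other than slap_access_allowed must now pass a real state; the other callers are not visible here and need checking. The fallback `op->o_bd == NULL || op->o_bd->be_acl == NULL` starts the walk directly at the global list when the backend has none, which is correct for the frontend-only case, but the meaning of `a == NULL` as "start of the chain" is only implied; suggest `/* a == NULL: start the walk; backend acls first, global acls as fallback */` above the `if( a == NULL )`. slap_acl_get begins before this hunk.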
@@ -490,7 +499,8 @@ slap_acl_get(
                prev = NULL;
 
                assert( a != NULL );
-
+               if ( a == frontendDB->be_acl )
+                       state->as_fe_done = 1;
        } else {
                prev = a;
                a = a->acl_next;
@@ -498,9 +508,13 @@ slap_acl_get(
 
        dnlen = e->e_nname.bv_len;
 
+ retry:
        for ( ; a != NULL; prev = a, a = a->acl_next ) {
                (*count) ++;
 
+               if ( a != frontendDB->be_acl && state->as_fe_done )
+                       state->as_fe_done++;
+
                if ( a->acl_dn_pat.bv_len || ( a->acl_dn_style != ACL_STYLE_REGEX )) {
                        if ( a->acl_dn_style == ACL_STYLE_REGEX ) {
                                Debug( LDAP_DEBUG_ACL, "=> dnpat: [%d] %s nsub: %d\n", 
@@ -567,7 +581,7 @@ slap_acl_get(
                                continue;
                        }
 
-                       if( state && !( state->as_recorded & ACL_STATE_RECORDED_VD )) {
+                       if( !( state->as_recorded & ACL_STATE_RECORDED_VD )) {
                                state->as_recorded |= ACL_STATE_RECORDED_VD;
                                state->as_vd_acl = prev;
                                state->as_vd_acl_count = *count - 1;
@@ -649,6 +663,12 @@ slap_acl_get(
                return a;
        }
 
+       if ( !state->as_fe_done ) {
+               state->as_fe_done = 1;
+               a = frontendDB->be_acl;
+               goto retry;
+       }
+
        Debug( LDAP_DEBUG_ACL, "<= acl_get: done.\n", 0, 0, 0 );
        return( NULL );
 }
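Review bot: The `goto retry` restarts the walk at `frontendDB->be_acl` without resetting `prev`, so when a global ACL becomes the recorded resume point `state->as_vd_acl` points at the last backend ACL; resuming from there then relies on that node's `acl_next` being NULL, which only holds now that backend.c no longer chains the global list onto each backend list via acl_append. That cross-file dependency is invisible at the goto and deserves a comment: `/* backend acls exhausted: walk the global acls once; prev stays at the backend tail, and as_fe_done lets a later resume re-enter the global list from here */`. The `(*count)++` in the loop keeps counting across both lists, so `as_vd_acl_count` is a position in the combined walk, which the same comment should state. The loop body between the `retry:` label and this hunk is not visible here.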
@@ -1856,7 +1876,7 @@ acl_check_modlist(
        }
 
        /* use backend default access if no backend acls */
-       if( op->o_bd != NULL && op->o_bd->be_acl == NULL ) {
+       if( op->o_bd != NULL && op->o_bd->be_acl == NULL && frontendDB->be_acl == NULL ) {
                Debug( LDAP_DEBUG_ACL,
                        "=> access_allowed: backend default %s access %s to \"%s\"\n",
                        access2str( ACL_WRITE ),
index 3754a258f20af6203dbce3bc5d295c85632fd207..aad928e616e75e7dd6064cfd316110777b228dcc 100644 (file)
@@ -261,8 +261,6 @@ int backend_startup(Backend *be)
                                return rc;
                        }
                }
-               /* append global access controls */
-               acl_append( &be->be_acl, frontendDB->be_acl, -1 );
 
                return backend_startup_one( be, &cr );
        }
@@ -310,8 +308,6 @@ int backend_startup(Backend *be)
                                "has no suffix\n",
                                i, be->bd_info->bi_type, 0 );
                }
-               /* append global access controls */
-               acl_append( &be->be_acl, frontendDB->be_acl, -1 );
 
                rc = backend_startup_one( be, &cr );
 
index ae7d51b8d61d5370423ae6127350d81b18aec4a5..9a699456d3eced23274a6c3d7753e2f0c3ad896e 100644 (file)
@@ -1542,9 +1542,10 @@ typedef struct AccessControlState {
        slap_acl_state_t as_recorded;
        int as_vd_acl_count;
        int as_result;
+       int as_fe_done;
 } AccessControlState;
 #define ACL_STATE_INIT { NULL, NULL, NULL, \
-       ACL_STATE_NOT_RECORDED, 0, 0 }
+       ACL_STATE_NOT_RECORDED, 0, 0, 0 }
 
 /*
  * Backend-info
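Review bot: The new field `as_fe_done` carries no comment, and its name suggests a boolean while acl.c in this same commit increments and decrements it as a count of global ACLs walked, so a maintainer reading the struct will guess wrong. Suggest documenting it at the declaration: `int as_fe_done; /* >0 once the walk has moved to the global (frontend) acls; counts entries walked so a resume can back off one */`, with the exact invariant confirmed against slap_acl_get. `ACL_STATE_INIT` is a positional initializer, so the added trailing `0` must be kept in step with field order; a designated initializer would make that self-checking if C99 initializers are acceptable in this header.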