ITS#4556,ITS#5723
authorQuanah Gibson-Mount <quanah@openldap.org>
Mon, 10 Nov 2008 22:48:23 +0000 (22:48 +0000)
committerQuanah Gibson-Mount <quanah@openldap.org>
Mon, 10 Nov 2008 22:48:23 +0000 (22:48 +0000)
CHANGES
servers/slapd/back-bdb/add.c
servers/slapd/back-ndb/add.cpp
servers/slapd/bconfig.c
tests/data/slapd-acl.conf
tests/data/slapd-dds.conf

diff --git a/CHANGES b/CHANGES
index 72088270df4b9570ecddf9d21de522b0f32e1208..1eb0c9991283ba25d55b5e23f16b8b67dbe2cef7 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -5,6 +5,8 @@ OpenLDAP 2.4.13 Engineering
        Fixed liblutil hex conversion (ITS#5699)
        Fixed liblutil returning undefined data (ITS#5748)
        Fixed libldap error code return (ITS#5762)
+       Fixed slapd acl checks on ADD (ITS#4556,ITS#5723)
+       Added slapd keyword add_content_acl for add checks (ITS#4556,ITS#5723)
        Fixed slapd config backend olcLogFile support (ITS#5765)
        Added slapd dn.this search limits (ITS#5734)
        Fixed slapd nameUIDPretty bitstring parsing (ITS#5750)
index cea8a0be4c9e8230c95794082ff0d736077bfb54..402c837b9cc9f531bb55fadc7cb1a7d779f62dca 100644 (file)
@@ -299,6 +299,24 @@ retry:     /* transaction retry */
                goto return_results;;
        }
 
+       /* 
+        * Check ACL for attribute write access
+        */
+       if (!acl_check_modlist(op, oe, op->ora_modlist)) {
+               switch( opinfo.boi_err ) {
+               case DB_LOCK_DEADLOCK:
+               case DB_LOCK_NOTGRANTED:
+                       goto retry;
+               }
+
+               Debug( LDAP_DEBUG_TRACE,
+                       LDAP_XSTRING(bdb_add) ": no write access to attribute\n",
+                       0, 0, 0 );
+               rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
+               rs->sr_text = "no write access to attribute";
+               goto return_results;;
+       }
+
        if ( eid == NOID ) {
                rs->sr_err = bdb_next_id( op->o_bd, &eid );
                if( rs->sr_err != 0 ) {
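Review bot: The new early exit repeats the stray double semicolon of the existing exit above it, `goto return_results;;` — a single `;` is enough. The `switch( opinfo.boi_err )` has no `default:` arm; adding `default: break;` makes the intentional fall-through to the insufficient-access path explicit rather than implicit. If an internally generated add can reach this point with `op->ora_modlist` unset, confirm that acl_check_modlist tolerates a NULL list, since the check now gates every add. bdb_add's body begins and ends outside the hunk.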
index 8a5ca68fec294a4376cc0a3cde6767e22c8c6fa2..cd7bffe12992ccdb196228755c358a951f02bc66 100644 (file)
@@ -223,6 +223,19 @@ is_ref:                    p.e_attrs = NULL;
                goto return_results;;
        }
 
+       /* 
+        * Check ACL for attribute write access
+        */
+       if (!acl_check_modlist(op, op->ora_e, op->ora_modlist)) {
+               Debug( LDAP_DEBUG_TRACE,
+                       LDAP_XSTRING(bdb_add) ": no write access to attribute\n",
+                       0, 0, 0 );
+               rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
+               rs->sr_text = "no write access to attribute";
+               goto return_results;;
+       }
+
+
        /* acquire entry ID */
        if ( op->ora_e->e_id == NOID ) {
                rs->sr_err = ndb_next_id( op->o_bd, NA.ndb, &op->ora_e->e_id );
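Review bot: The trace prefix `LDAP_XSTRING(bdb_add)` names the BDB backend's function from inside back-ndb/add.cpp, so this log line is attributed to the wrong backend; it should name this file's own add function, `LDAP_XSTRING(<this file's add function>)`. The exit also carries the doubled `;;` in `goto return_results;;`, and the two blank lines following the block can be collapsed to one. Unlike the back-bdb counterpart in this commit, no retry is attempted when the ACL check fails; if group or set evaluation can fail transiently in this backend, a comment stating why no retry is needed would help. The enclosing function starts and ends outside the hunk.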
index 615526ba4f45609447c9d16a2feec6356454d8ae..aeba5c405d6ba527c67abb3b5e48845f515a63a0 100644 (file)
@@ -4651,6 +4651,15 @@ config_back_add( Operation *op, SlapReply *rs )
                goto out;
        }
 
+       /*
+        * Check for attribute ACL
+        */
+       if ( !acl_check_modlist( op, op->ora_e, op->orm_modlist )) {
+               rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
+               rs->sr_text = "no write access to attribute";
+               goto out;
+       }
+
        cfb = (CfBackInfo *)op->o_bd->be_private;
 
        /* add opattrs for syncprov */
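Review bot: `acl_check_modlist( op, op->ora_e, op->orm_modlist )` passes the Modify request's modlist member while handling an Add operation; the back-bdb and back-ndb hunks in this same commit pass `op->ora_modlist`, and as far as I can tell `orm_modlist` and `ora_modlist` are distinct members of the operation's request union, so the check here is evaluated against the wrong storage. The line should read `if ( !acl_check_modlist( op, op->ora_e, op->ora_modlist )) {`. config_back_add continues outside the hunk in both directions.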
index bfcabfc491e925741006cb83619712432f62bd0a..64cde948c73521677ea45d1c0cbe403cce2d69ee 100644 (file)
@@ -55,6 +55,7 @@ rootpw                secret
 
 #access                to attrs=objectclass dn.subtree="dc=example,dc=com"
 access         to attrs=objectclass
+               by dn.exact="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" add
                by * =rsc stop
 
 #access                to filter="(objectclass=person)" attrs=userpassword dn.subtree="dc=example,dc=com"
index eacc2ec8ad800a52fccac3fc094bc73873652dd9..bb9ebbf10d75948753c1e6af6780bb52757ee610 100644 (file)
@@ -66,19 +66,21 @@ access to dn.base="ou=Groups,dc=example,dc=com"
         by users write
 
 access to dn.onelevel="ou=Groups,dc=example,dc=com"
-                attrs=entry
-        by dnattr=creatorsName write
+                attrs=entryTtl
+        by dnattr=member manage
         by * read
 
 access to dn.onelevel="ou=Groups,dc=example,dc=com"
-                attrs=member
         by dnattr=creatorsName write
-        by users selfwrite
+        by * break
+
+access to dn.onelevel="ou=Groups,dc=example,dc=com"
+                attrs=entry
         by * read
 
 access to dn.onelevel="ou=Groups,dc=example,dc=com"
-                attrs=entryTtl
-        by dnattr=member manage
+                attrs=member
+        by users selfwrite
         by * read
 
 access to *
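Review bot: The new attribute-less clause ends with `by * break`, so a requester who is not the creator continues to the later `attrs=entry` and `attrs=member` clauses instead of stopping with no access; the clause order now carries the intent of the fixture. A one-line comment above it, such as `# creator gets write here; everyone else continues to the per-attribute clauses below`, would make that ordering dependency visible to whoever next edits this test config.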