manageDIT framework and obsolete objectclasses/DIT-content-rule override
authorKurt Zeilenga <kurt@openldap.org>
Fri, 13 May 2005 19:07:31 +0000 (19:07 +0000)
committerKurt Zeilenga <kurt@openldap.org>
Fri, 13 May 2005 19:07:31 +0000 (19:07 +0000)
16 files changed:
servers/slapd/back-bdb/add.c
servers/slapd/back-bdb/init.c
servers/slapd/back-bdb/modify.c
servers/slapd/back-ldbm/add.c
servers/slapd/back-ldbm/modify.c
servers/slapd/back-ldif/ldif.c
servers/slapd/back-monitor/log.c
servers/slapd/back-sql/add.c
servers/slapd/back-sql/modify.c
servers/slapd/back-sql/modrdn.c
servers/slapd/bconfig.c
servers/slapd/modify.c
servers/slapd/proto-slap.h
servers/slapd/schema_check.c
servers/slapd/slapadd.c
servers/slapd/slapi/slapi_utils.c

index 7db122d5bf4e25e72b60bf8ada3e431ce232f040..6b9baee6bfd9cc3d47f332b7e0264e4600a8100b 100644 (file)
@@ -52,8 +52,8 @@ bdb_add(Operation *op, SlapReply *rs )
        ctrls[num_ctrls] = 0;
 
        /* check entry's schema */
-       rs->sr_err = entry_schema_check( op->o_bd, op->oq_add.rs_e,
-               NULL, &rs->sr_text, textbuf, textlen );
+       rs->sr_err = entry_schema_check( op->o_bd, op->oq_add.rs_e, NULL, 0,
+               &rs->sr_text, textbuf, textlen );
        if ( rs->sr_err != LDAP_SUCCESS ) {
                Debug( LDAP_DEBUG_TRACE,
                        LDAP_XSTRING(bdb_add) ": entry failed schema check: "
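Review bot: The literal `0` passed as the new manage argument in this `entry_schema_check` call means bdb_add never relaxes the OBSOLETE checks, yet back-bdb/init.c in this same commit adds `LDAP_CONTROL_MANAGEDIT` to the backend's control list. Within the visible hunks only bdb_modify_internal reads `get_manageDIT(op)`, so an add carrying the control would presumably be accepted and then checked as if the control were absent. That fails closed, but the gap should be recorded at the call, for example `/* manageDIT is not honoured on add yet: manage is always 0 */`. The same literal `0` is passed by the back-ldbm, back-ldif, back-sql, back-monitor, bconfig and slapi callers; bdb_add's body starts and ends outside this hunk.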
@@ -191,8 +191,8 @@ retry:      /* transaction retry */
                        }
 
                        Debug( LDAP_DEBUG_TRACE,
-                               LDAP_XSTRING(bdb_add) ": no write access "
-                               "to parent\n", 0, 0, 0 );
+                               LDAP_XSTRING(bdb_add) ": no write access to parent\n",
+                               0, 0, 0 );
                        rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
                        rs->sr_text = "no write access to parent";
                        goto return_results;;
index b63961f027b19353fdea6fb262178d1094685edd..64ba497ce4b51b7e25911bd2052367a1a5425322 100644 (file)
@@ -650,6 +650,7 @@ bdb_back_initialize(
        static char *controls[] = {
                LDAP_CONTROL_ASSERT,
                LDAP_CONTROL_MANAGEDSAIT,
+               LDAP_CONTROL_MANAGEDIT,
                LDAP_CONTROL_NOOP,
                LDAP_CONTROL_PAGEDRESULTS,
 #ifdef LDAP_CONTROL_SUBENTRIES
index 1f8af04ce46746ed0b7a4c659e990a01ea89211a..edaf3720b56155e346c09874d33a4fcd711cbb41 100644 (file)
@@ -42,10 +42,21 @@ int bdb_modify_internal(
        Attribute       *save_attrs;
        Attribute       *ap;
        int                     glue_attr_delete = 0;
+       int     manage=0;
 
        Debug( LDAP_DEBUG_TRACE, "bdb_modify_internal: 0x%08lx: %s\n",
                e->e_id, e->e_dn, 0);
 
+       if( get_manageDIT(op) ) {
+               AttributeDescription *entry = slap_schema.si_ad_entry;
+               if( !access_allowed( op, e, entry, NULL, ACL_MANAGE, NULL )) {
+                       *text = "not authorized to manage entry";
+                       return LDAP_INSUFFICIENT_ACCESS;
+               }
+
+               manage = 1;
+       }
+
        if ( !acl_check_modlist( op, e, modlist )) {
                return LDAP_INSUFFICIENT_ACCESS;
        }
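Review bot: The new manageDIT branch returns `LDAP_INSUFFICIENT_ACCESS` without any log line, so a client that asks for the control and is refused ACL_MANAGE leaves no trace even at trace level. Because this is a denied request for a schema override, a line before the return such as `Debug( LDAP_DEBUG_TRACE, "bdb_modify_internal: no manage access to entry\n", 0, 0, 0 );` would match the logging bdb_add uses for its write-access denial. The `acl_check_modlist` failure just below returns the same code without setting `*text`, so the two denials are reported differently to the client. The function body starts and ends outside the hunk.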
@@ -196,7 +207,8 @@ int bdb_modify_internal(
        }
 
        /* check that the entry still obeys the schema */
-       rc = entry_schema_check( op->o_bd, e, save_attrs, text, textbuf, textlen );
+       rc = entry_schema_check( op->o_bd, e, save_attrs, manage,
+               text, textbuf, textlen );
        if ( rc != LDAP_SUCCESS || op->o_noop ) {
                attrs_free( e->e_attrs );
                /* clear the indexing flags */
index 25cb07cc0b6e9ab8a02607b2db4da503e6e6defd..1425cb461e509450aa20dd02adf76669cd613f8d 100644 (file)
@@ -45,7 +45,7 @@ ldbm_back_add(
        Debug(LDAP_DEBUG_ARGS, "==> ldbm_back_add: %s\n",
                op->o_req_dn.bv_val, 0, 0);
        
-       rs->sr_err = entry_schema_check( op->o_bd, op->oq_add.rs_e, NULL,
+       rs->sr_err = entry_schema_check( op->o_bd, op->oq_add.rs_e, NULL, 0,
                &rs->sr_text, textbuf, textlen );
 
        if ( rs->sr_err != LDAP_SUCCESS ) {
index 3e34178d209f796f1b97300d9e1dc52202a492e6..e2a9122643c7761f006470fae71f502c3cdb450d 100644 (file)
@@ -164,8 +164,8 @@ int ldbm_modify_internal(
        }
 
        /* check that the entry still obeys the schema */
-       rc = entry_schema_check( op->o_bd, e, save_attrs, text, textbuf, textlen );
-
+       rc = entry_schema_check( op->o_bd, e, save_attrs, 0,
+               text, textbuf, textlen );
        if ( rc != LDAP_SUCCESS ) {
                Debug( LDAP_DEBUG_ANY, "entry failed schema check: %s\n",
                        *text, 0, 0 );
index 10f7a523d10e37946a74f3ae87b96bda52e97dca..1f3cdf60c87801f10bd4511bde5329c24b9761ee 100644 (file)
@@ -553,8 +553,8 @@ static int apply_modify_to_entry(Entry * entry,
                        entry->e_ocflags = 0;
                }
                /* check that the entry still obeys the schema */
-               rc = entry_schema_check(op->o_bd, entry, NULL,
-                                 &rs->sr_text, textbuf, sizeof( textbuf ) );
+               rc = entry_schema_check(op->o_bd, entry, NULL, 0,
+                         &rs->sr_text, textbuf, sizeof( textbuf ) );
        }
        return rc;
 }
@@ -760,8 +760,8 @@ static int ldif_back_add(Operation *op, SlapReply *rs) {
        int statres;
        char textbuf[SLAP_TEXT_BUFLEN];
 
-       rs->sr_err = entry_schema_check(op->o_bd, e,
-                                 NULL, &rs->sr_text, textbuf, sizeof( textbuf ) );
+       rs->sr_err = entry_schema_check(op->o_bd, e, NULL, 0,
+               &rs->sr_text, textbuf, sizeof( textbuf ) );
        if ( rs->sr_err != LDAP_SUCCESS ) goto send_res;
                                
        ldap_pvt_thread_mutex_lock(&ni->li_mutex);
index 607b6354a4c0a51e02068436680d7797243cd4f9..d54b572ee78d818261023f3132121538d4e9b1ee 100644 (file)
@@ -197,8 +197,8 @@ monitor_subsys_log_modify(
                }
 
                /* check that the entry still obeys the schema */
-               rc = entry_schema_check( be_monitor, e, save_attrs, 
-                               &text, textbuf, sizeof( textbuf ) );
+               rc = entry_schema_check( be_monitor, e, save_attrs, 0,
+                       &text, textbuf, sizeof( textbuf ) );
                if ( rc != LDAP_SUCCESS ) {
                        rs->sr_err = rc;
                        goto cleanup;
index 03accfc5ea0f871b838d3293f2af69eccbacab34..8b1144d126d7ad7fe13bfca7afa7a0292f5b0fc4 100644 (file)
@@ -989,9 +989,8 @@ backsql_add( Operation *op, SlapReply *rs )
        if ( BACKSQL_CHECK_SCHEMA( bi ) ) {
                char            textbuf[ SLAP_TEXT_BUFLEN ] = { '\0' };
 
-               rs->sr_err = entry_schema_check( op->o_bd, op->ora_e,
-                               NULL,
-                               &rs->sr_text, textbuf, sizeof( textbuf ) );
+               rs->sr_err = entry_schema_check( op->o_bd, op->ora_e, NULL, 0,
+                       &rs->sr_text, textbuf, sizeof( textbuf ) );
                if ( rs->sr_err != LDAP_SUCCESS ) {
                        Debug( LDAP_DEBUG_TRACE, "   backsql_add(\"%s\"): "
                                "entry failed schema check -- aborting\n",
index b75697a2d82765b148b56b81c9b28f771aa8b34c..6b192631e2ccbff998b89ea38c0bc6e8079171d6 100644 (file)
@@ -167,9 +167,8 @@ backsql_modify( Operation *op, SlapReply *rs )
                        goto do_transact;
                }
 
-               rs->sr_err = entry_schema_check( op->o_bd, &m,
-                               NULL,
-                               &rs->sr_text, textbuf, sizeof( textbuf ) );
+               rs->sr_err = entry_schema_check( op->o_bd, &m, NULL, 0,
+                       &rs->sr_text, textbuf, sizeof( textbuf ) );
                if ( rs->sr_err != LDAP_SUCCESS ) {
                        Debug( LDAP_DEBUG_TRACE, "   backsql_add(\"%s\"): "
                                "entry failed schema check -- aborting\n",
index 7c6c36baeae093deb76b9ad86e3539dd4dc79364..ade189bae898b3cae7811c982b0e9906f20737de 100644 (file)
@@ -495,9 +495,8 @@ backsql_modrdn( Operation *op, SlapReply *rs )
 
                e_id = bsi.bsi_base_id;
 
-               rs->sr_err = entry_schema_check( op->o_bd, &r,
-                               NULL,
-                               &rs->sr_text, textbuf, sizeof( textbuf ) );
+               rs->sr_err = entry_schema_check( op->o_bd, &r, NULL, 0,
+                       &rs->sr_text, textbuf, sizeof( textbuf ) );
                if ( rs->sr_err != LDAP_SUCCESS ) {
                        Debug( LDAP_DEBUG_TRACE, "   backsql_add(\"%s\"): "
                                "entry failed schema check -- aborting\n",
index 356ba2f46534107a71ce2ebd8f9abac5b15f66c8..3a1d41969b93f46653e1ecd2059b007a49836c03 100644 (file)
@@ -3305,8 +3305,8 @@ config_modify_internal( CfEntryInfo *ce, Operation *op, SlapReply *rs,
        
        if(rc == LDAP_SUCCESS) {
                /* check that the entry still obeys the schema */
-               rc = entry_schema_check(op->o_bd, e, NULL,
-                                 &rs->sr_text, ca->msg, sizeof(ca->msg) );
+               rc = entry_schema_check(op->o_bd, e, NULL, 0,
+                       &rs->sr_text, ca->msg, sizeof(ca->msg) );
        }
        if ( rc == LDAP_SUCCESS ) {
                /* Basic syntax checks are OK. Do the actual settings. */
index f80cebdf66a833066b535c764fdac3ac89343c70..f33d3e44b8da184bf26d6e7ffb58647df3947a0f 100644 (file)
@@ -187,7 +187,7 @@ do_modify(
        }
 
        rs->sr_err = slap_mods_check( modlist, &rs->sr_text,
-                       textbuf, textlen, NULL );
+               textbuf, textlen, NULL );
 
        if ( rs->sr_err != LDAP_SUCCESS ) {
                send_ldap_result( op, rs );
@@ -442,8 +442,6 @@ fe_op_modify( Operation *op, SlapReply *rs )
                                }
                        }
 
-
-
                        if ( !repl_user ) {
                                for( modtail = &modlist;
                                        *modtail != NULL;
index 1250297aa396d462dc71292166b45c39857219f0..c8c2095d2f90045ee28942f9ccea103198528ede 100644 (file)
@@ -1272,7 +1272,10 @@ LDAP_SLAPD_F( int ) structural_class(
        char *textbuf, size_t textlen );
 
 LDAP_SLAPD_F( int ) entry_schema_check(
-       Backend *be, Entry *e, Attribute *attrs,
+       Backend *be,
+       Entry *e,
+       Attribute *attrs,
+       int manage,
        const char** text,
        char *textbuf, size_t textlen );
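Review bot: The new `int manage` parameter is an authorization-dependent switch, and the prototype says nothing about its contract. Judging from schema_check.c in this commit it disables only the OBSOLETE tests (structural class, content rule, object classes, naming attribute), and the one caller that sets it, bdb_modify_internal, does so after `access_allowed( ..., ACL_MANAGE, ... )` succeeds. I would add above the declaration: `/* manage: nonzero skips the OBSOLETE checks; the caller must have verified ACL_MANAGE on the entry first */`.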
 
index cdf21460cae777dbd8e7203d8f1b37cbe3e2007b..1d47ff4365ecb1f3f5ef508518fc089e9e42a973 100644 (file)
@@ -31,6 +31,7 @@ static char * oc_check_required(
 
 static int entry_naming_check(
        Entry *e,
+       int manage,
        const char** text,
        char *textbuf, size_t textlen );
 /*
@@ -45,6 +46,7 @@ entry_schema_check(
        Backend *be,
        Entry *e,
        Attribute *oldattrs,
+       int manage,
        const char** text,
        char *textbuf, size_t textlen )
 {
@@ -151,7 +153,7 @@ entry_schema_check(
                return LDAP_OTHER;
        }
 
-       if( sc->soc_obsolete ) {
+       if( !manage && sc->soc_obsolete ) {
                snprintf( textbuf, textlen, 
                        "structuralObjectClass '%s' is OBSOLETE",
                        asc->a_vals[0].bv_val );
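Review bot: When `manage` is nonzero this test now lets an OBSOLETE structural class through silently, and entry_schema_check has no way to confirm that the caller was authorized to ask for that. A trace line ahead of the test would leave a record that the override was used, for example `if( manage && sc->soc_obsolete ) Debug( LDAP_DEBUG_TRACE, "entry_schema_check: manage override of OBSOLETE structuralObjectClass\n", 0, 0, 0 );`. The same applies to the `!manage &&` guards added for the content rule, the objectClass loop and the naming attribute in entry_naming_check. The function body lies outside this hunk.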
@@ -201,7 +203,7 @@ entry_schema_check(
 
        /* naming check */
        if ( !is_entry_objectclass ( e, slap_schema.si_oc_glue, 0 ) ) {
-               rc = entry_naming_check( e, text, textbuf, textlen );
+               rc = entry_naming_check( e, manage, text, textbuf, textlen );
                if( rc != LDAP_SUCCESS ) {
                        return rc;
                }
@@ -217,7 +219,7 @@ entry_schema_check(
 
        /* check that the entry has required attrs of the content rule */
        if( cr ) {
-               if( cr->scr_obsolete ) {
+               if( !manage && cr->scr_obsolete ) {
                        snprintf( textbuf, textlen, 
                                "content rule '%s' is obsolete",
                                ldap_contentrule2name( &cr->scr_crule ));
@@ -292,7 +294,7 @@ entry_schema_check(
                        return LDAP_OBJECT_CLASS_VIOLATION;
                }
 
-               if ( oc->soc_obsolete ) {
+               if ( !manage && oc->soc_obsolete ) {
                        /* disallow obsolete classes */
                        snprintf( textbuf, textlen, 
                                "objectClass '%s' is OBSOLETE",
@@ -727,6 +729,7 @@ int mods_structural_class(
 static int
 entry_naming_check(
        Entry *e,
+       int manage,
        const char** text,
        char *textbuf, size_t textlen )
 {
@@ -787,7 +790,7 @@ entry_naming_check(
                        break;
                }
 
-               if( desc->ad_type->sat_obsolete ) {
+               if( !manage && desc->ad_type->sat_obsolete ) {
                        snprintf( textbuf, textlen, 
                                "naming attribute '%s' is obsolete",
                                ava->la_attr.bv_val );
index 1ee67a86b42e2f162bd776058b4485cf20e8e007..ac66a3f00864a38ed6b9f74d2b03b16b33869053 100644 (file)
@@ -53,6 +53,7 @@ slapadd( int argc, char **argv )
        char textbuf[SLAP_TEXT_BUFLEN] = { '\0' };
        size_t textlen = sizeof textbuf;
        const char *progname = "slapadd";
+       int manage = 0; 
 
        struct berval csn;
        struct berval maxcsn;
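Review bot: `int manage = 0;` is never assigned in the visible hunks, so the later `entry_schema_check( be, e, NULL, manage, ...)` call in slapadd always passes 0, exactly like the callers that use a literal. If the variable is a placeholder for a future command-line switch, the declaration should say so, for example `int manage = 0; /* no option sets this yet; OBSOLETE checks always apply */`. The added line also ends in trailing whitespace. slapadd's body starts and ends outside the hunk, so an assignment elsewhere cannot be ruled out.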
@@ -181,7 +182,8 @@ slapadd( int argc, char **argv )
                        }
 
                        /* check schema */
-                       rc = entry_schema_check( be, e, NULL, &text, textbuf, textlen );
+                       rc = entry_schema_check( be, e, NULL, manage,
+                               &text, textbuf, textlen );
 
                        if( rc != LDAP_SUCCESS ) {
                                fprintf( stderr, "%s: dn=\"%s\" (line=%d): (%d) %s\n",
index 7590a93912675a39341fcd935ed42dea638bd9a2..1adeb85086284b2b9aa2744a2915492fc8f91375 100644 (file)
@@ -4118,7 +4118,8 @@ int slapi_entry_schema_check( Slapi_PBlock *pb, Slapi_Entry *e )
        if ( slapi_pblock_get( pb, SLAPI_BACKEND, (void **)&be ) != 0 )
                return -1;
 
-       rc = entry_schema_check( be, e, NULL, &text, textbuf, textlen );
+       rc = entry_schema_check( be, e, NULL, 0,
+               &text, textbuf, textlen );
 
        return ( rc == LDAP_SUCCESS ) ? 0 : 1;
 #else