From: Kurt Zeilenga
Date: Fri, 13 May 2005 21:09:26 +0000 (+0000)
Subject: Additional manageDIT changes.
X-Git-Tag: OPENLDAP_AC_BP~636
X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=31727f0f4dc04e6d9d7303e0c0910a0eb673d763;p=openldap

Additional manageDIT changes.
Now require be_isroot() instead of "manage".
---
diff --git a/servers/slapd/back-bdb/add.c b/servers/slapd/back-bdb/add.c
index 6b9baee6bf..4ef340e92b 100644
--- a/servers/slapd/back-bdb/add.c
+++ b/servers/slapd/back-bdb/add.c
@@ -52,8 +52,8 @@ bdb_add(Operation *op, SlapReply *rs )
 ctrls[num_ctrls] = 0;
 
 /* check entry's schema */
- rs->sr_err = entry_schema_check( op->o_bd, op->oq_add.rs_e, NULL, 0,
- &rs->sr_text, textbuf, textlen );
+ rs->sr_err = entry_schema_check( op->o_bd, op->oq_add.rs_e, NULL,
+ get_manageDIT(op), &rs->sr_text, textbuf, textlen );
 if ( rs->sr_err != LDAP_SUCCESS ) {
 Debug( LDAP_DEBUG_TRACE,
 LDAP_XSTRING(bdb_add) ": entry failed schema check: "
diff --git a/servers/slapd/back-bdb/init.c b/servers/slapd/back-bdb/init.c
index 64ba497ce4..b63961f027 100644
--- a/servers/slapd/back-bdb/init.c
+++ b/servers/slapd/back-bdb/init.c
@@ -650,7 +650,6 @@ bdb_back_initialize(
 static char *controls[] = {
 LDAP_CONTROL_ASSERT,
 LDAP_CONTROL_MANAGEDSAIT,
- LDAP_CONTROL_MANAGEDIT,
 LDAP_CONTROL_NOOP,
 LDAP_CONTROL_PAGEDRESULTS,
 #ifdef LDAP_CONTROL_SUBENTRIES
diff --git a/servers/slapd/back-bdb/modify.c b/servers/slapd/back-bdb/modify.c
index edaf3720b5..7e85e8b322 100644
--- a/servers/slapd/back-bdb/modify.c
+++ b/servers/slapd/back-bdb/modify.c
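Review bot: The `manage` argument handed to entry_schema_check in bdb_add is now whatever get_manageDIT(op) returns, with no authorization left in the backend; the commit relies on the be_isroot() test it adds to backend_check_controls, so bdb_add now assumes every caller came through that frontend path, which this hunk cannot confirm. I would state the assumption at the call: `/* a non-zero manage flag bypasses NO-USER-MODIFICATION; the frontend has already required be_isroot() for ManageDIT */`. get_manageDIT() is not defined in this diff — if it yields the raw control state, SLAP_CONTROL_IGNORED (1, per the slap.h hunk) is non-zero and would also switch the bypass on, so comparing against the critical/non-critical states would be the safer spelling. The rest of bdb_add lies outside the hunk.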
@@ -42,21 +42,10 @@ int bdb_modify_internal(
 Attribute *save_attrs;
 Attribute *ap;
 int glue_attr_delete = 0;
- int manage=0;
 
 Debug( LDAP_DEBUG_TRACE, "bdb_modify_internal: 0x%08lx: %s\n",
 e->e_id, e->e_dn, 0);
 
- if( get_manageDIT(op) ) {
- AttributeDescription *entry = slap_schema.si_ad_entry;
- if( !access_allowed( op, e, entry, NULL, ACL_MANAGE, NULL )) {
- *text = "not authorized to manage entry";
- return LDAP_INSUFFICIENT_ACCESS;
- }
-
- manage = 1;
- }
-
 if ( !acl_check_modlist( op, e, modlist )) {
 return LDAP_INSUFFICIENT_ACCESS;
 }
@@ -207,7 +196,7 @@ int bdb_modify_internal(
 }
 
 /* check that the entry still obeys the schema */
- rc = entry_schema_check( op->o_bd, e, save_attrs, manage,
+ rc = entry_schema_check( op->o_bd, e, save_attrs, get_manageDIT(op),
 text, textbuf, textlen );
 if ( rc != LDAP_SUCCESS || op->o_noop ) {
 attrs_free( e->e_attrs );
diff --git a/servers/slapd/backend.c b/servers/slapd/backend.c
index be7c78de35..4552a6ac1c 100644
--- a/servers/slapd/backend.c
+++ b/servers/slapd/backend.c
@@ -98,8 +98,7 @@ int backend_init(void)
 return -1;
 }
 
- for( bi=slap_binfo; bi->bi_type != NULL; bi++,nBackendInfo++ )
- {
+ for( bi=slap_binfo; bi->bi_type != NULL; bi++,nBackendInfo++ ) {
 assert( bi->bi_init );
 
 rc = bi->bi_init( bi );
@@ -855,6 +854,12 @@ backend_check_controls(
 }
 }
 
+ /* check should be generalized */
+ if( get_manageDIT(op) && !be_isroot(op)) {
+ rs->sr_text = "requires manager authorization";
+ rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
+ }
+
 done:;
 return rs->sr_err;
 }
diff --git a/servers/slapd/controls.c b/servers/slapd/controls.c
index e44ad67c94..7360e06fcb 100644
--- a/servers/slapd/controls.c
+++ b/servers/slapd/controls.c
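Review bot: Removing the ACL_MANAGE test from bdb_modify_internal leaves no authorization step in the backend between the ManageDIT control being present and the NO-USER-MODIFICATION bypass passed to entry_schema_check in the second hunk; the decision now lives only in the frontend's be_isroot() test, so this function silently depends on every caller having gone through backend_check_controls. Whether bdb_modify_internal has other entry points is not visible here, so the contract should be written down where the check used to be: `/* ManageDIT bypass of NO-USER-MODIFICATION below: authorization (be_isroot) is enforced by the frontend before the op reaches this backend */`. The removed code answered LDAP_INSUFFICIENT_ACCESS while the frontend now answers LDAP_UNWILLING_TO_PERFORM, so clients keyed on the old result code will see a change worth a line in the commit message. The function body continues outside the hunk.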
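Review bot: The ManageDIT test appended to backend_check_controls hardcodes one control by name even though this same commit introduces SLAP_CTRL_REQUIRES_ROOT in slap.h, which nothing in the diff sets or reads, so the `/* check should be generalized */` remark is the only trace of the intended design and the flag is dead code. A generic form would test the bit from the control definition inside the loop — roughly `if ( ( ctrl->sc_mask & SLAP_CTRL_REQUIRES_ROOT ) && !be_isroot( op ) )`, with the loop variable named as it is in the part of the function outside this hunk — and set the bit on LDAP_CONTROL_MANAGEDIT in control_defs. As placed, the test is skipped by any `goto done` taken earlier and overwrites whatever rs->sr_err the loop left behind; both look intended but deserve a sentence in the comment. A non-root bind gets LDAP_UNWILLING_TO_PERFORM rather than LDAP_INSUFFICIENT_ACCESS — if that is deliberate, say so, since the rest of the authorization path uses the latter. The start of backend_check_controls is outside the hunk.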
@@ -164,7 +164,7 @@ static struct slap_control control_defs[] = {
 #endif
 { LDAP_CONTROL_MANAGEDIT,
 (int)offsetof(struct slap_control_ids, sc_manageDIT),
- SLAP_CTRL_ACCESS, NULL,
+ SLAP_CTRL_GLOBAL|SLAP_CTRL_UPDATE, NULL,
 parseManageDIT, LDAP_SLIST_ENTRY_INITIALIZER(next) },
 { LDAP_CONTROL_MANAGEDSAIT,
 (int)offsetof(struct slap_control_ids, sc_manageDSAit),
@@ -410,8 +410,8 @@ slap_global_control( Operation *op, const char *oid, int *cid )
 if ( cid ) *cid = ctrl->sc_cid;
 if ( ( ctrl->sc_mask & SLAP_CTRL_GLOBAL ) ||
- ( ( op->o_tag & LDAP_REQ_SEARCH ) &&
- ( ctrl->sc_mask & SLAP_CTRL_GLOBAL_SEARCH ) ) )
+ ( ( op->o_tag & LDAP_REQ_SEARCH ) &&
+ ( ctrl->sc_mask & SLAP_CTRL_GLOBAL_SEARCH ) ) )
 {
 return LDAP_COMPARE_TRUE;
 }
diff --git a/servers/slapd/schema_prep.c b/servers/slapd/schema_prep.c
index c22c935a98..e6d66910ca 100644
--- a/servers/slapd/schema_prep.c
+++ b/servers/slapd/schema_prep.c
@@ -449,7 +449,7 @@ static struct slap_schema_ad_map {
 "EQUALITY objectIdentifierMatch "
 "SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 "
 "SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )",
- NULL, 0,
+ NULL, SLAP_AT_MANAGEABLE,
 oidValidate, objectClassPretty, NULL, NULL, objectSubClassMatch, objectSubClassIndexer, objectSubClassFilter,
@@ -460,7 +460,7 @@ static struct slap_schema_ad_map {
 "ORDERING generalizedTimeOrderingMatch "
 "SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 "
 "SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )",
- NULL, 0,
+ NULL, SLAP_AT_MANAGEABLE,
 NULL, NULL, NULL, NULL, NULL, NULL, NULL, offsetof(struct slap_internal_schema, si_ad_createTimestamp) },
@@ -470,7 +470,7 @@ static struct slap_schema_ad_map {
 "ORDERING generalizedTimeOrderingMatch "
 "SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 "
 "SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )",
- NULL, 0,
+ NULL, SLAP_AT_MANAGEABLE,
 NULL, NULL, NULL, NULL, NULL, NULL, NULL, offsetof(struct slap_internal_schema, si_ad_modifyTimestamp) },
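Review bot: The new mask `SLAP_CTRL_GLOBAL|SLAP_CTRL_UPDATE` drops SLAP_CTRL_ACCESS but does not pick up the SLAP_CTRL_REQUIRES_ROOT bit this same commit adds to slap.h, so the root requirement exists only as a hardcoded test in backend.c and the control definition no longer says anything about who may use it. The property belongs here: `SLAP_CTRL_GLOBAL|SLAP_CTRL_UPDATE|SLAP_CTRL_REQUIRES_ROOT, NULL,` once backend_check_controls is taught to honour the bit. Making the control global also means slap_global_control() (second hunk of this file) accepts it for every backend, which is why back-bdb stops advertising it; a one-line comment on this entry noting that be_isroot(), not the backend, authorizes it would save the next reader a trip through three files. control_defs[] starts outside the hunk.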
@@ -479,7 +479,7 @@ static struct slap_schema_ad_map {
 "EQUALITY distinguishedNameMatch "
 "SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 "
 "SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )",
- NULL, 0,
+ NULL, SLAP_AT_MANAGEABLE,
 NULL, NULL, NULL, NULL, NULL, NULL, NULL, offsetof(struct slap_internal_schema, si_ad_creatorsName) },
@@ -488,7 +488,7 @@ static struct slap_schema_ad_map {
 "EQUALITY distinguishedNameMatch "
 "SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 "
 "SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )",
- NULL, 0,
+ NULL, SLAP_AT_MANAGEABLE,
 NULL, NULL, NULL, NULL, NULL, NULL, NULL, offsetof(struct slap_internal_schema, si_ad_modifiersName) },
@@ -845,6 +845,8 @@ static struct slap_schema_ad_map {
 NULL, NULL, NULL, NULL, NULL, NULL, NULL, offsetof(struct slap_internal_schema, si_ad_children) },
+
+ /* access control externals */
 { "authzTo", "( 1.3.6.1.4.1.4203.666.1.8 "
 "NAME ( 'authzTo' 'saslAuthzTo' ) "
 "DESC 'proxy authorization targets' "
diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h
index c3f862740a..dfda761af6 100644
--- a/servers/slapd/slap.h
+++ b/servers/slapd/slap.h
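Review bot: Marking creatorsName and modifiersName SLAP_AT_MANAGEABLE (as the preceding hunks do for structuralObjectClass and the two timestamps) lets a ManageDIT request from the rootdn rewrite the provenance metadata slapd itself maintains; that is what a restore or replica load needs, but it also removes the audit value of those attributes, and the trade-off is not recorded anywhere in the diff. Where the flag is consumed is not visible here, so I would at least put a comment on the first such entry: `/* SLAP_AT_MANAGEABLE: NO-USER-MODIFICATION may be overridden under ManageDIT (rootdn only); keep this list to attributes a restore or replica load must set */`. Whether other operational attributes in this table (entryUUID, entryCSN, if present) were deliberately left out cannot be seen from the hunk; a sentence saying why these five were chosen would stop the next person from extending the list casually. The slap_schema_ad_map table starts and ends outside the hunk.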
@@ -658,20 +658,23 @@ typedef struct slap_attribute_type {
 AttributeTypeSchemaCheckFN *sat_check;
 char *sat_oidmacro;
-#define SLAP_AT_NONE 0x0000U
-#define SLAP_AT_ABSTRACT 0x0100U /* cannot be instantiated */
-#define SLAP_AT_FINAL 0x0200U /* cannot be subtyped */
+#define SLAP_AT_NONE 0x0000U
+#define SLAP_AT_ABSTRACT 0x0100U /* cannot be instantiated */
+#define SLAP_AT_FINAL 0x0200U /* cannot be subtyped */
 #ifdef LDAP_DEVEL
-#define SLAP_AT_HIDE 0x0000U /* publish everything */
+#define SLAP_AT_HIDE 0x0000U /* publish everything */
 #else
-#define SLAP_AT_HIDE 0x8000U /* hide attribute */
+#define SLAP_AT_HIDE 0x8000U /* hide attribute */
 #endif
-#define SLAP_AT_DYNAMIC 0x0400U /* dynamically generated */
+#define SLAP_AT_DYNAMIC 0x0400U /* dynamically generated */
+
+#define SLAP_AT_MANAGEABLE 0x0800U /* no-user-mod can be by-passed */
 #define SLAP_AT_ORDERED_VAL 0x0001U /* values are ordered */
 #define SLAP_AT_ORDERED_SIB 0x0002U /* siblings are ordered */
-#define SLAP_AT_ORDERED 0x0003U /* value has order index */
-#define SLAP_AT_HARDCODE 0x10000U /* This is hardcoded schema */
+#define SLAP_AT_ORDERED 0x0003U /* value has order index */
+
+#define SLAP_AT_HARDCODE 0x10000U /* hardcoded schema */
 slap_mask_t sat_flags;
@@ -2354,6 +2357,9 @@ typedef struct slap_op {
 char o_do_not_cache; /* don't cache groups from this op */
 char o_is_auth_check; /* authorization in progress */
+ char o_nocaching;
+ char o_delete_glue_parent;
+
 #define SLAP_CONTROL_NONE 0
 #define SLAP_CONTROL_IGNORED 1
 #define SLAP_CONTROL_NONCRITICAL 2
@@ -2445,9 +2451,6 @@ typedef struct slap_op {
 LDAP_STAILQ_ENTRY(slap_op) o_next; /* next operation in list */
- int o_nocaching;
- int o_delete_glue_parent;
-
 } Operation;
 #define OPERATION_BUFFER_SIZE (sizeof(Operation)+sizeof(Opheader)+SLAP_MAX_CIDS*sizeof(void *))
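Review bot: The comment on the new flag, `/* no-user-mod can be by-passed */`, does not say by whom, and that is the whole security property of the bit; `/* NO-USER-MODIFICATION may be overridden by a ManageDIT operation (be_isroot only) */` would match what backend.c enforces in this commit. The value 0x0800U sits between SLAP_AT_DYNAMIC (0x0400U) and SLAP_AT_HIDE (0x8000U) and collides with no sat_flags bit visible here, but nothing in the diff reads the flag, so the place where entry_schema_check honours it cannot be checked from this change. The struct slap_attribute_type definition starts outside the hunk.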
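Review bot: `char o_nocaching;` and `char o_delete_glue_parent;` narrow two fields that were `int` at the tail of struct slap_op, which is only safe if every writer stores a 0/1 flag; none of the writers are in this diff, so that should be confirmed before the type change lands. Moving them into the middle of the struct also shifts the offsets of every later member, so any separately built overlay or module compiled against the previous slap.h must be rebuilt — presumably acceptable on this branch, but worth a sentence in the commit message. Their neighbours carry trailing comments and these two do not; add one each once the meaning is confirmed from the code that reads them. struct slap_op continues outside the hunk.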
@@ -2672,6 +2675,8 @@ typedef struct slap_counters_t {
 #define SLAP_CTRL_HIDE 0x80000000U
 #endif
+#define SLAP_CTRL_REQUIRES_ROOT 0x40000000U /* for ManageDIT */
+
 #define SLAP_CTRL_GLOBAL 0x00800000U
 #define SLAP_CTRL_GLOBAL_SEARCH 0x00010000U /* for NOOP */