From: Howard Chu <hyc@openldap.org>
Date: Mon, 10 Mar 2003 22:07:21 +0000 (+0000)
Subject: Added op->o_is_auth_check; use ACL_AUTH instead of ACL_SEARCH/ACL_READ
X-Git-Tag: NO_SLAP_OP_BLOCKS~155
X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=40454ccec8d26babd8ddcfc50c9863032880a9a1;p=openldap

Added op->o_is_auth_check; use ACL_AUTH instead of ACL_SEARCH/ACL_READ
in access_allowed() if flag is set. Set in sasl/saslauth searches.
---

diff --git a/servers/slapd/acl.c b/servers/slapd/acl.c
index 404842ad14..f276270fbc 100644
--- a/servers/slapd/acl.c
+++ b/servers/slapd/acl.c
@@ -142,6 +142,9 @@ access_allowed(
 
 	assert( attr != NULL );
 
+	if( op && op->o_is_auth_check && (access == ACL_SEARCH || access == ACL_READ)) {
+		access = ACL_AUTH;
+	}
 	if( state && state->as_recorded && state->as_vd_ad==desc) { 
 		if( state->as_recorded & ACL_STATE_RECORDED_NV &&
 			val == NULL )
diff --git a/servers/slapd/sasl.c b/servers/slapd/sasl.c
index e763dae5a2..518db4ec92 100644
--- a/servers/slapd/sasl.c
+++ b/servers/slapd/sasl.c
@@ -438,6 +438,7 @@ slap_auxprop_lookup(
 			op.o_callback = &cb;
 			op.o_time = slap_get_time();
 			op.o_do_not_cache = 1;
+			op.o_is_auth_check = 1;
 			op.o_threadctx = conn->c_sasl_bindop->o_threadctx;
 
 			(*be->be_search)( be, conn, &op, NULL, &dn,
@@ -563,6 +564,7 @@ slap_sasl_checkpass(
 		op.o_callback = &cb;
 		op.o_time = slap_get_time();
 		op.o_do_not_cache = 1;
+		op.o_is_auth_check = 1;
 		op.o_threadctx = conn->c_sasl_bindop->o_threadctx;
 
 		(*be->be_search)( be, conn, &op, NULL, &dn,
diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c
index 3dc0158afc..775979bf1d 100644
--- a/servers/slapd/saslauthz.c
+++ b/servers/slapd/saslauthz.c
@@ -474,6 +474,7 @@ int slap_sasl_match(Connection *conn, struct berval *rule, struct berval *assert
 	op.o_callback = &cb;
 	op.o_time = slap_get_time();
 	op.o_do_not_cache = 1;
+	op.o_is_auth_check = 1;
 	op.o_threadctx = conn->c_sasl_bindop->o_threadctx;
 
 	(*be->be_search)( be, conn, &op, /*base=*/NULL, &searchbase,
@@ -634,6 +635,7 @@ void slap_sasl2dn( Connection *conn,
 	op.o_callback = &cb;
 	op.o_time = slap_get_time();
 	op.o_do_not_cache = 1;
+	op.o_is_auth_check = 1;
 	op.o_threadctx = conn->c_sasl_bindop ? conn->c_sasl_bindop->o_threadctx:
 		ldap_pvt_thread_pool_context( &connection_pool );
 
diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h
index 2c712bb977..8efac644f5 100644
--- a/servers/slapd/slap.h
+++ b/servers/slapd/slap.h
@@ -1749,6 +1749,7 @@ typedef struct slap_op {
 #define SLAP_CANCEL_DONE				0x03
 
 	char o_do_not_cache;	/* don't cache from this op */
+	char o_is_auth_check;	/* authorization in progress */
 
 #define SLAP_NO_CONTROL 0
 #define SLAP_NONCRITICAL_CONTROL 1