From: Kurt Zeilenga Date: Wed, 4 Jan 2006 01:15:47 +0000 (+0000) Subject: Fixed slapd attrs/objectclass replog issues (ITS#4298) X-Git-Tag: OPENLDAP_REL_ENG_2_3_15~4 X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=5f6043c00a7831468a4dd164fb4976a94bcc7b92;p=openldap Fixed slapd attrs/objectclass replog issues (ITS#4298) Fixed slapd-ldap password modify exop password return (ITS#4294) --- diff --git a/CHANGES b/CHANGES index 845e04bc27..a08a9e65f1 100644 --- a/CHANGES +++ b/CHANGES @@ -2,8 +2,10 @@ OpenLDAP 2.3 Change Log OpenLDAP 2.3.15 Engineering Fixed slapd strerror logging bug (ITS#4292) - Fixed slapd-ldap password modify exop password return (ITS#4294) Fixed slapd ACL add/delete fraction issue (ITS#4295) + Fixed slapd ACL users selfwrite issue (ITS#4299) + Fixed slapd attrs/objectclass replog issues (ITS#4298) + Fixed slapd-ldap password modify exop password return (ITS#4294) Build environment Disable test030-relay when threads are unavailable (ITS#4297) diff --git a/servers/slapd/acl.c b/servers/slapd/acl.c index 1779ff8e7e..5e52833b1f 100644 --- a/servers/slapd/acl.c +++ b/servers/slapd/acl.c @@ -951,6 +951,8 @@ static int acl_mask_dn( Operation *op, Entry *e, + AttributeDescription *desc, + struct berval *val, AccessControl *a, int nmatch, regmatch_t *matches, @@ -978,6 +980,27 @@ acl_mask_dn( return 1; } + if ( b->a_self ) { + const char *dummy; + int rc, match = 0; + + /* must have DN syntax */ + if ( desc->ad_type->sat_syntax != slap_schema.si_syn_distinguishedName ) return 1; + + /* check if the target is an attribute. */ + if ( val == NULL ) return 1; + + /* target is attribute, check if the attribute value + * is the op dn. + */ + rc = value_match( &match, desc, + desc->ad_type->sat_equality, 0, + val, opndn, &dummy ); + /* on match error or no match, fail the ACL clause */ + if ( rc != LDAP_SUCCESS || match != 0 ) + return 1; + } + } else if ( b->a_style == ACL_STYLE_SELF ) { struct berval ndn, selfndn; int level; 
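Review bot: In the new `b->a_self` block of `acl_mask_dn`, `desc->ad_type->sat_equality` is handed to `value_match()` without checking that the attribute type has an equality rule, and `desc` is dereferenced before any NULL check. `value_match()` is not shown here, so whether it tolerates a NULL rule is unconfirmed; a DN-syntax attribute from a locally defined schema could lack one. An ACL evaluation path should fail the clause itself rather than depend on the callee. I would add `if ( desc == NULL || desc->ad_type->sat_equality == NULL ) return 1;` ahead of the syntax test, which keeps the fail-closed behaviour the block already has for match errors. The function body starts before and continues after this hunk.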
@@ -1411,7 +1434,7 @@ slap_acl_mask( * is maintaned in a_dn_pat. */ - if ( acl_mask_dn( op, e, a, nmatch, matches, + if ( acl_mask_dn( op, e, desc, val, a, nmatch, matches, &b->a_dn, &op->o_ndn ) ) { continue; @@ -1442,7 +1465,7 @@ slap_acl_mask( ndn = op->o_ndn; } - if ( acl_mask_dn( op, e, a, nmatch, matches, + if ( acl_mask_dn( op, e, desc, val, a, nmatch, matches, &b->a_realdn, &ndn ) ) { continue; diff --git a/servers/slapd/repl.c b/servers/slapd/repl.c index f8fcec3934..a2ccdb7ab4 100644 --- a/servers/slapd/repl.c +++ b/servers/slapd/repl.c @@ -328,11 +328,22 @@ replog1( if ( ri && ri->ri_attrs ) { int is_in = ad_inlist( ml->sml_desc, ri->ri_attrs ); + /* skip if: + * 1) the attribute is not in the list, + * and it's not an exclusion list + * 2) the attribute is in the list + * and it's an exclusion list, + * and either the objectClass attribute + * has already been dealt with or + * this is not the objectClass attr + */ if ( ( !is_in && !ri->ri_exclude ) - || ( is_in && ri->ri_exclude ) ) + || ( ( is_in && ri->ri_exclude ) + && ( !ocs || a->a_desc != slap_schema.si_ad_objectClass ) ) ) { continue; } + /* If this is objectClass, see if the value is included * in any subset, otherwise drop it. */ @@ -347,11 +358,24 @@ replog1( int match = 0; for ( an = ri->ri_attrs; an->an_name.bv_val; an++ ) { if ( an->an_oc ) { + struct berval bv = an->an_name; + ocs = 1; match |= an->an_oc_exclude; - if ( ml->sml_values[i].bv_len == an->an_name.bv_len + + switch ( bv.bv_val[ 0 ] ) { + case '@': + case '+': + case '!': + bv.bv_val++; + bv.bv_len--; + break; + } + + if ( ml->sml_values[i].bv_len == bv.bv_len && !strcasecmp(ml->sml_values[i].bv_val, - an->an_name.bv_val ) ) { + bv.bv_val ) ) + { match = !an->an_oc_exclude; break; } @@ -374,7 +398,7 @@ replog1( fprintf( fp, "%s: %s\n", did, type ); first = 0; } - vals[0] = an->an_name; + vals[0] = a->a_nvals[i]; print_vals( fp, &ml->sml_desc->ad_cname, vals ); ocs = 2; } 
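Review bot: The new skip condition in the hunk at -328 tests `a->a_desc`, but this loop is driven by `ml` (`ad_inlist( ml->sml_desc, ri->ri_attrs )` just above) and nothing visible in the hunk assigns `a`. In the later hunk at -406 `a` is the iterator over `op->ora_e->e_attrs`, so this looks copied from that branch; here it would consult a stale or unset pointer when deciding which attributes reach the replication log. The same applies to `vals[0] = a->a_nvals[i];` in the hunk at -374, where the values being compared are `ml->sml_values[i]`. I would expect `ml->sml_desc != slap_schema.si_ad_objectClass` in the condition and a value taken from `ml` (for example `vals[0] = ml->sml_values[i];`) in the print; confirm this against the declarations outside the hunks.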
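Review bot: The prefix-stripped comparison in the hunk at -347 still uses `strcasecmp`, which stops only at a NUL byte, although both lengths are known at that point. Since `bv.bv_len` has just been checked equal to `ml->sml_values[i].bv_len`, `!strncasecmp( ml->sml_values[i].bv_val, bv.bv_val, bv.bv_len )` would bound the read without relying on both bervals being NUL-terminated. A one-line comment on the `switch` saying what the `@`, `+` and `!` prefixes denote in an attrs-list entry would also help the next reader. The hunk at -423 carries the same code and the same suggestion applies there with `a->a_vals[i]`.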
@@ -406,7 +430,20 @@ replog1( for ( a = op->ora_e->e_attrs ; a != NULL; a=a->a_next ) { if ( ri && ri->ri_attrs ) { int is_in = ad_inlist( a->a_desc, ri->ri_attrs ); - if ( ( !is_in && !ri->ri_exclude ) || ( is_in && ri->ri_exclude ) ) { + + /* skip if: + * 1) the attribute is not in the list, + * and it's not an exclusion list + * 2) the attribute is in the list + * and it's an exclusion list, + * and either the objectClass attribute + * has already been dealt with or + * this is not the objectClass attr + */ + if ( ( !is_in && !ri->ri_exclude ) + || ( ( is_in && ri->ri_exclude ) + && ( !ocs || a->a_desc != slap_schema.si_ad_objectClass ) ) ) + { continue; } @@ -423,11 +460,24 @@ replog1( int match = 0; for ( an = ri->ri_attrs; an->an_name.bv_val; an++ ) { if ( an->an_oc ) { + struct berval bv = an->an_name; + ocs = 1; match |= an->an_oc_exclude; - if ( a->a_vals[i].bv_len == an->an_name.bv_len + + switch ( bv.bv_val[ 0 ] ) { + case '@': + case '+': + case '!': + bv.bv_val++; + bv.bv_len--; + break; + } + + if ( a->a_vals[i].bv_len == bv.bv_len && !strcasecmp(a->a_vals[i].bv_val, - an->an_name.bv_val ) ) { + bv.bv_val ) ) + { match = !an->an_oc_exclude; break; } @@ -442,7 +492,7 @@ replog1( fprintf( fp, "changetype: add\n" ); dohdr = 0; } - vals[0] = an->an_name; + vals[0] = a->a_nvals[i]; print_vals( fp, &a->a_desc->ad_cname, vals ); } }
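Review bot: The added comment in the hunk at -406 says the attribute is skipped when objectClass "has already been dealt with", but the code tests `!ocs`, and the meaning of the `ocs` values is not stated in any visible hunk. It is set to 1 inside the value loop and to 2 after a value is printed in the modify branch; its declaration and initial value are outside the hunk. Because this condition decides which attributes are withheld from a replica, the states should be spelled out at the test so the comment can be checked against the code. For example `/* ocs: <initial value> = not yet examined, 1 = attrs list has objectClass entries, 2 = a value was written */`, with the real initial value filled in.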
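Review bot: In the hunk at -442, `vals[0] = a->a_nvals[i];` writes the normalized value, while the match just above it is made against `a->a_vals[i]`. Whether `a_nvals` is always populated for this attribute is not visible here. If the other attributes of the add record are printed from `a_vals`, the replog entry would mix presented and normalized forms. `vals[0] = a->a_vals[i];` would keep the record consistent with what was compared. If the normalized form is intended, a short comment saying so is worth adding.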