From: Kurt Zeilenga
Date: Wed, 12 Mar 2003 21:58:18 +0000 (+0000)
Subject: internal SASL searches need to be checked for "auth" access,
X-Git-Tag: OPENLDAP_REL_ENG_2_1_16~13
X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=87cfd1dd90f37a2a849eec1f19aec8ca41493680;p=openldap
internal SASL searches need to be checked for "auth" access, not "search"/"read".
---
diff --git a/servers/slapd/acl.c b/servers/slapd/acl.c
index 20935cad3d..b62b61c9a7 100644
--- a/servers/slapd/acl.c
+++ b/servers/slapd/acl.c
@@ -142,6 +142,9 @@ access_allowed(
 assert( attr != NULL );
+ if( op && op->o_is_auth_check && (access == ACL_SEARCH || access == ACL_READ)) {
+ access = ACL_AUTH;
+ }
 if( state && state->as_recorded && state->as_vd_ad==desc) {
 if( state->as_recorded & ACL_STATE_RECORDED_NV && val == NULL )
diff --git a/servers/slapd/sasl.c b/servers/slapd/sasl.c
index 355a5c3c0b..257689a1ef 100644
--- a/servers/slapd/sasl.c
+++ b/servers/slapd/sasl.c
@@ -438,6 +438,7 @@ slap_auxprop_lookup(
 op.o_callback = &cb;
 op.o_time = slap_get_time();
 op.o_do_not_cache = 1;
+ op.o_is_auth_check = 1;
 op.o_threadctx = conn->c_sasl_bindop->o_threadctx;
 (*be->be_search)( be, conn, &op, NULL, &dn,
@@ -563,6 +564,7 @@ slap_sasl_checkpass(
 op.o_callback = &cb;
 op.o_time = slap_get_time();
 op.o_do_not_cache = 1;
+ op.o_is_auth_check = 1;
 op.o_threadctx = conn->c_sasl_bindop->o_threadctx;
 (*be->be_search)( be, conn, &op, NULL, &dn,
diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c
index 763094d714..50c6b5fd67 100644
--- a/servers/slapd/saslauthz.c
+++ b/servers/slapd/saslauthz.c
@@ -474,6 +474,7 @@ int slap_sasl_match(Connection *conn, struct berval *rule, struct berval *assert
 op.o_callback = &cb;
 op.o_time = slap_get_time();
 op.o_do_not_cache = 1;
+ op.o_is_auth_check = 1;
 op.o_threadctx = conn->c_sasl_bindop->o_threadctx;
 (*be->be_search)( be, conn, &op, /*base=*/NULL, &searchbase,
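Review bot: The new block in access_allowed() silently rewrites the privilege the caller asked for, and nothing in the hunk records why, so someone auditing an ACL decision later will see an `auth` check where the backend requested `search` or `read`. A comment above the `if( op && op->o_is_auth_check ...` line should state the intent, e.g. `/* internal SASL lookups (auxprop, checkpass, authz mapping) run on slapd's own behalf: "auth" access suffices, not "search"/"read" */`. Note that this lowers the required privilege rather than raising it, so the correctness of the change rests entirely on `o_is_auth_check` being set only on server-constructed operations; that invariant is enforced elsewhere and is worth naming in the same comment. The remap precedes the `state` cache lookup in the hunk, which keeps a recorded state and the remapped access consistent as far as the visible lines show; access_allowed() continues beyond the hunk.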
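Review bot: The same op setup (`o_callback`, `o_time`, `o_do_not_cache`, now `o_is_auth_check`) is hand-copied in slap_auxprop_lookup() and slap_sasl_checkpass() here and again in slap_sasl_match() and slap_sasl2dn() in saslauthz.c, so the next internal search that omits `op.o_is_auth_check = 1` will again be checked as `search`/`read` and fail under the ACLs this commit is written to support, while omitting `o_do_not_cache` would let its results be cached. Pulling the shared lines into one helper, say `slap_sasl_init_internal_op( &op, conn, &cb )` (constructed name), keeps the two flags together at a single site. Whether each of these stack `Operation`s is zero-initialized before this block is outside the hunk; if any is not, the new field starts undefined, which matters because a stray non-zero value relaxes the ACL check. The enclosing functions start and end outside the hunk.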
@@ -634,6 +635,7 @@ void slap_sasl2dn( Connection *conn,
 op.o_callback = &cb;
 op.o_time = slap_get_time();
 op.o_do_not_cache = 1;
+ op.o_is_auth_check = 1;
 op.o_threadctx = conn->c_sasl_bindop->o_threadctx;
 (*be->be_search)( be, conn, &op, NULL, &dn,
diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h
index c4722208c2..aae80c7b3b 100644
--- a/servers/slapd/slap.h
+++ b/servers/slapd/slap.h
@@ -1681,6 +1681,7 @@ typedef struct slap_op {
 #define SLAP_CANCEL_DONE 0x03
 char o_do_not_cache; /* don't cache from this op */
+ char o_is_auth_check; /* authorization in progress */
 #define SLAP_NO_CONTROL 0
 #define SLAP_NONCRITICAL_CONTROL 1
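Review bot: The comment on the new `slap_op` field, `/* authorization in progress */`, understates what it controls: the flag is also set by authentication-time lookups (auxprop, checkpass), and its effect in access_allowed() is to lower a `search`/`read` ACL check to `auth`. Suggest `/* internal SASL lookup: ACL search/read checks are relaxed to auth */` so that anyone adding an Operation field or a new internal search sees the privilege consequence at the declaration. Because the flag relaxes rather than tightens the check, every site that builds an Operation must leave it zero; the struct's initialization sites are outside this hunk, so that invariant belongs in the comment as well.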