From: Quanah Gibson-Mount
Date: Tue, 4 Jan 2011 19:38:06 +0000 (+0000)
Subject: ITS#6753
X-Git-Tag: OPENLDAP_REL_ENG_2_4_24~145
X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=9fd0ad6f68f361d780bd64e6127309f6b05bd489;p=openldap
ITS#6753
---
diff --git a/CHANGES b/CHANGES
index ca91ce3f93..5888a89bd6 100644
--- a/CHANGES
+++ b/CHANGES
@@ -28,6 +28,7 @@ OpenLDAP 2.4.24 Engineering
 Fixed slapd config leak with olcDbDirectory (ITS#6634)
 Fixed slapd connectionless warnings (ITS#6747)
 Fixed slapd to free controls if needed (ITS#6629)
+ Fixed slapd entry comparisons (ITS#6753)
 Fixed slapd filter leak (ITS#6635)
 Fixed slapd matching rules for strict ordering (ITS#6722)
 Fixed slapd extensible match for ordering rules (ITS#6532)
diff --git a/servers/slapd/back-bdb/compare.c b/servers/slapd/back-bdb/compare.c
index cd1058de61..095033eb14 100644
--- a/servers/slapd/back-bdb/compare.c
+++ b/servers/slapd/back-bdb/compare.c
@@ -122,52 +122,7 @@ dn2entry_retry:
 goto done;
 }
- if ( get_assert( op ) &&
- ( test_filter( op, e, get_assertion( op )) != LDAP_COMPARE_TRUE ))
- {
- if ( !access_allowed( op, e, slap_schema.si_ad_entry,
- NULL, ACL_DISCLOSE, NULL ) )
- {
- rs->sr_err = LDAP_NO_SUCH_OBJECT;
- } else {
- rs->sr_err = LDAP_ASSERTION_FAILED;
- }
- goto return_results;
- }
-
- if ( !access_allowed( op, e, op->oq_compare.rs_ava->aa_desc,
- &op->oq_compare.rs_ava->aa_value, ACL_COMPARE, NULL ) )
- {
- /* return error only if "disclose"
- * is granted on the object */
- if ( !access_allowed( op, e, slap_schema.si_ad_entry,
- NULL, ACL_DISCLOSE, NULL ) )
- {
- rs->sr_err = LDAP_NO_SUCH_OBJECT;
- } else {
- rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
- }
- goto return_results;
- }
-
- rs->sr_err = LDAP_NO_SUCH_ATTRIBUTE;
-
- for ( a = attrs_find( e->e_attrs, op->oq_compare.rs_ava->aa_desc );
- a != NULL;
- a = attrs_find( a->a_next, op->oq_compare.rs_ava->aa_desc ) )
- {
- rs->sr_err = LDAP_COMPARE_FALSE;
-
- if ( attr_valfind( a,
- SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH |
- SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH,
- &op->oq_compare.rs_ava->aa_value, NULL,
- op->o_tmpmemctx ) == 0 )
- {
- rs->sr_err = LDAP_COMPARE_TRUE;
- break;
- }
- }
+ rs->sr_err = slap_compare_entry( op, e, op->orc_ava );
 return_results:
 send_ldap_result( op, rs );
diff --git a/servers/slapd/back-monitor/compare.c b/servers/slapd/back-monitor/compare.c
index 3fb71e0db2..8fa2fa4154 100644
--- a/servers/slapd/back-monitor/compare.c
+++ b/servers/slapd/back-monitor/compare.c
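Review bot: The single call `rs->sr_err = slap_compare_entry( op, e, op->orc_ava );` replaces both inline ACL_DISCLOSE checks that turned a failed assertion or a denied compare into LDAP_NO_SUCH_OBJECT, so hiding an entry from a client without "disclose" access now rests entirely on the helper. The part of slap_compare_entry visible in this commit only sets `rc = LDAP_ASSERTION_FAILED` and jumps to `done`; the code at that label is outside every hunk, so it should be confirmed that it still maps error results to LDAP_NO_SUCH_OBJECT when disclose is denied. The second back-monitor hunk drops its own `access_allowed_mask( ... ACL_DISCLOSE ... )` test together with the `case LDAP_NO_SUCH_ATTRIBUTE: break;` exemption, so it has the same dependence and its noSuchAttribute handling may change. Once verified, a comment at the call would record the contract, e.g. `/* slap_compare_entry() applies the compare ACL, the assertion control and the disclose check */`. The enclosing function starts and ends outside the hunk.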
@@ -57,30 +57,7 @@ monitor_back_compare( Operation *op, SlapReply *rs )
 return rs->sr_err;
 }
- rs->sr_err = access_allowed( op, e, op->oq_compare.rs_ava->aa_desc,
- &op->oq_compare.rs_ava->aa_value, ACL_COMPARE, NULL );
- if ( !rs->sr_err ) {
- rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
- goto return_results;
- }
-
- rs->sr_err = LDAP_NO_SUCH_ATTRIBUTE;
-
- for ( a = attrs_find( e->e_attrs, op->oq_compare.rs_ava->aa_desc );
- a != NULL;
- a = attrs_find( a->a_next, op->oq_compare.rs_ava->aa_desc )) {
- rs->sr_err = LDAP_COMPARE_FALSE;
-
- if ( attr_valfind( a,
- SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH |
- SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH,
- &op->oq_compare.rs_ava->aa_value, NULL,
- op->o_tmpmemctx ) == 0 )
- {
- rs->sr_err = LDAP_COMPARE_TRUE;
- break;
- }
- }
+ rs->sr_err = slap_compare_entry( op, e, op->orc_ava );
 return_results:;
 rc = rs->sr_err;
@@ -90,15 +67,7 @@ return_results:;
 rc = LDAP_SUCCESS;
 break;
- case LDAP_NO_SUCH_ATTRIBUTE:
- break;
-
 default:
- if ( !access_allowed_mask( op, e, slap_schema.si_ad_entry,
- NULL, ACL_DISCLOSE, NULL, NULL ) )
- {
- rs->sr_err = LDAP_NO_SUCH_OBJECT;
- }
 break;
 }
diff --git a/servers/slapd/compare.c b/servers/slapd/compare.c
index 0d64b735e2..269d80ffc5 100644
--- a/servers/slapd/compare.c
+++ b/servers/slapd/compare.c
@@ -31,11 +31,6 @@
 #include "slap.h"
-static int compare_entry(
- Operation *op,
- Entry *e,
- AttributeAssertion *ava );
-
 int
 do_compare(
 Operation *op,
@@ -176,7 +171,7 @@ fe_op_compare( Operation *op, SlapReply *rs )
 }
 if( entry ) {
- rs->sr_err = compare_entry( op, entry, ava );
+ rs->sr_err = slap_compare_entry( op, entry, ava );
 entry_free( entry );
 send_ldap_result( op, rs );
@@ -352,7 +347,7 @@ cleanup:;
 return rs->sr_err;
 }
-static int compare_entry(
+int slap_compare_entry(
 Operation *op,
 Entry *e,
 AttributeAssertion *ava )
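Review bot: The local `a` loses its only visible use when the `for ( a = attrs_find( ... ) )` loop is removed in the first back-monitor hunk, and the commit has no hunk touching its declaration above, so it probably becomes an unused variable; the back-bdb hunk leaves the same leftover. The removed `goto return_results;` may also have been the last jump to the `return_results:;` label, which would then draw an unused-label warning. Both the declaration and any other jumps are outside the hunk, so this needs a check against the full function; if nothing else uses them, drop the declaration of `a` and the label in the same commit.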
@@ -367,13 +362,20 @@ static int compare_entry(
 goto done;
 }
+ if ( get_assert( op ) &&
+ ( test_filter( op, e, get_assertion( op )) != LDAP_COMPARE_TRUE ))
+ {
+ rc = LDAP_ASSERTION_FAILED;
+ goto done;
+ }
+
 a = attrs_find( e->e_attrs, ava->aa_desc );
 if( a == NULL ) {
 rc = LDAP_NO_SUCH_ATTRIBUTE;
 goto done;
 }
- for(a = attrs_find( e->e_attrs, ava->aa_desc );
+ for(;
 a != NULL;
 a = attrs_find( a->a_next, ava->aa_desc ))
 {
diff --git a/servers/slapd/proto-slap.h b/servers/slapd/proto-slap.h
index fa225d9e7e..e95abef2c7 100644
--- a/servers/slapd/proto-slap.h
+++ b/servers/slapd/proto-slap.h
@@ -515,6 +515,15 @@ LDAP_SLAPD_F (void) ch_free LDAP_P(( void * ));
 #define free ch_free
 #endif
+/*
+ * compare.c
+ */
+
+LDAP_SLAPD_F (int) slap_compare_entry LDAP_P((
+ Operation *op,
+ Entry *e,
+ AttributeAssertion *ava ));
+
 /*
  * component.c
  */
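Review bot: Evaluating the assertion only after the block that ends in the context lines `goto done; }` reverses the order back-bdb used, where the removed code tested the assertion before checking compare access; that leading block is above the hunk and is presumably the ACL_COMPARE check. A client that lacks compare access and sends a failing assertion would then receive the access error instead of assertionFailed. The new order reveals less about the entry and looks preferable, but it is a visible result-code change for back-bdb and should be stated in a comment on the added block, e.g. `/* assertion is evaluated only after compare access has been granted */`. The function body continues past the end of the hunk, including the `done:` label both new `goto`s rely on.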
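Review bot: The newly exported prototype in proto-slap.h carries only the `compare.c` section banner and no statement of its contract, although back-bdb, back-monitor and the frontend now all rely on it for access control. A short comment above the declaration would help, for example `/* Returns LDAP_COMPARE_TRUE/LDAP_COMPARE_FALSE or an LDAP error code; performs the ACL and assertion checks itself, so callers must not repeat them. */`. The wording should be matched to the full body in compare.c, since only part of it is visible in this diff.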