From: Kurt Zeilenga <kurt@openldap.org>
Date: Thu, 5 Sep 2002 02:37:10 +0000 (+0000)
Subject: back_attribute() should use ACL_AUTH not ACL_READ (at
X-Git-Tag: NO_SLAP_OP_BLOCKS~1021
X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=ab80b030579e9fddf76e03e84af79a92aca08f7c;p=openldap

back_attribute() should use ACL_AUTH not ACL_READ (at
least for current callers, may need to pass it the
permission level)
---

diff --git a/configure b/configure
index e4cd976870..9da9e413ca 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # $OpenLDAP$
-# from OpenLDAP: pkg/ldap/configure.in,v 1.428 2002/08/28 05:12:22 hyc Exp  
+# from OpenLDAP: pkg/ldap/configure.in,v 1.430 2002/09/04 08:58:25 hyc Exp  
 
 # Copyright 1998-2002 The OpenLDAP Foundation.  All Rights Reserved.
 # 
@@ -23128,6 +23128,12 @@ else
 	PLAT=UNIX
 fi
 
+if test -z "$SLAPD_STATIC_BACKENDS"; then
+	SLAPD_NO_STATIC='#'
+else
+	SLAPD_NO_STATIC=
+fi
+
 
 
 
@@ -23192,6 +23198,7 @@ fi
 
 
 
+
 
 
 # Check whether --with-xxinstall or --without-xxinstall was given.
@@ -23423,6 +23430,7 @@ s%@WRAP_LIBS@%$WRAP_LIBS%g
 s%@MOD_TCL_LIB@%$MOD_TCL_LIB%g
 s%@SLAPD_MODULES_CPPFLAGS@%$SLAPD_MODULES_CPPFLAGS%g
 s%@SLAPD_MODULES_LDFLAGS@%$SLAPD_MODULES_LDFLAGS%g
+s%@SLAPD_NO_STATIC@%$SLAPD_NO_STATIC%g
 s%@SLAPD_STATIC_BACKENDS@%$SLAPD_STATIC_BACKENDS%g
 s%@SLAPD_DYNAMIC_BACKENDS@%$SLAPD_DYNAMIC_BACKENDS%g
 s%@PERL_CPPFLAGS@%$PERL_CPPFLAGS%g
diff --git a/servers/slapd/back-bdb/attribute.c b/servers/slapd/back-bdb/attribute.c
index 6ad4b30e78..8b7ec4b8e4 100644
--- a/servers/slapd/back-bdb/attribute.c
+++ b/servers/slapd/back-bdb/attribute.c
@@ -91,7 +91,6 @@ bdb_attribute(
 			entry_ndn->bv_val, 0, 0 );
 #endif
 
-
 	} else {
 dn2entry_retry:
 		/* can we find entry */
@@ -165,14 +164,6 @@ dn2entry_retry:
 		goto return_results;
 	}
 
-	if (conn != NULL && op != NULL
-		&& access_allowed( be, conn, op, e, slap_schema.si_ad_entry,
-			NULL, ACL_READ, &acl_state ) == 0 )
-	{
-		rc = LDAP_INSUFFICIENT_ACCESS;
-		goto return_results;
-	}
-
 	if ((attr = attr_find(e->e_attrs, entry_at)) == NULL) {
 #ifdef NEW_LOGGING
 		LDAP_LOG( BACK_BDB, INFO, 
@@ -187,8 +178,8 @@ dn2entry_retry:
 	}
 
 	if (conn != NULL && op != NULL
-		&& access_allowed( be, conn, op, e, entry_at, NULL, ACL_READ, 
-			   &acl_state ) == 0 )
+		&& access_allowed( be, conn, op, e, entry_at, NULL,
+			ACL_AUTH, &acl_state ) == 0 )
 	{
 		rc = LDAP_INSUFFICIENT_ACCESS;
 		goto return_results;
@@ -204,7 +195,7 @@ dn2entry_retry:
 		if( conn != NULL
 			&& op != NULL
 			&& access_allowed(be, conn, op, e, entry_at,
-				&attr->a_vals[i], ACL_READ, &acl_state ) == 0)
+				&attr->a_vals[i], ACL_AUTH, &acl_state ) == 0)
 		{
 			continue;
 		}
diff --git a/servers/slapd/back-ldbm/attribute.c b/servers/slapd/back-ldbm/attribute.c
index 0dc5daf03a..4639f7d120 100644
--- a/servers/slapd/back-ldbm/attribute.c
+++ b/servers/slapd/back-ldbm/attribute.c
@@ -128,14 +128,6 @@ ldbm_back_attribute(
 		goto return_results;
 	}
 
-	if (conn != NULL && op != NULL
-		&& access_allowed( be, conn, op, e, slap_schema.si_ad_entry,
-			NULL, ACL_READ, NULL ) == 0)
-	{
-		rc = LDAP_INSUFFICIENT_ACCESS;
-		goto return_results;
-	}
-
 	if ((attr = attr_find(e->e_attrs, entry_at)) == NULL) {
 #ifdef NEW_LOGGING
 		LDAP_LOG( BACK_LDBM, INFO, 
@@ -152,7 +144,7 @@ ldbm_back_attribute(
 
 	if (conn != NULL && op != NULL
 		&& access_allowed( be, conn, op, e, entry_at, NULL,
-			ACL_READ, &acl_state ) == 0)
+			ACL_AUTH, &acl_state ) == 0)
 	{
 		rc = LDAP_INSUFFICIENT_ACCESS;
 		goto return_results;
@@ -168,7 +160,7 @@ ldbm_back_attribute(
 		if( conn != NULL
 			&& op != NULL
 			&& access_allowed( be, conn, op, e, entry_at,
-				iv, ACL_READ, &acl_state ) == 0)
+				iv, ACL_AUTH, &acl_state ) == 0)
 		{
 			continue;
 		}
diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c
index ded88611f4..24ccf062b4 100644
--- a/servers/slapd/saslauthz.c
+++ b/servers/slapd/saslauthz.c
@@ -616,15 +616,16 @@ slap_sasl_check_authz( Connection *conn,
 
 #ifdef NEW_LOGGING
 	LDAP_LOG( TRANSPORT, ENTRY, 
-		   "slap_sasl_check_authz: does %s match %s rule in %s?\n",
-	       assertDN->bv_val, ad->ad_cname.bv_val, searchDN->bv_val);
+		"slap_sasl_check_authz: does %s match %s rule in %s?\n",
+	    assertDN->bv_val, ad->ad_cname.bv_val, searchDN->bv_val);
 #else
 	Debug( LDAP_DEBUG_TRACE,
 	   "==>slap_sasl_check_authz: does %s match %s rule in %s?\n",
 	   assertDN->bv_val, ad->ad_cname.bv_val, searchDN->bv_val);
 #endif
 
-	rc = backend_attribute( NULL, NULL, conn->c_sasl_bindop, NULL, searchDN, ad, &vals );
+	rc = backend_attribute( NULL, NULL, conn->c_sasl_bindop, NULL,
+		searchDN, ad, &vals );
 	if( rc != LDAP_SUCCESS )
 		goto COMPLETE;
 
@@ -641,11 +642,12 @@ COMPLETE:
 
 #ifdef NEW_LOGGING
 	LDAP_LOG( TRANSPORT, RESULTS, 
-		   "slap_sasl_check_authz: %s check returning %s\n", 
-		   ad->ad_cname.bv_val, rc, 0 );
+		"slap_sasl_check_authz: %s check returning %s\n", 
+		ad->ad_cname.bv_val, rc, 0 );
 #else
 	Debug( LDAP_DEBUG_TRACE,
-	   "<==slap_sasl_check_authz: %s check returning %d\n", ad->ad_cname.bv_val, rc, 0);
+	   "<==slap_sasl_check_authz: %s check returning %d\n",
+		ad->ad_cname.bv_val, rc, 0);
 #endif
 
 	return( rc );