From: Pierangelo Masarati Date: Sat, 17 Jul 2004 16:20:25 +0000 (+0000) Subject: disable ACI caching (ITS#3215) X-Git-Tag: OPENLDAP_REL_ENG_2_2_15~23 X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=db67cbfebed479004042eb7d36b0c5e3cfae409f;p=openldap disable ACI caching (ITS#3215)
---
diff --git a/CHANGES b/CHANGES
index 9d1d0482bb..198a77cd43 100644
--- a/CHANGES
+++ b/CHANGES
@@ -14,6 +14,7 @@ OpenLDAP 2.2.15 Engineering
 Fixed slapd group ACL locking bug (ITS#3173)
 Fixed slapd abandon/cancel pending bug
 Fixed slapd attribute description syntax bug
+ Fixed slapd ACI caching bug (caching disabled, ITS#3215)
 Fixed libldap SASL re-encode bug
 Fixed libldap sasl_encode 64-bit bug (ITS#3054,3212)
 Fixed libldap matchedValues parsing bug (ITS#3208,3216)
diff --git a/servers/slapd/acl.c b/servers/slapd/acl.c
index 9666b6d231..d752681652 100644
--- a/servers/slapd/acl.c
+++ b/servers/slapd/acl.c
@@ -1359,7 +1359,11 @@ dn_match_cleanup:;
 /* get the aci attribute */
 at = attr_find( e->e_attrs, b->a_aci_at );
 if ( at != NULL ) {
+#if 0
+ /* FIXME: this breaks acl caching;
+ * see also ACL_RECORD_VALUE_STATE below */
 ACL_RECORD_VALUE_STATE;
+#endif
 /* the aci is an multi-valued attribute. The
 * rights are determined by OR'ing the individual
 * rights given by the acis.
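Review bot: The FIXME added in the `at != NULL` branch, `this breaks acl caching`, does not say whether the macro or its removal is what breaks caching, and it names no tracker entry, so the `#if 0` block reads as plain dead code in an access-control path. Going by the commit subject, compiling out `ACL_RECORD_VALUE_STATE` is what turns ACI caching off; the macro's definition is outside the hunk, so that reading is inferred. I would spell it out, e.g. `/* FIXME (ITS#3215): compiled out to disable caching of ACI results; keep in sync with the parent-ACI loop below */`. The same wording applies to the second `#if 0` in the next acl.c hunk. The enclosing function starts and ends outside the hunk.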
@@ -1388,47 +1392,56 @@ dn_match_cleanup:;
 while ( parent_ndn.bv_val != old_parent_ndn.bv_val ){
 old_parent_ndn = parent_ndn;
 Debug(LDAP_DEBUG_ACL, "checking ACI of %s\n", parent_ndn.bv_val, 0, 0);
- ret=backend_attribute(op, NULL, &parent_ndn, b->a_aci_at, &bvals);
+ ret = backend_attribute(op, NULL, &parent_ndn, b->a_aci_at, &bvals);
 switch(ret){
- case LDAP_SUCCESS :
- if(bvals){
- for( i = 0; bvals[i].bv_val != NULL; i++){
- ACL_RECORD_VALUE_STATE;
- if (aci_mask(op, e, desc, val, &bvals[i], matches,
- &grant, &deny, &aci_bv_children) != 0) {
- tgrant |= grant;
- tdeny |= deny;
- /* evaluation stops as soon as either a "deny" or a
- * "grant" directive matches.
- */
- if( (tgrant != ACL_PRIV_NONE) || (tdeny != ACL_PRIV_NONE) ){
- stop=1;
- }
- }
- Debug(LDAP_DEBUG_ACL, "<= aci_mask grant %s deny %s\n",
- accessmask2str(tgrant,accessmaskbuf),
- accessmask2str(tdeny, accessmaskbuf1), 0);
+ case LDAP_SUCCESS :
+ stop = 0;
+ if (!bvals){
+ break;
+ }
+
+ for( i = 0; bvals[i].bv_val != NULL; i++){
+#if 0
+ /* FIXME: this breaks acl caching;
+ * see also ACL_RECORD_VALUE_STATE above */
+ ACL_RECORD_VALUE_STATE;
+#endif
+ if (aci_mask(op, e, desc, val, &bvals[i], matches,
+ &grant, &deny, &aci_bv_children) != 0) {
+ tgrant |= grant;
+ tdeny |= deny;
+ /* evaluation stops as soon as either a "deny" or a
+ * "grant" directive matches.
+ */
+ if( (tgrant != ACL_PRIV_NONE) || (tdeny != ACL_PRIV_NONE) ){
+ stop = 1;
 }
 }
- stop=0;
- break;
- case LDAP_NO_SUCH_ATTRIBUTE:
- /* just go on if the aci-Attribute is not present in
- * the current entry
- */
- Debug(LDAP_DEBUG_ACL, "no such attribute\n", 0, 0, 0);
- stop=0;
- break;
- case LDAP_NO_SUCH_OBJECT:
- /* We have reached the base object */
- Debug(LDAP_DEBUG_ACL, "no such object\n", 0, 0, 0);
- stop=1;
- break;
- default:
- stop=1;
- break;
+ Debug(LDAP_DEBUG_ACL, "<= aci_mask grant %s deny %s\n",
+ accessmask2str(tgrant,accessmaskbuf),
+ accessmask2str(tdeny, accessmaskbuf1), 0);
+ }
+ break;
+
+ case LDAP_NO_SUCH_ATTRIBUTE:
+ /* just go on if the aci-Attribute is not present in
+ * the current entry
+ */
+ Debug(LDAP_DEBUG_ACL, "no such attribute\n", 0, 0, 0);
+ stop = 0;
+ break;
+
+ case LDAP_NO_SUCH_OBJECT:
+ /* We have reached the base object */
+ Debug(LDAP_DEBUG_ACL, "no such object\n", 0, 0, 0);
+ stop = 1;
+ break;
+
+ default:
+ stop = 1;
+ break;
 }
- if(stop){
+ if (stop){
 break;
 }
 dnParent(&old_parent_ndn, &parent_ndn);
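Review bot: Moving `stop = 0` ahead of the value loop in `case LDAP_SUCCESS` changes the access decision, which the commit subject (disable ACI caching) does not mention: in the removed code the `stop=1` set inside the loop was overwritten by the `stop=0` that followed it, so the walk up the parent chain always continued, whereas now a matching grant or deny ends the walk at that entry. If that is intended, it deserves its own line in the commit message and a comment that says which loop stops, since the remaining values of the same entry are still evaluated and OR'ed into `tgrant`/`tdeny`: `/* a matching "grant" or "deny" ends the walk up the parent chain; remaining values of this entry are still evaluated */`. No release of `bvals` is visible between iterations of the `while`; whether a memory context elsewhere covers it cannot be told from here. The enclosing function starts and ends outside the hunk.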