From: Kurt Zeilenga Date: Mon, 7 Oct 2002 21:56:43 +0000 (+0000) Subject: More entry level access control for back-shell X-Git-Tag: NO_SLAP_OP_BLOCKS~920 X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=df6c69ffd64e9ae7668f1167c64e829f6bbce3be;p=openldap More entry level access control for back-shell (should be applied to back-perl and other programmable backends) --- diff --git a/servers/slapd/back-shell/bind.c b/servers/slapd/back-shell/bind.c index 6c4ec9ab48..ad1b9c80c1 100644 --- a/servers/slapd/back-shell/bind.c +++ b/servers/slapd/back-shell/bind.c @@ -28,6 +28,8 @@ shell_back_bind( ) { struct shellinfo *si = (struct shellinfo *) be->be_private; + AttributeDescription *entry = slap_schema.si_ad_entry; + Entry e; FILE *rfp, *wfp; int rc; @@ -37,6 +39,23 @@ shell_back_bind( return( -1 ); } + e.e_id = NOID; + e.e_name = *dn; + e.e_nname = *ndn; + e.e_attrs = NULL; + e.e_ocflags = 0; + e.e_bv.bv_len = 0; + e.e_bv.bv_val = NULL; + e.e_private = NULL; + + if ( ! access_allowed( be, conn, op, &e, + entry, NULL, ACL_AUTH, NULL ) ) + { + send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS, + NULL, NULL, NULL, NULL ); + return -1; + } + if ( (op->o_private = (void *) forkandexec( si->si_bind, &rfp, &wfp )) == (void *) -1 ) { send_ldap_result( conn, op, LDAP_OTHER, NULL, diff --git a/servers/slapd/back-shell/compare.c b/servers/slapd/back-shell/compare.c index 19a3498c96..c70edd530d 100644 --- a/servers/slapd/back-shell/compare.c +++ b/servers/slapd/back-shell/compare.c @@ -26,6 +26,8 @@ shell_back_compare( ) { struct shellinfo *si = (struct shellinfo *) be->be_private; + AttributeDescription *entry = slap_schema.si_ad_entry; + Entry e; FILE *rfp, *wfp; if ( IS_NULLCMD( si->si_compare ) ) { @@ -34,6 +36,23 @@ shell_back_compare( return( -1 ); } + e.e_id = NOID; + e.e_name = *dn; + e.e_nname = *ndn; + e.e_attrs = NULL; + e.e_ocflags = 0; + e.e_bv.bv_len = 0; + e.e_bv.bv_val = NULL; + e.e_private = NULL; + + if ( ! access_allowed( be, conn, op, &e, + entry, NULL, ACL_READ, NULL ) ) + { + send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS, + NULL, NULL, NULL, NULL ); + return -1; + } + if ( (op->o_private = (void *) forkandexec( si->si_compare, &rfp, &wfp )) == (void *) -1 ) { send_ldap_result( conn, op, LDAP_OTHER, NULL, diff --git a/servers/slapd/back-shell/modify.c b/servers/slapd/back-shell/modify.c index 69ad41d740..9b82f70be4 100644 --- a/servers/slapd/back-shell/modify.c +++ b/servers/slapd/back-shell/modify.c @@ -27,6 +27,8 @@ shell_back_modify( { Modification *mod; struct shellinfo *si = (struct shellinfo *) be->be_private; + AttributeDescription *entry = slap_schema.si_ad_entry; + Entry e; FILE *rfp, *wfp; int i; @@ -36,6 +38,23 @@ shell_back_modify( return( -1 ); } + e.e_id = NOID; + e.e_name = *dn; + e.e_nname = *ndn; + e.e_attrs = NULL; + e.e_ocflags = 0; + e.e_bv.bv_len = 0; + e.e_bv.bv_val = NULL; + e.e_private = NULL; + + if ( ! access_allowed( be, conn, op, &e, + entry, NULL, ACL_WRITE, NULL ) ) + { + send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS, + NULL, NULL, NULL, NULL ); + return -1; + } + if ( (op->o_private = (void *) forkandexec( si->si_modify, &rfp, &wfp )) == (void *) -1 ) { send_ldap_result( conn, op, LDAP_OTHER, NULL,