From: Quanah Gibson-Mount
Date: Tue, 11 Nov 2008 21:09:28 +0000 (+0000)
Subject: ITS#5572 from Rein
X-Git-Tag: ACLCHECK_0~1128
X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=e701d9b88532667a91b2735991fc11e2fee20147;p=openldap
ITS#5572 from Rein
---
diff --git a/servers/slapd/acl.c b/servers/slapd/acl.c
index a9c2a79155..c04f3044b0 100644
--- a/servers/slapd/acl.c
+++ b/servers/slapd/acl.c
@@ -138,6 +138,7 @@ slap_access_allowed(
 slap_access_t access_level;
 const char *attr;
 regmatch_t matches[MAXREMATCHES];
+ AccessControlState acl_state = ACL_STATE_INIT;
 assert( op != NULL );
 assert( e != NULL );
@@ -179,7 +180,7 @@ slap_access_allowed(
 }
 /* use backend default access if no backend acls */
- if ( op->o_bd->be_acl == NULL ) {
+ if ( op->o_bd->be_acl == NULL && frontendDB->be_acl == NULL ) {
 int i;
 Debug( LDAP_DEBUG_ACL,
@@ -201,15 +202,22 @@ slap_access_allowed(
 ret = 0;
 control = ACL_BREAK;
- if ( state && state->as_vd_ad == desc ) {
+ if ( state == NULL )
+ state = &acl_state;
+ if ( state->as_vd_ad == desc ) {
 a = state->as_vd_acl;
 count = state->as_vd_acl_count;
-
+ if ( state->as_fe_done )
+ state->as_fe_done--;
 } else {
- if ( state ) state->as_vi_acl = NULL;
+ state->as_vi_acl = NULL;
+ a = NULL;
 count = 0;
 }
+ if ( a == NULL )
+ state->as_fe_done = 0;
+
 ACL_PRIV_ASSIGN( mask, *maskp );
 memset( matches, '\0', sizeof( matches ) );
@@ -476,13 +484,14 @@ slap_acl_get(
 assert( e != NULL );
 assert( count != NULL );
 assert( desc != NULL );
+ assert( state != NULL );
 attr = desc->ad_cname.bv_val;
 assert( attr != NULL );
 if( a == NULL ) {
- if( op->o_bd == NULL ) {
+ if( op->o_bd == NULL || op->o_bd->be_acl == NULL ) {
 a = frontendDB->be_acl;
 } else {
 a = op->o_bd->be_acl;
@@ -490,7 +499,8 @@ slap_acl_get(
 prev = NULL;
 assert( a != NULL );
-
+ if ( a == frontendDB->be_acl )
+ state->as_fe_done = 1;
 } else {
 prev = a;
 a = a->acl_next;
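Review bot: The as_fe_done bookkeeping in the resume branch of slap_access_allowed (`if ( state->as_fe_done ) state->as_fe_done--;`) and the reset after it (`if ( a == NULL ) state->as_fe_done = 0;`) carry no comment, and nothing in the hunk says why a resumed walk has to step the counter back by one. From the slap_acl_get hunks it looks like the counter is bumped again when the walk re-advances from the saved `as_vd_acl`, so the decrement presumably compensates for that re-increment; please confirm and say so in place, e.g. `/* slap_acl_get re-advances from as_vd_acl and bumps as_fe_done again; undo one step */`. It would also help to note next to `state = &acl_state;` that the local state is discarded on return, so a caller passing NULL never benefits from the recorded-position shortcut. slap_access_allowed continues outside the hunk.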
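Review bot: slap_acl_get now dereferences state unconditionally (`state->as_fe_done = 1;` in the -490 hunk, and the `if( state && ...)` guard is dropped in the -567 hunk), so the new `assert( state != NULL );` is the only protection and it disappears under NDEBUG; any caller other than slap_access_allowed that still passes NULL turns from a tolerated stateless walk into a NULL dereference. The diff only shows slap_access_allowed substituting a local state, so other callers cannot be checked from here and should be audited. A comment on the parameter, e.g. `/* state must be non-NULL: callers without one pass a local ACL_STATE_INIT */`, would make the changed contract visible to future callers. slap_acl_get continues outside the hunk.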
@@ -498,9 +508,13 @@ slap_acl_get(
 dnlen = e->e_nname.bv_len;
+ retry:
 for ( ; a != NULL; prev = a, a = a->acl_next ) {
 (*count) ++;
+ if ( a != frontendDB->be_acl && state->as_fe_done )
+ state->as_fe_done++;
+
 if ( a->acl_dn_pat.bv_len || ( a->acl_dn_style != ACL_STYLE_REGEX )) {
 if ( a->acl_dn_style == ACL_STYLE_REGEX ) {
 Debug( LDAP_DEBUG_ACL, "=> dnpat: [%d] %s nsub: %d\n",
@@ -567,7 +581,7 @@ slap_acl_get(
 continue;
 }
- if( state && !( state->as_recorded & ACL_STATE_RECORDED_VD )) {
+ if( !( state->as_recorded & ACL_STATE_RECORDED_VD )) {
 state->as_recorded |= ACL_STATE_RECORDED_VD;
 state->as_vd_acl = prev;
 state->as_vd_acl_count = *count - 1;
@@ -649,6 +663,12 @@ slap_acl_get(
 return a;
 }
+ if ( !state->as_fe_done ) {
+ state->as_fe_done = 1;
+ a = frontendDB->be_acl;
+ goto retry;
+ }
+
 Debug( LDAP_DEBUG_ACL, "<= acl_get: done.\n", 0, 0, 0 );
 return( NULL );
 }
@@ -1856,7 +1876,7 @@ acl_check_modlist(
 }
 /* use backend default access if no backend acls */
- if( op->o_bd != NULL && op->o_bd->be_acl == NULL ) {
+ if( op->o_bd != NULL && op->o_bd->be_acl == NULL && frontendDB->be_acl == NULL ) {
 Debug( LDAP_DEBUG_ACL,
 "=> access_allowed: backend default %s access %s to \"%s\"\n",
 access2str( ACL_WRITE ),
diff --git a/servers/slapd/backend.c b/servers/slapd/backend.c
index 3754a258f2..aad928e616 100644
--- a/servers/slapd/backend.c
+++ b/servers/slapd/backend.c
@@ -261,8 +261,6 @@ int backend_startup(Backend *be)
 return rc;
 }
 }
- /* append global access controls */
- acl_append( &be->be_acl, frontendDB->be_acl, -1 );
 return backend_startup_one( be, &cr );
 }
@@ -310,8 +308,6 @@ int backend_startup(Backend *be)
 "has no suffix\n",
 i, be->bd_info->bi_type, 0 );
 }
- /* append global access controls */
- acl_append( &be->be_acl, frontendDB->be_acl, -1 );
 rc = backend_startup_one( be, &cr );
diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h
index ae7d51b8d6..9a699456d3 100644
--- a/servers/slapd/slap.h
+++ b/servers/slapd/slap.h
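Review bot: The new `if ( a != frontendDB->be_acl && state->as_fe_done ) state->as_fe_done++;` at the top of the loop keeps a running position inside the frontend list, but the value's meaning is nowhere documented: read together with the -490 and -649 hunks it appears to be 0 while still walking the backend's ACLs, 1 at the head of frontendDB->be_acl, and one more per frontend ACL advanced past. Because slap_access_allowed decrements it before resuming from a saved `prev`, the increment has to stay ahead of every `continue` in the loop body, which is not obvious from the placement alone. A comment such as `/* as_fe_done: 0 = still in backend ACLs, else 1 + frontend ACLs passed; bump before any continue */` would pin that down. The loop body continues outside the hunk.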
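Review bot: The `goto retry` block at the end of slap_acl_get switches the walk from the backend's list to frontendDB->be_acl without a comment, and the reason only becomes clear from the backend.c hunks that stop appending the global ACLs to each backend's be_acl. A one-liner above it, `/* backend ACLs exhausted: global ACLs are no longer chained onto be_acl, walk frontendDB->be_acl once */`, would spare the next reader that cross-reference. It is also worth stating that when frontendDB->be_acl is NULL the retry re-enters the loop with `a == NULL` and falls straight through to the `return( NULL )` with as_fe_done already 1, so no second retry can happen. slap_acl_get starts outside the hunk.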
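Review bot: The "no ACLs anywhere" test `op->o_bd->be_acl == NULL && frontendDB->be_acl == NULL` now lives in two places, here in acl_check_modlist and in slap_access_allowed, and both have to agree with the fallback order implemented in slap_acl_get. A small shared predicate, e.g. `#define SLAP_NO_ACLS(op) ((op)->o_bd->be_acl == NULL && frontendDB->be_acl == NULL)`, would keep a future third copy from drifting when the fallback rule changes again. acl_check_modlist starts and ends outside the hunk.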
@@ -1542,9 +1542,10 @@ typedef struct AccessControlState {
 slap_acl_state_t as_recorded;
 int as_vd_acl_count;
 int as_result;
+ int as_fe_done;
 } AccessControlState;
 #define ACL_STATE_INIT { NULL, NULL, NULL, \
- ACL_STATE_NOT_RECORDED, 0, 0 }
+ ACL_STATE_NOT_RECORDED, 0, 0, 0 }
 /*
 * Backend-info
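Review bot: `int as_fe_done;` is added to AccessControlState with no comment, and its positional trailing `0` in `ACL_STATE_INIT` gives no hint either; the name reads like a boolean, yet acl.c in this same commit both increments and decrements it. Suggest `int as_fe_done; /* 0 until the ACL walk has moved from the backend's be_acl to frontendDB->be_acl, then 1 + frontend ACLs passed; see slap_acl_get */`, after confirming that reading against the acl.c counter logic. The struct's opening line is outside the hunk.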