From: Kurt Zeilenga
Date: Tue, 5 Sep 2000 21:55:53 +0000 (+0000)
Subject: Import ACL "entry" changes from devel
X-Git-Tag: OPENLDAP_REL_ENG_2_0_1~5
X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=f617fbde33bb837bec72f285cdb32ab9c68385e8;p=openldap

Import ACL "entry" changes from devel
---

diff --git a/CHANGES b/CHANGES
index 0040f6923d..5c7604ef74 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,7 @@ OpenLDAP 2.0.X Engineering
 Fixed StartTLS & ldaps:// client SDK
 Fixed slapd session close deadlock (ITS#704)
 Fixed slapd SSF ACLs
+ Fixed slapd "entry" ACLs
 Updated slapd MAXARGS to 200
 Updated slapd nisNetgroupTriple validation routine (ITS#705)
 Updated slapd bootParameter validation routine (ITS#706)
diff --git a/servers/slapd/back-ldbm/bind.c b/servers/slapd/back-ldbm/bind.c
index e31a267f69..449fac2ee1 100644
--- a/servers/slapd/back-ldbm/bind.c
+++ b/servers/slapd/back-ldbm/bind.c
@@ -41,7 +41,6 @@ ldbm_back_bind(
 #endif
 AttributeDescription *password = slap_schema.si_ad_userPassword;
- AttributeDescription *entry = slap_schema.si_ad_entry;
 Debug(LDAP_DEBUG_ARGS, "==> ldbm_back_bind: dn: %s\n", dn, 0, 0);
@@ -101,15 +100,6 @@ ldbm_back_bind(
 /* check for deleted */
- if ( ! access_allowed( be, conn, op, e,
- entry, NULL, ACL_AUTH ) )
- {
- send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
- NULL, NULL, NULL, NULL );
- rc = 1;
- goto return_results;
- }
-
 if ( is_entry_alias( e ) ) {
 /* entry is an alias, don't allow bind */
 Debug( LDAP_DEBUG_TRACE, "entry is alias\n", 0,
diff --git a/servers/slapd/back-ldbm/delete.c b/servers/slapd/back-ldbm/delete.c
index c216f6b901..dd0f7fc971 100644
--- a/servers/slapd/back-ldbm/delete.c
+++ b/servers/slapd/back-ldbm/delete.c
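Review bot: The second bind.c hunk leaves ldbm_back_bind with no check of the target entry's "entry" ACL before the alias test, since the removed block was the only `access_allowed( ..., entry, NULL, ACL_AUTH )` call visible here; the passwd.c hunk does the same for the `ACL_WRITE` check in ldbm_back_exop_passwd. Nothing in this diff shows where entry-level access is enforced instead, so please confirm that the remaining attribute-level check (presumably on `password`, outside the hunk) covers every bind path, and, if that is the intent, record it at the old site with a comment such as `/* "entry" ACL is not evaluated here; access is decided on userPassword */`. The test config drops `by dn="^$" +x continue` in the same commit, so a test case that pins which rule now denies a bind would document the intended behaviour. Both function bodies start and end outside the hunks.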
@@ -65,19 +65,6 @@ ldbm_back_delete(
 return( -1 );
 }
-#ifdef SLAPD_CHILD_MODIFICATION_WITH_ENTRY_ACL
- if ( ! access_allowed( be, conn, op, e,
- "entry", NULL, ACL_WRITE ) )
- {
- Debug(LDAP_DEBUG_ARGS,
- "<=- ldbm_back_delete: insufficient access %s\n",
- dn, 0, 0);
- send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
- NULL, NULL, NULL, NULL );
- goto return_results;
- }
-#endif
-
 if ( !manageDSAit && is_entry_referral( e ) ) {
 /* parent is a referral, don't allow add */
 /* parent is an alias, don't allow add */
diff --git a/servers/slapd/back-ldbm/modrdn.c b/servers/slapd/back-ldbm/modrdn.c
index 3f1438fbf9..7367f2ad8b 100644
--- a/servers/slapd/back-ldbm/modrdn.c
+++ b/servers/slapd/back-ldbm/modrdn.c
@@ -102,18 +102,6 @@ ldbm_back_modrdn(
 return( -1 );
 }
-#ifdef SLAPD_CHILD_MODIFICATION_WITH_ENTRY_ACL
- if ( ! access_allowed( be, conn, op, e,
- "entry", NULL, ACL_WRITE ) )
- {
- Debug( LDAP_DEBUG_TRACE, "no access to entry\n", 0,
- 0, 0 );
- send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
- NULL, NULL, NULL, NULL );
- goto return_results;
- }
-#endif
-
 if (!manageDSAit && is_entry_referral( e ) ) {
 /* parent is a referral, don't allow add */
 /* parent is an alias, don't allow add */
diff --git a/servers/slapd/back-ldbm/passwd.c b/servers/slapd/back-ldbm/passwd.c
index 8f2c968db9..b5156b0de3 100644
--- a/servers/slapd/back-ldbm/passwd.c
+++ b/servers/slapd/back-ldbm/passwd.c
@@ -40,8 +40,6 @@ ldbm_back_exop_passwd(
 char *dn;
- AttributeDescription *entry = slap_schema.si_ad_entry;
-
 assert( reqoid != NULL );
 assert( strcmp( LDAP_EXOP_X_MODIFY_PASSWD, reqoid ) == 0 );
@@ -94,12 +92,6 @@ ldbm_back_exop_passwd(
 goto done;
 }
- if( ! access_allowed( be, conn, op, e, entry, NULL, ACL_WRITE ) ) {
- *text = "access to authorization entry denied";
- rc = LDAP_INSUFFICIENT_ACCESS;
- goto done;
- }
-
 if( is_entry_alias( e ) ) {
 /* entry is an alias, don't allow operation */
 *text = "authorization entry is alias";
diff --git a/tests/data/slapd-acl.conf b/tests/data/slapd-acl.conf
index 58992bfb71..5a6bdf9333 100644
--- a/tests/data/slapd-acl.conf
+++ b/tests/data/slapd-acl.conf
@@ -39,7 +39,6 @@ access to filter="objectclass=person" attr=userpassword
 by self write
 access to dn.children="ou=Alumni Association, ou=People, o=University of Michigan, c=US"
- by dn="^$" +x continue
 by dn.regex=".+,o=University of Michigan,c=US" +c continue
 by dn.subtree="o=University of Michigan, c=US" +rs continue
 by * stop