From: Kurt Zeilenga
Date: Mon, 5 Aug 2002 17:52:16 +0000 (+0000)
Subject: Patch: ACL #access-id# granted access to everyone (ITS#2006)
X-Git-Tag: NO_SLAP_OP_BLOCKS~1291
X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=f8c0481dd47a78d24a57e9872e8b775a7152b4d2;p=openldap

Patch: ACL #access-id# granted access to everyone (ITS#2006)

================
Written by Hallvard B. Furuseth and placed into the public domain.
This software is not subject to any license of the University of Oslo.
================

There is a bug in OpenLDAPaci's "access-id": If the specified DN is invalid so dnNormalize2() fails, everyone gets access.

This means that e.g. "#access-id#[all]" gives public access, so it might be considered a feature, but I fixed it anyway:-) I guess that means the change should be documented in the release notes, though.

See also ITS#2005 (add OpenLDAPaci #public# access).

Hallvard B. Furuseth, Aug 2002.
---
diff --git a/servers/slapd/acl.c b/servers/slapd/acl.c index c99695b603..1295b99507 100644 --- a/servers/slapd/acl.c +++ b/servers/slapd/acl.c @@ -28,6 +28,7 @@ static struct berval aci_bv_br_all = BER_BVC("[all]"), aci_bv_access_id = BER_BVC("access-id"), aci_bv_anonymous = BER_BVC("anonymous"), + aci_bv_public = BER_BVC("public"), aci_bv_users = BER_BVC("users"), aci_bv_self = BER_BVC("self"), aci_bv_dnattr = BER_BVC("dnattr"), @@ -1707,6 +1708,8 @@ aci_mask( See draft-ietf-ldapext-aci-model-04.txt section 9.1 for a full description of the format for this attribute. + Differences: "this" in the draft is "self" here, and + "self" and "public" is in the position of dnType. For now, this routine only supports scope=entry. */ @@ -1751,6 +1754,9 @@ aci_mask( } return (rc); + } else if (ber_bvstrcasecmp( &aci_bv_public, &bv ) == 0) { + return(1); + } else if (ber_bvstrcasecmp( &aci_bv_self, &bv ) == 0) { if (dn_match(&op->o_ndn, &e->e_nname)) return(1);
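
Review bot: In the comment hunk above aci_mask() (@@ -1707,6 +1708,8), the added "Differences:" text introduces "public" without saying what it grants, while the third hunk shows that the matching branch does return(1); with no comparison against the requester. Suggest stating in the comment that "public" matches every requester, so an administrator reading the ACI format notes can tell it apart from "self" and "users", and fixing the agreement to '"self" and "public" are in the position of dnType'.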
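
Review bot: The aci_mask() hunk at @@ -1751,6 +1754,9 does not match the commit message: the message describes stopping "access-id" from granting access when dnNormalize2() fails, but the branch ending in return (rc); is unchanged context here and the only added code is a new "public" branch that does return(1);. No visible hunk changes how rc is set on the failure path. Suggest either including that change in this patch or retitling the commit to say it adds "#public#" (the ITS#2005 feature the message only mentions under "See also"), because a commit that adds an unconditional grant under a subject line about removing one is easy to miss when the history is audited for ACL changes.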