From: Kurt Zeilenga Date: Fri, 13 May 2005 19:07:31 +0000 (+0000) Subject: manageDIT framework and obsolete objectclasses/DIT-content-rule override X-Git-Tag: OPENLDAP_AC_BP~640 X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=feeeabcd682e39d0c871e9ee1821e0a1ee99c3d0;p=openldap manageDIT framework and obsolete objectclasses/DIT-content-rule override --- diff --git a/servers/slapd/back-bdb/add.c b/servers/slapd/back-bdb/add.c index 7db122d5bf..6b9baee6bf 100644 --- a/servers/slapd/back-bdb/add.c +++ b/servers/slapd/back-bdb/add.c @@ -52,8 +52,8 @@ bdb_add(Operation *op, SlapReply *rs ) ctrls[num_ctrls] = 0; /* check entry's schema */ - rs->sr_err = entry_schema_check( op->o_bd, op->oq_add.rs_e, - NULL, &rs->sr_text, textbuf, textlen ); + rs->sr_err = entry_schema_check( op->o_bd, op->oq_add.rs_e, NULL, 0, + &rs->sr_text, textbuf, textlen ); if ( rs->sr_err != LDAP_SUCCESS ) { Debug( LDAP_DEBUG_TRACE, LDAP_XSTRING(bdb_add) ": entry failed schema check: " @@ -191,8 +191,8 @@ retry: /* transaction retry */ } Debug( LDAP_DEBUG_TRACE, - LDAP_XSTRING(bdb_add) ": no write access " - "to parent\n", 0, 0, 0 ); + LDAP_XSTRING(bdb_add) ": no write access to parent\n", + 0, 0, 0 ); rs->sr_err = LDAP_INSUFFICIENT_ACCESS; rs->sr_text = "no write access to parent"; goto return_results;; diff --git a/servers/slapd/back-bdb/init.c b/servers/slapd/back-bdb/init.c index b63961f027..64ba497ce4 100644 --- a/servers/slapd/back-bdb/init.c +++ b/servers/slapd/back-bdb/init.c @@ -650,6 +650,7 @@ bdb_back_initialize( static char *controls[] = { LDAP_CONTROL_ASSERT, LDAP_CONTROL_MANAGEDSAIT, + LDAP_CONTROL_MANAGEDIT, LDAP_CONTROL_NOOP, LDAP_CONTROL_PAGEDRESULTS, #ifdef LDAP_CONTROL_SUBENTRIES diff --git a/servers/slapd/back-bdb/modify.c b/servers/slapd/back-bdb/modify.c index 1f8af04ce4..edaf3720b5 100644 --- a/servers/slapd/back-bdb/modify.c +++ b/servers/slapd/back-bdb/modify.c 
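Review bot: bdb_add passes a literal 0 as the new `manage` argument to entry_schema_check, while the same commit registers LDAP_CONTROL_MANAGEDIT in back-bdb/init.c; unless get_manageDIT(op) is consulted elsewhere in bdb_add (outside this hunk), a manageDIT add of an entry carrying an OBSOLETE class is rejected whereas the equivalent modify in bdb_modify_internal is accepted. If that asymmetry is intended, say so at the call site: `op->oq_add.rs_e, NULL, 0 /* manage: manageDIT not honoured on add */,`. The body of bdb_add continues outside the hunk.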
@@ -42,10 +42,21 @@ int bdb_modify_internal( Attribute *save_attrs; Attribute *ap; int glue_attr_delete = 0; + int manage=0; Debug( LDAP_DEBUG_TRACE, "bdb_modify_internal: 0x%08lx: %s\n", e->e_id, e->e_dn, 0); + if( get_manageDIT(op) ) { + AttributeDescription *entry = slap_schema.si_ad_entry; + if( !access_allowed( op, e, entry, NULL, ACL_MANAGE, NULL )) { + *text = "not authorized to manage entry"; + return LDAP_INSUFFICIENT_ACCESS; + } + + manage = 1; + } + if ( !acl_check_modlist( op, e, modlist )) { return LDAP_INSUFFICIENT_ACCESS; } @@ -196,7 +207,8 @@ int bdb_modify_internal( } /* check that the entry still obeys the schema */ - rc = entry_schema_check( op->o_bd, e, save_attrs, text, textbuf, textlen ); + rc = entry_schema_check( op->o_bd, e, save_attrs, manage, + text, textbuf, textlen ); if ( rc != LDAP_SUCCESS || op->o_noop ) { attrs_free( e->e_attrs ); /* clear the indexing flags */ diff --git a/servers/slapd/back-ldbm/add.c b/servers/slapd/back-ldbm/add.c index 25cb07cc0b..1425cb461e 100644 --- a/servers/slapd/back-ldbm/add.c +++ b/servers/slapd/back-ldbm/add.c @@ -45,7 +45,7 @@ ldbm_back_add( Debug(LDAP_DEBUG_ARGS, "==> ldbm_back_add: %s\n", op->o_req_dn.bv_val, 0, 0); - rs->sr_err = entry_schema_check( op->o_bd, op->oq_add.rs_e, NULL, + rs->sr_err = entry_schema_check( op->o_bd, op->oq_add.rs_e, NULL, 0, &rs->sr_text, textbuf, textlen ); if ( rs->sr_err != LDAP_SUCCESS ) { diff --git a/servers/slapd/back-ldbm/modify.c b/servers/slapd/back-ldbm/modify.c index 3e34178d20..e2a9122643 100644 --- a/servers/slapd/back-ldbm/modify.c +++ b/servers/slapd/back-ldbm/modify.c @@ -164,8 +164,8 @@ int ldbm_modify_internal( } /* check that the entry still obeys the schema */ - rc = entry_schema_check( op->o_bd, e, save_attrs, text, textbuf, textlen ); - + rc = entry_schema_check( op->o_bd, e, save_attrs, 0, + text, textbuf, textlen ); if ( rc != LDAP_SUCCESS ) { Debug( LDAP_DEBUG_ANY, "entry failed schema check: %s\n", *text, 0, 0 ); 
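Review bot: In bdb_modify_internal the new manageDIT branch sets `manage = 1` only after `access_allowed( ..., ACL_MANAGE, ... )` succeeds, but nothing near the assignment says what the flag buys the caller; its effect (entry_schema_check accepting OBSOLETE classes and rules, in the second hunk of this file) is easy to miss when reading the ACL code. Suggest `manage = 1; /* ACL_MANAGE granted: entry_schema_check() below accepts OBSOLETE schema elements */`. The declaration `int manage=0;` should also be spaced like the neighbouring `int glue_attr_delete = 0;`. The function continues outside both hunks.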
diff --git a/servers/slapd/back-ldif/ldif.c b/servers/slapd/back-ldif/ldif.c index 10f7a523d1..1f3cdf60c8 100644 --- a/servers/slapd/back-ldif/ldif.c +++ b/servers/slapd/back-ldif/ldif.c @@ -553,8 +553,8 @@ static int apply_modify_to_entry(Entry * entry, entry->e_ocflags = 0; } /* check that the entry still obeys the schema */ - rc = entry_schema_check(op->o_bd, entry, NULL, - &rs->sr_text, textbuf, sizeof( textbuf ) ); + rc = entry_schema_check(op->o_bd, entry, NULL, 0, + &rs->sr_text, textbuf, sizeof( textbuf ) ); } return rc; } @@ -760,8 +760,8 @@ static int ldif_back_add(Operation *op, SlapReply *rs) { int statres; char textbuf[SLAP_TEXT_BUFLEN]; - rs->sr_err = entry_schema_check(op->o_bd, e, - NULL, &rs->sr_text, textbuf, sizeof( textbuf ) ); + rs->sr_err = entry_schema_check(op->o_bd, e, NULL, 0, + &rs->sr_text, textbuf, sizeof( textbuf ) ); if ( rs->sr_err != LDAP_SUCCESS ) goto send_res; ldap_pvt_thread_mutex_lock(&ni->li_mutex); diff --git a/servers/slapd/back-monitor/log.c b/servers/slapd/back-monitor/log.c index 607b6354a4..d54b572ee7 100644 --- a/servers/slapd/back-monitor/log.c +++ b/servers/slapd/back-monitor/log.c @@ -197,8 +197,8 @@ monitor_subsys_log_modify( } /* check that the entry still obeys the schema */ - rc = entry_schema_check( be_monitor, e, save_attrs, - &text, textbuf, sizeof( textbuf ) ); + rc = entry_schema_check( be_monitor, e, save_attrs, 0, + &text, textbuf, sizeof( textbuf ) ); if ( rc != LDAP_SUCCESS ) { rs->sr_err = rc; goto cleanup; diff --git a/servers/slapd/back-sql/add.c b/servers/slapd/back-sql/add.c index 03accfc5ea..8b1144d126 100644 --- a/servers/slapd/back-sql/add.c +++ b/servers/slapd/back-sql/add.c 
@@ -989,9 +989,8 @@ backsql_add( Operation *op, SlapReply *rs ) if ( BACKSQL_CHECK_SCHEMA( bi ) ) { char textbuf[ SLAP_TEXT_BUFLEN ] = { '\0' }; - rs->sr_err = entry_schema_check( op->o_bd, op->ora_e, - NULL, - &rs->sr_text, textbuf, sizeof( textbuf ) ); + rs->sr_err = entry_schema_check( op->o_bd, op->ora_e, NULL, 0, + &rs->sr_text, textbuf, sizeof( textbuf ) ); if ( rs->sr_err != LDAP_SUCCESS ) { Debug( LDAP_DEBUG_TRACE, " backsql_add(\"%s\"): " "entry failed schema check -- aborting\n", diff --git a/servers/slapd/back-sql/modify.c b/servers/slapd/back-sql/modify.c index b75697a2d8..6b192631e2 100644 --- a/servers/slapd/back-sql/modify.c +++ b/servers/slapd/back-sql/modify.c @@ -167,9 +167,8 @@ backsql_modify( Operation *op, SlapReply *rs ) goto do_transact; } - rs->sr_err = entry_schema_check( op->o_bd, &m, - NULL, - &rs->sr_text, textbuf, sizeof( textbuf ) ); + rs->sr_err = entry_schema_check( op->o_bd, &m, NULL, 0, + &rs->sr_text, textbuf, sizeof( textbuf ) ); if ( rs->sr_err != LDAP_SUCCESS ) { Debug( LDAP_DEBUG_TRACE, " backsql_add(\"%s\"): " "entry failed schema check -- aborting\n", diff --git a/servers/slapd/back-sql/modrdn.c b/servers/slapd/back-sql/modrdn.c index 7c6c36baea..ade189bae8 100644 --- a/servers/slapd/back-sql/modrdn.c +++ b/servers/slapd/back-sql/modrdn.c @@ -495,9 +495,8 @@ backsql_modrdn( Operation *op, SlapReply *rs ) e_id = bsi.bsi_base_id; - rs->sr_err = entry_schema_check( op->o_bd, &r, - NULL, - &rs->sr_text, textbuf, sizeof( textbuf ) ); + rs->sr_err = entry_schema_check( op->o_bd, &r, NULL, 0, + &rs->sr_text, textbuf, sizeof( textbuf ) ); if ( rs->sr_err != LDAP_SUCCESS ) { Debug( LDAP_DEBUG_TRACE, " backsql_add(\"%s\"): " "entry failed schema check -- aborting\n", diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c index 356ba2f465..3a1d41969b 100644 --- a/servers/slapd/bconfig.c +++ b/servers/slapd/bconfig.c 
@@ -3305,8 +3305,8 @@ config_modify_internal( CfEntryInfo *ce, Operation *op, SlapReply *rs, if(rc == LDAP_SUCCESS) { /* check that the entry still obeys the schema */ - rc = entry_schema_check(op->o_bd, e, NULL, - &rs->sr_text, ca->msg, sizeof(ca->msg) ); + rc = entry_schema_check(op->o_bd, e, NULL, 0, + &rs->sr_text, ca->msg, sizeof(ca->msg) ); } if ( rc == LDAP_SUCCESS ) { /* Basic syntax checks are OK. Do the actual settings. */ diff --git a/servers/slapd/modify.c b/servers/slapd/modify.c index f80cebdf66..f33d3e44b8 100644 --- a/servers/slapd/modify.c +++ b/servers/slapd/modify.c @@ -187,7 +187,7 @@ do_modify( } rs->sr_err = slap_mods_check( modlist, &rs->sr_text, - textbuf, textlen, NULL ); + textbuf, textlen, NULL ); if ( rs->sr_err != LDAP_SUCCESS ) { send_ldap_result( op, rs ); @@ -442,8 +442,6 @@ fe_op_modify( Operation *op, SlapReply *rs ) } } - - if ( !repl_user ) { for( modtail = &modlist; *modtail != NULL; diff --git a/servers/slapd/proto-slap.h b/servers/slapd/proto-slap.h index 1250297aa3..c8c2095d2f 100644 --- a/servers/slapd/proto-slap.h +++ b/servers/slapd/proto-slap.h @@ -1272,7 +1272,10 @@ LDAP_SLAPD_F( int ) structural_class( char *textbuf, size_t textlen ); LDAP_SLAPD_F( int ) entry_schema_check( - Backend *be, Entry *e, Attribute *attrs, + Backend *be, + Entry *e, + Attribute *attrs, + int manage, const char** text, char *textbuf, size_t textlen ); diff --git a/servers/slapd/schema_check.c b/servers/slapd/schema_check.c index cdf21460ca..1d47ff4365 100644 --- a/servers/slapd/schema_check.c +++ b/servers/slapd/schema_check.c @@ -31,6 +31,7 @@ static char * oc_check_required( static int entry_naming_check( Entry *e, + int manage, const char** text, char *textbuf, size_t textlen ); /* @@ -45,6 +46,7 @@ entry_schema_check( Backend *be, Entry *e, Attribute *oldattrs, + int manage, const char** text, char *textbuf, size_t textlen ) { 
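Review bot: The new `int manage` parameter of entry_schema_check in proto-slap.h is undocumented, and its contract — the caller has already verified ACL_MANAGE for a manageDIT operation, so OBSOLETE object classes, content rules and naming attributes are tolerated — rests entirely on caller discipline, since the check itself lives in back-bdb/modify.c. A comment above the prototype, e.g. `/* manage: non-zero only after the caller has verified ACL_MANAGE (manageDIT); relaxes the OBSOLETE checks */`, would make that explicit for the many callers this commit changes to pass 0.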
@@ -151,7 +153,7 @@ entry_schema_check( return LDAP_OTHER; } - if( sc->soc_obsolete ) { + if( !manage && sc->soc_obsolete ) { snprintf( textbuf, textlen, "structuralObjectClass '%s' is OBSOLETE", asc->a_vals[0].bv_val ); @@ -201,7 +203,7 @@ entry_schema_check( /* naming check */ if ( !is_entry_objectclass ( e, slap_schema.si_oc_glue, 0 ) ) { - rc = entry_naming_check( e, text, textbuf, textlen ); + rc = entry_naming_check( e, manage, text, textbuf, textlen ); if( rc != LDAP_SUCCESS ) { return rc; } @@ -217,7 +219,7 @@ entry_schema_check( /* check that the entry has required attrs of the content rule */ if( cr ) { - if( cr->scr_obsolete ) { + if( !manage && cr->scr_obsolete ) { snprintf( textbuf, textlen, "content rule '%s' is obsolete", ldap_contentrule2name( &cr->scr_crule )); @@ -292,7 +294,7 @@ entry_schema_check( return LDAP_OBJECT_CLASS_VIOLATION; } - if ( oc->soc_obsolete ) { + if ( !manage && oc->soc_obsolete ) { /* disallow obsolete classes */ snprintf( textbuf, textlen, "objectClass '%s' is OBSOLETE", @@ -727,6 +729,7 @@ int mods_structural_class( static int entry_naming_check( Entry *e, + int manage, const char** text, char *textbuf, size_t textlen ) { @@ -787,7 +790,7 @@ entry_naming_check( break; } - if( desc->ad_type->sat_obsolete ) { + if( !manage && desc->ad_type->sat_obsolete ) { snprintf( textbuf, textlen, "naming attribute '%s' is obsolete", ava->la_attr.bv_val ); diff --git a/servers/slapd/slapadd.c b/servers/slapd/slapadd.c index 1ee67a86b4..ac66a3f008 100644 --- a/servers/slapd/slapadd.c +++ b/servers/slapd/slapadd.c @@ -53,6 +53,7 @@ slapadd( int argc, char **argv ) char textbuf[SLAP_TEXT_BUFLEN] = { '\0' }; size_t textlen = sizeof textbuf; const char *progname = "slapadd"; + int manage = 0; struct berval csn; struct berval maxcsn; 
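Review bot: slapadd declares `int manage = 0;` and passes it to entry_schema_check, but in the visible hunks the variable is never assigned; if a command-line switch is planned, a `/* TODO: option to set manage for manageDIT-style loads */` comment would explain the placeholder, otherwise passing a literal 0 like every other caller in this commit is simpler. In schema_check.c the four `!manage &&` guards (structural class, content rule, auxiliary class, naming attribute) are consistent, but none says why OBSOLETE is tolerated; one comment at the first guard, e.g. `/* manageDIT: tolerate OBSOLETE schema elements, presumably so entries already holding them can be edited */`, would cover all four.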
@@ -181,7 +182,8 @@ slapadd( int argc, char **argv ) } /* check schema */ - rc = entry_schema_check( be, e, NULL, &text, textbuf, textlen ); + rc = entry_schema_check( be, e, NULL, manage, + &text, textbuf, textlen ); if( rc != LDAP_SUCCESS ) { fprintf( stderr, "%s: dn=\"%s\" (line=%d): (%d) %s\n", diff --git a/servers/slapd/slapi/slapi_utils.c b/servers/slapd/slapi/slapi_utils.c index 7590a93912..1adeb85086 100644 --- a/servers/slapd/slapi/slapi_utils.c +++ b/servers/slapd/slapi/slapi_utils.c @@ -4118,7 +4118,8 @@ int slapi_entry_schema_check( Slapi_PBlock *pb, Slapi_Entry *e ) if ( slapi_pblock_get( pb, SLAPI_BACKEND, (void **)&be ) != 0 ) return -1; - rc = entry_schema_check( be, e, NULL, &text, textbuf, textlen ); + rc = entry_schema_check( be, e, NULL, 0, + &text, textbuf, textlen ); return ( rc == LDAP_SUCCESS ) ? 0 : 1; #else