From 056c5ba7c102bb06b3f600a4e9270ccc2438abf9 Mon Sep 17 00:00:00 2001 From: Pierangelo Masarati Date: Wed, 12 Jan 2005 00:28:37 +0000 Subject: [PATCH] fix couple of bugs in recent 'disclose' commits; prepare for sending matchedDN when appropriate; note ITS#3480 access control issues --- servers/slapd/back-sql/add.c | 8 ++-- servers/slapd/back-sql/back-sql.h | 2 +- servers/slapd/back-sql/compare.c | 66 ++++++++++++++++++------------ servers/slapd/back-sql/delete.c | 3 +- servers/slapd/back-sql/entry-id.c | 52 +++++++++++++---------- servers/slapd/back-sql/modify.c | 1 + servers/slapd/back-sql/modrdn.c | 9 ++-- servers/slapd/back-sql/proto-sql.h | 10 ++++- servers/slapd/back-sql/search.c | 30 +++++++++----- 9 files changed, 111 insertions(+), 70 deletions(-) diff --git a/servers/slapd/back-sql/add.c b/servers/slapd/back-sql/add.c index c46dbba0a1..051503848f 100644 --- a/servers/slapd/back-sql/add.c +++ b/servers/slapd/back-sql/add.c @@ -1068,7 +1068,7 @@ backsql_add( Operation *op, SlapReply *rs ) goto done; } - rs->sr_err = backsql_dn2id( op, rs, NULL, dbh, &realdn, 0 ); + rs->sr_err = backsql_dn2id( op, rs, dbh, &realdn, NULL, 0, 0 ); if ( rs->sr_err == LDAP_SUCCESS ) { Debug( LDAP_DEBUG_TRACE, " backsql_add(\"%s\"): " "entry exists\n", @@ -1087,7 +1087,7 @@ backsql_add( Operation *op, SlapReply *rs ) dnParent( &op->oq_add.rs_e->e_nname, &pdn ); } - rs->sr_err = backsql_dn2id( op, rs, &parent_id, dbh, &pdn, 1 ); + rs->sr_err = backsql_dn2id( op, rs, dbh, &pdn, &parent_id, 0, 1 ); if ( rs->sr_err != LDAP_SUCCESS ) { Debug( LDAP_DEBUG_TRACE, " backsql_add(\"%s\"): " "could not lookup parent entry for new record \"%s\"\n", @@ -1121,7 +1121,7 @@ backsql_add( Operation *op, SlapReply *rs ) /* * Empty DN ("") defaults to LDAP_SUCCESS */ - rs->sr_err = backsql_dn2id( op, rs, NULL, dbh, &pdn, 1 ); + rs->sr_err = backsql_dn2id( op, rs, dbh, &pdn, NULL, 0, 1 ); switch ( rs->sr_err ) { case LDAP_NO_SUCH_OBJECT: if ( !BER_BVISEMPTY( &pdn ) ) { 
@@ -1154,6 +1154,8 @@ backsql_add( Operation *op, SlapReply *rs ) p.e_attrs = NULL; p.e_name = pdn; dnParent( &op->oq_add.rs_e->e_nname, &p.e_nname ); + + /* FIXME: need the whole entry (ITS#3480) */ if ( !access_allowed( op, &p, slap_schema.si_ad_children, NULL, ACL_WRITE, NULL ) ) { rs->sr_err = LDAP_INSUFFICIENT_ACCESS; diff --git a/servers/slapd/back-sql/back-sql.h b/servers/slapd/back-sql/back-sql.h index dd3a35edce..b44bf0701d 100644 --- a/servers/slapd/back-sql/back-sql.h +++ b/servers/slapd/back-sql/back-sql.h @@ -498,7 +498,7 @@ typedef struct { #define BACKSQL_IS_BASEOBJECT_ID(id) (bvmatch((id), &backsql_baseObject_bv)) #else /* ! BACKSQL_ARBITRARY_KEY */ #define BACKSQL_BASEOBJECT_ID 0 -#define BACKSQL_BASEOBJECT_IDSTR "0" +#define BACKSQL_BASEOBJECT_IDSTR LDAP_XSTRING(BACKSQL_BASEOBJECT_ID) #define BACKSQL_BASEOBJECT_KEYVAL 0 #define BACKSQL_IS_BASEOBJECT_ID(id) (*(id) == BACKSQL_BASEOBJECT_ID) #endif /* ! BACKSQL_ARBITRARY_KEY */ diff --git a/servers/slapd/back-sql/compare.c b/servers/slapd/back-sql/compare.c index d7890156c9..7381ecc057 100644 --- a/servers/slapd/back-sql/compare.c +++ b/servers/slapd/back-sql/compare.c @@ -36,12 +36,11 @@ backsql_compare( Operation *op, SlapReply *rs ) Attribute *a = NULL; backsql_srch_info bsi; int rc; - AttributeName anlist[2]; + AttributeName anlist[2], + *anlistp = NULL; - user_entry.e_name.bv_val = NULL; - user_entry.e_name.bv_len = 0; - user_entry.e_nname.bv_val = NULL; - user_entry.e_nname.bv_len = 0; + BER_BVZERO( &user_entry.e_name ); + BER_BVZERO( &user_entry.e_nname ); user_entry.e_attrs = NULL; Debug( LDAP_DEBUG_TRACE, "==>backsql_compare()\n", 0, 0, 0 ); 
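Review bot: The `children` write check in this add.c hunk runs against an entry `p` that carries only a DN, since `p.e_attrs = NULL` is set just above the call, and the added FIXME does not say what that costs. Any ACL clause that selects or grants by entry content is presumably evaluated against an empty entry, so the decision can differ from what the same rule yields when the stored entry is passed. The same DN-only pattern is marked in the compare.c, delete.c, modify.c, modrdn.c and search.c hunks of this patch. I would spell the consequence out in the comment, e.g. `/* FIXME: need the whole entry (ITS#3480); with e_attrs == NULL, content-based ACL clauses cannot match */`, so that anyone writing ACLs for this backend knows only DN-based rules are reliable until the entry is fetched.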
@@ -64,12 +63,43 @@ backsql_compare( Operation *op, SlapReply *rs ) /* * Try to get attr as dynamic operational */ + if ( !is_at_operational( op->oq_compare.rs_ava->aa_desc->ad_type ) ) { + anlistp = anlist; + } + + + rc = backsql_init_search( &bsi, &op->o_req_ndn, + LDAP_SCOPE_BASE, + SLAP_NO_LIMIT, SLAP_NO_LIMIT, + (time_t)(-1), NULL, dbh, op, rs, anlistp, + BACKSQL_ISF_GET_ID ); + if ( rc != LDAP_SUCCESS ) { + Debug( LDAP_DEBUG_TRACE, "backsql_compare(): " + "could not retrieve compareDN ID - no such entry\n", + 0, 0, 0 ); + rs->sr_err = LDAP_NO_SUCH_OBJECT; + goto return_results; + + } else { + Entry e = { 0 }; + + e.e_name = bsi.bsi_base_id.eid_dn; + e.e_nname = bsi.bsi_base_id.eid_ndn; + + /* FIXME: need the whole entry (ITS#3480) */ + if ( ! access_allowed( op, &e, slap_schema.si_ad_entry, NULL, + ACL_DISCLOSE, NULL ) ) { + rs->sr_err = LDAP_NO_SUCH_OBJECT; + goto return_results; + } + } + if ( is_at_operational( op->oq_compare.rs_ava->aa_desc->ad_type ) ) { SlapReply nrs = { 0 }; user_entry.e_attrs = NULL; - user_entry.e_name = op->o_req_dn; - user_entry.e_nname = op->o_req_ndn; + user_entry.e_name = bsi.bsi_base_id.eid_dn; + user_entry.e_nname = bsi.bsi_base_id.eid_ndn; nrs.sr_attrs = anlist; nrs.sr_entry = &user_entry; @@ -84,19 +114,6 @@ backsql_compare( Operation *op, SlapReply *rs ) user_entry.e_attrs = nrs.sr_operational_attrs; } else { - rc = backsql_init_search( &bsi, &op->o_req_ndn, - LDAP_SCOPE_BASE, - SLAP_NO_LIMIT, SLAP_NO_LIMIT, - (time_t)(-1), NULL, dbh, op, rs, anlist, - BACKSQL_ISF_GET_ID ); - if ( rc != LDAP_SUCCESS ) { - Debug( LDAP_DEBUG_TRACE, "backsql_compare(): " - "could not retrieve compareDN ID - no such entry\n", - 0, 0, 0 ); - rs->sr_err = LDAP_NO_SUCH_OBJECT; - goto return_results; - } - bsi.bsi_e = &user_entry; rc = backsql_id2entry( &bsi, &bsi.bsi_base_id ); if ( rc != LDAP_SUCCESS ) { 
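Review bot: In the operational-attribute branch of this compare.c hunk, `user_entry.e_name` and `user_entry.e_nname` now alias `bsi.bsi_base_id.eid_dn` / `eid_ndn` (filled by `dnPrettyNormal()` in `backsql_dn2id()`) instead of the request DNs, so the same storage has two apparent owners. The cleanup at `return_results` is outside the hunk. If it releases both `user_entry` and `bsi.bsi_base_id`, the DN is freed twice; if it releases neither, the new early `goto return_results` after a failed ACL_DISCLOSE check leaks the ID that `backsql_init_search()` just filled in. A comment at the assignment such as `/* borrowed from bsi.bsi_base_id; released only through backsql_free_entryID() */` would pin the ownership, and the cleanup path should be checked against it.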
@@ -109,12 +126,7 @@ backsql_compare( Operation *op, SlapReply *rs ) } e = &user_entry; - if ( ! access_allowed( op, e, slap_schema.si_ad_entry, NULL, - ACL_DISCLOSE, NULL ) ) { - rs->sr_err = LDAP_NO_SUCH_OBJECT; - goto return_results; - } - + /* FIXME: need the whole entry (ITS#3480) */ if ( ! access_allowed( op, e, op->oq_compare.rs_ava->aa_desc, &op->oq_compare.rs_ava->aa_value, ACL_COMPARE, NULL ) ) { @@ -125,7 +137,7 @@ backsql_compare( Operation *op, SlapReply *rs ) rs->sr_err = LDAP_NO_SUCH_ATTRIBUTE; for ( a = attrs_find( e->e_attrs, op->oq_compare.rs_ava->aa_desc ); a != NULL; - a = attrs_find( a->a_next, op->oq_compare.rs_ava->aa_desc )) + a = attrs_find( a->a_next, op->oq_compare.rs_ava->aa_desc ) ) { rs->sr_err = LDAP_COMPARE_FALSE; if ( value_find_ex( op->oq_compare.rs_ava->aa_desc, diff --git a/servers/slapd/back-sql/delete.c b/servers/slapd/back-sql/delete.c index 366297c791..20bab6dcc5 100644 --- a/servers/slapd/back-sql/delete.c +++ b/servers/slapd/back-sql/delete.c @@ -101,6 +101,7 @@ backsql_delete( Operation *op, SlapReply *rs ) e.e_attrs = NULL; /* check parent for "children" acl */ + /* FIXME: need the whole entry (ITS#3480) */ if ( !access_allowed( op, &e, slap_schema.si_ad_children, NULL, ACL_WRITE, NULL ) ) { Debug( LDAP_DEBUG_TRACE, " backsql_delete(): " @@ -121,7 +122,7 @@ backsql_delete( Operation *op, SlapReply *rs ) goto done; } - rs->sr_err = backsql_dn2id( op, rs, &e_id, dbh, &op->o_req_ndn, 1 ); + rs->sr_err = backsql_dn2id( op, rs, dbh, &op->o_req_ndn, &e_id, 0, 1 ); if ( rs->sr_err != LDAP_SUCCESS ) { Debug( LDAP_DEBUG_TRACE, " backsql_delete(): " "could not lookup entry id\n", 0, 0, 0 ); diff --git a/servers/slapd/back-sql/entry-id.c b/servers/slapd/back-sql/entry-id.c index 6d17e0e19f..03e19aa295 100644 --- a/servers/slapd/back-sql/entry-id.c +++ b/servers/slapd/back-sql/entry-id.c 
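Review bot: The ACL_DISCLOSE check removed in this compare.c hunk was the only one that saw `e = &user_entry` after the entry had been populated; its replacement earlier in the function checks a stub that holds nothing but the DN. A client that a content-based rule should deny would therefore pass the stub check and receive whatever the ACL_COMPARE branch returns (that branch continues outside the hunk), which may not be `LDAP_NO_SUCH_OBJECT` and so may reveal that the entry exists. Until ITS#3480 is resolved I would keep the second check here, on the loaded entry, in addition to the early one: `if ( ! access_allowed( op, e, slap_schema.si_ad_entry, NULL, ACL_DISCLOSE, NULL ) ) { rs->sr_err = LDAP_NO_SUCH_OBJECT; goto return_results; }`.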
@@ -81,9 +81,10 @@ int backsql_dn2id( Operation *op, SlapReply *rs, - backsql_entryID *id, SQLHDBC dbh, struct berval *ndn, + backsql_entryID *id, + int matched, int muck ) { backsql_info *bi = op->o_bd->be_private; @@ -105,13 +106,14 @@ backsql_dn2id( * positive cases, or the most appropriate error */ - Debug( LDAP_DEBUG_TRACE, "==>backsql_dn2id(): dn=\"%s\"%s\n", - ndn->bv_val, id == NULL ? " (no ID)" : "", 0 ); + Debug( LDAP_DEBUG_TRACE, "==>backsql_dn2id(\"%s\")%s%s\n", + ndn->bv_val, id == NULL ? " (no ID expected)" : "", + matched ? " matched expected" : "" ); if ( ndn->bv_len > BACKSQL_MAX_DN_LEN ) { Debug( LDAP_DEBUG_TRACE, - "backsql_dn2id(): DN \"%s\" (%ld bytes) " - "exceeds max DN length (%d):\n", + " backsql_dn2id(\"%s\"): DN length=%ld " + "exceeds max DN length %d:\n", ndn->bv_val, ndn->bv_len, BACKSQL_MAX_DN_LEN ); return LDAP_OTHER; } @@ -141,13 +143,15 @@ backsql_dn2id( } /* begin TimesTen */ - Debug( LDAP_DEBUG_TRACE, "id_query \"%s\"\n", bi->sql_id_query, 0, 0 ); + Debug( LDAP_DEBUG_TRACE, " backsql_dn2id(\"%s\"): id_query \"%s\"\n", + ndn->bv_val, bi->sql_id_query, 0 ); assert( bi->sql_id_query ); rc = backsql_Prepare( dbh, &sth, bi->sql_id_query, 0 ); if ( rc != SQL_SUCCESS ) { Debug( LDAP_DEBUG_TRACE, - "backsql_dn2id(): error preparing SQL:\n%s", - bi->sql_id_query, 0, 0); + " backsql_dn2id(\"%s\"): " + "error preparing SQL:\n %s", + ndn->bv_val, bi->sql_id_query, 0 ); backsql_PrintErrors( bi->sql_db_env, dbh, sth, rc ); res = LDAP_OTHER; goto done; @@ -177,8 +181,9 @@ backsql_dn2id( upperdn[ i ] = '\0'; ldap_pvt_str2upper( upperdn ); - Debug( LDAP_DEBUG_TRACE, "==>backsql_dn2id(): upperdn=\"%s\"\n", - upperdn, 0, 0 ); + Debug( LDAP_DEBUG_TRACE, " backsql_dn2id(\"%s\"): " + "upperdn=\"%s\"\n", + ndn->bv_val, upperdn, 0 ); ber_str2bv( upperdn, 0, 0, &tbbDN ); } else { 
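Review bot: The new `matched` argument of `backsql_dn2id()` is, in the hunks shown, only echoed in the entry trace, and neither the definition nor the prototype comment in proto-sql.h says what `matched` and `muck` mean. Both are adjacent plain `int`s and every caller in this patch passes bare literals (`0, 1`), so a transposed pair compiles cleanly. I would document both at the prototype, for example `/* matched: non-zero if the caller wants the closest existing ancestor for matchedDN */` plus a matching line for `muck`. Judging from the commit subject, a later change will fill in matchedDN; the comment should then also state that the ancestor DN must pass its own ACL_DISCLOSE check before it is returned. The function body continues outside this hunk.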
@@ -186,8 +191,9 @@ backsql_dn2id( AC_MEMCPY( upperdn, realndn.bv_val, realndn.bv_len + 1 ); ldap_pvt_str2upper( upperdn ); Debug( LDAP_DEBUG_TRACE, - "==>backsql_dn2id(): upperdn=\"%s\"\n", - upperdn, 0, 0 ); + " backsql_dn2id(\"%s\"): " + "upperdn=\"%s\"\n", + ndn->bv_val, upperdn, 0 ); ber_str2bv( upperdn, 0, 0, &tbbDN ); } else { @@ -198,9 +204,9 @@ backsql_dn2id( rc = backsql_BindParamBerVal( sth, 1, SQL_PARAM_INPUT, &tbbDN ); if ( rc != SQL_SUCCESS) { /* end TimesTen */ - Debug( LDAP_DEBUG_TRACE, "backsql_dn2id(): " + Debug( LDAP_DEBUG_TRACE, " backsql_dn2id(\"%s\"): " "error binding dn=\"%s\" parameter:\n", - tbbDN.bv_val, 0, 0 ); + ndn->bv_val, tbbDN.bv_val, 0 ); backsql_PrintErrors( bi->sql_db_env, dbh, sth, rc ); res = LDAP_OTHER; goto done; @@ -208,9 +214,9 @@ backsql_dn2id( rc = SQLExecute( sth ); if ( rc != SQL_SUCCESS ) { - Debug( LDAP_DEBUG_TRACE, "backsql_dn2id(): " + Debug( LDAP_DEBUG_TRACE, " backsql_dn2id(\"%s\"): " "error executing query (\"%s\", \"%s\"):\n", - bi->sql_id_query, tbbDN.bv_val, 0 ); + ndn->bv_val, bi->sql_id_query, tbbDN.bv_val ); backsql_PrintErrors( bi->sql_db_env, dbh, sth, rc ); res = LDAP_OTHER; goto done; @@ -219,7 +225,7 @@ backsql_dn2id( backsql_BindRowAsStrings( sth, &row ); rc = SQLFetch( sth ); if ( BACKSQL_SUCCESS( rc ) ) { - char buf[BUFSIZ]; + char buf[ SLAP_TEXT_BUFLEN ]; #ifdef LDAP_DEBUG snprintf( buf, sizeof(buf), @@ -227,7 +233,8 @@ backsql_dn2id( row.cols[ 0 ], row.cols[ 1 ], row.cols[ 2 ], row.cols[ 3 ] ); Debug( LDAP_DEBUG_TRACE, - "<==backsql_dn2id(): %s\n", buf, 0, 0 ); + " backsql_dn2id(\"%s\"): %s\n", + ndn->bv_val, buf, 0 ); #endif /* LDAP_DEBUG */ res = LDAP_SUCCESS; @@ -252,7 +259,7 @@ backsql_dn2id( res = dnPrettyNormal( NULL, &dn, &id->eid_dn, &id->eid_ndn, NULL ); if ( res != LDAP_SUCCESS ) { Debug( LDAP_DEBUG_TRACE, - "<==backsql_dn2id(\"%s\"): " + " backsql_dn2id(\"%s\"): " "dnPrettyNormal failed (%d: %s)\n", realndn.bv_val, res, ldap_err2string( res ) ); 
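Review bot: In the `@@ -219,7 +225,7 @@` hunk, `char buf[ SLAP_TEXT_BUFLEN ];` is declared outside the `#ifdef LDAP_DEBUG` block that holds its only visible use, so non-debug builds get an unused stack buffer and an unused-variable warning. Moving the declaration to just inside the `#ifdef`, directly above `snprintf( buf, sizeof(buf), ...`, keeps the buffer next to the code that fills it. The enclosing `if ( BACKSQL_SUCCESS( rc ) )` block continues past the hunk, so confirm that `buf` has no later user before moving it.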
@@ -271,12 +278,13 @@ backsql_dn2id( } else { res = LDAP_NO_SUCH_OBJECT; - Debug( LDAP_DEBUG_TRACE, "<==backsql_dn2id(): no match\n", - 0, 0, 0 ); } backsql_FreeRow( &row ); done:; + Debug( LDAP_DEBUG_TRACE, + "<==backsql_dn2id(\"%s\"): err=%d\n", + ndn->bv_val, res, 0 ); if ( sth != SQL_NULL_HSTMT ) { SQLFreeStmt( sth, SQL_DROP ); } @@ -626,7 +634,7 @@ next:; int rc; bv[ 0 ] = bsi->bsi_oc->bom_oc->soc_cname; - bv[ 1 ].bv_val = NULL; + BER_BVZERO( &bv[ 1 ] ); rc = structural_class( bv, &soc, NULL, &text, textbuf, textlen ); diff --git a/servers/slapd/back-sql/modify.c b/servers/slapd/back-sql/modify.c index 621899c4ac..29b20f130d 100644 --- a/servers/slapd/back-sql/modify.c +++ b/servers/slapd/back-sql/modify.c @@ -113,6 +113,7 @@ backsql_modify( Operation *op, SlapReply *rs ) goto done; } + /* FIXME: need the whole entry (ITS#3480) */ if ( !acl_check_modlist( op, &e, op->oq_modify.rs_modlist ) ) { rs->sr_err = LDAP_INSUFFICIENT_ACCESS; diff --git a/servers/slapd/back-sql/modrdn.c b/servers/slapd/back-sql/modrdn.c index c54d8833c9..1ffa979158 100644 --- a/servers/slapd/back-sql/modrdn.c +++ b/servers/slapd/back-sql/modrdn.c @@ -66,7 +66,7 @@ backsql_modrdn( Operation *op, SlapReply *rs ) return 1; } - rs->sr_err = backsql_dn2id( op, rs, &e_id, dbh, &op->o_req_ndn, 1 ); + rs->sr_err = backsql_dn2id( op, rs, dbh, &op->o_req_ndn, &e_id, 0, 1 ); if ( rs->sr_err != LDAP_SUCCESS ) { Debug( LDAP_DEBUG_TRACE, " backsql_modrdn(): " "could not lookup entry id (%d)\n", @@ -116,6 +116,7 @@ backsql_modrdn( Operation *op, SlapReply *rs ) e.e_attrs = NULL; e.e_name = p_dn; e.e_nname = p_ndn; + /* FIXME: need the whole entry (ITS#3480) */ if ( !access_allowed( op, &e, slap_schema.si_ad_children, NULL, ACL_WRITE, NULL ) ) { Debug( LDAP_DEBUG_TRACE, " no access to parent\n", 0, 0, 0 ); 
@@ -145,6 +146,7 @@ backsql_modrdn( Operation *op, SlapReply *rs ) /* * Check for children access to new parent */ + /* FIXME: need the whole entry (ITS#3480) */ if ( !access_allowed( op, &e, slap_schema.si_ad_children, NULL, ACL_WRITE, NULL ) ) { Debug( LDAP_DEBUG_TRACE, " backsql_modrdn(): " @@ -192,7 +194,7 @@ backsql_modrdn( Operation *op, SlapReply *rs ) Debug( LDAP_DEBUG_TRACE, " backsql_modrdn(): new entry dn is \"%s\"\n", new_dn.bv_val, 0, 0 ); - rs->sr_err = backsql_dn2id( op, rs, &pe_id, dbh, &p_ndn, 1 ); + rs->sr_err = backsql_dn2id( op, rs, dbh, &p_ndn, &pe_id, 0, 1 ); if ( rs->sr_err != LDAP_SUCCESS ) { Debug( LDAP_DEBUG_TRACE, " backsql_modrdn(): " "could not lookup old parent entry id\n", 0, 0, 0 ); @@ -212,7 +214,7 @@ backsql_modrdn( Operation *op, SlapReply *rs ) (void)backsql_free_entryID( &pe_id, 0 ); - rs->sr_err = backsql_dn2id( op, rs, &new_pe_id, dbh, new_npdn, 1 ); + rs->sr_err = backsql_dn2id( op, rs, dbh, new_npdn, &new_pe_id, 0, 1 ); if ( rs->sr_err != LDAP_SUCCESS ) { Debug( LDAP_DEBUG_TRACE, " backsql_modrdn(): " "could not lookup new parent entry id\n", 0, 0, 0 ); @@ -420,6 +422,7 @@ backsql_modrdn( Operation *op, SlapReply *rs ) goto modrdn_return; } + /* FIXME: need the whole entry (ITS#3480) */ if ( !acl_check_modlist( op, &e, mod )) { rs->sr_err = LDAP_INSUFFICIENT_ACCESS; goto modrdn_return; diff --git a/servers/slapd/back-sql/proto-sql.h b/servers/slapd/back-sql/proto-sql.h index 1e019b587a..75b2634941 100644 --- a/servers/slapd/back-sql/proto-sql.h +++ b/servers/slapd/back-sql/proto-sql.h 
@@ -111,8 +111,9 @@ extern struct berval backsql_baseObject_bv; #endif /* BACKSQL_ARBITRARY_KEY */ /* stores in *id the ID in table ldap_entries corresponding to DN, if any */ -int backsql_dn2id( Operation *op, SlapReply *rs, backsql_entryID *id, - SQLHDBC dbh, struct berval *dn, int muck ); +int backsql_dn2id( Operation *op, SlapReply *rs, SQLHDBC dbh, + struct berval *ndn, backsql_entryID *id, + int matched, int muck ); /* stores in *nchildren the count of children for an entry */ int backsql_count_children( backsql_info *bi, SQLHDBC dbh, @@ -163,6 +164,11 @@ int backsql_destroy_schema_map( backsql_info *si ); /* the function must collect the entry associated to nbase */ #define BACKSQL_ISF_GET_ID 0x1U +#define BACKSQL_ISF_MATCHED 0x2U +#define BACKSQL_IS_GET_ID(f) \ + ( ( (f) & BACKSQL_ISF_GET_ID ) == BACKSQL_ISF_GET_ID ) +#define BACKSQL_IS_MATCHED(f) \ + ( ( (f) & BACKSQL_ISF_MATCHED ) == BACKSQL_ISF_MATCHED ) int backsql_init_search( backsql_srch_info *bsi, struct berval *nbase, int scope, int slimit, int tlimit, time_t stoptime, Filter *filter, SQLHDBC dbh, diff --git a/servers/slapd/back-sql/search.c b/servers/slapd/back-sql/search.c index ace1fc6d24..879379d039 100644 --- a/servers/slapd/back-sql/search.c +++ b/servers/slapd/back-sql/search.c @@ -195,10 +195,11 @@ backsql_init_search( bsi->bsi_flt_where.bb_len = 0; bsi->bsi_filter_oc = NULL; - if ( flags & BACKSQL_ISF_GET_ID ) { + if ( BACKSQL_IS_GET_ID( flags ) ) { assert( op->o_bd->be_private ); - rc = backsql_dn2id( op, rs, &bsi->bsi_base_id, dbh, nbase, 1 ); + rc = backsql_dn2id( op, rs, dbh, nbase, &bsi->bsi_base_id, + BACKSQL_IS_MATCHED( flags ), 1 ); } return ( bsi->bsi_status = rc ); 
@@ -686,8 +687,7 @@ backsql_process_filter( backsql_srch_info *bsi, Filter *f ) #ifdef BACKSQL_SYNCPROV } else if ( ad == slap_schema.si_ad_entryCSN ) { /* - * TODO: introduce appropriate entryCSN filtering - * to support syncrepl as producer... + * support for syncrepl as producer... */ if ( !bsi->bsi_op->o_sync ) { /* unsupported at present... */ @@ -1716,13 +1716,20 @@ backsql_search( Operation *op, SlapReply *rs ) if ( rs->sr_err != LDAP_SUCCESS ) { send_ldap_result( op, rs ); goto done; - } - if ( ! access_allowed( op, bsi.bsi_e, slap_schema.si_ad_entry, NULL, - ACL_DISCLOSE, NULL ) ) { - rs->sr_err = LDAP_NO_SUCH_OBJECT; - send_ldap_result( op, rs ); - goto done; + } else { + Entry e = { 0 }; + + e.e_name = bsi.bsi_base_id.eid_dn; + e.e_nname = bsi.bsi_base_id.eid_ndn; + /* FIXME: need the whole entry (ITS#3480) */ + if ( ! access_allowed( op, &e, slap_schema.si_ad_entry, + NULL, ACL_DISCLOSE, NULL ) ) + { + rs->sr_err = LDAP_NO_SUCH_OBJECT; + send_ldap_result( op, rs ); + goto done; + } } bsi.bsi_n_candidates = @@ -1911,7 +1918,7 @@ backsql_search( Operation *op, SlapReply *rs ) } if ( !rs->sr_ref ) { - rs->sr_text = "bad_referral object"; + rs->sr_text = "bad referral object"; } rs->sr_entry = e; @@ -1995,6 +2002,7 @@ backsql_search( Operation *op, SlapReply *rs ) if ( e == &user_entry ) { rs->sr_flags = REP_ENTRY_MODIFIABLE; } + /* FIXME: need the whole entry (ITS#3480) */ sres = send_search_entry( op, rs ); rs->sr_entry = NULL; rs->sr_attrs = NULL; -- 2.39.5