From 434e7229ac48961f654e4530adf27098b2c8ef4d Mon Sep 17 00:00:00 2001 From: Kurt Zeilenga Date: Thu, 27 Jan 2000 19:02:24 +0000 Subject: [PATCH] Add code to handle operational attributes via new schema codes behind -USLAPD_SCHEMA_COMPAT. --- servers/slapd/acl.c | 4 +-- servers/slapd/add.c | 2 +- servers/slapd/modify.c | 2 +- servers/slapd/proto-slap.h | 6 ++-- servers/slapd/result.c | 8 ++--- servers/slapd/schema.c | 71 ++++++++++++++++++++++++++------------ 6 files changed, 60 insertions(+), 33 deletions(-) diff --git a/servers/slapd/acl.c b/servers/slapd/acl.c index cc0802a211..fe3029b9c5 100644 --- a/servers/slapd/acl.c +++ b/servers/slapd/acl.c @@ -103,7 +103,7 @@ access_allowed( * by ACL_WRITE checking as any found here are not provided * by the user */ - if ( access >= ACL_WRITE && oc_check_no_usermod_attr( attr ) ) { + if ( access >= ACL_WRITE && oc_check_op_no_usermod_attr( attr ) ) { Debug( LDAP_DEBUG_ACL, "NoUserMod Operational attribute:" " %s access granted\n", attr, 0, 0 ); @@ -632,7 +632,7 @@ acl_check_modlist( * by ACL_WRITE checking as any found here are not provided * by the user */ - if ( oc_check_no_usermod_attr( mlist->ml_type ) ) { + if ( oc_check_op_no_usermod_attr( mlist->ml_type ) ) { Debug( LDAP_DEBUG_ACL, "NoUserMod Operational attribute:" " modify access granted\n", mlist->ml_type, 0, 0 ); diff --git a/servers/slapd/add.c b/servers/slapd/add.c index 9bc2133841..8aafe94d55 100644 --- a/servers/slapd/add.c +++ b/servers/slapd/add.c @@ -242,7 +242,7 @@ add_created_attrs( Operation *op, Entry *e ) /* return error on any attempts by the user to add these attrs */ for ( a = e->e_attrs; a != NULL; a = a->a_next ) { - if ( oc_check_no_usermod_attr( a->a_type ) ) { + if ( oc_check_op_no_usermod_attr( a->a_type ) ) { return LDAP_CONSTRAINT_VIOLATION; } } diff --git a/servers/slapd/modify.c b/servers/slapd/modify.c index 2eea03e3ef..a1cc074cec 100644 --- a/servers/slapd/modify.c +++ b/servers/slapd/modify.c @@ -272,7 +272,7 @@ add_modified_attrs( Operation *op, LDAPModList **modlist ) /* remove any attempts by the user to modify these attrs */ for ( m = *modlist; m != NULL; m = m->ml_next ) { - if ( oc_check_no_usermod_attr( m->ml_type ) ) { + if ( oc_check_op_no_usermod_attr( m->ml_type ) ) { return LDAP_CONSTRAINT_VIOLATION; } } diff --git a/servers/slapd/proto-slap.h b/servers/slapd/proto-slap.h index 95d8347ac0..481f5fc792 100644 --- a/servers/slapd/proto-slap.h +++ b/servers/slapd/proto-slap.h @@ -439,9 +439,9 @@ LIBSLAPD_F (int) sasl_bind LDAP_P((Backend *, */ LIBSLAPD_F (int) oc_schema_check LDAP_P(( Entry *e )); -LIBSLAPD_F (int) oc_check_operational_attr LDAP_P(( const char *type )); -LIBSLAPD_F (int) oc_check_usermod_attr LDAP_P(( const char *type )); -LIBSLAPD_F (int) oc_check_no_usermod_attr LDAP_P(( const char *type )); +LIBSLAPD_F (int) oc_check_op_attr LDAP_P(( const char *type )); +LIBSLAPD_F (int) oc_check_op_usermod_attr LDAP_P(( const char *type )); +LIBSLAPD_F (int) oc_check_op_no_usermod_attr LDAP_P(( const char *type )); LIBSLAPD_F (ObjectClass *) oc_find LDAP_P((const char *ocname)); LIBSLAPD_F (int) oc_add LDAP_P((LDAP_OBJECT_CLASS *oc, const char **err)); diff --git a/servers/slapd/result.c b/servers/slapd/result.c index cd7c59e598..ab5b12750e 100644 --- a/servers/slapd/result.c +++ b/servers/slapd/result.c @@ -661,13 +661,13 @@ send_search_entry( for ( a = e->e_attrs; a != NULL; a = a->a_next ) { if ( attrs == NULL ) { /* all addrs request, skip operational attributes */ - if( !opattrs && oc_check_operational_attr( a->a_type ) ) { + if( !opattrs && oc_check_op_attr( a->a_type ) ) { continue; } } else { /* specific addrs requested */ - if ( oc_check_operational_attr( a->a_type ) ) { + if ( oc_check_op_attr( a->a_type ) ) { if( !opattrs && !charray_inlist( attrs, a->a_type ) ) { continue; @@ -735,13 +735,13 @@ send_search_entry( do { if ( attrs == NULL ) { /* all addrs request, skip operational attributes */ - if( !opattrs && oc_check_operational_attr( a->a_type ) ) { + if( !opattrs && oc_check_op_attr( a->a_type ) ) { continue; } } else { /* specific addrs requested */ - if ( oc_check_operational_attr( a->a_type ) ) { + if ( oc_check_op_attr( a->a_type ) ) { if( !opattrs && !charray_inlist( attrs, a->a_type ) ) { continue; diff --git a/servers/slapd/schema.c b/servers/slapd/schema.c index faf96a5e03..1e5287f740 100644 --- a/servers/slapd/schema.c +++ b/servers/slapd/schema.c @@ -138,15 +138,22 @@ oc_check_required( Entry *e, char *ocname ) return( NULL ); } -static char *oc_usermod_attrs[] = { +#ifdef SLAPD_SCHEMA_COMPAT + /* these shouldn't be hardcoded */ + +static char *oc_op_usermod_attrs[] = { /* - * OpenLDAP doesn't support any user modification of - * operational attributes. + * these are operational attributes which are + * not defined as NO-USER_MODIFICATION and + * which slapd supports modification of. + * + * Currently none. + * Likely candidate, "aci" */ NULL }; -static char *oc_operational_attrs[] = { +static char *oc_op_attrs[] = { /* * these are operational attributes * most could be user modifiable @@ -171,7 +178,7 @@ static char *oc_operational_attrs[] = { }; /* this list should be extensible */ -static char *oc_no_usermod_attrs[] = { +static char *oc_op_no_usermod_attrs[] = { /* * Operational and 'no user modification' attributes * which are STORED in the directory server. @@ -185,35 +192,57 @@ static char *oc_no_usermod_attrs[] = { NULL }; +#endif /* * check to see if attribute is 'operational' or not. */ int -oc_check_operational_attr( const char *type ) +oc_check_op_attr( const char *type ) { - return charray_inlist( oc_operational_attrs, type ) - || charray_inlist( oc_usermod_attrs, type ) - || charray_inlist( oc_no_usermod_attrs, type ); +#ifdef SLAPD_SCHEMA_COMPAT + return charray_inlist( oc_op_attrs, type ) + || charray_inlist( oc_op_usermod_attrs, type ) + || charray_inlist( oc_op_no_usermod_attrs, type ); +#else + AttributeType *at = at_find( type ); + + if( at == NULL ) return 0; + + return at->sat_usage != 0; +#endif } /* * check to see if attribute can be user modified or not. */ int -oc_check_usermod_attr( const char *type ) +oc_check_op_usermod_attr( const char *type ) { - return charray_inlist( oc_usermod_attrs, type ); +#ifdef SLAPD_SCHEMA_COMPAT + return charray_inlist( oc_op_usermod_attrs, type ); +#else + /* not (yet) in schema */ + return 0; +#endif } /* * check to see if attribute is 'no user modification' or not. */ int -oc_check_no_usermod_attr( const char *type ) +oc_check_op_no_usermod_attr( const char *type ) { - return charray_inlist( oc_no_usermod_attrs, type ); +#ifdef SLAPD_SCHEMA_COMPAT + return charray_inlist( oc_op_no_usermod_attrs, type ); +#else + AttributeType *at = at_find( type ); + + if( at == NULL ) return 0; + + return at->sat_no_user_mod; +#endif } @@ -234,15 +263,6 @@ oc_check_allowed( char *type, struct berval **ocl ) return( 0 ); } - /* - * All operational attributions are allowed by schema rules. - * However, we only check attributions which are stored in the - * the directory regardless if they are user or non-user modified. - */ - if ( oc_check_usermod_attr( type ) || oc_check_no_usermod_attr( type ) ) { - return( 0 ); - } - /* * The "type" we have received is actually an AttributeDescription. * Let's find out the corresponding type. @@ -260,6 +280,13 @@ oc_check_allowed( char *type, struct berval **ocl ) t = type; } + /* + * All operational attributions are allowed by schema rules. + */ + if ( oc_check_op_attr( t ) ) { + return( 0 ); + } + /* check that the type appears as req or opt in at least one oc */ for ( i = 0; ocl[i] != NULL; i++ ) { /* if we know about the oc */ -- 2.39.5