From 9655b23ce098518f03ff0c17f527a18fa3667100 Mon Sep 17 00:00:00 2001 From: Howard Chu Date: Thu, 26 Feb 2015 00:14:41 +0000 Subject: [PATCH] ITS#8006 more rootdn privs --- contrib/slapd-modules/autogroup/autogroup.c | 53 ++++++++++++++++++++- 1 file changed, 52 insertions(+), 1 deletion(-) diff --git a/contrib/slapd-modules/autogroup/autogroup.c b/contrib/slapd-modules/autogroup/autogroup.c index a3e3277bc8..5f1a597969 100644 --- a/contrib/slapd-modules/autogroup/autogroup.c +++ b/contrib/slapd-modules/autogroup/autogroup.c @@ -770,7 +770,15 @@ autogroup_add_entry_cb( Operation *op, SlapReply *rs ) } else { autogroup_entry_t *age; autogroup_filter_t *agf; + struct berval odn, ondn; int rc; + + /* must use rootdn when calling test_filter */ + odn = op->o_dn; + ondn = op->o_ndn; + op->o_dn = op->o_bd->be_rootdn; + op->o_ndn = op->o_bd->be_rootndn; + for ( age = agi->agi_entry; age ; age = age->age_next ) { ldap_pvt_thread_mutex_lock( &age->age_mutex ); @@ -794,6 +802,8 @@ autogroup_add_entry_cb( Operation *op, SlapReply *rs ) } ldap_pvt_thread_mutex_unlock( &age->age_mutex ); } + op->o_dn = odn; + op->o_ndn = ondn; } ldap_pvt_thread_mutex_unlock( &agi->agi_mutex ); @@ -924,6 +934,7 @@ autogroup_delete_entry( Operation *op, SlapReply *rs) autogroup_filter_t *agf; Entry *e; int matched_group = 0, rc = 0; + struct berval odn, ondn; Debug( LDAP_DEBUG_TRACE, "==> autogroup_delete_entry <%s>\n", op->o_req_dn.bv_val, 0, 0); @@ -967,6 +978,11 @@ autogroup_delete_entry( Operation *op, SlapReply *rs) /* Check if the entry matches any of the groups. If yes, we can delete the entry from that group. */ + odn = op->o_dn; + ondn = op->o_ndn; + op->o_dn = op->o_bd->be_rootdn; + op->o_ndn = op->o_bd->be_rootndn; + for ( age = agi->agi_entry ; age ; age = age->age_next ) { ldap_pvt_thread_mutex_lock( &age->age_mutex ); @@ -990,6 +1006,8 @@ autogroup_delete_entry( Operation *op, SlapReply *rs) } ldap_pvt_thread_mutex_unlock( &age->age_mutex ); } + op->o_dn = odn; + op->o_ndn = ondn; overlay_entry_release_ov( op, e, 0, on ); ldap_pvt_thread_mutex_unlock( &agi->agi_mutex ); @@ -1198,9 +1216,15 @@ autogroup_response( Operation *op, SlapReply *rs ) } else if ( is_olddn == 0 && is_newdn == 1 ) { Entry etmp; + struct berval odn, ondn; etmp.e_name = op->o_req_dn; etmp.e_nname = op->o_req_ndn; etmp.e_attrs = attrs; + odn = op->o_dn; + ondn = op->o_ndn; + op->o_dn = op->o_bd->be_rootdn; + op->o_ndn = op->o_bd->be_rootndn; + for ( agf = age->age_filter; agf; agf = agf->agf_next ) { if ( test_filter( op, &etmp, agf->agf_filter ) == LDAP_COMPARE_TRUE ) { if ( ea ) { @@ -1210,6 +1234,8 @@ autogroup_response( Operation *op, SlapReply *rs ) break; } } + op->o_dn = odn; + op->o_ndn = ondn; } else if ( is_olddn == 1 && is_newdn == 1 && dn_equal != 0 ) { if ( ea ) { @@ -1241,6 +1267,7 @@ autogroup_response( Operation *op, SlapReply *rs ) if ( op->o_tag == LDAP_REQ_MODIFY ) { if ( rs->sr_type == REP_RESULT && rs->sr_err == LDAP_SUCCESS && !get_manageDSAit( op ) ) { Entry etmp; + struct berval odn, ondn; Debug( LDAP_DEBUG_TRACE, "==> autogroup_response MODIFY <%s>\n", op->o_req_dn.bv_val, 0, 0); ldap_pvt_thread_mutex_lock( &agi->agi_mutex ); @@ -1328,11 +1355,15 @@ autogroup_response( Operation *op, SlapReply *rs ) etmp.e_name = op->o_req_dn; etmp.e_nname = op->o_req_ndn; etmp.e_attrs = attrs; + odn = op->o_dn; + ondn = op->o_ndn; + op->o_dn = op->o_bd->be_rootdn; + op->o_ndn = op->o_bd->be_rootndn; + for ( age = agi->agi_entry ; age ; age = age->age_next ) { is_olddn = 0; is_newdn = 0; - ldap_pvt_thread_mutex_lock( &age->age_mutex ); if ( age->age_filter && age->age_filter->agf_anlist ) { @@ -1350,6 +1381,8 @@ autogroup_response( Operation *op, SlapReply *rs ) attrs_free( attrs ); ldap_pvt_thread_mutex_unlock( &age->age_mutex ); ldap_pvt_thread_mutex_unlock( &agi->agi_mutex ); + op->o_dn = odn; + op->o_ndn = ondn; return SLAP_CB_CONTINUE; } @@ -1393,6 +1426,8 @@ autogroup_response( Operation *op, SlapReply *rs ) ldap_pvt_thread_mutex_unlock( &age->age_mutex ); } + op->o_dn = odn; + op->o_ndn = ondn; attrs_free( attrs ); ldap_pvt_thread_mutex_unlock( &agi->agi_mutex ); @@ -1443,6 +1478,7 @@ autogroup_modify_entry( Operation *op, SlapReply *rs) autogroup_entry_t *age; Entry *e; Attribute *a; + struct berval odn, ondn; if ( get_manageDSAit( op ) ) { return SLAP_CB_CONTINUE; @@ -1458,6 +1494,11 @@ autogroup_modify_entry( Operation *op, SlapReply *rs) return SLAP_CB_CONTINUE; } + odn = op->o_dn; + ondn = op->o_ndn; + op->o_dn = op->o_bd->be_rootdn; + op->o_ndn = op->o_bd->be_rootndn; + /* Must refresh groups if a matching member value is modified OR filter contains memberOf=DN */ for ( age = agi->agi_entry; age ; age = age->age_next ) { autogroup_filter_t *agf; @@ -1481,6 +1522,8 @@ autogroup_modify_entry( Operation *op, SlapReply *rs) } } } + op->o_dn = odn; + op->o_ndn = ondn; a = attrs_find( e->e_attrs, slap_schema.si_ad_objectClass ); @@ -1542,6 +1585,7 @@ autogroup_modrdn_entry( Operation *op, SlapReply *rs) autogroup_info_t *agi = (autogroup_info_t *)on->on_bi.bi_private; autogroup_entry_t *age; Entry *e; + struct berval odn, ondn; if ( get_manageDSAit( op ) ) { return SLAP_CB_CONTINUE; @@ -1557,6 +1601,11 @@ autogroup_modrdn_entry( Operation *op, SlapReply *rs) return SLAP_CB_CONTINUE; } + odn = op->o_dn; + ondn = op->o_ndn; + op->o_dn = op->o_bd->be_rootdn; + op->o_ndn = op->o_bd->be_rootndn; + /* Must check if a dn is modified */ for ( age = agi->agi_entry; age ; age = age->age_next ) { autogroup_filter_t *agf; @@ -1571,6 +1620,8 @@ autogroup_modrdn_entry( Operation *op, SlapReply *rs) } } } + op->o_dn = odn; + op->o_ndn = ondn; overlay_entry_release_ov( op, e, 0, on ); ldap_pvt_thread_mutex_unlock( &agi->agi_mutex ); -- 2.39.5