From ab80b030579e9fddf76e03e84af79a92aca08f7c Mon Sep 17 00:00:00 2001 From: Kurt Zeilenga Date: Thu, 5 Sep 2002 02:37:10 +0000 Subject: [PATCH] back_attribute() should use ACL_AUTH not ACL_READ (at least for current callers, may need to pass it the permission level) --- configure | 10 +++++++++- servers/slapd/back-bdb/attribute.c | 15 +++------------ servers/slapd/back-ldbm/attribute.c | 12 ++---------- servers/slapd/saslauthz.c | 14 ++++++++------ 4 files changed, 22 insertions(+), 29 deletions(-) diff --git a/configure b/configure index e4cd976870..9da9e413ca 100755 --- a/configure +++ b/configure @@ -1,6 +1,6 @@ #! /bin/sh # $OpenLDAP$ -# from OpenLDAP: pkg/ldap/configure.in,v 1.428 2002/08/28 05:12:22 hyc Exp +# from OpenLDAP: pkg/ldap/configure.in,v 1.430 2002/09/04 08:58:25 hyc Exp # Copyright 1998-2002 The OpenLDAP Foundation. All Rights Reserved. # @@ -23128,6 +23128,12 @@ else PLAT=UNIX fi +if test -z "$SLAPD_STATIC_BACKENDS"; then + SLAPD_NO_STATIC='#' +else + SLAPD_NO_STATIC= +fi + @@ -23192,6 +23198,7 @@ fi + # Check whether --with-xxinstall or --without-xxinstall was given. @@ -23423,6 +23430,7 @@ s%@WRAP_LIBS@%$WRAP_LIBS%g s%@MOD_TCL_LIB@%$MOD_TCL_LIB%g s%@SLAPD_MODULES_CPPFLAGS@%$SLAPD_MODULES_CPPFLAGS%g s%@SLAPD_MODULES_LDFLAGS@%$SLAPD_MODULES_LDFLAGS%g +s%@SLAPD_NO_STATIC@%$SLAPD_NO_STATIC%g s%@SLAPD_STATIC_BACKENDS@%$SLAPD_STATIC_BACKENDS%g s%@SLAPD_DYNAMIC_BACKENDS@%$SLAPD_DYNAMIC_BACKENDS%g s%@PERL_CPPFLAGS@%$PERL_CPPFLAGS%g diff --git a/servers/slapd/back-bdb/attribute.c b/servers/slapd/back-bdb/attribute.c index 6ad4b30e78..8b7ec4b8e4 100644 --- a/servers/slapd/back-bdb/attribute.c +++ b/servers/slapd/back-bdb/attribute.c @@ -91,7 +91,6 @@ bdb_attribute( entry_ndn->bv_val, 0, 0 ); #endif - } else { dn2entry_retry: /* can we find entry */ @@ -165,14 +164,6 @@ dn2entry_retry: goto return_results; } - if (conn != NULL && op != NULL - && access_allowed( be, conn, op, e, slap_schema.si_ad_entry, - NULL, ACL_READ, &acl_state ) == 0 ) - { - rc = LDAP_INSUFFICIENT_ACCESS; - goto return_results; - } - if ((attr = attr_find(e->e_attrs, entry_at)) == NULL) { #ifdef NEW_LOGGING LDAP_LOG( BACK_BDB, INFO, @@ -187,8 +178,8 @@ dn2entry_retry: } if (conn != NULL && op != NULL - && access_allowed( be, conn, op, e, entry_at, NULL, ACL_READ, - &acl_state ) == 0 ) + && access_allowed( be, conn, op, e, entry_at, NULL, + ACL_AUTH, &acl_state ) == 0 ) { rc = LDAP_INSUFFICIENT_ACCESS; goto return_results; @@ -204,7 +195,7 @@ dn2entry_retry: if( conn != NULL && op != NULL && access_allowed(be, conn, op, e, entry_at, - &attr->a_vals[i], ACL_READ, &acl_state ) == 0) + &attr->a_vals[i], ACL_AUTH, &acl_state ) == 0) { continue; } diff --git a/servers/slapd/back-ldbm/attribute.c b/servers/slapd/back-ldbm/attribute.c index 0dc5daf03a..4639f7d120 100644 --- a/servers/slapd/back-ldbm/attribute.c +++ b/servers/slapd/back-ldbm/attribute.c @@ -128,14 +128,6 @@ ldbm_back_attribute( goto return_results; } - if (conn != NULL && op != NULL - && access_allowed( be, conn, op, e, slap_schema.si_ad_entry, - NULL, ACL_READ, NULL ) == 0) - { - rc = LDAP_INSUFFICIENT_ACCESS; - goto return_results; - } - if ((attr = attr_find(e->e_attrs, entry_at)) == NULL) { #ifdef NEW_LOGGING LDAP_LOG( BACK_LDBM, INFO, @@ -152,7 +144,7 @@ ldbm_back_attribute( if (conn != NULL && op != NULL && access_allowed( be, conn, op, e, entry_at, NULL, - ACL_READ, &acl_state ) == 0) + ACL_AUTH, &acl_state ) == 0) { rc = LDAP_INSUFFICIENT_ACCESS; goto return_results; @@ -168,7 +160,7 @@ ldbm_back_attribute( if( conn != NULL && op != NULL && access_allowed( be, conn, op, e, entry_at, - iv, ACL_READ, &acl_state ) == 0) + iv, ACL_AUTH, &acl_state ) == 0) { continue; } diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c index ded88611f4..24ccf062b4 100644 --- a/servers/slapd/saslauthz.c +++ b/servers/slapd/saslauthz.c @@ -616,15 +616,16 @@ slap_sasl_check_authz( Connection *conn, #ifdef NEW_LOGGING LDAP_LOG( TRANSPORT, ENTRY, - "slap_sasl_check_authz: does %s match %s rule in %s?\n", - assertDN->bv_val, ad->ad_cname.bv_val, searchDN->bv_val); + "slap_sasl_check_authz: does %s match %s rule in %s?\n", + assertDN->bv_val, ad->ad_cname.bv_val, searchDN->bv_val); #else Debug( LDAP_DEBUG_TRACE, "==>slap_sasl_check_authz: does %s match %s rule in %s?\n", assertDN->bv_val, ad->ad_cname.bv_val, searchDN->bv_val); #endif - rc = backend_attribute( NULL, NULL, conn->c_sasl_bindop, NULL, searchDN, ad, &vals ); + rc = backend_attribute( NULL, NULL, conn->c_sasl_bindop, NULL, + searchDN, ad, &vals ); if( rc != LDAP_SUCCESS ) goto COMPLETE; @@ -641,11 +642,12 @@ COMPLETE: #ifdef NEW_LOGGING LDAP_LOG( TRANSPORT, RESULTS, - "slap_sasl_check_authz: %s check returning %s\n", - ad->ad_cname.bv_val, rc, 0 ); + "slap_sasl_check_authz: %s check returning %s\n", + ad->ad_cname.bv_val, rc, 0 ); #else Debug( LDAP_DEBUG_TRACE, - "<==slap_sasl_check_authz: %s check returning %d\n", ad->ad_cname.bv_val, rc, 0); + "<==slap_sasl_check_authz: %s check returning %d\n", + ad->ad_cname.bv_val, rc, 0); #endif return( rc ); -- 2.39.5