From e4eb033d919abc0442c3f649009f00648fc3a4e0 Mon Sep 17 00:00:00 2001
From: Kurt Zeilenga
Date: Thu, 10 Oct 2002 03:31:30 +0000
Subject: [PATCH] Entry ACLs
---
 servers/slapd/back-shell/add.c | 9 +++++++++
 servers/slapd/back-shell/bind.c | 19 +++++++++++++++++++
 servers/slapd/back-shell/compare.c | 19 +++++++++++++++++++
 servers/slapd/back-shell/delete.c | 19 +++++++++++++++++++
 servers/slapd/back-shell/modify.c | 19 +++++++++++++++++++
 servers/slapd/back-shell/modrdn.c | 19 +++++++++++++++++++
 6 files changed, 104 insertions(+)
diff --git a/servers/slapd/back-shell/add.c b/servers/slapd/back-shell/add.c
index 2eb06b53ad..ae65d4cf25 100644
--- a/servers/slapd/back-shell/add.c
+++ b/servers/slapd/back-shell/add.c
@@ -24,6 +24,7 @@ shell_back_add(
 )
 {
 struct shellinfo *si = (struct shellinfo *) be->be_private;
+ AttributeDescription *entry = slap_schema.si_ad_entry;
 FILE *rfp, *wfp;
 int len;
 
@@ -33,6 +34,14 @@ shell_back_add(
 return( -1 );
 }
 
+ if ( ! access_allowed( be, conn, op, e,
+ entry, NULL, ACL_WRITE, NULL ) )
+ {
+ send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
+ NULL, NULL, NULL, NULL );
+ return -1;
+ }
+
 if ( (op->o_private = (void *) forkandexec( si->si_add, &rfp, &wfp ))
 == (void *) -1 ) {
 send_ldap_result( conn, op, LDAP_OTHER, NULL,
 "could not fork/exec", NULL, NULL );
diff --git a/servers/slapd/back-shell/bind.c b/servers/slapd/back-shell/bind.c
index 6c4ec9ab48..ad1b9c80c1 100644
--- a/servers/slapd/back-shell/bind.c
+++ b/servers/slapd/back-shell/bind.c
@@ -28,6 +28,8 @@ shell_back_bind(
 )
 {
 struct shellinfo *si = (struct shellinfo *) be->be_private;
+ AttributeDescription *entry = slap_schema.si_ad_entry;
+ Entry e;
 FILE *rfp, *wfp;
 int rc;
 
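Review bot: The new check in shell_back_add (second hunk) asks for ACL_WRITE on the `entry` pseudo-attribute of the entry being added and nothing else; other slapd backends also require write access to the parent's `children` pseudo-attribute for add, and if that is deliberately skipped here because the shell backend cannot fetch the parent, a comment at the check should say so, e.g. `/* only the new entry itself is ACL-checked; the parent's children attribute is not */`. The local `AttributeDescription *entry` (first hunk) is declared right beside the `e` argument that is passed to `access_allowed` as the Entry, and a name such as `ad_entry` would read less ambiguously — the same naming appears in the other five files. The rest of shell_back_add is outside the hunk.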
@@ -37,6 +39,23 @@ shell_back_bind(
 return( -1 );
 }
 
+ e.e_id = NOID;
+ e.e_name = *dn;
+ e.e_nname = *ndn;
+ e.e_attrs = NULL;
+ e.e_ocflags = 0;
+ e.e_bv.bv_len = 0;
+ e.e_bv.bv_val = NULL;
+ e.e_private = NULL;
+
+ if ( ! access_allowed( be, conn, op, &e,
+ entry, NULL, ACL_AUTH, NULL ) )
+ {
+ send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
+ NULL, NULL, NULL, NULL );
+ return -1;
+ }
+
 if ( (op->o_private = (void *) forkandexec( si->si_bind, &rfp, &wfp ))
 == (void *) -1 ) {
 send_ldap_result( conn, op, LDAP_OTHER, NULL,
diff --git a/servers/slapd/back-shell/compare.c b/servers/slapd/back-shell/compare.c
index 19a3498c96..c70edd530d 100644
--- a/servers/slapd/back-shell/compare.c
+++ b/servers/slapd/back-shell/compare.c
@@ -26,6 +26,8 @@ shell_back_compare(
 )
 {
 struct shellinfo *si = (struct shellinfo *) be->be_private;
+ AttributeDescription *entry = slap_schema.si_ad_entry;
+ Entry e;
 FILE *rfp, *wfp;
 
 if ( IS_NULLCMD( si->si_compare ) ) {
@@ -34,6 +36,23 @@ shell_back_compare(
 return( -1 );
 }
 
+ e.e_id = NOID;
+ e.e_name = *dn;
+ e.e_nname = *ndn;
+ e.e_attrs = NULL;
+ e.e_ocflags = 0;
+ e.e_bv.bv_len = 0;
+ e.e_bv.bv_val = NULL;
+ e.e_private = NULL;
+
+ if ( ! access_allowed( be, conn, op, &e,
+ entry, NULL, ACL_READ, NULL ) )
+ {
+ send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
+ NULL, NULL, NULL, NULL );
+ return -1;
+ }
+
 if ( (op->o_private = (void *) forkandexec( si->si_compare, &rfp, &wfp ))
 == (void *) -1 ) {
 send_ldap_result( conn, op, LDAP_OTHER, NULL,
diff --git a/servers/slapd/back-shell/delete.c b/servers/slapd/back-shell/delete.c
index 73dd65e52f..eb6c977b98 100644
--- a/servers/slapd/back-shell/delete.c
+++ b/servers/slapd/back-shell/delete.c
@@ -25,6 +25,8 @@ shell_back_delete(
 )
 {
 struct shellinfo *si = (struct shellinfo *) be->be_private;
+ AttributeDescription *entry = slap_schema.si_ad_entry;
+ Entry e;
 FILE *rfp, *wfp;
 
 if ( IS_NULLCMD( si->si_delete ) ) {
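Review bot: The stub `Entry e` built in shell_back_bind has `e.e_attrs = NULL`, so any ACL clause that is evaluated against the target entry's attributes (a `filter=` what-clause or a `dnattr=` who-clause, where the ACL engine supports them) can never match against this entry and the evaluation simply moves on to the next rule; a comment such as `/* stub entry carries no attributes: attribute-based ACL clauses cannot match here */` would make that limitation visible to whoever writes the ACLs. The same eight assignments plus the check are repeated verbatim in compare.c, delete.c, modify.c and modrdn.c, and a small shared helper that builds the stub and calls `access_allowed` would keep that caveat in one place; as written, any `Entry` member not listed in the eight assignments is left uninitialised unless the struct has exactly those members, which the hunk does not let me confirm — `Entry e = { 0 };` at the declaration would remove the doubt. In compare.c the level requested is ACL_READ on the `entry` pseudo-attribute rather than compare access on the asserted attribute, which is stricter than the usual slapd compare check and worth a one-line comment if intentional. The rest of each function is outside the hunks.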
@@ -33,6 +35,23 @@ shell_back_delete(
 return( -1 );
 }
 
+ e.e_id = NOID;
+ e.e_name = *dn;
+ e.e_nname = *ndn;
+ e.e_attrs = NULL;
+ e.e_ocflags = 0;
+ e.e_bv.bv_len = 0;
+ e.e_bv.bv_val = NULL;
+ e.e_private = NULL;
+
+ if ( ! access_allowed( be, conn, op, &e,
+ entry, NULL, ACL_WRITE, NULL ) )
+ {
+ send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
+ NULL, NULL, NULL, NULL );
+ return -1;
+ }
+
 if ( (op->o_private = (void *) forkandexec( si->si_delete, &rfp, &wfp ))
 == (void *) -1 ) {
 send_ldap_result( conn, op, LDAP_OTHER, NULL,
diff --git a/servers/slapd/back-shell/modify.c b/servers/slapd/back-shell/modify.c
index 69ad41d740..9b82f70be4 100644
--- a/servers/slapd/back-shell/modify.c
+++ b/servers/slapd/back-shell/modify.c
@@ -27,6 +27,8 @@ shell_back_modify(
 {
 Modification *mod;
 struct shellinfo *si = (struct shellinfo *) be->be_private;
+ AttributeDescription *entry = slap_schema.si_ad_entry;
+ Entry e;
 FILE *rfp, *wfp;
 int i;
 
@@ -36,6 +38,23 @@ shell_back_modify(
 return( -1 );
 }
 
+ e.e_id = NOID;
+ e.e_name = *dn;
+ e.e_nname = *ndn;
+ e.e_attrs = NULL;
+ e.e_ocflags = 0;
+ e.e_bv.bv_len = 0;
+ e.e_bv.bv_val = NULL;
+ e.e_private = NULL;
+
+ if ( ! access_allowed( be, conn, op, &e,
+ entry, NULL, ACL_WRITE, NULL ) )
+ {
+ send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
+ NULL, NULL, NULL, NULL );
+ return -1;
+ }
+
 if ( (op->o_private = (void *) forkandexec( si->si_modify, &rfp, &wfp ))
 == (void *) -1 ) {
 send_ldap_result( conn, op, LDAP_OTHER, NULL,
diff --git a/servers/slapd/back-shell/modrdn.c b/servers/slapd/back-shell/modrdn.c
index 2e92d8731c..bfe86a9510 100644
--- a/servers/slapd/back-shell/modrdn.c
+++ b/servers/slapd/back-shell/modrdn.c
@@ -43,6 +43,8 @@ shell_back_modrdn(
 )
 {
 struct shellinfo *si = (struct shellinfo *) be->be_private;
+ AttributeDescription *entry = slap_schema.si_ad_entry;
+ Entry e;
 FILE *rfp, *wfp;
 
 if ( IS_NULLCMD( si->si_modrdn ) ) {
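Review bot: shell_back_modify (second modify.c hunk) requests ACL_WRITE on the `entry` pseudo-attribute only; the individual modifications held in `Modification *mod` (visible in the first modify.c hunk) are never passed through `access_allowed`, so attribute-level write rules are not enforced on this path unless that is done further down in the function, which the hunk does not show. If attribute-level checking is intentionally left to the external script, that decision should sit next to the check: `/* entry-level check only; per-attribute write ACLs on mod are not evaluated here */`. The remainder of shell_back_modify, including whatever iterates over `mod`, is outside the hunk.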
@@ -51,6 +53,23 @@ shell_back_modrdn(
 return( -1 );
 }
 
+ e.e_id = NOID;
+ e.e_name = *dn;
+ e.e_nname = *ndn;
+ e.e_attrs = NULL;
+ e.e_ocflags = 0;
+ e.e_bv.bv_len = 0;
+ e.e_bv.bv_val = NULL;
+ e.e_private = NULL;
+
+ if ( ! access_allowed( be, conn, op, &e,
+ entry, NULL, ACL_WRITE, NULL ) )
+ {
+ send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
+ NULL, NULL, NULL, NULL );
+ return -1;
+ }
+
 if ( (op->o_private = (void *) forkandexec( si->si_modrdn, &rfp, &wfp ))
 == (void *) -1 ) {
 send_ldap_result( conn, op, LDAP_OTHER, NULL,
-- 
2.39.5
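Review bot: The check in shell_back_modrdn is evaluated against the entry's current name only (`e.e_name = *dn`, `e.e_nname = *ndn`); the destination of the rename — the new RDN and, if this function receives one, a new superior — is not consulted, so write access to the target location is not established by this hunk. If that is the intended scope for the shell backend, record it at the check, e.g. `/* write access on the source entry only; the rename destination is not ACL-checked here */`, so that an ACL author does not assume otherwise. The function's parameter list and the rest of its body are outside the hunk.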