From e929220951d2811f5211571b1878826cce7de30c Mon Sep 17 00:00:00 2001 From: Quanah Gibson-Mount Date: Mon, 10 Nov 2008 22:48:23 +0000 Subject: [PATCH] ITS#4556,ITS#5723 --- CHANGES | 2 ++ servers/slapd/back-bdb/add.c | 18 ++++++++++++++++++ servers/slapd/back-ndb/add.cpp | 13 +++++++++++++ servers/slapd/bconfig.c | 9 +++++++++ tests/data/slapd-acl.conf | 1 + tests/data/slapd-dds.conf | 14 ++++++++------ 6 files changed, 51 insertions(+), 6 deletions(-) diff --git a/CHANGES b/CHANGES index 72088270df..1eb0c99912 100644 --- a/CHANGES +++ b/CHANGES @@ -5,6 +5,8 @@ OpenLDAP 2.4.13 Engineering Fixed liblutil hex conversion (ITS#5699) Fixed liblutil returning undefined data (ITS#5748) Fixed libldap error code return (ITS#5762) + Fixed slapd acl checks on ADD (ITS#4556,ITS#5723) + Added slapd keyword add_content_acl for add checks (ITS#4556,ITS#5723) Fixed slapd config backend olcLogFile support (ITS#5765) Added slapd dn.this search limits (ITS#5734) Fixed slapd nameUIDPretty bitstring parsing (ITS#5750) diff --git a/servers/slapd/back-bdb/add.c b/servers/slapd/back-bdb/add.c index cea8a0be4c..402c837b9c 100644 --- a/servers/slapd/back-bdb/add.c +++ b/servers/slapd/back-bdb/add.c @@ -299,6 +299,24 @@ retry: /* transaction retry */ goto return_results;; } + /* + * Check ACL for attribute write access + */ + if (!acl_check_modlist(op, oe, op->ora_modlist)) { + switch( opinfo.boi_err ) { + case DB_LOCK_DEADLOCK: + case DB_LOCK_NOTGRANTED: + goto retry; + } + + Debug( LDAP_DEBUG_TRACE, + LDAP_XSTRING(bdb_add) ": no write access to attribute\n", + 0, 0, 0 ); + rs->sr_err = LDAP_INSUFFICIENT_ACCESS; + rs->sr_text = "no write access to attribute"; + goto return_results;; + } + if ( eid == NOID ) { rs->sr_err = bdb_next_id( op->o_bd, &eid ); if( rs->sr_err != 0 ) { diff --git a/servers/slapd/back-ndb/add.cpp b/servers/slapd/back-ndb/add.cpp index 8a5ca68fec..cd7bffe129 100644 --- a/servers/slapd/back-ndb/add.cpp +++ b/servers/slapd/back-ndb/add.cpp 
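Review bot: The new `acl_check_modlist(op, oe, op->ora_modlist)` call in bdb_add is only as strong as the modlist the frontend hands it: if `op->ora_modlist` is ever NULL (the backend cannot tell from here whether the frontend always builds it from the entry), the walk over modifications presumably has nothing to deny and the check passes vacuously, which is a fail-open default for an access check. A one-line guard before the call would make the assumption explicit: `assert( op->ora_modlist != NULL ); /* frontend must build the modlist for the content ACL check */`. The CHANGES entry introduces a keyword `add_content_acl` for this check, yet none of the six files in the diffstat defines or consults it, so as committed the bdb check is unconditional unless acl_check_modlist itself gates on a backend flag; a comment at the call site saying where that switch lives would save the next reader a search. The stray `;;` after `goto return_results` is an empty statement copied from the surrounding code, harmless but not worth repeating in new lines. bdb_add's body and the enclosing retry loop are outside the hunk.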
@@ -223,6 +223,19 @@ is_ref: p.e_attrs = NULL; goto return_results;; } + /* + * Check ACL for attribute write access + */ + if (!acl_check_modlist(op, op->ora_e, op->ora_modlist)) { + Debug( LDAP_DEBUG_TRACE, + LDAP_XSTRING(bdb_add) ": no write access to attribute\n", + 0, 0, 0 ); + rs->sr_err = LDAP_INSUFFICIENT_ACCESS; + rs->sr_text = "no write access to attribute"; + goto return_results;; + } + + /* acquire entry ID */ if ( op->ora_e->e_id == NOID ) { rs->sr_err = ndb_next_id( op->o_bd, NA.ndb, &op->ora_e->e_id ); diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c index 615526ba4f..aeba5c405d 100644 --- a/servers/slapd/bconfig.c +++ b/servers/slapd/bconfig.c @@ -4651,6 +4651,15 @@ config_back_add( Operation *op, SlapReply *rs ) goto out; } + /* + * Check for attribute ACL + */ + if ( !acl_check_modlist( op, op->ora_e, op->orm_modlist )) { + rs->sr_err = LDAP_INSUFFICIENT_ACCESS; + rs->sr_text = "no write access to attribute"; + goto out; + } + cfb = (CfBackInfo *)op->o_bd->be_private; /* add opattrs for syncprov */ diff --git a/tests/data/slapd-acl.conf b/tests/data/slapd-acl.conf index bfcabfc491..64cde948c7 100644 --- a/tests/data/slapd-acl.conf +++ b/tests/data/slapd-acl.conf @@ -55,6 +55,7 @@ rootpw secret #access to attrs=objectclass dn.subtree="dc=example,dc=com" access to attrs=objectclass + by dn.exact="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" add by * =rsc stop #access to filter="(objectclass=person)" attrs=userpassword dn.subtree="dc=example,dc=com" diff --git a/tests/data/slapd-dds.conf b/tests/data/slapd-dds.conf index eacc2ec8ad..bb9ebbf10d 100644 --- a/tests/data/slapd-dds.conf +++ b/tests/data/slapd-dds.conf 
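Review bot: The Debug line in the new back-ndb/add.cpp block tags its message with `LDAP_XSTRING(bdb_add)`, so an access denial in the NDB backend is logged as if it came from the BDB backend, which will mislead anyone reading a trace. Replace `bdb_add` with the name of the ndb add function whose body this is; that function's signature is outside the hunk, so I cannot quote the exact identifier here. The ndb variant also has no retry handling around the check, unlike the bdb hunk; that is presumably correct because the DB_LOCK_* codes are Berkeley DB specific, but a short comment such as `/* no deadlock retry: NDB does not report BDB lock errors */` would save the next reader the comparison.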
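Review bot: config_back_add passes `op->orm_modlist` to acl_check_modlist, while the bdb and ndb hunks in the same commit pass `op->ora_modlist`; judging by the prefixes orm_ belongs to the modify request and ora_ to the add request, and since the request members share a union, in an add operation orm_modlist presumably does not hold the list built for this add and may alias another field, so the check either inspects the wrong memory or passes vacuously. The line should read `if ( !acl_check_modlist( op, op->ora_e, op->ora_modlist )) {`. Using the same comment as the other two backends, `/* Check ACL for attribute write access */`, would also keep the three call sites recognisably the same check. config_back_add's body continues outside the hunk.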
@@ -66,19 +66,21 @@ access to dn.base="ou=Groups,dc=example,dc=com" by users write access to dn.onelevel="ou=Groups,dc=example,dc=com" - attrs=entry - by dnattr=creatorsName write + attrs=entryTtl + by dnattr=member manage by * read access to dn.onelevel="ou=Groups,dc=example,dc=com" - attrs=member by dnattr=creatorsName write - by users selfwrite + by * break + +access to dn.onelevel="ou=Groups,dc=example,dc=com" + attrs=entry by * read access to dn.onelevel="ou=Groups,dc=example,dc=com" - attrs=entryTtl - by dnattr=member manage + attrs=member + by users selfwrite by * read access to * -- 2.39.5
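Review bot: The rewritten second stanza, `access to dn.onelevel="ou=Groups,dc=example,dc=com"` with `by dnattr=creatorsName write` and `by * break`, carries no `attrs` clause, so it now matches every attribute of the group entries rather than only `entry` and `member` as the removed lines did: the creator gains write on any attribute not already settled by the preceding entryTtl stanza, and everyone else falls through the break to the later stanzas or to the trailing `access to *`, whose `by` clauses are outside the hunk. If that widening is intended for the DDS test, a comment above the stanza should record it, for example `# creator has full write on its own groups; others fall through (break) to the per-attribute rules below`. The outcome also depends on order, since the entryTtl stanza must stay ahead of the catch-all or its `by dnattr=member manage` rule would never be reached; worth stating in the same comment.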