From f93d4a31e81e9d4ac3878ebe11cdd3601e41aecd Mon Sep 17 00:00:00 2001
From: Pierangelo Masarati <ando@openldap.org>
Date: Sat, 20 Nov 2004 14:07:07 +0000
Subject: [PATCH] allow a "users" type in ACI

---
 servers/slapd/acl.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/servers/slapd/acl.c b/servers/slapd/acl.c
index 8709dae10e..5f31a8ce5e 100644
--- a/servers/slapd/acl.c
+++ b/servers/slapd/acl.c
@@ -2416,11 +2416,18 @@ aci_mask(
 		oid # scope # action;rights;attr;rights;attr 
 			$ action;rights;attr;rights;attr # type # subject
 
+	   [NOTE: the following comment is very outdated,
+	   as the draft version it refers to (Ando, 2004-11-20)].
+
 	   See draft-ietf-ldapext-aci-model-04.txt section 9.1 for
 	   a full description of the format for this attribute.
 	   Differences: "this" in the draft is "self" here, and
 	   "self" and "public" is in the position of type.
 
+	   <scope> = {entry|children|subtree}
+	   <type> = {public|users|access-id|subtree|onelevel|children|
+	             self|dnattr|group|role|set|set-ref}
+
 	   This routine now supports scope={ENTRY,CHILDREN}
 	   with the semantics:
 	     - ENTRY applies to "entry" and "subtree";
@@ -2491,6 +2498,11 @@ aci_mask(
 		return 0;
 	}
 
+	/* see if we have a users access */
+	if ( ber_bvstrcasecmp( &aci_bv_users, &type ) == 0 ) {
+		return 1;
+	}
+	
 	/* NOTE: this may fail if a DN contains a valid '#' (unescaped);
 	 * just grab all the berval up to its end (ITS#3303).
 	 * NOTE: the problem could be solved by providing the DN with
-- 
2.39.5