From fbb5d5b79b681738379472a1b91950b2691690fc Mon Sep 17 00:00:00 2001 From: Ralf Haferkamp Date: Thu, 20 Oct 2011 11:07:01 +0200 Subject: [PATCH] ITS#7066 Reworked fix Seems simpler this way. No need for a back-config specific bi_access_allowed() handler. --- servers/slapd/bconfig.c | 60 +++++++++++++++++------------------------ 1 file changed, 25 insertions(+), 35 deletions(-) diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c index 9f68fdbc02..c7b87b9951 100644 --- a/servers/slapd/bconfig.c +++ b/servers/slapd/bconfig.c @@ -84,6 +84,7 @@ static char *logfileName; #ifdef SLAP_AUTH_REWRITE static BerVarray authz_rewrites; #endif +static AccessControl *defacl_parsed = NULL; static struct berval cfdir; @@ -1297,6 +1298,12 @@ config_generic(ConfigArgs *c) { *prev = a->acl_next; acl_free( a ); } + if ( SLAP_CONFIG( c->be ) && !c->be->be_acl ) { + Debug( LDAP_DEBUG_CONFIG, "config_generic (CFG_ACL): " + "Last explicit ACL for back-config removed. " + "Using hardcoded default\n", 0, 0, 0 ); + c->be->be_acl = defacl_parsed; + } break; case CFG_OC: { @@ -1792,6 +1799,9 @@ sortval_reject: break; case CFG_ACL: + if ( SLAP_CONFIG( c->be ) && c->be->be_acl == defacl_parsed) { + c->be->be_acl = NULL; + } /* Don't append to the global ACL if we're on a specific DB */ i = c->valx; if ( c->valx == -1 ) { @@ -1801,6 +1811,9 @@ sortval_reject: i++; } if ( parse_acl(c->be, c->fname, c->lineno, c->argc, c->argv, i ) ) { + if ( SLAP_CONFIG( c->be ) && !c->be->be_acl) { + c->be->be_acl = defacl_parsed; + } return 1; } break; @@ -6227,35 +6240,6 @@ int config_back_entry_get( return rc; } -static AccessControl *defacl_parsed = NULL; - -int config_back_access_allowed( - Operation *op, - Entry *e, - AttributeDescription *desc, - struct berval *val, - slap_access_t access, - AccessControlState *state, - slap_mask_t *maskp ) -{ - int result; - BackendDB *be_orig = op->o_bd, db = *op->o_bd; - - /* If we have no explicitly configured ACLs, don't just use - * the global ACLs. Explicitly deny access to everything. - */ - if ( ! db.be_acl ) { - Debug( LDAP_DEBUG_ACL, "=> config_back_access_allowed: " - "No explicit ACL for back-config configured, " - "using hardcoded default\n", 0, 0, 0 ); - db.be_acl = defacl_parsed; - op->o_bd = &db; - } - result = slap_access_allowed( op, e , desc, val, access, state, maskp ); - op->o_bd = be_orig; - return result; -} - static int config_build_attrs( Entry *e, AttributeType **at, AttributeDescription *ad, ConfigTable *ct, ConfigArgs *c ) @@ -6630,14 +6614,20 @@ config_back_db_open( BackendDB *be, ConfigReply *cr ) Debug( LDAP_DEBUG_TRACE, "config_back_db_open\n", 0, 0, 0); - /* prepare a hardcoded default ACL which is used when no - * explicit ACL is defined for this database. See also: - * config_back_access_allowed() */ + /* If we have no explicitly configured ACLs, don't just use + * the global ACLs. Explicitly deny access to everything. + */ save_access = be->bd_self->be_acl; be->bd_self->be_acl = NULL; parse_acl(be->bd_self, "config_back_db_open", 0, 6, (char **)defacl, 0 ); defacl_parsed = be->bd_self->be_acl; - be->bd_self->be_acl = save_access; + if ( save_access ) { + be->bd_self->be_acl = save_access; + } else { + Debug( LDAP_DEBUG_CONFIG, "config_back_db_open: " + "No explicit ACL for back-config configured. " + "Using hardcoded default\n", 0, 0, 0 ); + } thrctx = ldap_pvt_thread_pool_context(); connection_fake_init( &conn, &opbuf, thrctx ); @@ -6881,7 +6871,7 @@ config_back_db_close( BackendDB *be, ConfigReply *cr ) backend_shutdown( &cfb->cb_db ); } - if ( defacl_parsed ) { + if ( defacl_parsed && be->be_acl != defacl_parsed ) { acl_free( defacl_parsed ); defacl_parsed = NULL; } @@ -7281,7 +7271,7 @@ config_back_initialize( BackendInfo *bi ) bi->bi_chk_referrals = 0; - bi->bi_access_allowed = config_back_access_allowed; + bi->bi_access_allowed = slap_access_allowed; bi->bi_connection_init = 0; bi->bi_connection_destroy = 0; -- 2.39.5