Now require be_isroot() instead of "manage".
ctrls[num_ctrls] = 0;
/* check entry's schema */
- rs->sr_err = entry_schema_check( op->o_bd, op->oq_add.rs_e, NULL, 0,
- &rs->sr_text, textbuf, textlen );
+ rs->sr_err = entry_schema_check( op->o_bd, op->oq_add.rs_e, NULL,
+ get_manageDIT(op), &rs->sr_text, textbuf, textlen );
if ( rs->sr_err != LDAP_SUCCESS ) {
Debug( LDAP_DEBUG_TRACE,
LDAP_XSTRING(bdb_add) ": entry failed schema check: "
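Review bot: The manage argument handed to entry_schema_check is now read straight from get_manageDIT(op) with no authorization check at the call site; that is correct only because get_ctrls (the hunk adding the be_isroot() test) refuses the control for non-root binds, and nothing here records that dependency. A one-line comment would stop a later reader from re-adding an ACL check or assuming any bound user can set the control: `/* manageDIT is only accepted for rootdn (enforced in get_ctrls), so it is trusted here */`. The same applies to the bdb_modify_internal call further down, where the old local `manage` and its ACL_MANAGE check are removed. bdb_add's body begins and ends outside this hunk.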
static char *controls[] = {
LDAP_CONTROL_ASSERT,
LDAP_CONTROL_MANAGEDSAIT,
- LDAP_CONTROL_MANAGEDIT,
LDAP_CONTROL_NOOP,
LDAP_CONTROL_PAGEDRESULTS,
#ifdef LDAP_CONTROL_SUBENTRIES
Attribute *save_attrs;
Attribute *ap;
int glue_attr_delete = 0;
- int manage=0;
Debug( LDAP_DEBUG_TRACE, "bdb_modify_internal: 0x%08lx: %s\n",
e->e_id, e->e_dn, 0);
- if( get_manageDIT(op) ) {
- AttributeDescription *entry = slap_schema.si_ad_entry;
- if( !access_allowed( op, e, entry, NULL, ACL_MANAGE, NULL )) {
- *text = "not authorized to manage entry";
- return LDAP_INSUFFICIENT_ACCESS;
- }
-
- manage = 1;
- }
-
if ( !acl_check_modlist( op, e, modlist )) {
return LDAP_INSUFFICIENT_ACCESS;
}
}
/* check that the entry still obeys the schema */
- rc = entry_schema_check( op->o_bd, e, save_attrs, manage,
+ rc = entry_schema_check( op->o_bd, e, save_attrs, get_manageDIT(op),
text, textbuf, textlen );
if ( rc != LDAP_SUCCESS || op->o_noop ) {
attrs_free( e->e_attrs );
return -1;
}
- for( bi=slap_binfo; bi->bi_type != NULL; bi++,nBackendInfo++ )
- {
+ for( bi=slap_binfo; bi->bi_type != NULL; bi++,nBackendInfo++ ) {
assert( bi->bi_init );
rc = bi->bi_init( bi );
}
}
+ /* check should be generalized */
+ if( get_manageDIT(op) && !be_isroot(op)) {
+ rs->sr_text = "requires manager authorization";
+ rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
+ }
+
done:;
return rs->sr_err;
}
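Review bot: The new root gate is hard-wired to get_manageDIT(op) even though this same commit introduces SLAP_CTRL_REQUIRES_ROOT in slap.h and neither sets it on the LDAP_CONTROL_MANAGEDIT descriptor (its mask becomes SLAP_CTRL_GLOBAL|SLAP_CTRL_UPDATE) nor tests it here, so the `/* check should be generalized */` comment describes exactly the work the flag was meant to do. Putting `SLAP_CTRL_REQUIRES_ROOT` into that descriptor's mask and rejecting, inside the per-control loop, any matched control whose `sc_mask & SLAP_CTRL_REQUIRES_ROOT` is set while `!be_isroot(op)` would give the next privileged control the check for free; failing that, the comment should at least say the flag is currently unused. Note also that be_isroot(op) is evaluated while controls are parsed, which as far as this page shows may be before the operation's target backend is selected, so it should be confirmed that op->o_bd is non-NULL here and that the rootdn being compared is the intended one. An authorization failure is conventionally reported as insufficientAccessRights rather than unwillingToPerform; if unwillingToPerform is deliberate, the comment should say why. The enclosing function starts outside this hunk.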
#endif
{ LDAP_CONTROL_MANAGEDIT,
(int)offsetof(struct slap_control_ids, sc_manageDIT),
- SLAP_CTRL_ACCESS, NULL,
+ SLAP_CTRL_GLOBAL|SLAP_CTRL_UPDATE, NULL,
parseManageDIT, LDAP_SLIST_ENTRY_INITIALIZER(next) },
{ LDAP_CONTROL_MANAGEDSAIT,
(int)offsetof(struct slap_control_ids, sc_manageDSAit),
if ( cid ) *cid = ctrl->sc_cid;
if ( ( ctrl->sc_mask & SLAP_CTRL_GLOBAL ) ||
- ( ( op->o_tag & LDAP_REQ_SEARCH ) &&
- ( ctrl->sc_mask & SLAP_CTRL_GLOBAL_SEARCH ) ) )
+ ( ( op->o_tag & LDAP_REQ_SEARCH ) &&
+ ( ctrl->sc_mask & SLAP_CTRL_GLOBAL_SEARCH ) ) )
{
return LDAP_COMPARE_TRUE;
}
"EQUALITY objectIdentifierMatch "
"SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 "
"SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )",
- NULL, 0,
+ NULL, SLAP_AT_MANAGEABLE,
oidValidate, objectClassPretty,
NULL, NULL, objectSubClassMatch,
objectSubClassIndexer, objectSubClassFilter,
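Review bot: The SLAP_AT_MANAGEABLE flag added to structuralObjectClass here (and to createTimestamp, modifyTimestamp, creatorsName and modifiersName in the following hunks) is what allows a manageDIT operation to write through NO-USER-MODIFICATION, yet none of the entries say so, and the flag's own comment in slap.h (`no-user-mod can be by-passed`) does not say by whom. Since the set of attributes carrying this flag is an authorization decision, a comment on the first entry would help: `/* SLAP_AT_MANAGEABLE: NO-USER-MODIFICATION may be bypassed by a manageDIT (rootdn-gated) operation */`. Each of these hunks sits inside the static schema table, whose start and end are outside the view.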
"ORDERING generalizedTimeOrderingMatch "
"SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 "
"SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )",
- NULL, 0,
+ NULL, SLAP_AT_MANAGEABLE,
NULL, NULL,
NULL, NULL, NULL, NULL, NULL,
offsetof(struct slap_internal_schema, si_ad_createTimestamp) },
"ORDERING generalizedTimeOrderingMatch "
"SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 "
"SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )",
- NULL, 0,
+ NULL, SLAP_AT_MANAGEABLE,
NULL, NULL,
NULL, NULL, NULL, NULL, NULL,
offsetof(struct slap_internal_schema, si_ad_modifyTimestamp) },
"EQUALITY distinguishedNameMatch "
"SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 "
"SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )",
- NULL, 0,
+ NULL, SLAP_AT_MANAGEABLE,
NULL, NULL,
NULL, NULL, NULL, NULL, NULL,
offsetof(struct slap_internal_schema, si_ad_creatorsName) },
"EQUALITY distinguishedNameMatch "
"SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 "
"SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )",
- NULL, 0,
+ NULL, SLAP_AT_MANAGEABLE,
NULL, NULL,
NULL, NULL, NULL, NULL, NULL,
offsetof(struct slap_internal_schema, si_ad_modifiersName) },
NULL, NULL,
NULL, NULL, NULL, NULL, NULL,
offsetof(struct slap_internal_schema, si_ad_children) },
+
+ /* access control externals */
{ "authzTo", "( 1.3.6.1.4.1.4203.666.1.8 "
"NAME ( 'authzTo' 'saslAuthzTo' ) "
"DESC 'proxy authorization targets' "
AttributeTypeSchemaCheckFN *sat_check;
char *sat_oidmacro;
-#define SLAP_AT_NONE 0x0000U
-#define SLAP_AT_ABSTRACT 0x0100U /* cannot be instantiated */
-#define SLAP_AT_FINAL 0x0200U /* cannot be subtyped */
+#define SLAP_AT_NONE 0x0000U
+#define SLAP_AT_ABSTRACT 0x0100U /* cannot be instantiated */
+#define SLAP_AT_FINAL 0x0200U /* cannot be subtyped */
#ifdef LDAP_DEVEL
-#define SLAP_AT_HIDE 0x0000U /* publish everything */
+#define SLAP_AT_HIDE 0x0000U /* publish everything */
#else
-#define SLAP_AT_HIDE 0x8000U /* hide attribute */
+#define SLAP_AT_HIDE 0x8000U /* hide attribute */
#endif
-#define SLAP_AT_DYNAMIC 0x0400U /* dynamically generated */
+#define SLAP_AT_DYNAMIC 0x0400U /* dynamically generated */
+
+#define SLAP_AT_MANAGEABLE 0x0800U /* no-user-mod can be by-passed */
#define SLAP_AT_ORDERED_VAL 0x0001U /* values are ordered */
#define SLAP_AT_ORDERED_SIB 0x0002U /* siblings are ordered */
-#define SLAP_AT_ORDERED 0x0003U /* value has order index */
-#define SLAP_AT_HARDCODE 0x10000U /* This is hardcoded schema */
+#define SLAP_AT_ORDERED 0x0003U /* value has order index */
+
+#define SLAP_AT_HARDCODE 0x10000U /* hardcoded schema */
slap_mask_t sat_flags;
char o_do_not_cache; /* don't cache groups from this op */
char o_is_auth_check; /* authorization in progress */
+ char o_nocaching;
+ char o_delete_glue_parent;
+
#define SLAP_CONTROL_NONE 0
#define SLAP_CONTROL_IGNORED 1
#define SLAP_CONTROL_NONCRITICAL 2
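Review bot: The two flags moved to this position, `o_nocaching` and `o_delete_glue_parent`, are the only Operation members in the hunk without a trailing comment, while their neighbours each explain their purpose (`/* authorization in progress */`). Give each the same kind of one-line comment stating which cache o_nocaching bypasses and when o_delete_glue_parent is set; their users are not on this page, so the wording has to come from the author. They also narrow from int to char (the matching removals follow o_next in the next hunk), which is fine only if every writer stores 0/1 — worth confirming. The Operation typedef starts and ends outside this hunk.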
LDAP_STAILQ_ENTRY(slap_op) o_next; /* next operation in list */
- int o_nocaching;
- int o_delete_glue_parent;
-
} Operation;
#define OPERATION_BUFFER_SIZE (sizeof(Operation)+sizeof(Opheader)+SLAP_MAX_CIDS*sizeof(void *))
#define SLAP_CTRL_HIDE 0x80000000U
#endif
+#define SLAP_CTRL_REQUIRES_ROOT 0x40000000U /* for ManageDIT */
+
#define SLAP_CTRL_GLOBAL 0x00800000U
#define SLAP_CTRL_GLOBAL_SEARCH 0x00010000U /* for NOOP */