Support for global ACL overlays, corresponding SLAPI support

diff --git a/servers/slapd/acl.c b/servers/slapd/acl.c
index 7572598beff5f1b2b6d9dd048126d30355311e95..e7dcc18ccdbed1d35aa990cb4d9abeed1b028e4c 100644 (file)
--- a/servers/slapd/acl.c
+++ b/servers/slapd/acl.c
@@ -359,6 +359,7 @@ access_allowed_mask(
        const char                      *attr;
        int                             st_same_attr = 0;
        static AccessControlState       state_init = ACL_STATE_INIT;
+       BackendDB                       *be_orig;
 
        assert( e != NULL );
        assert( desc != NULL );
@@ -432,8 +433,12 @@ access_allowed_mask(
                ret = op->o_bd->bd_info->bi_access_allowed( op, e, desc, val, access, state, &mask );
 
        } else {
-               /* use default */
-               ret = slap_access_allowed( op, e, desc, val, access, state, &mask );
+               /* use default (but pass through frontend for global ACL overlays) */
+               be_orig = op->o_bd;
+
+               op->o_bd = frontendDB;
+               ret = frontendDB->bd_info->bi_access_allowed( op, e, desc, val, access, state, &mask );
+               op->o_bd = be_orig;
        }
 
        if ( !ret ) {

diff --git a/servers/slapd/backend.c b/servers/slapd/backend.c
index a12bc48fed306bc8d2768531c343cb1beb17fbf4..e7fe8934c487d7e437c317ef4d62952643badfa5 100644 (file)
--- a/servers/slapd/backend.c
+++ b/servers/slapd/backend.c
@@ -1182,7 +1182,7 @@ be_entry_get_rw(
 }
 
 int 
-backend_group(
+fe_acl_group(
        Operation *op,
        Entry   *target,
        struct berval *gr_ndn,
@@ -1196,8 +1196,6 @@ backend_group(
        GroupAssertion *g;
        Backend *be = op->o_bd;
 
-       if ( op->o_abandon ) return SLAPD_ABANDON;
-
        op->o_bd = select_backend( gr_ndn, 0, 0 );
 
        for ( g = op->o_groups; g; g = g->ga_next ) {
@@ -1350,7 +1348,32 @@ done:
 }
 
 int 
-backend_attribute(
+backend_group(
+       Operation *op,
+       Entry   *target,
+       struct berval *gr_ndn,
+       struct berval *op_ndn,
+       ObjectClass *group_oc,
+       AttributeDescription *group_at )
+{
+       int                     rc;
+       BackendDB               *be_orig;
+
+       if ( op->o_abandon ) {
+               return SLAPD_ABANDON;
+       }
+
+       be_orig = op->o_bd;
+       op->o_bd = frontendDB;
+       rc = frontendDB->be_group( op, target, gr_ndn,
+               op_ndn, group_oc, group_at );
+       op->o_bd = be_orig;
+
+       return rc;
+}
+
+int 
+fe_acl_attribute(
        Operation *op,
        Entry   *target,
        struct berval   *edn,
@@ -1457,6 +1480,27 @@ freeit:          if ( e != target ) {
        return rc;
 }
 
+int 
+backend_attribute(
+       Operation *op,
+       Entry   *target,
+       struct berval   *edn,
+       AttributeDescription *entry_at,
+       BerVarray *vals,
+       slap_access_t access )
+{
+       int                     rc;
+       BackendDB               *be_orig;
+
+       be_orig = op->o_bd;
+       op->o_bd = frontendDB;
+       rc = frontendDB->be_attribute( op, target, edn,
+               entry_at, vals, access );
+       op->o_bd = be_orig;
+
+       return rc;
+}
+
 int 
 backend_access(
        Operation               *op,
@@ -1563,9 +1607,9 @@ fe_aux_operational(
        Operation *op,
        SlapReply *rs )
 {
-       Attribute       **ap;
-       int             rc = 0;
-       BackendDB       *be_orig;
+       Attribute               **ap;
+       int                     rc = 0;
+       BackendDB               *be_orig;
 
        for ( ap = &rs->sr_operational_attrs; *ap; ap = &(*ap)->a_next )
                /* just count them */ ;

diff --git a/servers/slapd/frontend.c b/servers/slapd/frontend.c
index d97e050889572b9706be0b310e68b044fe9f9493..3ea31ac49184a5770a9c4532116fb53fc8122457 100644 (file)
--- a/servers/slapd/frontend.c
+++ b/servers/slapd/frontend.c
@@ -115,6 +115,15 @@ frontend_init( void )
        frontendDB->bd_info->bi_op_search = fe_op_search;
        frontendDB->bd_info->bi_extended = fe_extended;
        frontendDB->bd_info->bi_operational = fe_aux_operational;
+#if 0
+       frontendDB->bd_info->bi_entry_get_rw = fe_entry_get_rw;
+       frontendDB->bd_info->bi_entry_release_rw = fe_entry_release_rw;
+#endif
+#ifdef SLAP_OVERLAY_ACCESS
+       frontendDB->bd_info->bi_access_allowed = slap_access_allowed;
+       frontendDB->bd_info->bi_acl_group = fe_acl_group;
+       frontendDB->bd_info->bi_acl_attribute = fe_acl_attribute;
+#endif /* SLAP_OVERLAY_ACCESS */
 
 #if 0
        /* FIXME: is this too early? */

diff --git a/servers/slapd/proto-slap.h b/servers/slapd/proto-slap.h
index 04b46116d2500beba47e9cbe06b19abadaf83d59..68c227d887edb6e60e6bbd50ce9d7ffce78b6351 100644 (file)
--- a/servers/slapd/proto-slap.h
+++ b/servers/slapd/proto-slap.h
@@ -1639,6 +1639,20 @@ LDAP_SLAPD_F (int) fe_aux_operational LDAP_P((Operation *op, SlapReply *rs));
 LDAP_SLAPD_F (int) fe_op_unbind LDAP_P((Operation *op, SlapReply *rs));
 #endif
 LDAP_SLAPD_F (int) fe_extended LDAP_P((Operation *op, SlapReply *rs));
+LDAP_SLAPD_F (int) fe_acl_group LDAP_P((
+       Operation *op,
+       Entry   *target,
+       struct berval *gr_ndn,
+       struct berval *op_ndn,
+       ObjectClass *group_oc,
+       AttributeDescription *group_at ));
+LDAP_SLAPD_F (int) fe_acl_attribute LDAP_P((
+       Operation *op,
+       Entry   *target,
+       struct berval   *edn,
+       AttributeDescription *entry_at,
+       BerVarray *vals,
+       slap_access_t access ));
 
 /* NOTE: this macro assumes that bv has been allocated
  * by ber_* malloc functions or is { 0L, NULL } */

diff --git a/servers/slapd/slapi/slapi_overlay.c b/servers/slapd/slapi/slapi_overlay.c
index 227131ec139c19aa220f5428e4a122777e300c52..1aac1c105c4db3d9a989573a89261da0c475d53b 100644 (file)
--- a/servers/slapd/slapi/slapi_overlay.c
+++ b/servers/slapd/slapi/slapi_overlay.c
@@ -822,13 +822,28 @@ slapi_over_acl_group(
        Slapi_Entry             *e;
        int                     rc;
        Slapi_PBlock            *pb = op->o_pb;
+       BackendDB               *be = NULL;
+       BackendDB               *be_orig = op->o_bd;
 
        if ( pb == NULL ) {
                return SLAP_CB_CONTINUE;
        }
 
-       rc = be_entry_get_rw( op, gr_ndn, group_oc, group_at, 0, &e );
-       if ( e == NULL ) {
+       if ( target != NULL && dn_match( &target->e_nname, gr_ndn ) ) {
+               e = target;
+               rc = 0;
+       } else {
+               be = select_backend( gr_ndn, 0, 0 );
+               if ( be == NULL ) {
+                       rc = LDAP_NO_SUCH_OBJECT;
+               } else {
+                       op->o_bd = be;
+                       rc = be_entry_get_rw( op, gr_ndn, group_oc, group_at, 0, &e );
+                       op->o_bd = be_orig;
+               }
+       }
+
+       if ( rc ) {
                return SLAP_CB_CONTINUE;
        }
 
@@ -848,8 +863,11 @@ slapi_over_acl_group(
        slapi_pblock_set( pb, SLAPI_X_GROUP_ATTRIBUTE,     NULL );
        slapi_pblock_set( pb, SLAPI_X_GROUP_TARGET_ENTRY,  NULL );
 
-       if ( e != target )
+       if ( e != target ) {
+               op->o_bd = be;
                be_entry_release_r( op, e );
+               op->o_bd = be_orig;
+       }
 
        /*
         * XXX don't call POST_GROUP_FN, I have no idea what the point of
@@ -858,33 +876,6 @@ slapi_over_acl_group(
        return rc;
 }
 
-#if 0
-static int
-slapi_over_compute_output_attr_access(computed_attr_context *c, Slapi_Attr *a, Slapi_Entry *e)
-{
-       struct berval   *nval = (struct berval *)c->cac_private;
-
-       return access_allowed( c->cac_op, e, a->a_desc, nval, ACL_AUTH, NULL ) == 0;
-}
-
-static int
-slapi_over_acl_attribute(
-       Operation               *op,
-       Entry                   *target,
-       struct berval           *entry_ndn,
-       AttributeDescription    *entry_at,
-       BerVarray               *vals,
-       slap_access_t           access )
-{
-       computed_attr_context   ctx;
-
-       ctx.cac_pb = op->o_pb;
-       ctx.cac_op = op;
-       ctx.cac_acl_state = NULL;
-       ctx.cac_private = nval;
-}
-#endif
-
 int
 slapi_int_overlay_init()
 {
@@ -906,6 +897,7 @@ slapi_int_overlay_init()
        slapi.on_bi.bi_extended = slapi_over_extended;
        slapi.on_bi.bi_access_allowed = slapi_over_access_allowed;
        slapi.on_bi.bi_operational = slapi_over_aux_operational;
+       slapi.on_bi.bi_acl_group = slapi_over_acl_group;
 
        return overlay_register( &slapi );
 }