internal SASL searches need to be checked for "auth" access,

author Kurt Zeilenga <kurt@openldap.org>

Wed, 12 Mar 2003 21:58:18 +0000 (21:58 +0000)

committer Kurt Zeilenga <kurt@openldap.org>

Wed, 12 Mar 2003 21:58:18 +0000 (21:58 +0000)
author Kurt Zeilenga <kurt@openldap.org>
Wed, 12 Mar 2003 21:58:18 +0000 (21:58 +0000)
committer Kurt Zeilenga <kurt@openldap.org>
Wed, 12 Mar 2003 21:58:18 +0000 (21:58 +0000)
diff --git a/servers/slapd/acl.c b/servers/slapd/acl.c

index 20935cad3d863989b83aeecb664ea5fc80394b5e..b62b61c9a7d1477a35ae95978f961b9f58121b48 100644 (file)
--- a/servers/slapd/acl.c
+++ b/servers/slapd/acl.c
@@ -142,6 +142,9 @@ access_allowed(
  
         assert( attr != NULL );
  
+       if( op && op->o_is_auth_check && (access == ACL_SEARCH || access == ACL_READ)) {
+               access = ACL_AUTH;
+       }
         if( state && state->as_recorded && state->as_vd_ad==desc) { 
                 if( state->as_recorded & ACL_STATE_RECORDED_NV &&
                         val == NULL )
diff --git a/servers/slapd/sasl.c b/servers/slapd/sasl.c

index 355a5c3c0bd8cf4b5c6798f00e9b3088ec2fd840..257689a1ef507829058d56b3f8f3470375f51be4 100644 (file)
--- a/servers/slapd/sasl.c
+++ b/servers/slapd/sasl.c
@@ -438,6 +438,7 @@ slap_auxprop_lookup(
                         op.o_callback = &cb;
                         op.o_time = slap_get_time();
                         op.o_do_not_cache = 1;
+                       op.o_is_auth_check = 1;
                         op.o_threadctx = conn->c_sasl_bindop->o_threadctx;
  
                         (*be->be_search)( be, conn, &op, NULL, &dn,
@@ -563,6 +564,7 @@ slap_sasl_checkpass(
                 op.o_callback = &cb;
                 op.o_time = slap_get_time();
                 op.o_do_not_cache = 1;
+               op.o_is_auth_check = 1;
                 op.o_threadctx = conn->c_sasl_bindop->o_threadctx;
  
                 (*be->be_search)( be, conn, &op, NULL, &dn,
diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c

index 763094d714918d7849c7f9b4ca6ea74788cf7f50..50c6b5fd67b0ecf5f4ab2cf3d8d6b19e5c5b7a46 100644 (file)
--- a/servers/slapd/saslauthz.c
+++ b/servers/slapd/saslauthz.c
@@ -474,6 +474,7 @@ int slap_sasl_match(Connection *conn, struct berval *rule, struct berval *assert
         op.o_callback = &cb;
         op.o_time = slap_get_time();
         op.o_do_not_cache = 1;
+       op.o_is_auth_check = 1;
         op.o_threadctx = conn->c_sasl_bindop->o_threadctx;
  
         (*be->be_search)( be, conn, &op, /*base=*/NULL, &searchbase,
@@ -634,6 +635,7 @@ void slap_sasl2dn( Connection *conn,
         op.o_callback = &cb;
         op.o_time = slap_get_time();
         op.o_do_not_cache = 1;
+       op.o_is_auth_check = 1;
         op.o_threadctx = conn->c_sasl_bindop->o_threadctx;
  
         (*be->be_search)( be, conn, &op, NULL, &dn,
diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h

index c4722208c225fa0cbc712f7adae6d9b5beebbc7e..aae80c7b3bdb94daad9f1dabd0226b56b34368f7 100644 (file)
--- a/servers/slapd/slap.h
+++ b/servers/slapd/slap.h
@@ -1681,6 +1681,7 @@ typedef struct slap_op {
  #define SLAP_CANCEL_DONE                               0x03
  
         char o_do_not_cache;    /* don't cache from this op */
+       char o_is_auth_check;   /* authorization in progress */
  
  #define SLAP_NO_CONTROL 0
  #define SLAP_NONCRITICAL_CONTROL 1
author	Kurt Zeilenga <kurt@openldap.org>
	Wed, 12 Mar 2003 21:58:18 +0000 (21:58 +0000)
committer	Kurt Zeilenga <kurt@openldap.org>
	Wed, 12 Mar 2003 21:58:18 +0000 (21:58 +0000)
servers/slapd/acl.c		patch \| blob \| history
servers/slapd/sasl.c		patch \| blob \| history
servers/slapd/saslauthz.c		patch \| blob \| history
servers/slapd/slap.h		patch \| blob \| history