From: Howard Chu
Date: Thu, 9 Jun 2011 22:25:32 +0000 (-0700)
Subject: ITS#6688 enforce search ACL in back-perl
X-Git-Url: https://git.sur5r.net/?p=openldap;a=commitdiff_plain;h=53bb95a2e3456806b503415fb745eae1146c0627

ITS#6688 enforce search ACL in back-perl
---
diff --git a/servers/slapd/back-perl/search.c b/servers/slapd/back-perl/search.c
index 9d209ebd98..e50fa0c128 100644
--- a/servers/slapd/back-perl/search.c
+++ b/servers/slapd/back-perl/search.c
@@ -35,6 +35,27 @@ perl_back_search(
 int i;
 PERL_SET_CONTEXT( PERL_INTERPRETER );
+
+ {
+ Entry base = {0};
+ slap_mask_t mask;
+ /* Require search access to base */
+ base.e_name = op->o_req_dn;
+ base.e_nname = op->o_req_ndn;
+ if ( !access_allowed_mask( op, &base, slap_schema.si_ad_entry,
+ NULL, ACL_SEARCH, NULL, &mask ))
+ {
+ if ( !ACL_GRANT( mask, ACL_DISCLOSE )) {
+ rs->sr_err = LDAP_NO_SUCH_OBJECT;
+ } else {
+ rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
+ }
+
+ send_ldap_result( op, rs );
+ return rs->sr_err;
+ }
+ }
+
 ldap_pvt_thread_mutex_lock( &perl_interpreter_mutex );
 {
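Review bot: The comment `/* Require search access to base */` leaves out that `base` is a zero-initialised stub with only `e_name` and `e_nname` set, so the `access_allowed_mask()` call evaluates the ACLs against an entry with no attributes. Any rule that selects on entry contents rather than on the DN would presumably not match here the way it does for a stored entry, which an administrator writing ACLs for this backend needs to know. I would extend the comment to `/* Require search access to base. base is a DN-only stub: ACL rules that match on entry contents see an empty entry here. */`. The check covers the search base only, and the rest of perl_back_search lies outside this hunk, so it is worth confirming there that the entries produced by the Perl callback still go through per-entry access checks before they are returned.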