diff --git a/servers/slapd/acl.c b/servers/slapd/acl.c index f924da1a8e..5030a20e0a 100644 --- a/servers/slapd/acl.c +++ b/servers/slapd/acl.c @@ -174,6 +174,14 @@ access_allowed( goto done; } +#ifdef LDAP_SLAPI + ret = slapi_x_access_allowed( op, e, desc, val, access, state ); + if ( ret == 0 ) { + /* ACL plugin denied access */ + goto done; + } +#endif /* LDAP_SLAPI */ + be = op->o_bd; if ( be == NULL ) { be = &backends[0]; diff --git a/servers/slapd/slapi/proto-slapi.h b/servers/slapd/slapi/proto-slapi.h index 6b1c35c885..f607a17d63 100644 --- a/servers/slapd/slapi/proto-slapi.h +++ b/servers/slapd/slapi/proto-slapi.h @@ -220,6 +220,8 @@ extern int compute_evaluator(computed_attr_context *c, char *type, Slapi_Entry * extern int slapi_x_compute_output_ber(computed_attr_context *c, Slapi_Attr *a, Slapi_Entry *e); extern int slapi_x_compute_get_pblock(computed_attr_context *c, Slapi_PBlock **pb); +extern int slapi_x_access_allowed(Operation *op, Entry *entry, AttributeDescription *desc, struct berval *val, slap_access_t access, AccessControlState *state); + extern ldap_pvt_thread_mutex_t slapi_hn_mutex; extern ldap_pvt_thread_mutex_t slapi_time_mutex; extern ldap_pvt_thread_mutex_t slapi_printmessage_mutex; diff --git a/servers/slapd/slapi/slapi.h b/servers/slapd/slapi/slapi.h index bf1e0953ed..7b7c1fedc8 100644 --- a/servers/slapd/slapi/slapi.h +++ b/servers/slapd/slapi/slapi.h @@ -398,6 +398,12 @@ extern Backend * slapi_cl_get_be(char *dn); #define SLAPI_PLUGIN_SYNTAX_FLAGS 707 #define SLAPI_PLUGIN_SYNTAX_COMPARE 708 +#define SLAPI_PLUGIN_ACL_INIT 730 +#define SLAPI_PLUGIN_ACL_SYNTAX_CHECK 731 +#define SLAPI_PLUGIN_ACL_ALLOW_ACCESS 732 +#define SLAPI_PLUGIN_ACL_MODS_ALLOWED 733 +#define SLAPI_PLUGIN_ACL_MODS_UPDATE 734 + #define SLAPI_OPERATION_AUTHTYPE 741 #define SLAPI_OPERATION_ID 742 #define SLAPI_CONN_CERT 743 diff --git a/servers/slapd/slapi/slapi_pblock.c b/servers/slapd/slapi/slapi_pblock.c index a366859f65..546a241581 100644 --- a/servers/slapd/slapi/slapi_pblock.c +++ b/servers/slapd/slapi/slapi_pblock.c @@ -203,6 +203,7 @@ isOkNetscapeParam( int param ) case SLAPI_RESULT_MATCHED: case SLAPI_PLUGIN_COMPUTE_EVALUATOR_FN: case SLAPI_PLUGIN_COMPUTE_SEARCH_REWRITER_FN: + case SLAPI_PLUGIN_ACL_ALLOW_ACCESS: return LDAP_SUCCESS; default: return INVALID_PARAM; diff --git a/servers/slapd/slapi/slapi_utils.c b/servers/slapd/slapi/slapi_utils.c index f53ebd1874..b19bafaaa4 100644 --- a/servers/slapd/slapi/slapi_utils.c +++ b/servers/slapd/slapi/slapi_utils.c @@ -3734,3 +3734,66 @@ int slapi_notify_condvar( Slapi_CondVar *cvar, int notify_all ) #endif } +int slapi_x_access_allowed( Operation *op, + Entry *entry, + AttributeDescription *desc, + struct berval *val, + slap_access_t access, + AccessControlState *state ) +{ +#ifdef LDAP_SLAPI + int rc, slap_access = 0; + slapi_acl_callback_t *pGetPlugin, *tmpPlugin; + + if ( op->o_pb == NULL ) { + /* internal operation */ + return 1; + } + + slapi_x_pblock_set_operation( op->o_pb, op ); + + switch ( access ) { + case ACL_WRITE: + slap_access |= SLAPI_ACL_ADD | SLAPI_ACL_DELETE | SLAPI_ACL_WRITE; + break; + case ACL_READ: + slap_access |= SLAPI_ACL_READ; + break; + case ACL_SEARCH: + slap_access |= SLAPI_ACL_SEARCH; + break; + case ACL_COMPARE: + slap_access = ACL_COMPARE; + break; + default: + break; + } + + rc = getAllPluginFuncs( NULL, SLAPI_PLUGIN_ACL_ALLOW_ACCESS, (SLAPI_FUNC **)&tmpPlugin ); + if ( rc != LDAP_SUCCESS || tmpPlugin == NULL ) { + /* nothing to do; allowed access */ + return 1; + } + + rc = 1; /* default allow policy */ + + for ( pGetPlugin = tmpPlugin; *pGetPlugin != NULL; pGetPlugin++ ) { + /* + * 0 access denied + * 1 access granted + */ + rc = (*pGetPlugin)( op->o_pb, entry, desc->ad_cname.bv_val, + val, slap_access, (void *)state ); + if ( rc == 0 ) { + break; + } + } + + slapi_ch_free( (void **)&tmpPlugin ); + + return rc; +#else + return 1; +#endif /* LDAP_SLAPI */ +} +