mirror of
https://git.openldap.org/openldap/openldap.git
synced 2024-12-21 03:10:25 +08:00
Support for ACL plugins
This commit is contained in:
parent
d649ae0808
commit
0edb270b9e
@ -174,6 +174,14 @@ access_allowed(
|
|||||||
goto done;
|
goto done;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#ifdef LDAP_SLAPI
|
||||||
|
ret = slapi_x_access_allowed( op, e, desc, val, access, state );
|
||||||
|
if ( ret == 0 ) {
|
||||||
|
/* ACL plugin denied access */
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
#endif /* LDAP_SLAPI */
|
||||||
|
|
||||||
be = op->o_bd;
|
be = op->o_bd;
|
||||||
if ( be == NULL ) {
|
if ( be == NULL ) {
|
||||||
be = &backends[0];
|
be = &backends[0];
|
||||||
|
@ -220,6 +220,8 @@ extern int compute_evaluator(computed_attr_context *c, char *type, Slapi_Entry *
|
|||||||
extern int slapi_x_compute_output_ber(computed_attr_context *c, Slapi_Attr *a, Slapi_Entry *e);
|
extern int slapi_x_compute_output_ber(computed_attr_context *c, Slapi_Attr *a, Slapi_Entry *e);
|
||||||
extern int slapi_x_compute_get_pblock(computed_attr_context *c, Slapi_PBlock **pb);
|
extern int slapi_x_compute_get_pblock(computed_attr_context *c, Slapi_PBlock **pb);
|
||||||
|
|
||||||
|
extern int slapi_x_access_allowed(Operation *op, Entry *entry, AttributeDescription *desc, struct berval *val, slap_access_t access, AccessControlState *state);
|
||||||
|
|
||||||
extern ldap_pvt_thread_mutex_t slapi_hn_mutex;
|
extern ldap_pvt_thread_mutex_t slapi_hn_mutex;
|
||||||
extern ldap_pvt_thread_mutex_t slapi_time_mutex;
|
extern ldap_pvt_thread_mutex_t slapi_time_mutex;
|
||||||
extern ldap_pvt_thread_mutex_t slapi_printmessage_mutex;
|
extern ldap_pvt_thread_mutex_t slapi_printmessage_mutex;
|
||||||
|
@ -398,6 +398,12 @@ extern Backend * slapi_cl_get_be(char *dn);
|
|||||||
#define SLAPI_PLUGIN_SYNTAX_FLAGS 707
|
#define SLAPI_PLUGIN_SYNTAX_FLAGS 707
|
||||||
#define SLAPI_PLUGIN_SYNTAX_COMPARE 708
|
#define SLAPI_PLUGIN_SYNTAX_COMPARE 708
|
||||||
|
|
||||||
|
#define SLAPI_PLUGIN_ACL_INIT 730
|
||||||
|
#define SLAPI_PLUGIN_ACL_SYNTAX_CHECK 731
|
||||||
|
#define SLAPI_PLUGIN_ACL_ALLOW_ACCESS 732
|
||||||
|
#define SLAPI_PLUGIN_ACL_MODS_ALLOWED 733
|
||||||
|
#define SLAPI_PLUGIN_ACL_MODS_UPDATE 734
|
||||||
|
|
||||||
#define SLAPI_OPERATION_AUTHTYPE 741
|
#define SLAPI_OPERATION_AUTHTYPE 741
|
||||||
#define SLAPI_OPERATION_ID 742
|
#define SLAPI_OPERATION_ID 742
|
||||||
#define SLAPI_CONN_CERT 743
|
#define SLAPI_CONN_CERT 743
|
||||||
|
@ -203,6 +203,7 @@ isOkNetscapeParam( int param )
|
|||||||
case SLAPI_RESULT_MATCHED:
|
case SLAPI_RESULT_MATCHED:
|
||||||
case SLAPI_PLUGIN_COMPUTE_EVALUATOR_FN:
|
case SLAPI_PLUGIN_COMPUTE_EVALUATOR_FN:
|
||||||
case SLAPI_PLUGIN_COMPUTE_SEARCH_REWRITER_FN:
|
case SLAPI_PLUGIN_COMPUTE_SEARCH_REWRITER_FN:
|
||||||
|
case SLAPI_PLUGIN_ACL_ALLOW_ACCESS:
|
||||||
return LDAP_SUCCESS;
|
return LDAP_SUCCESS;
|
||||||
default:
|
default:
|
||||||
return INVALID_PARAM;
|
return INVALID_PARAM;
|
||||||
|
@ -3734,3 +3734,66 @@ int slapi_notify_condvar( Slapi_CondVar *cvar, int notify_all )
|
|||||||
#endif
|
#endif
|
||||||
}
|
}
|
||||||
|
|
||||||
|
int slapi_x_access_allowed( Operation *op,
|
||||||
|
Entry *entry,
|
||||||
|
AttributeDescription *desc,
|
||||||
|
struct berval *val,
|
||||||
|
slap_access_t access,
|
||||||
|
AccessControlState *state )
|
||||||
|
{
|
||||||
|
#ifdef LDAP_SLAPI
|
||||||
|
int rc, slap_access = 0;
|
||||||
|
slapi_acl_callback_t *pGetPlugin, *tmpPlugin;
|
||||||
|
|
||||||
|
if ( op->o_pb == NULL ) {
|
||||||
|
/* internal operation */
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
slapi_x_pblock_set_operation( op->o_pb, op );
|
||||||
|
|
||||||
|
switch ( access ) {
|
||||||
|
case ACL_WRITE:
|
||||||
|
slap_access |= SLAPI_ACL_ADD | SLAPI_ACL_DELETE | SLAPI_ACL_WRITE;
|
||||||
|
break;
|
||||||
|
case ACL_READ:
|
||||||
|
slap_access |= SLAPI_ACL_READ;
|
||||||
|
break;
|
||||||
|
case ACL_SEARCH:
|
||||||
|
slap_access |= SLAPI_ACL_SEARCH;
|
||||||
|
break;
|
||||||
|
case ACL_COMPARE:
|
||||||
|
slap_access = ACL_COMPARE;
|
||||||
|
break;
|
||||||
|
default:
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
rc = getAllPluginFuncs( NULL, SLAPI_PLUGIN_ACL_ALLOW_ACCESS, (SLAPI_FUNC **)&tmpPlugin );
|
||||||
|
if ( rc != LDAP_SUCCESS || tmpPlugin == NULL ) {
|
||||||
|
/* nothing to do; allowed access */
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
rc = 1; /* default allow policy */
|
||||||
|
|
||||||
|
for ( pGetPlugin = tmpPlugin; *pGetPlugin != NULL; pGetPlugin++ ) {
|
||||||
|
/*
|
||||||
|
* 0 access denied
|
||||||
|
* 1 access granted
|
||||||
|
*/
|
||||||
|
rc = (*pGetPlugin)( op->o_pb, entry, desc->ad_cname.bv_val,
|
||||||
|
val, slap_access, (void *)state );
|
||||||
|
if ( rc == 0 ) {
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
slapi_ch_free( (void **)&tmpPlugin );
|
||||||
|
|
||||||
|
return rc;
|
||||||
|
#else
|
||||||
|
return 1;
|
||||||
|
#endif /* LDAP_SLAPI */
|
||||||
|
}
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user