mirror of
https://git.openldap.org/openldap/openldap.git
synced 2025-01-06 10:46:21 +08:00
Support for ACL plugins
This commit is contained in:
parent
d649ae0808
commit
0edb270b9e
@ -174,6 +174,14 @@ access_allowed(
|
||||
goto done;
|
||||
}
|
||||
|
||||
#ifdef LDAP_SLAPI
|
||||
ret = slapi_x_access_allowed( op, e, desc, val, access, state );
|
||||
if ( ret == 0 ) {
|
||||
/* ACL plugin denied access */
|
||||
goto done;
|
||||
}
|
||||
#endif /* LDAP_SLAPI */
|
||||
|
||||
be = op->o_bd;
|
||||
if ( be == NULL ) {
|
||||
be = &backends[0];
|
||||
|
@ -220,6 +220,8 @@ extern int compute_evaluator(computed_attr_context *c, char *type, Slapi_Entry *
|
||||
extern int slapi_x_compute_output_ber(computed_attr_context *c, Slapi_Attr *a, Slapi_Entry *e);
|
||||
extern int slapi_x_compute_get_pblock(computed_attr_context *c, Slapi_PBlock **pb);
|
||||
|
||||
extern int slapi_x_access_allowed(Operation *op, Entry *entry, AttributeDescription *desc, struct berval *val, slap_access_t access, AccessControlState *state);
|
||||
|
||||
extern ldap_pvt_thread_mutex_t slapi_hn_mutex;
|
||||
extern ldap_pvt_thread_mutex_t slapi_time_mutex;
|
||||
extern ldap_pvt_thread_mutex_t slapi_printmessage_mutex;
|
||||
|
@ -398,6 +398,12 @@ extern Backend * slapi_cl_get_be(char *dn);
|
||||
#define SLAPI_PLUGIN_SYNTAX_FLAGS 707
|
||||
#define SLAPI_PLUGIN_SYNTAX_COMPARE 708
|
||||
|
||||
#define SLAPI_PLUGIN_ACL_INIT 730
|
||||
#define SLAPI_PLUGIN_ACL_SYNTAX_CHECK 731
|
||||
#define SLAPI_PLUGIN_ACL_ALLOW_ACCESS 732
|
||||
#define SLAPI_PLUGIN_ACL_MODS_ALLOWED 733
|
||||
#define SLAPI_PLUGIN_ACL_MODS_UPDATE 734
|
||||
|
||||
#define SLAPI_OPERATION_AUTHTYPE 741
|
||||
#define SLAPI_OPERATION_ID 742
|
||||
#define SLAPI_CONN_CERT 743
|
||||
|
@ -203,6 +203,7 @@ isOkNetscapeParam( int param )
|
||||
case SLAPI_RESULT_MATCHED:
|
||||
case SLAPI_PLUGIN_COMPUTE_EVALUATOR_FN:
|
||||
case SLAPI_PLUGIN_COMPUTE_SEARCH_REWRITER_FN:
|
||||
case SLAPI_PLUGIN_ACL_ALLOW_ACCESS:
|
||||
return LDAP_SUCCESS;
|
||||
default:
|
||||
return INVALID_PARAM;
|
||||
|
@ -3734,3 +3734,66 @@ int slapi_notify_condvar( Slapi_CondVar *cvar, int notify_all )
|
||||
#endif
|
||||
}
|
||||
|
||||
int slapi_x_access_allowed( Operation *op,
|
||||
Entry *entry,
|
||||
AttributeDescription *desc,
|
||||
struct berval *val,
|
||||
slap_access_t access,
|
||||
AccessControlState *state )
|
||||
{
|
||||
#ifdef LDAP_SLAPI
|
||||
int rc, slap_access = 0;
|
||||
slapi_acl_callback_t *pGetPlugin, *tmpPlugin;
|
||||
|
||||
if ( op->o_pb == NULL ) {
|
||||
/* internal operation */
|
||||
return 1;
|
||||
}
|
||||
|
||||
slapi_x_pblock_set_operation( op->o_pb, op );
|
||||
|
||||
switch ( access ) {
|
||||
case ACL_WRITE:
|
||||
slap_access |= SLAPI_ACL_ADD | SLAPI_ACL_DELETE | SLAPI_ACL_WRITE;
|
||||
break;
|
||||
case ACL_READ:
|
||||
slap_access |= SLAPI_ACL_READ;
|
||||
break;
|
||||
case ACL_SEARCH:
|
||||
slap_access |= SLAPI_ACL_SEARCH;
|
||||
break;
|
||||
case ACL_COMPARE:
|
||||
slap_access = ACL_COMPARE;
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
}
|
||||
|
||||
rc = getAllPluginFuncs( NULL, SLAPI_PLUGIN_ACL_ALLOW_ACCESS, (SLAPI_FUNC **)&tmpPlugin );
|
||||
if ( rc != LDAP_SUCCESS || tmpPlugin == NULL ) {
|
||||
/* nothing to do; allowed access */
|
||||
return 1;
|
||||
}
|
||||
|
||||
rc = 1; /* default allow policy */
|
||||
|
||||
for ( pGetPlugin = tmpPlugin; *pGetPlugin != NULL; pGetPlugin++ ) {
|
||||
/*
|
||||
* 0 access denied
|
||||
* 1 access granted
|
||||
*/
|
||||
rc = (*pGetPlugin)( op->o_pb, entry, desc->ad_cname.bv_val,
|
||||
val, slap_access, (void *)state );
|
||||
if ( rc == 0 ) {
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
slapi_ch_free( (void **)&tmpPlugin );
|
||||
|
||||
return rc;
|
||||
#else
|
||||
return 1;
|
||||
#endif /* LDAP_SLAPI */
|
||||
}
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user