Additional manageDIT changes.

Now require be_isroot() instead of "manage".
2025-02-11 13:50:39 +08:00 · 2005-05-13 21:09:26 +00:00 · 2005-05-13 21:09:26 +00:00 · 31727f0f4d
commit 31727f0f4d
parent d508114a9e
7 changed files with 36 additions and 36 deletions
--- a/servers/slapd/back-bdb/add.c
+++ b/servers/slapd/back-bdb/add.c
@ -52,8 +52,8 @@ bdb_add(Operation *op, SlapReply *rs )
 	ctrls[num_ctrls] = 0;

 	/* check entry's schema */
-	rs->sr_err = entry_schema_check( op->o_bd, op->oq_add.rs_e, NULL, 0,
-		&rs->sr_text, textbuf, textlen );
+	rs->sr_err = entry_schema_check( op->o_bd, op->oq_add.rs_e, NULL,
+		get_manageDIT(op), &rs->sr_text, textbuf, textlen );
 	if ( rs->sr_err != LDAP_SUCCESS ) {
 		Debug( LDAP_DEBUG_TRACE,
 			LDAP_XSTRING(bdb_add) ": entry failed schema check: "
--- a/servers/slapd/back-bdb/init.c
+++ b/servers/slapd/back-bdb/init.c
@ -650,7 +650,6 @@ bdb_back_initialize(
 	static char *controls[] = {
 		LDAP_CONTROL_ASSERT,
 		LDAP_CONTROL_MANAGEDSAIT,
-		LDAP_CONTROL_MANAGEDIT,
 		LDAP_CONTROL_NOOP,
 		LDAP_CONTROL_PAGEDRESULTS,
 #ifdef LDAP_CONTROL_SUBENTRIES
--- a/servers/slapd/back-bdb/modify.c
+++ b/servers/slapd/back-bdb/modify.c
@ -42,21 +42,10 @@ int bdb_modify_internal(
 	Attribute	*save_attrs;
 	Attribute 	*ap;
 	int			glue_attr_delete = 0;
-	int	manage=0;

 	Debug( LDAP_DEBUG_TRACE, "bdb_modify_internal: 0x%08lx: %s\n",
 		e->e_id, e->e_dn, 0);

-	if( get_manageDIT(op) ) {
-		AttributeDescription *entry = slap_schema.si_ad_entry;
-		if( !access_allowed( op, e, entry, NULL, ACL_MANAGE, NULL )) {
-			*text = "not authorized to manage entry";
-			return LDAP_INSUFFICIENT_ACCESS;
-		}
-
-		manage = 1;
-	}
-
 	if ( !acl_check_modlist( op, e, modlist )) {
 		return LDAP_INSUFFICIENT_ACCESS;
 	}
@ -207,7 +196,7 @@ int bdb_modify_internal(
 	}

 	/* check that the entry still obeys the schema */
-	rc = entry_schema_check( op->o_bd, e, save_attrs, manage,
+	rc = entry_schema_check( op->o_bd, e, save_attrs, get_manageDIT(op),
 		text, textbuf, textlen );
 	if ( rc != LDAP_SUCCESS || op->o_noop ) {
 		attrs_free( e->e_attrs );
--- a/servers/slapd/backend.c
+++ b/servers/slapd/backend.c
@ -98,8 +98,7 @@ int backend_init(void)
 		return -1;
 	}

-	for( bi=slap_binfo; bi->bi_type != NULL; bi++,nBackendInfo++ )
-	{
+	for( bi=slap_binfo; bi->bi_type != NULL; bi++,nBackendInfo++ ) {
 		assert( bi->bi_init );

 		rc = bi->bi_init( bi );
@ -855,6 +854,12 @@ backend_check_controls(
 		}
 	}

+	/* check should be generalized */
+	if( get_manageDIT(op) && !be_isroot(op)) {
+		rs->sr_text = "requires manager authorization";
+		rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
+	}
+
 done:;
 	return rs->sr_err;
 }
--- a/servers/slapd/controls.c
+++ b/servers/slapd/controls.c
@ -164,7 +164,7 @@ static struct slap_control control_defs[] = {
 #endif
 	{ LDAP_CONTROL_MANAGEDIT,
 		(int)offsetof(struct slap_control_ids, sc_manageDIT),
-		SLAP_CTRL_ACCESS, NULL,
+		SLAP_CTRL_GLOBAL|SLAP_CTRL_UPDATE, NULL,
 		parseManageDIT, LDAP_SLIST_ENTRY_INITIALIZER(next) },
 	{ LDAP_CONTROL_MANAGEDSAIT,
 		(int)offsetof(struct slap_control_ids, sc_manageDSAit),
@ -410,8 +410,8 @@ slap_global_control( Operation *op, const char *oid, int *cid )
 	if ( cid ) *cid = ctrl->sc_cid;

 	if ( ( ctrl->sc_mask & SLAP_CTRL_GLOBAL ) ||
-			( ( op->o_tag & LDAP_REQ_SEARCH ) &&
-			( ctrl->sc_mask & SLAP_CTRL_GLOBAL_SEARCH ) ) )
+		( ( op->o_tag & LDAP_REQ_SEARCH ) &&
+		( ctrl->sc_mask & SLAP_CTRL_GLOBAL_SEARCH ) ) )
 	{
 		return LDAP_COMPARE_TRUE;
 	}
--- a/servers/slapd/schema_prep.c
+++ b/servers/slapd/schema_prep.c
@ -449,7 +449,7 @@ static struct slap_schema_ad_map {
 			"EQUALITY objectIdentifierMatch "
 			"SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 "
 			"SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )",
-		NULL, 0,
+		NULL, SLAP_AT_MANAGEABLE,
 		oidValidate, objectClassPretty,
 		NULL, NULL, objectSubClassMatch,
 			objectSubClassIndexer, objectSubClassFilter,
@ -460,7 +460,7 @@ static struct slap_schema_ad_map {
 			"ORDERING generalizedTimeOrderingMatch "
 			"SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 "
 			"SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )",
-		NULL, 0,
+		NULL, SLAP_AT_MANAGEABLE,
 		NULL, NULL,
 		NULL, NULL, NULL, NULL, NULL,
 		offsetof(struct slap_internal_schema, si_ad_createTimestamp) },
@ -470,7 +470,7 @@ static struct slap_schema_ad_map {
 			"ORDERING generalizedTimeOrderingMatch "
 			"SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 "
 			"SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )",
-		NULL, 0,
+		NULL, SLAP_AT_MANAGEABLE,
 		NULL, NULL,
 		NULL, NULL, NULL, NULL, NULL,
 		offsetof(struct slap_internal_schema, si_ad_modifyTimestamp) },
@ -479,7 +479,7 @@ static struct slap_schema_ad_map {
 			"EQUALITY distinguishedNameMatch "
 			"SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 "
 			"SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )",
-		NULL, 0,
+		NULL, SLAP_AT_MANAGEABLE,
 		NULL, NULL,
 		NULL, NULL, NULL, NULL, NULL,
 		offsetof(struct slap_internal_schema, si_ad_creatorsName) },
@ -488,7 +488,7 @@ static struct slap_schema_ad_map {
 			"EQUALITY distinguishedNameMatch "
 			"SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 "
 			"SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )",
-		NULL, 0,
+		NULL, SLAP_AT_MANAGEABLE,
 		NULL, NULL,
 		NULL, NULL, NULL, NULL, NULL,
 		offsetof(struct slap_internal_schema, si_ad_modifiersName) },
@ -845,6 +845,8 @@ static struct slap_schema_ad_map {
 		NULL, NULL,
 		NULL, NULL, NULL, NULL, NULL,
 		offsetof(struct slap_internal_schema, si_ad_children) },
+
+	/* access control externals */
 	{ "authzTo", "( 1.3.6.1.4.1.4203.666.1.8 "
 			"NAME ( 'authzTo' 'saslAuthzTo' ) "
 			"DESC 'proxy authorization targets' "
--- a/servers/slapd/slap.h
+++ b/servers/slapd/slap.h
@ -658,20 +658,23 @@ typedef struct slap_attribute_type {
 	AttributeTypeSchemaCheckFN	*sat_check;
 	char					*sat_oidmacro;

-#define SLAP_AT_NONE		0x0000U
-#define SLAP_AT_ABSTRACT	0x0100U /* cannot be instantiated */
-#define SLAP_AT_FINAL		0x0200U /* cannot be subtyped */
+#define SLAP_AT_NONE			0x0000U
+#define SLAP_AT_ABSTRACT		0x0100U /* cannot be instantiated */
+#define SLAP_AT_FINAL			0x0200U /* cannot be subtyped */
 #ifdef LDAP_DEVEL
-#define SLAP_AT_HIDE		0x0000U /* publish everything */
+#define SLAP_AT_HIDE			0x0000U /* publish everything */
 #else
-#define SLAP_AT_HIDE		0x8000U /* hide attribute */
+#define SLAP_AT_HIDE			0x8000U /* hide attribute */
 #endif
-#define	SLAP_AT_DYNAMIC		0x0400U	/* dynamically generated */
+#define	SLAP_AT_DYNAMIC			0x0400U	/* dynamically generated */
+
+#define SLAP_AT_MANAGEABLE		0x0800U	/* no-user-mod can be by-passed */

 #define	SLAP_AT_ORDERED_VAL		0x0001U /* values are ordered */
 #define	SLAP_AT_ORDERED_SIB		0x0002U /* siblings are ordered */
-#define	SLAP_AT_ORDERED		0x0003U /* value has order index */
-#define	SLAP_AT_HARDCODE	0x10000U	/* This is hardcoded schema */
+#define	SLAP_AT_ORDERED			0x0003U /* value has order index */
+
+#define	SLAP_AT_HARDCODE	0x10000U	/* hardcoded schema */

 	slap_mask_t					sat_flags;

@ -2354,6 +2357,9 @@ typedef struct slap_op {
 	char o_do_not_cache;	/* don't cache groups from this op */
 	char o_is_auth_check;	/* authorization in progress */

+	char o_nocaching;
+	char o_delete_glue_parent;
+
 #define SLAP_CONTROL_NONE	0
 #define SLAP_CONTROL_IGNORED	1
 #define SLAP_CONTROL_NONCRITICAL 2
@ -2445,9 +2451,6 @@ typedef struct slap_op {

 	LDAP_STAILQ_ENTRY(slap_op)	o_next;	/* next operation in list	  */

-	int o_nocaching;
-	int	o_delete_glue_parent;
-
 } Operation;
 #define	OPERATION_BUFFER_SIZE	(sizeof(Operation)+sizeof(Opheader)+SLAP_MAX_CIDS*sizeof(void *))

@ -2672,6 +2675,8 @@ typedef struct slap_counters_t {
 #define SLAP_CTRL_HIDE				0x80000000U
 #endif

+#define SLAP_CTRL_REQUIRES_ROOT		0x40000000U /* for ManageDIT */
+
 #define SLAP_CTRL_GLOBAL			0x00800000U
 #define SLAP_CTRL_GLOBAL_SEARCH		0x00010000U	/* for NOOP */