harmonize back-ldbm and back-bdb handling of searchBase disclose access; fixes ITS#3964, ITS#3963 still open

servers/slapd/back-bdb/search.c

@@ -477,7 +477,7 @@ dn2entry_retry:
 			bdb_cache_return_entry_r(bdb->bi_dbenv, &bdb->bi_cache, e, &lock);
 		}
 		send_ldap_result( op, rs );
-		return 1;
+		return rs->sr_err;
 	}
 #endif /* SLAP_ACL_HONOR_DISCLOSE */
 

servers/slapd/back-ldbm/search.c

@@ -47,6 +47,9 @@ ldbm_back_search(
 	Entry	*matched = NULL;
 	struct berval	realbase = BER_BVNULL;
 	int		manageDSAit = get_manageDSAit( op );
+#ifdef SLAP_ACL_HONOR_DISCLOSE
+	slap_mask_t	mask;
+#endif
 
 	Debug(LDAP_DEBUG_TRACE, "=> ldbm_back_search\n", 0, 0, 0);
 
@@ -130,10 +133,16 @@ ldbm_back_search(
 	}
 
 #ifdef SLAP_ACL_HONOR_DISCLOSE
-	if ( ! access_allowed( op, e, slap_schema.si_ad_entry,
-				NULL, ACL_DISCLOSE, NULL ) )
+	/* NOTE: __NEW__ "search" access is required
+	 * on searchBase object */
+	if ( ! access_allowed_mask( op, e, slap_schema.si_ad_entry,
+				NULL, ACL_SEARCH, NULL, &mask ) )
 	{
-		rs->sr_err = LDAP_NO_SUCH_OBJECT;
+		if ( !ACL_GRANT( mask, ACL_DISCLOSE ) ) {
+			rs->sr_err = LDAP_NO_SUCH_OBJECT;
+		} else {
+			rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
+		}
 
 		cache_return_entry_r( &li->li_cache, e );
 		ldap_pvt_thread_rdwr_runlock(&li->li_giant_rwlock);

tests/scripts/test041-aci

@@ -136,9 +136,9 @@ $LDAPSEARCH -s base -b "$BASEDN" -h $LOCALHOST -p $PORT1 \
 	'(objectclass=*)' >> $SEARCHOUT 2>> $TESTOUT
 RC=$?
 if test $RC != 0 ; then
-	echo "ldapsearch failed ($RC)!"
-	echo "IGNORED"
-	### TEMPORARILY DISABLED
+	### TEMPORARY (see ITS#3963)
+	echo "ldapsearch failed ($RC)! IGNORED..."
+	###echo "ldapsearch failed ($RC)!"
 	###test $KILLSERVERS != no && kill -HUP $KILLPIDS
 	###exit $RC
 fi