From 40c0d3bfa33d9e5102da75e5ab148df237df3be7 Mon Sep 17 00:00:00 2001
From: Pierangelo Masarati
Date: Tue, 23 Aug 2005 17:38:50 +0000
Subject: [PATCH] harmonize back-ldbm and back-bdb handling of searchBase disclose access; fixes ITS#3964, ITS#3963 still open
---
 servers/slapd/back-bdb/search.c | 2 +-
 servers/slapd/back-ldbm/search.c | 15 ++++++++++++---
 tests/scripts/test041-aci | 6 +++---
 3 files changed, 16 insertions(+), 7 deletions(-)
diff --git a/servers/slapd/back-bdb/search.c b/servers/slapd/back-bdb/search.c
index 12d7ea3eb6..f05b725b26 100644
--- a/servers/slapd/back-bdb/search.c
+++ b/servers/slapd/back-bdb/search.c
@@ -477,7 +477,7 @@ dn2entry_retry:
 bdb_cache_return_entry_r(bdb->bi_dbenv, &bdb->bi_cache, e, &lock);
 }
 send_ldap_result( op, rs );
- return 1;
+ return rs->sr_err;
 }
 #endif /* SLAP_ACL_HONOR_DISCLOSE */
diff --git a/servers/slapd/back-ldbm/search.c b/servers/slapd/back-ldbm/search.c
index 94dd13553f..47e7886ee1 100644
--- a/servers/slapd/back-ldbm/search.c
+++ b/servers/slapd/back-ldbm/search.c
@@ -47,6 +47,9 @@ ldbm_back_search(
 Entry *matched = NULL;
 struct berval realbase = BER_BVNULL;
 int manageDSAit = get_manageDSAit( op );
+#ifdef SLAP_ACL_HONOR_DISCLOSE
+ slap_mask_t mask;
+#endif
 Debug(LDAP_DEBUG_TRACE, "=> ldbm_back_search\n", 0, 0, 0);
@@ -130,10 +133,16 @@ ldbm_back_search(
 }
 #ifdef SLAP_ACL_HONOR_DISCLOSE
- if ( ! access_allowed( op, e, slap_schema.si_ad_entry,
- NULL, ACL_DISCLOSE, NULL ) )
+ /* NOTE: __NEW__ "search" access is required
+ * on searchBase object */
+ if ( ! access_allowed_mask( op, e, slap_schema.si_ad_entry,
+ NULL, ACL_SEARCH, NULL, &mask ) )
 {
- rs->sr_err = LDAP_NO_SUCH_OBJECT;
+ if ( !ACL_GRANT( mask, ACL_DISCLOSE ) ) {
+ rs->sr_err = LDAP_NO_SUCH_OBJECT;
+ } else {
+ rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
+ }
 cache_return_entry_r( &li->li_cache, e );
 ldap_pvt_thread_rdwr_runlock(&li->li_giant_rwlock);
diff --git a/tests/scripts/test041-aci b/tests/scripts/test041-aci
index 5e6ec138bb..0329c5ccae 100755
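Review bot: `mask`, declared in the earlier back-ldbm hunk (around line 47) without an initializer, is read through `ACL_GRANT( mask, ACL_DISCLOSE )` on the denial path of the second hunk, so the outcome depends on access_allowed_mask() storing to *mask on every path that returns false; if it has an early return that leaves it untouched (not visible here), this reads an indeterminate value and can turn a should-be noSuchObject into insufficientAccess, revealing that the searchBase exists. Initialising it fail-closed costs nothing, `slap_mask_t mask = 0;`, which should make the disclose test default to denial. The back-bdb hunk now returns rs->sr_err instead of 1, but the return of ldbm_back_search after the runlock lies outside this hunk, so whether the return value was harmonised as well cannot be confirmed from the patch. The NOTE comment would read better if it stated the decision it guards, e.g. `/* "search" access is now required on the searchBase; when it is denied, "disclose" decides whether the client learns the entry exists (insufficientAccess) or not (noSuchObject) */`.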
--- a/tests/scripts/test041-aci
+++ b/tests/scripts/test041-aci
@@ -136,9 +136,9 @@ $LDAPSEARCH -s base -b "$BASEDN" -h $LOCALHOST -p $PORT1 \
 '(objectclass=*)' >> $SEARCHOUT 2>> $TESTOUT
 RC=$?
 if test $RC != 0 ; then
- echo "ldapsearch failed ($RC)!"
- echo "IGNORED"
- ### TEMPORARILY DISABLED
+ ### TEMPORARY (see ITS#3963)
+ echo "ldapsearch failed ($RC)! IGNORED..."
+ ###echo "ldapsearch failed ($RC)!"
 ###test $KILLSERVERS != no && kill -HUP $KILLPIDS
 ###exit $RC
 fi
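Review bot: The failure branch still accepts every non-zero exit status from this ldapsearch, not only the one ITS#3963 is expected to cause, so a regression in the searchBase access handling this commit fixes would pass this step silently. If the expected status for the open issue is known, compare $RC against it before echoing IGNORED; otherwise the comment should at least say what restores the check, e.g. `### TEMPORARY (see ITS#3963): restore the kill/exit lines below once fixed`. The enclosing test script continues beyond this hunk.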