mirror of
https://git.openldap.org/openldap/openldap.git
synced 2025-02-17 14:00:30 +08:00
Add code to handle operational attributes via new schema codes
behind -USLAPD_SCHEMA_COMPAT.
This commit is contained in:
Kurt Zeilenga
parent
df712b8597
commit
434e7229ac
@ -103,7 +103,7 @@ access_allowed(
|
||||
* by ACL_WRITE checking as any found here are not provided
|
||||
* by the user
|
||||
*/
|
||||
if ( access >= ACL_WRITE && oc_check_no_usermod_attr( attr ) ) {
|
||||
if ( access >= ACL_WRITE && oc_check_op_no_usermod_attr( attr ) ) {
|
||||
Debug( LDAP_DEBUG_ACL, "NoUserMod Operational attribute:"
|
||||
" %s access granted\n",
|
||||
attr, 0, 0 );
|
||||
@ -632,7 +632,7 @@ acl_check_modlist(
|
||||
* by ACL_WRITE checking as any found here are not provided
|
||||
* by the user
|
||||
*/
|
||||
if ( oc_check_no_usermod_attr( mlist->ml_type ) ) {
|
||||
if ( oc_check_op_no_usermod_attr( mlist->ml_type ) ) {
|
||||
Debug( LDAP_DEBUG_ACL, "NoUserMod Operational attribute:"
|
||||
" modify access granted\n",
|
||||
mlist->ml_type, 0, 0 );
|
||||
|
||||
@ -242,7 +242,7 @@ add_created_attrs( Operation *op, Entry *e )
|
||||
|
||||
/* return error on any attempts by the user to add these attrs */
|
||||
for ( a = e->e_attrs; a != NULL; a = a->a_next ) {
|
||||
if ( oc_check_no_usermod_attr( a->a_type ) ) {
|
||||
if ( oc_check_op_no_usermod_attr( a->a_type ) ) {
|
||||
return LDAP_CONSTRAINT_VIOLATION;
|
||||
}
|
||||
}
|
||||
|
||||
@ -272,7 +272,7 @@ add_modified_attrs( Operation *op, LDAPModList **modlist )
|
||||
|
||||
/* remove any attempts by the user to modify these attrs */
|
||||
for ( m = *modlist; m != NULL; m = m->ml_next ) {
|
||||
if ( oc_check_no_usermod_attr( m->ml_type ) ) {
|
||||
if ( oc_check_op_no_usermod_attr( m->ml_type ) ) {
|
||||
return LDAP_CONSTRAINT_VIOLATION;
|
||||
}
|
||||
}
|
||||
|
||||
@ -439,9 +439,9 @@ LIBSLAPD_F (int) sasl_bind LDAP_P((Backend *,
|
||||
*/
|
||||
|
||||
LIBSLAPD_F (int) oc_schema_check LDAP_P(( Entry *e ));
|
||||
LIBSLAPD_F (int) oc_check_operational_attr LDAP_P(( const char *type ));
|
||||
LIBSLAPD_F (int) oc_check_usermod_attr LDAP_P(( const char *type ));
|
||||
LIBSLAPD_F (int) oc_check_no_usermod_attr LDAP_P(( const char *type ));
|
||||
LIBSLAPD_F (int) oc_check_op_attr LDAP_P(( const char *type ));
|
||||
LIBSLAPD_F (int) oc_check_op_usermod_attr LDAP_P(( const char *type ));
|
||||
LIBSLAPD_F (int) oc_check_op_no_usermod_attr LDAP_P(( const char *type ));
|
||||
LIBSLAPD_F (ObjectClass *) oc_find LDAP_P((const char *ocname));
|
||||
LIBSLAPD_F (int) oc_add LDAP_P((LDAP_OBJECT_CLASS *oc, const char **err));
|
||||
|
||||
|
||||
@ -661,13 +661,13 @@ send_search_entry(
|
||||
for ( a = e->e_attrs; a != NULL; a = a->a_next ) {
|
||||
if ( attrs == NULL ) {
|
||||
/* all addrs request, skip operational attributes */
|
||||
if( !opattrs && oc_check_operational_attr( a->a_type ) ) {
|
||||
if( !opattrs && oc_check_op_attr( a->a_type ) ) {
|
||||
continue;
|
||||
}
|
||||
|
||||
} else {
|
||||
/* specific addrs requested */
|
||||
if ( oc_check_operational_attr( a->a_type ) ) {
|
||||
if ( oc_check_op_attr( a->a_type ) ) {
|
||||
if( !opattrs && !charray_inlist( attrs, a->a_type ) )
|
||||
{
|
||||
continue;
|
||||
@ -735,13 +735,13 @@ send_search_entry(
|
||||
do {
|
||||
if ( attrs == NULL ) {
|
||||
/* all addrs request, skip operational attributes */
|
||||
if( !opattrs && oc_check_operational_attr( a->a_type ) ) {
|
||||
if( !opattrs && oc_check_op_attr( a->a_type ) ) {
|
||||
continue;
|
||||
}
|
||||
|
||||
} else {
|
||||
/* specific addrs requested */
|
||||
if ( oc_check_operational_attr( a->a_type ) ) {
|
||||
if ( oc_check_op_attr( a->a_type ) ) {
|
||||
if( !opattrs && !charray_inlist( attrs, a->a_type ) )
|
||||
{
|
||||
continue;
|
||||
|
||||
@ -138,15 +138,22 @@ oc_check_required( Entry *e, char *ocname )
|
||||
return( NULL );
|
||||
}
|
||||
|
||||
static char *oc_usermod_attrs[] = {
|
||||
#ifdef SLAPD_SCHEMA_COMPAT
|
||||
/* these shouldn't be hardcoded */
|
||||
|
||||
static char *oc_op_usermod_attrs[] = {
|
||||
/*
|
||||
* OpenLDAP doesn't support any user modification of
|
||||
* operational attributes.
|
||||
* these are operational attributes which are
|
||||
* not defined as NO-USER_MODIFICATION and
|
||||
* which slapd supports modification of.
|
||||
*
|
||||
* Currently none.
|
||||
* Likely candidate, "aci"
|
||||
*/
|
||||
NULL
|
||||
};
|
||||
|
||||
static char *oc_operational_attrs[] = {
|
||||
static char *oc_op_attrs[] = {
|
||||
/*
|
||||
* these are operational attributes
|
||||
* most could be user modifiable
|
||||
@ -171,7 +178,7 @@ static char *oc_operational_attrs[] = {
|
||||
};
|
||||
|
||||
/* this list should be extensible */
|
||||
static char *oc_no_usermod_attrs[] = {
|
||||
static char *oc_op_no_usermod_attrs[] = {
|
||||
/*
|
||||
* Operational and 'no user modification' attributes
|
||||
* which are STORED in the directory server.
|
||||
@ -185,35 +192,57 @@ static char *oc_no_usermod_attrs[] = {
|
||||
|
||||
NULL
|
||||
};
|
||||
#endif
|
||||
|
||||
|
||||
/*
|
||||
* check to see if attribute is 'operational' or not.
|
||||
*/
|
||||
int
|
||||
oc_check_operational_attr( const char *type )
|
||||
oc_check_op_attr( const char *type )
|
||||
{
|
||||
return charray_inlist( oc_operational_attrs, type )
|
||||
|| charray_inlist( oc_usermod_attrs, type )
|
||||
|| charray_inlist( oc_no_usermod_attrs, type );
|
||||
#ifdef SLAPD_SCHEMA_COMPAT
|
||||
return charray_inlist( oc_op_attrs, type )
|
||||
|| charray_inlist( oc_op_usermod_attrs, type )
|
||||
|| charray_inlist( oc_op_no_usermod_attrs, type );
|
||||
#else
|
||||
AttributeType *at = at_find( type );
|
||||
|
||||
if( at == NULL ) return 0;
|
||||
|
||||
return at->sat_usage != 0;
|
||||
#endif
|
||||
}
|
||||
|
||||
/*
|
||||
* check to see if attribute can be user modified or not.
|
||||
*/
|
||||
int
|
||||
oc_check_usermod_attr( const char *type )
|
||||
oc_check_op_usermod_attr( const char *type )
|
||||
{
|
||||
return charray_inlist( oc_usermod_attrs, type );
|
||||
#ifdef SLAPD_SCHEMA_COMPAT
|
||||
return charray_inlist( oc_op_usermod_attrs, type );
|
||||
#else
|
||||
/* not (yet) in schema */
|
||||
return 0;
|
||||
#endif
|
||||
}
|
||||
|
||||
/*
|
||||
* check to see if attribute is 'no user modification' or not.
|
||||
*/
|
||||
int
|
||||
oc_check_no_usermod_attr( const char *type )
|
||||
oc_check_op_no_usermod_attr( const char *type )
|
||||
{
|
||||
return charray_inlist( oc_no_usermod_attrs, type );
|
||||
#ifdef SLAPD_SCHEMA_COMPAT
|
||||
return charray_inlist( oc_op_no_usermod_attrs, type );
|
||||
#else
|
||||
AttributeType *at = at_find( type );
|
||||
|
||||
if( at == NULL ) return 0;
|
||||
|
||||
return at->sat_no_user_mod;
|
||||
#endif
|
||||
}
|
||||
|
||||
|
||||
@ -234,15 +263,6 @@ oc_check_allowed( char *type, struct berval **ocl )
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
/*
|
||||
* All operational attributions are allowed by schema rules.
|
||||
* However, we only check attributions which are stored in the
|
||||
* the directory regardless if they are user or non-user modified.
|
||||
*/
|
||||
if ( oc_check_usermod_attr( type ) || oc_check_no_usermod_attr( type ) ) {
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
/*
|
||||
* The "type" we have received is actually an AttributeDescription.
|
||||
* Let's find out the corresponding type.
|
||||
@ -260,6 +280,13 @@ oc_check_allowed( char *type, struct berval **ocl )
|
||||
t = type;
|
||||
}
|
||||
|
||||
/*
|
||||
* All operational attributions are allowed by schema rules.
|
||||
*/
|
||||
if ( oc_check_op_attr( t ) ) {
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
/* check that the type appears as req or opt in at least one oc */
|
||||
for ( i = 0; ocl[i] != NULL; i++ ) {
|
||||
/* if we know about the oc */
|
||||
|
||||
Loading…
Reference in New Issue
Block a user