mirror of
https://git.openldap.org/openldap/openldap.git
synced 2024-12-21 03:10:25 +08:00
ITS#9121 fix memberOf filtering
Replace (memberOf=<groupDN>) filter with expansion of group's URI
This commit is contained in:
parent
015eae8fde
commit
906cab755d
@ -887,9 +887,103 @@ skipit:
|
||||
return 0;
|
||||
}
|
||||
|
||||
/* Dup the filter, no-oping any references to given ad */
|
||||
/* replace a filter clause (memberOf=<groupDN>) with an expansion of
|
||||
* (&(entryDN=<groupURIbase>)<groupURIfilter>)
|
||||
*/
|
||||
static int
|
||||
dynlist_filter_group( Operation *op, Filter *f, Filter *n, AttributeDescription *uri )
|
||||
{
|
||||
slap_overinst *on = (slap_overinst *)op->o_bd->bd_info;
|
||||
Entry *e;
|
||||
Attribute *a;
|
||||
Filter *andf = NULL, *dnf, *urif, *orf = NULL;
|
||||
LDAPURLDesc *ludp;
|
||||
struct berval bv, nbase;
|
||||
int i;
|
||||
|
||||
if ( overlay_entry_get_ov( op, &f->f_av_value, NULL, NULL, 0, &e, on ) !=
|
||||
LDAP_SUCCESS || e == NULL ) {
|
||||
return -1;
|
||||
}
|
||||
a = attr_find( e->e_attrs, uri );
|
||||
if ( !a ) {
|
||||
overlay_entry_release_ov( op, e, 0, on );
|
||||
return -1;
|
||||
}
|
||||
for (i=0; i<a->a_numvals; i++) {
|
||||
if ( ldap_url_parse( a->a_vals[i].bv_val, &ludp ) != LDAP_URL_SUCCESS )
|
||||
continue;
|
||||
if (( ludp->lud_host && *ludp->lud_host )
|
||||
|| ludp->lud_attrs
|
||||
|| ludp->lud_exts ) {
|
||||
skip:
|
||||
ldap_free_urldesc( ludp );
|
||||
continue;
|
||||
}
|
||||
ber_str2bv( ludp->lud_dn, 0, 0, &bv );
|
||||
if ( dnNormalize( 0, NULL, NULL, &bv, &nbase, op->o_tmpmemctx ) != LDAP_SUCCESS )
|
||||
goto skip;
|
||||
if ( ludp->lud_filter && *ludp->lud_filter ) {
|
||||
urif = str2filter_x( op, ludp->lud_filter );
|
||||
if ( urif == NULL ) {
|
||||
op->o_tmpfree( nbase.bv_val, op->o_tmpmemctx );
|
||||
goto skip;
|
||||
}
|
||||
}
|
||||
if ( !andf ) {
|
||||
andf = n;
|
||||
} else {
|
||||
if ( !orf ) {
|
||||
andf = op->o_tmpalloc( sizeof(Filter), op->o_tmpmemctx );
|
||||
andf->f_choice = n->f_choice;
|
||||
andf->f_list = n->f_list;
|
||||
orf = n;
|
||||
orf->f_choice = LDAP_FILTER_OR;
|
||||
orf->f_list = andf;
|
||||
}
|
||||
andf->f_next = op->o_tmpalloc( sizeof(Filter), op->o_tmpmemctx );
|
||||
andf = andf->f_next;
|
||||
}
|
||||
dnf = op->o_tmpalloc( sizeof(Filter), op->o_tmpmemctx );
|
||||
andf1->f_choice = LDAP_FILTER_AND;
|
||||
andf1->f_next = NULL;
|
||||
andf1->f_list = dnf;
|
||||
dnf->f_next = urif;
|
||||
if ( ludp->lud_scope == LDAP_SCOPE_BASE ) {
|
||||
dnf->f_choice = LDAP_FILTER_EQUALITY;
|
||||
dnf->f_ava = op->o_tmpalloc( sizeof(AttributeAssertion), op->o_tmpmemctx );
|
||||
dnf->f_av_desc = slap_schema.si_ad_entryDN;
|
||||
dnf->f_av_value = nbase;
|
||||
} else {
|
||||
dnf->f_choice = LDAP_FILTER_EXT;
|
||||
dnf->f_mra = op->o_tmpalloc( sizeof(MatchingRuleAssertion), op->o_tmpmemctx );
|
||||
dnf->f_mr_desc = slap_schema.si_ad_entryDN;
|
||||
dnf->f_mr_value = nbase;
|
||||
dnf->f_mr_dnattrs = 0;
|
||||
switch ( ludp->lud_scope ) {
|
||||
case LDAP_SCOPE_ONELEVEL:
|
||||
dnf->f_mr_rule = slap_schema.si_mr_dnOneLevelMatch;
|
||||
break;
|
||||
case LDAP_SCOPE_SUBTREE:
|
||||
dnf->f_mr_rule = slap_schema.si_mr_dnSubtreeMatch;
|
||||
break;
|
||||
case LDAP_SCOPE_SUBORDINATE:
|
||||
dnf->f_mr_rule = slap_schema.si_mr_dnSubordinateMatch;
|
||||
break;
|
||||
}
|
||||
ber_str2bv( dnf->f_mr_rule->smr_names[0], 0, 0, &dnf->f_mr_rule_text );
|
||||
}
|
||||
ldap_free_urldesc( ludp );
|
||||
}
|
||||
overlay_entry_release_ov( op, e, 0, on );
|
||||
if ( !andf1 )
|
||||
return -1;
|
||||
return 0;
|
||||
}
|
||||
|
||||
/* Dup the filter, replacing any references to given ad with dyngroup evaluation */
|
||||
static Filter *
|
||||
dynlist_filter_dup( Operation *op, Filter *f, AttributeDescription *ad, int isnot )
|
||||
dynlist_filter_dup( Operation *op, Filter *f, AttributeDescription *ad, AttributeDescription *uri )
|
||||
{
|
||||
Filter *n = NULL;
|
||||
|
||||
@ -905,29 +999,22 @@ dynlist_filter_dup( Operation *op, Filter *f, AttributeDescription *ad, int isno
|
||||
break;
|
||||
|
||||
case LDAP_FILTER_PRESENT:
|
||||
if ( f->f_desc == ad ) {
|
||||
noop:
|
||||
n->f_choice = SLAPD_FILTER_COMPUTED;
|
||||
n->f_result = isnot ? LDAP_COMPARE_FALSE : LDAP_COMPARE_TRUE;
|
||||
} else {
|
||||
n->f_choice = f->f_choice;
|
||||
n->f_desc = f->f_desc;
|
||||
}
|
||||
n->f_choice = f->f_choice;
|
||||
n->f_desc = f->f_desc;
|
||||
break;
|
||||
|
||||
case LDAP_FILTER_EQUALITY:
|
||||
if ( f->f_av_desc == ad && !dynlist_filter_group( op, f, n, uri ))
|
||||
break;
|
||||
/* FALLTHRU */
|
||||
case LDAP_FILTER_GE:
|
||||
case LDAP_FILTER_LE:
|
||||
case LDAP_FILTER_APPROX:
|
||||
if ( f->f_av_desc == ad )
|
||||
goto noop;
|
||||
n->f_choice = f->f_choice;
|
||||
n->f_ava = f->f_ava;
|
||||
break;
|
||||
|
||||
case LDAP_FILTER_SUBSTRINGS:
|
||||
if ( f->f_sub_desc == ad )
|
||||
goto noop;
|
||||
n->f_choice = f->f_choice;
|
||||
n->f_sub_initial = f->f_sub_initial;
|
||||
n->f_sub_final = f->f_sub_final;
|
||||
@ -935,15 +1022,11 @@ noop:
|
||||
break;
|
||||
|
||||
case LDAP_FILTER_EXT:
|
||||
if ( f->f_mr_desc == ad )
|
||||
goto noop;
|
||||
n->f_choice = f->f_choice;
|
||||
n->f_mra = f->f_mra;
|
||||
break;
|
||||
|
||||
case LDAP_FILTER_NOT:
|
||||
isnot ^= 1;
|
||||
/* FALLTHRU */
|
||||
case LDAP_FILTER_AND:
|
||||
case LDAP_FILTER_OR: {
|
||||
Filter **p;
|
||||
@ -951,7 +1034,7 @@ noop:
|
||||
n->f_choice = f->f_choice;
|
||||
|
||||
for ( p = &n->f_list, f = f->f_list; f; f = f->f_next ) {
|
||||
*p = dynlist_filter_dup( op, f, ad, isnot );
|
||||
*p = dynlist_filter_dup( op, f, ad, uri );
|
||||
if ( !*p )
|
||||
continue;
|
||||
p = &(*p)->f_next;
|
||||
@ -1154,7 +1237,7 @@ static void
|
||||
dynlist_fix_filter( Operation *op, AttributeDescription *ad, dynlist_search_t *ds )
|
||||
{
|
||||
Filter *f;
|
||||
f = dynlist_filter_dup( op, op->ors_filter, ad, 0 );
|
||||
f = dynlist_filter_dup( op, op->ors_filter, ad, ds->ds_dli->dli_ad );
|
||||
if ( ds->ds_origfilter ) {
|
||||
dynlist_filter_free( op, op->ors_filter );
|
||||
op->o_tmpfree( op->ors_filterstr.bv_val, op->o_tmpmemctx );
|
||||
@ -1226,7 +1309,7 @@ dynlist_search( Operation *op, SlapReply *rs )
|
||||
(void)o.o_bd->be_search( &o, &r );
|
||||
}
|
||||
/* found a dynamic group */
|
||||
if ( ds->ds_numgroups > prevnum ) {
|
||||
if ( ds->ds_numgroups > prevnum && dlg->dlg_memberOf ) {
|
||||
for ( dlm = dli->dli_dlm; dlm; dlm = dlm->dlm_next ) {
|
||||
if ( dlm->dlm_memberOf_ad && ad_infilter( dlm->dlm_memberOf_ad, op->ors_filter ))
|
||||
dynlist_fix_filter( op, dlm->dlm_memberOf_ad, ds );
|
||||
|
Loading…
Reference in New Issue
Block a user