diff --git a/servers/slapd/acl.c b/servers/slapd/acl.c
index 475826cc87..a1dfd1f147 100644
--- a/servers/slapd/acl.c
+++ b/servers/slapd/acl.c
@@ -1431,7 +1431,7 @@ dn_match_cleanup:;
 while ( parent_ndn.bv_val != old_parent_ndn.bv_val ){
 old_parent_ndn = parent_ndn;
 Debug(LDAP_DEBUG_ACL, "checking ACI of %s\n", parent_ndn.bv_val, 0, 0);
- ret = backend_attribute(op, NULL, &parent_ndn, b->a_aci_at, &bvals);
+ ret = backend_attribute(op, NULL, &parent_ndn, b->a_aci_at, &bvals, ACL_AUTH);
 switch(ret){
 case LDAP_SUCCESS :
 stop = 0;
@@ -1803,7 +1803,7 @@ aci_set_gather (SetCookie *cookie, struct berval *name, struct berval *attr)
 AttributeDescription *desc = NULL;
 if (slap_bv2ad(attr, &desc, &text) == LDAP_SUCCESS) {
 backend_attribute(cp->op,
- cp->e, &ndn, desc, &bvals);
+ cp->e, &ndn, desc, &bvals, ACL_NONE);
 }
 slap_sl_free(ndn.bv_val, cp->op->o_tmpmemctx);
 }
@@ -1821,12 +1821,9 @@ aci_match_set (
 struct berval set = BER_BVNULL;
 int rc = 0;
 AciSetCookie cookie;
- Operation op2 = *op;
-
- op2.o_conn = NULL;
 if (setref == 0) {
- ber_dupbv_x( &set, subj, op2.o_tmpmemctx );
+ ber_dupbv_x( &set, subj, op->o_tmpmemctx );
 } else {
 struct berval subjdn, ndn = BER_BVNULL;
 struct berval setat;
@@ -1848,9 +1845,9 @@ aci_match_set (
 * as the length of the dn to be normalized */
 if ( slap_bv2ad( &setat, &desc, &text ) == LDAP_SUCCESS ) {
- if ( dnNormalize( 0, NULL, NULL, &subjdn, &ndn, op2.o_tmpmemctx ) == LDAP_SUCCESS )
+ if ( dnNormalize( 0, NULL, NULL, &subjdn, &ndn, op->o_tmpmemctx ) == LDAP_SUCCESS )
 {
- backend_attribute( &op2, e, &ndn, desc, &bvals );
+ backend_attribute( op, e, &ndn, desc, &bvals, ACL_NONE );
 if ( bvals != NULL && !BER_BVISNULL( &bvals[0] ) ) {
 int i;
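Review bot: The ACL_NONE argument on the new backend_attribute() call is an explicit access-control bypass with no comment saying why it is acceptable here, and the same applies to the call in the @@ -1848 hunk. Both sites replace the removed `op2.o_conn = NULL` copy from aci_match_set, so the behaviour is unchanged, but a reader of the new line alone cannot tell that. I would put above each call `/* ACL_NONE: set members are resolved with server authority, not the bound identity (replaces the former op2.o_conn = NULL copy) */`. This is only sound while the ACI attribute carrying the set expression is itself write-protected, which the hunk does not show and is worth confirming. aci_set_gather and aci_match_set both start and end outside these hunks.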
@@ -1861,18 +1858,18 @@ aci_match_set (
 bvals[0].bv_val = bvals[i-1].bv_val;
 BER_BVZERO( &bvals[i-1] );
 }
- ber_bvarray_free_x( bvals, op2.o_tmpmemctx );
- slap_sl_free( ndn.bv_val, op2.o_tmpmemctx );
+ ber_bvarray_free_x( bvals, op->o_tmpmemctx );
+ slap_sl_free( ndn.bv_val, op->o_tmpmemctx );
 }
 }
 }
 if ( !BER_BVISNULL( &set ) ) {
- cookie.op = &op2;
+ cookie.op = op;
 cookie.e = e;
 rc = ( slap_set_filter( aci_set_gather, (SetCookie *)&cookie, &set,
- &op2.o_ndn, &e->e_nname, NULL ) > 0 );
- slap_sl_free( set.bv_val, op2.o_tmpmemctx );
+ &op->o_ndn, &e->e_nname, NULL ) > 0 );
+ slap_sl_free( set.bv_val, op->o_tmpmemctx );
 }
 return(rc);
diff --git a/servers/slapd/backend.c b/servers/slapd/backend.c
index 768a2e340e..3489730dd2 100644
--- a/servers/slapd/backend.c
+++ b/servers/slapd/backend.c
@@ -1483,7 +1483,8 @@ backend_attribute(
 Entry *target,
 struct berval *edn,
 AttributeDescription *entry_at,
- BerVarray *vals )
+ BerVarray *vals,
+ slap_access_t access )
 {
 Entry *e;
 Attribute *a;
@@ -1504,8 +1505,8 @@ backend_attribute(
 if ( a ) {
 BerVarray v;
- if ( op->o_conn && access_allowed( op,
- e, entry_at, NULL, ACL_AUTH,
+ if ( op->o_conn && access > ACL_NONE && access_allowed( op,
+ e, entry_at, NULL, access,
 &acl_state ) == 0 ) {
 rc = LDAP_INSUFFICIENT_ACCESS;
 goto freeit;
@@ -1516,10 +1517,10 @@ backend_attribute(
 v = op->o_tmpalloc( sizeof(struct berval) * (i+1), op->o_tmpmemctx );
 for ( i=0,j=0; a->a_vals[i].bv_val; i++ ) {
- if ( op->o_conn && access_allowed( op,
+ if ( op->o_conn && access > ACL_NONE && access_allowed( op,
 e, entry_at, &a->a_nvals[i],
- ACL_AUTH, &acl_state ) == 0 ) {
+ access, &acl_state ) == 0 ) {
 continue;
 }
 ber_dupbv_x( &v[j],
diff --git a/servers/slapd/overlays/collect.c b/servers/slapd/overlays/collect.c
index 9cd0a34426..32e474118d 100644
--- a/servers/slapd/overlays/collect.c
+++ b/servers/slapd/overlays/collect.c
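Review bot: The new `slap_access_t access` parameter is undocumented at the definition, and the matching declaration in proto-slap.h (@@ -274 hunk) carries no comment either, although its ACL_NONE value now switches the function's access check off entirely. A header comment on the definition should state the contract as the later hunks implement it: access is the privilege checked against entry_at on the looked-up entry, first for the attribute and then per value, only when op->o_conn is set; ACL_NONE skips both checks so every value is returned, and callers must pass it only when acting with server authority. At the prototype a one-liner such as `/* access: ACL privilege required on entry_at; ACL_NONE disables the check */` would do. backend_attribute's body continues beyond this hunk.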
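Review bot: The opt-out test `access > ACL_NONE` in the new guard is an ordering comparison, so any slap_access_t value that sorts below ACL_NONE (the enum carries a negative invalid sentinel, if I recall correctly) silently disables the check instead of failing it; the same guard is repeated in the @@ -1516 hunk. Expressing the opt-out as an equality keeps every other value on the checked path, `if ( op->o_conn && access != ACL_NONE && access_allowed( op,` at both sites. Note also that the removed code always checked ACL_AUTH, whereas the new code lets each caller lower the bar to ACL_NONE, so the access level chosen at every call site in this commit is now a review item in its own right. backend_attribute's body extends outside the hunk.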
@@ -72,7 +72,7 @@ collect_response( Operation *op, SlapReply *rs )
 /* Extract the values of the desired attribute from
 * the ancestor entry */
- rc = backend_attribute( op, NULL, &ci->ci_dn, ci->ci_ad, &vals );
+ rc = backend_attribute( op, NULL, &ci->ci_dn, ci->ci_ad, &vals, ACL_READ );
 /* If there are any values, merge them into the
 * current entry
diff --git a/servers/slapd/proto-slap.h b/servers/slapd/proto-slap.h
index 2f33629110..acd8e3ed9e 100644
--- a/servers/slapd/proto-slap.h
+++ b/servers/slapd/proto-slap.h
@@ -274,7 +274,8 @@ LDAP_SLAPD_F (int) backend_attribute LDAP_P((
 Entry *target,
 struct berval *entry_ndn,
 AttributeDescription *entry_at,
- BerVarray *vals
+ BerVarray *vals,
+ slap_access_t access
 ));
 LDAP_SLAPD_F (int) backend_operational LDAP_P((
diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c
index 035a3ee0b5..e178192b26 100644
--- a/servers/slapd/saslauthz.c
+++ b/servers/slapd/saslauthz.c
@@ -1112,7 +1112,7 @@ slap_sasl_check_authz( Operation *op,
 assertDN->bv_val, ad->ad_cname.bv_val, searchDN->bv_val);
 #endif
- rc = backend_attribute( op, NULL, searchDN, ad, &vals );
+ rc = backend_attribute( op, NULL, searchDN, ad, &vals, ACL_AUTH );
 if( rc != LDAP_SUCCESS ) goto COMPLETE;
 /* Check if the *assertDN matches any *vals */
diff --git a/servers/slapd/syncrepl.c b/servers/slapd/syncrepl.c
index c6ed3ec6ca..ec6a067c8c 100644
--- a/servers/slapd/syncrepl.c
+++ b/servers/slapd/syncrepl.c
@@ -344,7 +344,7 @@ do_syncrep1(
 /* read stored cookie if it exists */
 backend_attribute( op, NULL, &op->o_req_ndn,
- slap_schema.si_ad_syncreplCookie, &cookie );
+ slap_schema.si_ad_syncreplCookie, &cookie, ACL_READ );
 if ( !cookie ) {
 /* no stored cookie */
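Review bot: The backend_attribute() return code is still discarded on the new call, and the following `if ( !cookie )` treats an empty result as "no stored cookie"; since ACL_READ is now checked against the syncrepl operation's identity whenever op->o_conn is set, an LDAP_INSUFFICIENT_ACCESS on syncreplCookie becomes indistinguishable from an absent cookie and would presumably restart replication from scratch without any trace in the logs. The same pattern appears in the @@ -399 hunk. I would capture the result in a local, `rc = backend_attribute( op, NULL, &op->o_req_ndn, slap_schema.si_ad_syncreplCookie, &cookie, ACL_READ );`, and emit a Debug line when `rc != LDAP_SUCCESS` before the cookie test so a misconfigured ACL is visible. This also relies on cookie being NULL-initialised before the call, which is outside the hunk. do_syncrep1's body continues beyond the hunk.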
@@ -399,7 +399,7 @@ do_syncrep1(
 struct berval cookie_bv;
 /* try to read stored cookie */
 backend_attribute( op, NULL, &op->o_req_ndn,
- slap_schema.si_ad_syncreplCookie, &cookie );
+ slap_schema.si_ad_syncreplCookie, &cookie, ACL_READ );
 if ( cookie ) {
 ber_dupbv( &cookie_bv, &cookie[0] );
 ber_bvarray_add( &si->si_syncCookie.octet_str, &cookie_bv );