mirror of
https://git.openldap.org/openldap/openldap.git
synced 2024-12-21 03:10:25 +08:00
Reworked fix for ITS#3140 - add access parameter to backend_attribute
This commit is contained in:
parent
d504ae047e
commit
91033d6552
@ -1431,7 +1431,7 @@ dn_match_cleanup:;
|
|||||||
while ( parent_ndn.bv_val != old_parent_ndn.bv_val ){
|
while ( parent_ndn.bv_val != old_parent_ndn.bv_val ){
|
||||||
old_parent_ndn = parent_ndn;
|
old_parent_ndn = parent_ndn;
|
||||||
Debug(LDAP_DEBUG_ACL, "checking ACI of %s\n", parent_ndn.bv_val, 0, 0);
|
Debug(LDAP_DEBUG_ACL, "checking ACI of %s\n", parent_ndn.bv_val, 0, 0);
|
||||||
ret = backend_attribute(op, NULL, &parent_ndn, b->a_aci_at, &bvals);
|
ret = backend_attribute(op, NULL, &parent_ndn, b->a_aci_at, &bvals, ACL_AUTH);
|
||||||
switch(ret){
|
switch(ret){
|
||||||
case LDAP_SUCCESS :
|
case LDAP_SUCCESS :
|
||||||
stop = 0;
|
stop = 0;
|
||||||
@ -1803,7 +1803,7 @@ aci_set_gather (SetCookie *cookie, struct berval *name, struct berval *attr)
|
|||||||
AttributeDescription *desc = NULL;
|
AttributeDescription *desc = NULL;
|
||||||
if (slap_bv2ad(attr, &desc, &text) == LDAP_SUCCESS) {
|
if (slap_bv2ad(attr, &desc, &text) == LDAP_SUCCESS) {
|
||||||
backend_attribute(cp->op,
|
backend_attribute(cp->op,
|
||||||
cp->e, &ndn, desc, &bvals);
|
cp->e, &ndn, desc, &bvals, ACL_NONE);
|
||||||
}
|
}
|
||||||
slap_sl_free(ndn.bv_val, cp->op->o_tmpmemctx);
|
slap_sl_free(ndn.bv_val, cp->op->o_tmpmemctx);
|
||||||
}
|
}
|
||||||
@ -1821,12 +1821,9 @@ aci_match_set (
|
|||||||
struct berval set = BER_BVNULL;
|
struct berval set = BER_BVNULL;
|
||||||
int rc = 0;
|
int rc = 0;
|
||||||
AciSetCookie cookie;
|
AciSetCookie cookie;
|
||||||
Operation op2 = *op;
|
|
||||||
|
|
||||||
op2.o_conn = NULL;
|
|
||||||
|
|
||||||
if (setref == 0) {
|
if (setref == 0) {
|
||||||
ber_dupbv_x( &set, subj, op2.o_tmpmemctx );
|
ber_dupbv_x( &set, subj, op->o_tmpmemctx );
|
||||||
} else {
|
} else {
|
||||||
struct berval subjdn, ndn = BER_BVNULL;
|
struct berval subjdn, ndn = BER_BVNULL;
|
||||||
struct berval setat;
|
struct berval setat;
|
||||||
@ -1848,9 +1845,9 @@ aci_match_set (
|
|||||||
* as the length of the dn to be normalized
|
* as the length of the dn to be normalized
|
||||||
*/
|
*/
|
||||||
if ( slap_bv2ad( &setat, &desc, &text ) == LDAP_SUCCESS ) {
|
if ( slap_bv2ad( &setat, &desc, &text ) == LDAP_SUCCESS ) {
|
||||||
if ( dnNormalize( 0, NULL, NULL, &subjdn, &ndn, op2.o_tmpmemctx ) == LDAP_SUCCESS )
|
if ( dnNormalize( 0, NULL, NULL, &subjdn, &ndn, op->o_tmpmemctx ) == LDAP_SUCCESS )
|
||||||
{
|
{
|
||||||
backend_attribute( &op2, e, &ndn, desc, &bvals );
|
backend_attribute( op, e, &ndn, desc, &bvals, ACL_NONE );
|
||||||
if ( bvals != NULL && !BER_BVISNULL( &bvals[0] ) ) {
|
if ( bvals != NULL && !BER_BVISNULL( &bvals[0] ) ) {
|
||||||
int i;
|
int i;
|
||||||
|
|
||||||
@ -1861,18 +1858,18 @@ aci_match_set (
|
|||||||
bvals[0].bv_val = bvals[i-1].bv_val;
|
bvals[0].bv_val = bvals[i-1].bv_val;
|
||||||
BER_BVZERO( &bvals[i-1] );
|
BER_BVZERO( &bvals[i-1] );
|
||||||
}
|
}
|
||||||
ber_bvarray_free_x( bvals, op2.o_tmpmemctx );
|
ber_bvarray_free_x( bvals, op->o_tmpmemctx );
|
||||||
slap_sl_free( ndn.bv_val, op2.o_tmpmemctx );
|
slap_sl_free( ndn.bv_val, op->o_tmpmemctx );
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( !BER_BVISNULL( &set ) ) {
|
if ( !BER_BVISNULL( &set ) ) {
|
||||||
cookie.op = &op2;
|
cookie.op = op;
|
||||||
cookie.e = e;
|
cookie.e = e;
|
||||||
rc = ( slap_set_filter( aci_set_gather, (SetCookie *)&cookie, &set,
|
rc = ( slap_set_filter( aci_set_gather, (SetCookie *)&cookie, &set,
|
||||||
&op2.o_ndn, &e->e_nname, NULL ) > 0 );
|
&op->o_ndn, &e->e_nname, NULL ) > 0 );
|
||||||
slap_sl_free( set.bv_val, op2.o_tmpmemctx );
|
slap_sl_free( set.bv_val, op->o_tmpmemctx );
|
||||||
}
|
}
|
||||||
|
|
||||||
return(rc);
|
return(rc);
|
||||||
|
@ -1483,7 +1483,8 @@ backend_attribute(
|
|||||||
Entry *target,
|
Entry *target,
|
||||||
struct berval *edn,
|
struct berval *edn,
|
||||||
AttributeDescription *entry_at,
|
AttributeDescription *entry_at,
|
||||||
BerVarray *vals )
|
BerVarray *vals,
|
||||||
|
slap_access_t access )
|
||||||
{
|
{
|
||||||
Entry *e;
|
Entry *e;
|
||||||
Attribute *a;
|
Attribute *a;
|
||||||
@ -1504,8 +1505,8 @@ backend_attribute(
|
|||||||
if ( a ) {
|
if ( a ) {
|
||||||
BerVarray v;
|
BerVarray v;
|
||||||
|
|
||||||
if ( op->o_conn && access_allowed( op,
|
if ( op->o_conn && access > ACL_NONE && access_allowed( op,
|
||||||
e, entry_at, NULL, ACL_AUTH,
|
e, entry_at, NULL, access,
|
||||||
&acl_state ) == 0 ) {
|
&acl_state ) == 0 ) {
|
||||||
rc = LDAP_INSUFFICIENT_ACCESS;
|
rc = LDAP_INSUFFICIENT_ACCESS;
|
||||||
goto freeit;
|
goto freeit;
|
||||||
@ -1516,10 +1517,10 @@ backend_attribute(
|
|||||||
v = op->o_tmpalloc( sizeof(struct berval) * (i+1),
|
v = op->o_tmpalloc( sizeof(struct berval) * (i+1),
|
||||||
op->o_tmpmemctx );
|
op->o_tmpmemctx );
|
||||||
for ( i=0,j=0; a->a_vals[i].bv_val; i++ ) {
|
for ( i=0,j=0; a->a_vals[i].bv_val; i++ ) {
|
||||||
if ( op->o_conn && access_allowed( op,
|
if ( op->o_conn && access > ACL_NONE && access_allowed( op,
|
||||||
e, entry_at,
|
e, entry_at,
|
||||||
&a->a_nvals[i],
|
&a->a_nvals[i],
|
||||||
ACL_AUTH, &acl_state ) == 0 ) {
|
access, &acl_state ) == 0 ) {
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
ber_dupbv_x( &v[j],
|
ber_dupbv_x( &v[j],
|
||||||
|
@ -72,7 +72,7 @@ collect_response( Operation *op, SlapReply *rs )
|
|||||||
/* Extract the values of the desired attribute from
|
/* Extract the values of the desired attribute from
|
||||||
* the ancestor entry
|
* the ancestor entry
|
||||||
*/
|
*/
|
||||||
rc = backend_attribute( op, NULL, &ci->ci_dn, ci->ci_ad, &vals );
|
rc = backend_attribute( op, NULL, &ci->ci_dn, ci->ci_ad, &vals, ACL_READ );
|
||||||
|
|
||||||
/* If there are any values, merge them into the
|
/* If there are any values, merge them into the
|
||||||
* current entry
|
* current entry
|
||||||
|
@ -274,7 +274,8 @@ LDAP_SLAPD_F (int) backend_attribute LDAP_P((
|
|||||||
Entry *target,
|
Entry *target,
|
||||||
struct berval *entry_ndn,
|
struct berval *entry_ndn,
|
||||||
AttributeDescription *entry_at,
|
AttributeDescription *entry_at,
|
||||||
BerVarray *vals
|
BerVarray *vals,
|
||||||
|
slap_access_t access
|
||||||
));
|
));
|
||||||
|
|
||||||
LDAP_SLAPD_F (int) backend_operational LDAP_P((
|
LDAP_SLAPD_F (int) backend_operational LDAP_P((
|
||||||
|
@ -1112,7 +1112,7 @@ slap_sasl_check_authz( Operation *op,
|
|||||||
assertDN->bv_val, ad->ad_cname.bv_val, searchDN->bv_val);
|
assertDN->bv_val, ad->ad_cname.bv_val, searchDN->bv_val);
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
rc = backend_attribute( op, NULL, searchDN, ad, &vals );
|
rc = backend_attribute( op, NULL, searchDN, ad, &vals, ACL_AUTH );
|
||||||
if( rc != LDAP_SUCCESS ) goto COMPLETE;
|
if( rc != LDAP_SUCCESS ) goto COMPLETE;
|
||||||
|
|
||||||
/* Check if the *assertDN matches any *vals */
|
/* Check if the *assertDN matches any *vals */
|
||||||
|
@ -344,7 +344,7 @@ do_syncrep1(
|
|||||||
|
|
||||||
/* read stored cookie if it exists */
|
/* read stored cookie if it exists */
|
||||||
backend_attribute( op, NULL, &op->o_req_ndn,
|
backend_attribute( op, NULL, &op->o_req_ndn,
|
||||||
slap_schema.si_ad_syncreplCookie, &cookie );
|
slap_schema.si_ad_syncreplCookie, &cookie, ACL_READ );
|
||||||
|
|
||||||
if ( !cookie ) {
|
if ( !cookie ) {
|
||||||
/* no stored cookie */
|
/* no stored cookie */
|
||||||
@ -399,7 +399,7 @@ do_syncrep1(
|
|||||||
struct berval cookie_bv;
|
struct berval cookie_bv;
|
||||||
/* try to read stored cookie */
|
/* try to read stored cookie */
|
||||||
backend_attribute( op, NULL, &op->o_req_ndn,
|
backend_attribute( op, NULL, &op->o_req_ndn,
|
||||||
slap_schema.si_ad_syncreplCookie, &cookie );
|
slap_schema.si_ad_syncreplCookie, &cookie, ACL_READ );
|
||||||
if ( cookie ) {
|
if ( cookie ) {
|
||||||
ber_dupbv( &cookie_bv, &cookie[0] );
|
ber_dupbv( &cookie_bv, &cookie[0] );
|
||||||
ber_bvarray_add( &si->si_syncCookie.octet_str, &cookie_bv );
|
ber_bvarray_add( &si->si_syncCookie.octet_str, &cookie_bv );
|
||||||
|
Loading…
Reference in New Issue
Block a user