fix listener mod handling

This commit is contained in:
Pierangelo Masarati 2003-04-02 20:27:58 +00:00
parent a571001ffa
commit a67b41eb69
3 changed files with 13 additions and 13 deletions


@ -128,13 +128,21 @@ extension to indicate the permissions of the underlying socket, on those
OSes that honor them. Support for the
latter two schemes depends on selected configuration options. Hosts
may be specified by name or IPv4 and IPv6 address formats.
Ports, if specfied, must be numeric. The default ldap:// port is 389
Ports, if specified, must be numeric. The default ldap:// port is 389
and the default ldaps:// port is 636.
The socket permissions for LDAP over IPC are indicated by
"x-mod=-rwxrwxrwx", "x-mod=0777" or "x-mod=777", where any
of the "rwx" can be "-" to suppress the related permission (note,
however, that sockets only honor the "w" permission), while any
of the "7" can be any legal octal digit, according to chmod(1).
The usage is a bit awkward: since on some systems write permission
("w") is required to be able to operate on the socket, it must always
be set to allow operations on the socket. As a consequence,
the meaning of the "r" field is to negate write access if present;
e.g., "x-mod=--wx---rw-" means "owner" can access read/write even
without binding (and subject to regular ACLs), while for "others"
bind is required, and the listener is read-only. "Group" permissions
are not considered at present.
.TP
.BI \-r " directory"
Specifies a chroot "jail" directory. slapd will


@ -957,8 +957,9 @@ backend_check_restrictions(
}
#ifdef SLAP_X_LISTENER_MOD
if ( op->o_conn->c_listener && ! ( op->o_conn->c_listener->sl_perms & S_IWUSR ) ) {
/* no "w" mode means readonly */
if ( op->o_conn->c_listener && ( op->o_conn->c_listener->sl_perms & S_IRUSR ) ) {
/* "r" mode means readonly ( "w" is required
* to operate on a socket ...) */
rs->sr_text = "modifications not allowed on this listener";
rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
return rs->sr_err;
@ -1029,15 +1030,6 @@ backend_check_restrictions(
return rs->sr_err;
}
}
if ( !starttls && !updateop ) {
if ( op->o_conn->c_listener && ! ( op->o_conn->c_listener->sl_perms & S_IRUSR ) ) {
/* no "r" mode means no read */
rs->sr_text = "read not allowed on this listener";
rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
return rs->sr_err;
}
}
#endif /* SLAP_X_LISTENER_MOD */
}
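Review bot: The new condition `if ( op->o_conn->c_listener && ( op->o_conn->c_listener->sl_perms & S_IRUSR ) )` inverts the conventional meaning of the mode bit: a set owner-read bit now denies modifications, so an administrator who writes the customary `x-mod=0777` or `-rwxrwxrwx` on an ldapi:// listener (both forms the man page hunk lists as accepted) silently gets a read-only listener. The man page in this same commit also gives the "owner" and "others" fields different meanings (others' `r` meaning read-only with bind required), yet this check inspects only S_IRUSR and nothing in the hunk distinguishes owner from others; if that per-class handling is intended, it presumably lives elsewhere and should be confirmed. A named alias such as `#define SLAP_LISTENER_READONLY S_IRUSR`, tested here and used for the default in daemon.c, would make the inverted meaning explicit instead of relying on the two-line comment. backend_check_restrictions starts and ends outside these hunks.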


@ -679,7 +679,7 @@ static int slap_open_listener(
if ( lud->lud_exts ) {
err = get_url_perms( lud->lud_exts, &l.sl_perms, &crit );
} else {
l.sl_perms = S_IRWXU;
l.sl_perms = S_IWUSR | S_IXUSR; /* "r" means readonly ... */
}
#endif /* LDAP_PF_LOCAL || SLAP_X_LISTENER_MOD */
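Review bot: The comment on the new default, `/* "r" means readonly ... */`, does not say why the read bit is deliberately omitted, and a reader comparing it with the former `S_IRWXU` may conclude the socket is meant to be unreadable. Suggest spelling it out: `/* no S_IRUSR: under the x-mod scheme a set "r" bit marks the listener read-only; "w" is what is needed to use the socket */`. This default is only reached when the URL carries no extensions at all; what get_url_perms stores when extensions are present but x-mod is absent is not visible here and should agree with this value. slap_open_listener continues outside the hunk.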