more on ITS#3652

servers/slapd/acl.c

@@ -173,7 +173,7 @@ slap_access_always_allowed(
 	return 1;
 }
 
-static int
+int
 slap_access_allowed(
 	Operation		*op,
 	Entry			*e,
@@ -441,13 +441,11 @@ access_allowed_mask(
 	}
 	assert( op->o_bd != NULL );
 
+	/* this is enforced in backend_add() */
+	assert( op->o_bd->bd_info->bi_access_allowed );
+
 	/* delegate to backend */
-	if ( op->o_bd->bd_info->bi_access_allowed != NULL ) {
-		bi_access_allowed = op->o_bd->bd_info->bi_access_allowed;
-	} else {
-		bi_access_allowed = slap_access_allowed;
-	}
-	ret = bi_access_allowed( op, e, desc, val, access, state, &mask );
+	ret = op->o_bd->bd_info->bi_access_allowed( op, e, desc, val, access, state, &mask );
 	if ( !ret ) {
 		if ( ACL_IS_INVALID( mask ) ) {
 			Debug( LDAP_DEBUG_ACL,

servers/slapd/backend.c

@@ -122,6 +122,13 @@ int backend_init(void)
 			}
 			return rc;
 		}
+
+#ifdef SLAP_OVERLAY_ACCESS
+		if ( bi->bi_access_allowed == NULL ) {
+			bi->bi_access_allowed = slap_access_allowed;
+		}
+#endif /* SLAP_OVERLAY_ACCESS */
+
 		LDAP_STAILQ_INSERT_TAIL(&backendInfo, bi, bi_next);
 	}
 
@@ -160,6 +167,12 @@ int backend_add(BackendInfo *aBackendInfo)
 		return rc;
 	}
 
+#ifdef SLAP_OVERLAY_ACCESS
+	if ( aBackendInfo->bi_access_allowed == NULL ) {
+		aBackendInfo->bi_access_allowed = slap_access_allowed;
+	}
+#endif /* SLAP_OVERLAY_ACCESS */
+
 	(void)backend_init_controls( aBackendInfo );
 
 	/* now add the backend type to the Backend Info List */

servers/slapd/backover.c

@@ -288,18 +288,12 @@ over_access_allowed(
 	}
 
 	if ( rc == SLAP_CB_CONTINUE && oi->oi_orig->bi_access_allowed ) {
-		/* NOTE: do not copy the structure until requiredy */
-		/* NOTE: by default, oi->oi_orig->bi_access_allowed == NULL;
-		 * only backends that implement a specific hook
-		 * should store it there; by default, slap_access_allowed()
-		 * is invoked if oi->oi_orig->bi_access_allowed == NULL */
-		if ( !SLAP_ISOVERLAY( op->o_bd ) ) {
- 			db = *op->o_bd;
-			db.be_flags |= SLAP_DBFLAG_OVERLAY;
-			op->o_bd = &db;
+		/* if the database structure was changed, o_bd points to a
+		 * copy of the structure; put the original bd_info in place */
+		if ( SLAP_ISOVERLAY( op->o_bd ) ) {
+			op->o_bd->bd_info = oi->oi_orig;
 		}
 
-		op->o_bd->bd_info = oi->oi_orig;
 		rc = oi->oi_orig->bi_access_allowed( op, e,
 			desc, val, access, state, maskp );
 	}

servers/slapd/bconfig.c

@@ -4127,6 +4127,10 @@ config_back_initialize( BackendInfo *bi )
 
 	bi->bi_chk_referrals = 0;
 
+#ifdef SLAP_OVERLAY_ACCESS
+	bi->bi_access_allowed = slap_access_always_allowed;
+#endif /* SLAP_OVERLAY_ACCESS */
+
 	bi->bi_connection_init = 0;
 	bi->bi_connection_destroy = 0;
 

servers/slapd/frontend.c

@@ -117,6 +117,10 @@ frontend_init( void )
 	frontendDB->bd_info->bi_op_search = fe_op_search;
 	frontendDB->bd_info->bi_extended = fe_extended;
 
+#ifdef SLAP_OVERLAY_ACCESS
+	frontendDB->bd_info->bi_access_allowed = slap_access_allowed;
+#endif /* SLAP_OVERLAY_ACCESS */
+
 #if 0
 	/* FIXME: is this too early? */
 	return backend_startup_one( frontendDB );

servers/slapd/proto-slap.h

@@ -42,6 +42,14 @@ LDAP_SLAPD_F (int) access_allowed_mask LDAP_P((
 	slap_mask_t *mask ));
 #define access_allowed(op,e,desc,val,access,state) access_allowed_mask(op,e,desc,val,access,state,NULL)
 #ifdef SLAP_OVERLAY_ACCESS
+LDAP_SLAPD_F (int) slap_access_allowed LDAP_P((
+	Operation		*op,
+	Entry			*e,
+	AttributeDescription	*desc,
+	struct berval		*val,
+	slap_access_t		access,
+	AccessControlState	*state,
+	slap_mask_t		*maskp ));
 LDAP_SLAPD_F (int) slap_access_always_allowed LDAP_P((
 	Operation		*op,
 	Entry			*e,