mirror of
https://git.openldap.org/openldap/openldap.git
synced 2024-12-21 03:10:25 +08:00
More "entry" level ACLs for entry add, delete, and rename.
This commit is contained in:
parent
880eced255
commit
cb73d243fb
@ -226,6 +226,7 @@ retry: /* transaction retry */
|
||||
0, 0, 0 );
|
||||
#endif
|
||||
rc = LDAP_INSUFFICIENT_ACCESS;
|
||||
text = "no write access to parent";
|
||||
goto return_results;;
|
||||
}
|
||||
|
||||
@ -326,6 +327,7 @@ retry: /* transaction retry */
|
||||
0, 0, 0 );
|
||||
#endif
|
||||
rc = LDAP_INSUFFICIENT_ACCESS;
|
||||
text = "no write access to parent";
|
||||
goto return_results;;
|
||||
}
|
||||
|
||||
@ -387,6 +389,7 @@ retry: /* transaction retry */
|
||||
0, 0, 0 );
|
||||
#endif
|
||||
rc = LDAP_INSUFFICIENT_ACCESS;
|
||||
text = "no write access to entry";
|
||||
goto return_results;;
|
||||
}
|
||||
|
||||
|
@ -166,13 +166,14 @@ retry: /* transaction retry */
|
||||
if ( !rc ) {
|
||||
#ifdef NEW_LOGGING
|
||||
LDAP_LOG ( OPERATION, DETAIL1,
|
||||
"<=- bdb_delete: no access to parent\n", 0, 0, 0 );
|
||||
"<=- bdb_delete: no write access to parent\n", 0, 0, 0 );
|
||||
#else
|
||||
Debug( LDAP_DEBUG_TRACE,
|
||||
"<=- bdb_delete: no access to parent\n",
|
||||
"<=- bdb_delete: no write access to parent\n",
|
||||
0, 0, 0 );
|
||||
#endif
|
||||
rc = LDAP_INSUFFICIENT_ACCESS;
|
||||
text = "no write access to parent";
|
||||
goto return_results;
|
||||
}
|
||||
|
||||
@ -205,6 +206,7 @@ retry: /* transaction retry */
|
||||
"to parent\n", 0, 0, 0 );
|
||||
#endif
|
||||
rc = LDAP_INSUFFICIENT_ACCESS;
|
||||
text = "no write access to parent";
|
||||
goto return_results;
|
||||
}
|
||||
|
||||
@ -300,13 +302,14 @@ retry: /* transaction retry */
|
||||
if ( !rc ) {
|
||||
#ifdef NEW_LOGGING
|
||||
LDAP_LOG ( OPERATION, DETAIL1,
|
||||
"<=- bdb_delete: no access to entry\n", 0, 0, 0 );
|
||||
"<=- bdb_delete: no write access to entry\n", 0, 0, 0 );
|
||||
#else
|
||||
Debug( LDAP_DEBUG_TRACE,
|
||||
"<=- bdb_delete: no access to entry\n",
|
||||
"<=- bdb_delete: no write access to entry\n",
|
||||
0, 0, 0 );
|
||||
#endif
|
||||
rc = LDAP_INSUFFICIENT_ACCESS;
|
||||
text = "no write access to entry";
|
||||
goto return_results;
|
||||
}
|
||||
|
||||
|
@ -31,6 +31,7 @@ ldbm_back_add(
|
||||
ID id = NOID;
|
||||
const char *text = NULL;
|
||||
AttributeDescription *children = slap_schema.si_ad_children;
|
||||
AttributeDescription *entry = slap_schema.si_ad_entry;
|
||||
char textbuf[SLAP_TEXT_BUFLEN];
|
||||
size_t textlen = sizeof textbuf;
|
||||
|
||||
@ -40,23 +41,8 @@ ldbm_back_add(
|
||||
Debug(LDAP_DEBUG_ARGS, "==> ldbm_back_add: %s\n", e->e_dn, 0, 0);
|
||||
#endif
|
||||
|
||||
/* grab giant lock for writing */
|
||||
ldap_pvt_thread_rdwr_wlock(&li->li_giant_rwlock);
|
||||
|
||||
if ( ( rc = dn2id( be, &e->e_nname, &id ) ) || id != NOID ) {
|
||||
/* if (rc) something bad happened to ldbm cache */
|
||||
ldap_pvt_thread_rdwr_wunlock(&li->li_giant_rwlock);
|
||||
send_ldap_result( conn, op,
|
||||
rc ? LDAP_OTHER : LDAP_ALREADY_EXISTS,
|
||||
NULL, NULL, NULL, NULL );
|
||||
return( -1 );
|
||||
}
|
||||
|
||||
rc = entry_schema_check( be, e, NULL, &text, textbuf, textlen );
|
||||
|
||||
if ( rc != LDAP_SUCCESS ) {
|
||||
ldap_pvt_thread_rdwr_wunlock(&li->li_giant_rwlock);
|
||||
|
||||
#ifdef NEW_LOGGING
|
||||
LDAP_LOG( BACK_LDBM, ERR,
|
||||
"ldbm_back_add: entry (%s) failed schema check.\n", e->e_dn, 0, 0 );
|
||||
@ -70,6 +56,36 @@ ldbm_back_add(
|
||||
return( -1 );
|
||||
}
|
||||
|
||||
if ( ! access_allowed( be, conn, op, e,
|
||||
entry, NULL, ACL_WRITE, NULL ) )
|
||||
{
|
||||
#ifdef NEW_LOGGING
|
||||
LDAP_LOG( BACK_LDBM, ERR,
|
||||
"ldbm_back_add: No write access to entry (%s).\n",
|
||||
e->e_dn, 0, 0 );
|
||||
#else
|
||||
Debug( LDAP_DEBUG_TRACE, "no write access to entry\n", 0,
|
||||
0, 0 );
|
||||
#endif
|
||||
|
||||
send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
|
||||
NULL, "no write access to entry", NULL, NULL );
|
||||
|
||||
return -1;
|
||||
}
|
||||
|
||||
/* grab giant lock for writing */
|
||||
ldap_pvt_thread_rdwr_wlock(&li->li_giant_rwlock);
|
||||
|
||||
if ( ( rc = dn2id( be, &e->e_nname, &id ) ) || id != NOID ) {
|
||||
/* if (rc) something bad happened to ldbm cache */
|
||||
ldap_pvt_thread_rdwr_wunlock(&li->li_giant_rwlock);
|
||||
send_ldap_result( conn, op,
|
||||
rc ? LDAP_OTHER : LDAP_ALREADY_EXISTS,
|
||||
NULL, NULL, NULL, NULL );
|
||||
return( -1 );
|
||||
}
|
||||
|
||||
/*
|
||||
* Get the parent dn and see if the corresponding entry exists.
|
||||
* If the parent does not exist, only allow the "root" user to
|
||||
|
@ -32,6 +32,7 @@ ldbm_back_delete(
|
||||
int rc = -1;
|
||||
int manageDSAit = get_manageDSAit( op );
|
||||
AttributeDescription *children = slap_schema.si_ad_children;
|
||||
AttributeDescription *entry = slap_schema.si_ad_entry;
|
||||
|
||||
#ifdef NEW_LOGGING
|
||||
LDAP_LOG( BACK_LDBM, ENTRY, "ldbm_back_delete: %s\n", dn->bv_val, 0, 0 );
|
||||
@ -78,6 +79,27 @@ ldbm_back_delete(
|
||||
return( -1 );
|
||||
}
|
||||
|
||||
/* check entry for "entry" acl */
|
||||
if ( ! access_allowed( be, conn, op, e,
|
||||
entry, NULL, ACL_WRITE, NULL ) )
|
||||
{
|
||||
#ifdef NEW_LOGGING
|
||||
LDAP_LOG( BACK_LDBM, ERR,
|
||||
"ldbm_back_delete: no write access to entry of (%s)\n",
|
||||
dn->bv_val, 0, 0 );
|
||||
#else
|
||||
Debug( LDAP_DEBUG_TRACE,
|
||||
"<=- ldbm_back_delete: no write access to entry\n", 0,
|
||||
0, 0 );
|
||||
#endif
|
||||
|
||||
send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
|
||||
NULL, "no write access to entry", NULL, NULL );
|
||||
|
||||
rc = 1;
|
||||
goto return_results;
|
||||
}
|
||||
|
||||
if ( !manageDSAit && is_entry_referral( e ) ) {
|
||||
/* parent is a referral, don't allow add */
|
||||
/* parent is an alias, don't allow add */
|
||||
@ -101,7 +123,6 @@ ldbm_back_delete(
|
||||
goto return_results;
|
||||
}
|
||||
|
||||
|
||||
if ( has_children( be, e ) ) {
|
||||
#ifdef NEW_LOGGING
|
||||
LDAP_LOG( BACK_LDBM, ERR,
|
||||
@ -149,7 +170,7 @@ ldbm_back_delete(
|
||||
#endif
|
||||
|
||||
send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
|
||||
NULL, NULL, NULL, NULL );
|
||||
NULL, "no write access to parent", NULL, NULL );
|
||||
goto return_results;
|
||||
}
|
||||
|
||||
@ -175,9 +196,8 @@ ldbm_back_delete(
|
||||
"access to parent\n", 0, 0, 0 );
|
||||
#endif
|
||||
|
||||
send_ldap_result( conn, op,
|
||||
LDAP_INSUFFICIENT_ACCESS,
|
||||
NULL, NULL, NULL, NULL );
|
||||
send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
|
||||
NULL, "no write access to parent", NULL, NULL );
|
||||
goto return_results;
|
||||
}
|
||||
|
||||
|
@ -47,6 +47,7 @@ ldbm_back_modrdn(
|
||||
)
|
||||
{
|
||||
AttributeDescription *children = slap_schema.si_ad_children;
|
||||
AttributeDescription *entry = slap_schema.si_ad_entry;
|
||||
struct ldbminfo *li = (struct ldbminfo *) be->be_private;
|
||||
struct berval p_dn, p_ndn;
|
||||
struct berval new_dn = { 0, NULL}, new_ndn = { 0, NULL };
|
||||
@ -115,6 +116,26 @@ ldbm_back_modrdn(
|
||||
return( -1 );
|
||||
}
|
||||
|
||||
/* check entry for "entry" acl */
|
||||
if ( ! access_allowed( be, conn, op, e,
|
||||
entry, NULL, ACL_WRITE, NULL ) )
|
||||
{
|
||||
#ifdef NEW_LOGGING
|
||||
LDAP_LOG( BACK_LDBM, ERR,
|
||||
"ldbm_back_modrdn: no write access to entry of (%s)\n",
|
||||
dn->bv_val, 0, 0 );
|
||||
#else
|
||||
Debug( LDAP_DEBUG_TRACE,
|
||||
"<=- ldbm_back_modrdn: no write access to entry\n", 0,
|
||||
0, 0 );
|
||||
#endif
|
||||
|
||||
send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
|
||||
NULL, "no write access to entry", NULL, NULL );
|
||||
|
||||
goto return_results;
|
||||
}
|
||||
|
||||
if (!manageDSAit && is_entry_referral( e ) ) {
|
||||
/* parent is a referral, don't allow add */
|
||||
/* parent is an alias, don't allow add */
|
||||
|
@ -24,6 +24,7 @@ shell_back_add(
|
||||
)
|
||||
{
|
||||
struct shellinfo *si = (struct shellinfo *) be->be_private;
|
||||
AttributeDescription *entry = slap_schema.si_ad_entry;
|
||||
FILE *rfp, *wfp;
|
||||
int len;
|
||||
|
||||
@ -33,6 +34,14 @@ shell_back_add(
|
||||
return( -1 );
|
||||
}
|
||||
|
||||
if ( ! access_allowed( be, conn, op, e,
|
||||
entry, NULL, ACL_WRITE, NULL ) )
|
||||
{
|
||||
send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
|
||||
NULL, NULL, NULL, NULL );
|
||||
return -1;
|
||||
}
|
||||
|
||||
if ( (op->o_private = (void *) forkandexec( si->si_add, &rfp, &wfp )) == (void *) -1 ) {
|
||||
send_ldap_result( conn, op, LDAP_OTHER, NULL,
|
||||
"could not fork/exec", NULL, NULL );
|
||||
|
@ -25,6 +25,8 @@ shell_back_delete(
|
||||
)
|
||||
{
|
||||
struct shellinfo *si = (struct shellinfo *) be->be_private;
|
||||
AttributeDescription *entry = slap_schema.si_ad_entry;
|
||||
Entry e;
|
||||
FILE *rfp, *wfp;
|
||||
|
||||
if ( IS_NULLCMD( si->si_delete ) ) {
|
||||
@ -33,6 +35,23 @@ shell_back_delete(
|
||||
return( -1 );
|
||||
}
|
||||
|
||||
e.e_id = NOID;
|
||||
e.e_name = *dn;
|
||||
e.e_nname = *ndn;
|
||||
e.e_attrs = NULL;
|
||||
e.e_ocflags = 0;
|
||||
e.e_bv.bv_len = 0;
|
||||
e.e_bv.bv_val = NULL;
|
||||
e.e_private = NULL;
|
||||
|
||||
if ( ! access_allowed( be, conn, op, &e,
|
||||
entry, NULL, ACL_WRITE, NULL ) )
|
||||
{
|
||||
send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
|
||||
NULL, NULL, NULL, NULL );
|
||||
return -1;
|
||||
}
|
||||
|
||||
if ( (op->o_private = (void *) forkandexec( si->si_delete, &rfp, &wfp ))
|
||||
== (void *) -1 ) {
|
||||
send_ldap_result( conn, op, LDAP_OTHER, NULL,
|
||||
|
@ -43,6 +43,8 @@ shell_back_modrdn(
|
||||
)
|
||||
{
|
||||
struct shellinfo *si = (struct shellinfo *) be->be_private;
|
||||
AttributeDescription *entry = slap_schema.si_ad_entry;
|
||||
Entry e;
|
||||
FILE *rfp, *wfp;
|
||||
|
||||
if ( IS_NULLCMD( si->si_modrdn ) ) {
|
||||
@ -51,6 +53,23 @@ shell_back_modrdn(
|
||||
return( -1 );
|
||||
}
|
||||
|
||||
e.e_id = NOID;
|
||||
e.e_name = *dn;
|
||||
e.e_nname = *ndn;
|
||||
e.e_attrs = NULL;
|
||||
e.e_ocflags = 0;
|
||||
e.e_bv.bv_len = 0;
|
||||
e.e_bv.bv_val = NULL;
|
||||
e.e_private = NULL;
|
||||
|
||||
if ( ! access_allowed( be, conn, op, &e,
|
||||
entry, NULL, ACL_WRITE, NULL ) )
|
||||
{
|
||||
send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
|
||||
NULL, NULL, NULL, NULL );
|
||||
return -1;
|
||||
}
|
||||
|
||||
if ( (op->o_private = (void *) forkandexec( si->si_modrdn, &rfp, &wfp ))
|
||||
== (void *) -1 ) {
|
||||
send_ldap_result( conn, op, LDAP_OTHER, NULL,
|
||||
|
Loading…
Reference in New Issue
Block a user