More "entry" level ACLs for entry add, delete, and rename.

This commit is contained in:
Kurt Zeilenga 2002-10-07 19:19:29 +00:00
parent 880eced255
commit cb73d243fb
8 changed files with 134 additions and 24 deletions

View File

@ -226,6 +226,7 @@ retry: /* transaction retry */
0, 0, 0 );
#endif
rc = LDAP_INSUFFICIENT_ACCESS;
text = "no write access to parent";
goto return_results;;
}
@ -326,6 +327,7 @@ retry: /* transaction retry */
0, 0, 0 );
#endif
rc = LDAP_INSUFFICIENT_ACCESS;
text = "no write access to parent";
goto return_results;;
}
@ -387,6 +389,7 @@ retry: /* transaction retry */
0, 0, 0 );
#endif
rc = LDAP_INSUFFICIENT_ACCESS;
text = "no write access to entry";
goto return_results;;
}

View File

@ -166,13 +166,14 @@ retry: /* transaction retry */
if ( !rc ) {
#ifdef NEW_LOGGING
LDAP_LOG ( OPERATION, DETAIL1,
"<=- bdb_delete: no access to parent\n", 0, 0, 0 );
"<=- bdb_delete: no write access to parent\n", 0, 0, 0 );
#else
Debug( LDAP_DEBUG_TRACE,
"<=- bdb_delete: no access to parent\n",
"<=- bdb_delete: no write access to parent\n",
0, 0, 0 );
#endif
rc = LDAP_INSUFFICIENT_ACCESS;
text = "no write access to parent";
goto return_results;
}
@ -205,6 +206,7 @@ retry: /* transaction retry */
"to parent\n", 0, 0, 0 );
#endif
rc = LDAP_INSUFFICIENT_ACCESS;
text = "no write access to parent";
goto return_results;
}
@ -300,13 +302,14 @@ retry: /* transaction retry */
if ( !rc ) {
#ifdef NEW_LOGGING
LDAP_LOG ( OPERATION, DETAIL1,
"<=- bdb_delete: no access to entry\n", 0, 0, 0 );
"<=- bdb_delete: no write access to entry\n", 0, 0, 0 );
#else
Debug( LDAP_DEBUG_TRACE,
"<=- bdb_delete: no access to entry\n",
"<=- bdb_delete: no write access to entry\n",
0, 0, 0 );
#endif
rc = LDAP_INSUFFICIENT_ACCESS;
text = "no write access to entry";
goto return_results;
}

View File

@ -31,6 +31,7 @@ ldbm_back_add(
ID id = NOID;
const char *text = NULL;
AttributeDescription *children = slap_schema.si_ad_children;
AttributeDescription *entry = slap_schema.si_ad_entry;
char textbuf[SLAP_TEXT_BUFLEN];
size_t textlen = sizeof textbuf;
@ -40,23 +41,8 @@ ldbm_back_add(
Debug(LDAP_DEBUG_ARGS, "==> ldbm_back_add: %s\n", e->e_dn, 0, 0);
#endif
/* grab giant lock for writing */
ldap_pvt_thread_rdwr_wlock(&li->li_giant_rwlock);
if ( ( rc = dn2id( be, &e->e_nname, &id ) ) || id != NOID ) {
/* if (rc) something bad happened to ldbm cache */
ldap_pvt_thread_rdwr_wunlock(&li->li_giant_rwlock);
send_ldap_result( conn, op,
rc ? LDAP_OTHER : LDAP_ALREADY_EXISTS,
NULL, NULL, NULL, NULL );
return( -1 );
}
rc = entry_schema_check( be, e, NULL, &text, textbuf, textlen );
if ( rc != LDAP_SUCCESS ) {
ldap_pvt_thread_rdwr_wunlock(&li->li_giant_rwlock);
#ifdef NEW_LOGGING
LDAP_LOG( BACK_LDBM, ERR,
"ldbm_back_add: entry (%s) failed schema check.\n", e->e_dn, 0, 0 );
@ -70,6 +56,36 @@ ldbm_back_add(
return( -1 );
}
if ( ! access_allowed( be, conn, op, e,
entry, NULL, ACL_WRITE, NULL ) )
{
#ifdef NEW_LOGGING
LDAP_LOG( BACK_LDBM, ERR,
"ldbm_back_add: No write access to entry (%s).\n",
e->e_dn, 0, 0 );
#else
Debug( LDAP_DEBUG_TRACE, "no write access to entry\n", 0,
0, 0 );
#endif
send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
NULL, "no write access to entry", NULL, NULL );
return -1;
}
/* grab giant lock for writing */
ldap_pvt_thread_rdwr_wlock(&li->li_giant_rwlock);
if ( ( rc = dn2id( be, &e->e_nname, &id ) ) || id != NOID ) {
/* if (rc) something bad happened to ldbm cache */
ldap_pvt_thread_rdwr_wunlock(&li->li_giant_rwlock);
send_ldap_result( conn, op,
rc ? LDAP_OTHER : LDAP_ALREADY_EXISTS,
NULL, NULL, NULL, NULL );
return( -1 );
}
/*
* Get the parent dn and see if the corresponding entry exists.
* If the parent does not exist, only allow the "root" user to

View File

@ -32,6 +32,7 @@ ldbm_back_delete(
int rc = -1;
int manageDSAit = get_manageDSAit( op );
AttributeDescription *children = slap_schema.si_ad_children;
AttributeDescription *entry = slap_schema.si_ad_entry;
#ifdef NEW_LOGGING
LDAP_LOG( BACK_LDBM, ENTRY, "ldbm_back_delete: %s\n", dn->bv_val, 0, 0 );
@ -78,6 +79,27 @@ ldbm_back_delete(
return( -1 );
}
/* check entry for "entry" acl */
if ( ! access_allowed( be, conn, op, e,
entry, NULL, ACL_WRITE, NULL ) )
{
#ifdef NEW_LOGGING
LDAP_LOG( BACK_LDBM, ERR,
"ldbm_back_delete: no write access to entry of (%s)\n",
dn->bv_val, 0, 0 );
#else
Debug( LDAP_DEBUG_TRACE,
"<=- ldbm_back_delete: no write access to entry\n", 0,
0, 0 );
#endif
send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
NULL, "no write access to entry", NULL, NULL );
rc = 1;
goto return_results;
}
if ( !manageDSAit && is_entry_referral( e ) ) {
/* parent is a referral, don't allow add */
/* parent is an alias, don't allow add */
@ -101,7 +123,6 @@ ldbm_back_delete(
goto return_results;
}
if ( has_children( be, e ) ) {
#ifdef NEW_LOGGING
LDAP_LOG( BACK_LDBM, ERR,
@ -149,7 +170,7 @@ ldbm_back_delete(
#endif
send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
NULL, NULL, NULL, NULL );
NULL, "no write access to parent", NULL, NULL );
goto return_results;
}
@ -175,9 +196,8 @@ ldbm_back_delete(
"access to parent\n", 0, 0, 0 );
#endif
send_ldap_result( conn, op,
LDAP_INSUFFICIENT_ACCESS,
NULL, NULL, NULL, NULL );
send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
NULL, "no write access to parent", NULL, NULL );
goto return_results;
}

View File

@ -47,6 +47,7 @@ ldbm_back_modrdn(
)
{
AttributeDescription *children = slap_schema.si_ad_children;
AttributeDescription *entry = slap_schema.si_ad_entry;
struct ldbminfo *li = (struct ldbminfo *) be->be_private;
struct berval p_dn, p_ndn;
struct berval new_dn = { 0, NULL}, new_ndn = { 0, NULL };
@ -115,6 +116,26 @@ ldbm_back_modrdn(
return( -1 );
}
/* check entry for "entry" acl */
if ( ! access_allowed( be, conn, op, e,
entry, NULL, ACL_WRITE, NULL ) )
{
#ifdef NEW_LOGGING
LDAP_LOG( BACK_LDBM, ERR,
"ldbm_back_modrdn: no write access to entry of (%s)\n",
dn->bv_val, 0, 0 );
#else
Debug( LDAP_DEBUG_TRACE,
"<=- ldbm_back_modrdn: no write access to entry\n", 0,
0, 0 );
#endif
send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
NULL, "no write access to entry", NULL, NULL );
goto return_results;
}
if (!manageDSAit && is_entry_referral( e ) ) {
/* parent is a referral, don't allow add */
/* parent is an alias, don't allow add */

View File

@ -24,6 +24,7 @@ shell_back_add(
)
{
struct shellinfo *si = (struct shellinfo *) be->be_private;
AttributeDescription *entry = slap_schema.si_ad_entry;
FILE *rfp, *wfp;
int len;
@ -33,6 +34,14 @@ shell_back_add(
return( -1 );
}
if ( ! access_allowed( be, conn, op, e,
entry, NULL, ACL_WRITE, NULL ) )
{
send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
NULL, NULL, NULL, NULL );
return -1;
}
if ( (op->o_private = (void *) forkandexec( si->si_add, &rfp, &wfp )) == (void *) -1 ) {
send_ldap_result( conn, op, LDAP_OTHER, NULL,
"could not fork/exec", NULL, NULL );

View File

@ -25,6 +25,8 @@ shell_back_delete(
)
{
struct shellinfo *si = (struct shellinfo *) be->be_private;
AttributeDescription *entry = slap_schema.si_ad_entry;
Entry e;
FILE *rfp, *wfp;
if ( IS_NULLCMD( si->si_delete ) ) {
@ -33,6 +35,23 @@ shell_back_delete(
return( -1 );
}
e.e_id = NOID;
e.e_name = *dn;
e.e_nname = *ndn;
e.e_attrs = NULL;
e.e_ocflags = 0;
e.e_bv.bv_len = 0;
e.e_bv.bv_val = NULL;
e.e_private = NULL;
if ( ! access_allowed( be, conn, op, &e,
entry, NULL, ACL_WRITE, NULL ) )
{
send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
NULL, NULL, NULL, NULL );
return -1;
}
if ( (op->o_private = (void *) forkandexec( si->si_delete, &rfp, &wfp ))
== (void *) -1 ) {
send_ldap_result( conn, op, LDAP_OTHER, NULL,

View File

@ -43,6 +43,8 @@ shell_back_modrdn(
)
{
struct shellinfo *si = (struct shellinfo *) be->be_private;
AttributeDescription *entry = slap_schema.si_ad_entry;
Entry e;
FILE *rfp, *wfp;
if ( IS_NULLCMD( si->si_modrdn ) ) {
@ -51,6 +53,23 @@ shell_back_modrdn(
return( -1 );
}
e.e_id = NOID;
e.e_name = *dn;
e.e_nname = *ndn;
e.e_attrs = NULL;
e.e_ocflags = 0;
e.e_bv.bv_len = 0;
e.e_bv.bv_val = NULL;
e.e_private = NULL;
if ( ! access_allowed( be, conn, op, &e,
entry, NULL, ACL_WRITE, NULL ) )
{
send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
NULL, NULL, NULL, NULL );
return -1;
}
if ( (op->o_private = (void *) forkandexec( si->si_modrdn, &rfp, &wfp ))
== (void *) -1 ) {
send_ldap_result( conn, op, LDAP_OTHER, NULL,