ITS#5572 from Rein

servers/slapd/acl.c

@@ -138,6 +138,7 @@ slap_access_allowed(
 	slap_access_t			access_level;
 	const char			*attr;
 	regmatch_t			matches[MAXREMATCHES];
+	AccessControlState	acl_state = ACL_STATE_INIT;
 
 	assert( op != NULL );
 	assert( e != NULL );
@@ -179,7 +180,7 @@ slap_access_allowed(
 	}
 
 	/* use backend default access if no backend acls */
-	if ( op->o_bd->be_acl == NULL ) {
+	if ( op->o_bd->be_acl == NULL && frontendDB->be_acl == NULL ) {
 		int	i;
 
 		Debug( LDAP_DEBUG_ACL,
@@ -201,15 +202,22 @@ slap_access_allowed(
 	ret = 0;
 	control = ACL_BREAK;
 
-	if ( state && state->as_vd_ad == desc ) {
+	if ( state == NULL )
+		state = &acl_state;
+	if ( state->as_vd_ad == desc ) {
 		a = state->as_vd_acl;
 		count = state->as_vd_acl_count;
-
+		if ( state->as_fe_done )
+			state->as_fe_done--;
 	} else {
-		if ( state ) state->as_vi_acl = NULL;
+		state->as_vi_acl = NULL;
+
 		a = NULL;
 		count = 0;
 	}
+	if ( a == NULL )
+		state->as_fe_done = 0;
+
 	ACL_PRIV_ASSIGN( mask, *maskp );
 	memset( matches, '\0', sizeof( matches ) );
 
@@ -476,13 +484,14 @@ slap_acl_get(
 	assert( e != NULL );
 	assert( count != NULL );
 	assert( desc != NULL );
+	assert( state != NULL );
 
 	attr = desc->ad_cname.bv_val;
 
 	assert( attr != NULL );
 
 	if( a == NULL ) {
-		if( op->o_bd == NULL ) {
+		if( op->o_bd == NULL || op->o_bd->be_acl == NULL ) {
 			a = frontendDB->be_acl;
 		} else {
 			a = op->o_bd->be_acl;
@@ -490,7 +499,8 @@ slap_acl_get(
 		prev = NULL;
 
 		assert( a != NULL );
-
+		if ( a == frontendDB->be_acl )
+			state->as_fe_done = 1;
 	} else {
 		prev = a;
 		a = a->acl_next;
@@ -498,9 +508,13 @@ slap_acl_get(
 
 	dnlen = e->e_nname.bv_len;
 
+ retry:
 	for ( ; a != NULL; prev = a, a = a->acl_next ) {
 		(*count) ++;
 
+		if ( a != frontendDB->be_acl && state->as_fe_done )
+			state->as_fe_done++;
+
 		if ( a->acl_dn_pat.bv_len || ( a->acl_dn_style != ACL_STYLE_REGEX )) {
 			if ( a->acl_dn_style == ACL_STYLE_REGEX ) {
 				Debug( LDAP_DEBUG_ACL, "=> dnpat: [%d] %s nsub: %d\n", 
@@ -567,7 +581,7 @@ slap_acl_get(
 				continue;
 			}
 
-			if( state && !( state->as_recorded & ACL_STATE_RECORDED_VD )) {
+			if( !( state->as_recorded & ACL_STATE_RECORDED_VD )) {
 				state->as_recorded |= ACL_STATE_RECORDED_VD;
 				state->as_vd_acl = prev;
 				state->as_vd_acl_count = *count - 1;
@@ -649,6 +663,12 @@ slap_acl_get(
 		return a;
 	}
 
+	if ( !state->as_fe_done ) {
+		state->as_fe_done = 1;
+		a = frontendDB->be_acl;
+		goto retry;
+	}
+
 	Debug( LDAP_DEBUG_ACL, "<= acl_get: done.\n", 0, 0, 0 );
 	return( NULL );
 }
@@ -1856,7 +1876,7 @@ acl_check_modlist(
 	}
 
 	/* use backend default access if no backend acls */
-	if( op->o_bd != NULL && op->o_bd->be_acl == NULL ) {
+	if( op->o_bd != NULL && op->o_bd->be_acl == NULL && frontendDB->be_acl == NULL ) {
 		Debug( LDAP_DEBUG_ACL,
 			"=> access_allowed: backend default %s access %s to \"%s\"\n",
 			access2str( ACL_WRITE ),

servers/slapd/backend.c

@@ -261,8 +261,6 @@ int backend_startup(Backend *be)
 				return rc;
 			}
 		}
-		/* append global access controls */
-		acl_append( &be->be_acl, frontendDB->be_acl, -1 );
 
 		return backend_startup_one( be, &cr );
 	}
@@ -310,8 +308,6 @@ int backend_startup(Backend *be)
 				"has no suffix\n",
 				i, be->bd_info->bi_type, 0 );
 		}
-		/* append global access controls */
-		acl_append( &be->be_acl, frontendDB->be_acl, -1 );
 
 		rc = backend_startup_one( be, &cr );
 

servers/slapd/slap.h

@@ -1542,9 +1542,10 @@ typedef struct AccessControlState {
 	slap_acl_state_t as_recorded;
 	int as_vd_acl_count;
 	int as_result;
+	int as_fe_done;
 } AccessControlState;
 #define ACL_STATE_INIT { NULL, NULL, NULL, \
-	ACL_STATE_NOT_RECORDED, 0, 0 }
+	ACL_STATE_NOT_RECORDED, 0, 0, 0 }
 
 /*
  * Backend-info