Apply ACLs to front end objects (root DSE, subschema) consistently

servers/slapd/acl.c

@@ -103,11 +103,18 @@ access_allowed(
 		e->e_dn, attr );
 #endif
 
-	assert( be != NULL );
 	assert( e != NULL );
 	assert( attr != NULL );
 	assert( access > ACL_NONE );
 
+	if ( op == NULL ) {
+		/* no-op call */
+		return 1;
+	}
+
+	if ( be == NULL ) be = &backends[0];
+	assert( be != NULL );
+
 	/* grant database root access */
 	if ( be != NULL && be_isroot( be, op->o_ndn ) ) {
 #ifdef NEW_LOGGING

servers/slapd/filterentry.c

@@ -234,7 +234,7 @@ test_ava_filter(
 	int		i;
 	Attribute	*a;
 
-	if ( be != NULL && ! access_allowed( be, conn, op, e,
+	if ( !access_allowed( be, conn, op, e,
 		ava->aa_desc, ava->aa_value, ACL_SEARCH ) )
 	{
 		return LDAP_INSUFFICIENT_ACCESS;
@@ -319,8 +319,7 @@ test_presence_filter(
 	AttributeDescription *desc
 )
 {
-	if ( be != NULL && ! access_allowed( be, conn, op, e,
+	if ( !access_allowed( be, conn, op, e, desc, NULL, ACL_SEARCH ) )
-		desc, NULL, ACL_SEARCH ) )
 	{
 		return LDAP_INSUFFICIENT_ACCESS;
 	}
@@ -440,7 +439,7 @@ test_substrings_filter(
 #endif
 
 
-	if ( be != NULL && ! access_allowed( be, conn, op, e,
+	if ( !access_allowed( be, conn, op, e,
 		f->f_sub_desc, NULL, ACL_SEARCH ) )
 	{
 		return LDAP_INSUFFICIENT_ACCESS;