mirror of
https://git.openldap.org/openldap/openldap.git
synced 2025-12-20 22:59:34 -05:00
back_attribute() should use ACL_AUTH not ACL_READ (at
least for current callers, may need to pass it the permission level)
parent
f0a3a7bb47
commit
ab80b03057
4 changed files with 22 additions and 29 deletions
10
configure
vendored
10
configure
vendored
|
|
@ -1,6 +1,6 @@
|
|||
#! /bin/sh
|
||||
# $OpenLDAP$
|
||||
# from OpenLDAP: pkg/ldap/configure.in,v 1.428 2002/08/28 05:12:22 hyc Exp
|
||||
# from OpenLDAP: pkg/ldap/configure.in,v 1.430 2002/09/04 08:58:25 hyc Exp
|
||||
|
||||
# Copyright 1998-2002 The OpenLDAP Foundation. All Rights Reserved.
|
||||
#
|
||||
|
|
@ -23128,6 +23128,12 @@ else
|
|||
PLAT=UNIX
|
||||
fi
|
||||
|
||||
if test -z "$SLAPD_STATIC_BACKENDS"; then
|
||||
SLAPD_NO_STATIC='#'
|
||||
else
|
||||
SLAPD_NO_STATIC=
|
||||
fi
|
||||
|
||||
|
||||
|
||||
|
||||
|
|
@ -23192,6 +23198,7 @@ fi
|
|||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
# Check whether --with-xxinstall or --without-xxinstall was given.
|
||||
|
|
@ -23423,6 +23430,7 @@ s%@WRAP_LIBS@%$WRAP_LIBS%g
|
|||
s%@MOD_TCL_LIB@%$MOD_TCL_LIB%g
|
||||
s%@SLAPD_MODULES_CPPFLAGS@%$SLAPD_MODULES_CPPFLAGS%g
|
||||
s%@SLAPD_MODULES_LDFLAGS@%$SLAPD_MODULES_LDFLAGS%g
|
||||
s%@SLAPD_NO_STATIC@%$SLAPD_NO_STATIC%g
|
||||
s%@SLAPD_STATIC_BACKENDS@%$SLAPD_STATIC_BACKENDS%g
|
||||
s%@SLAPD_DYNAMIC_BACKENDS@%$SLAPD_DYNAMIC_BACKENDS%g
|
||||
s%@PERL_CPPFLAGS@%$PERL_CPPFLAGS%g
|
||||
|
|
|
|||
|
|
@ -91,7 +91,6 @@ bdb_attribute(
|
|||
entry_ndn->bv_val, 0, 0 );
|
||||
#endif
|
||||
|
||||
|
||||
} else {
|
||||
dn2entry_retry:
|
||||
/* can we find entry */
|
||||
|
|
@ -165,14 +164,6 @@ dn2entry_retry:
|
|||
goto return_results;
|
||||
}
|
||||
|
||||
if (conn != NULL && op != NULL
|
||||
&& access_allowed( be, conn, op, e, slap_schema.si_ad_entry,
|
||||
NULL, ACL_READ, &acl_state ) == 0 )
|
||||
{
|
||||
rc = LDAP_INSUFFICIENT_ACCESS;
|
||||
goto return_results;
|
||||
}
|
||||
|
||||
if ((attr = attr_find(e->e_attrs, entry_at)) == NULL) {
|
||||
#ifdef NEW_LOGGING
|
||||
LDAP_LOG( BACK_BDB, INFO,
|
||||
|
|
@ -187,8 +178,8 @@ dn2entry_retry:
|
|||
}
|
||||
|
||||
if (conn != NULL && op != NULL
|
||||
&& access_allowed( be, conn, op, e, entry_at, NULL, ACL_READ,
|
||||
&acl_state ) == 0 )
|
||||
&& access_allowed( be, conn, op, e, entry_at, NULL,
|
||||
ACL_AUTH, &acl_state ) == 0 )
|
||||
{
|
||||
rc = LDAP_INSUFFICIENT_ACCESS;
|
||||
goto return_results;
|
||||
|
|
@ -204,7 +195,7 @@ dn2entry_retry:
|
|||
if( conn != NULL
|
||||
&& op != NULL
|
||||
&& access_allowed(be, conn, op, e, entry_at,
|
||||
&attr->a_vals[i], ACL_READ, &acl_state ) == 0)
|
||||
&attr->a_vals[i], ACL_AUTH, &acl_state ) == 0)
|
||||
{
|
||||
continue;
|
||||
}
|
||||
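Review bot: The check against `slap_schema.si_ad_entry` in bdb_attribute looks to be dropped outright rather than lowered to ACL_AUTH (the `-165,14 +164,6` hunk shrinks by exactly that block). In the visible code no entry-level ACL is then consulted before values are handed back; only the `entry_at` and per-value `access_allowed( ..., ACL_AUTH, ... )` calls remain. If that is deliberate, say so at the remaining check, e.g. `/* ACL_AUTH on entry_at only: entry-level access is intentionally not checked here */`. Since ACL_AUTH ranks below ACL_READ, it is also worth confirming that no caller with a non-NULL conn and op relies on this function to enforce read access. The same removal appears in ldbm_back_attribute; both function bodies start and end outside the hunks.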
|
|
|
|||
|
|
@ -128,14 +128,6 @@ ldbm_back_attribute(
|
|||
goto return_results;
|
||||
}
|
||||
|
||||
if (conn != NULL && op != NULL
|
||||
&& access_allowed( be, conn, op, e, slap_schema.si_ad_entry,
|
||||
NULL, ACL_READ, NULL ) == 0)
|
||||
{
|
||||
rc = LDAP_INSUFFICIENT_ACCESS;
|
||||
goto return_results;
|
||||
}
|
||||
|
||||
if ((attr = attr_find(e->e_attrs, entry_at)) == NULL) {
|
||||
#ifdef NEW_LOGGING
|
||||
LDAP_LOG( BACK_LDBM, INFO,
|
||||
|
|
@ -152,7 +144,7 @@ ldbm_back_attribute(
|
|||
|
||||
if (conn != NULL && op != NULL
|
||||
&& access_allowed( be, conn, op, e, entry_at, NULL,
|
||||
ACL_READ, &acl_state ) == 0)
|
||||
ACL_AUTH, &acl_state ) == 0)
|
||||
{
|
||||
rc = LDAP_INSUFFICIENT_ACCESS;
|
||||
goto return_results;
|
||||
|
|
@ -168,7 +160,7 @@ ldbm_back_attribute(
|
|||
if( conn != NULL
|
||||
&& op != NULL
|
||||
&& access_allowed( be, conn, op, e, entry_at,
|
||||
iv, ACL_READ, &acl_state ) == 0)
|
||||
iv, ACL_AUTH, &acl_state ) == 0)
|
||||
{
|
||||
continue;
|
||||
}
|
||||
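Review bot: Every ACL check in ldbm_back_attribute (and in bdb_attribute) is guarded by `conn != NULL && op != NULL`, so the choice between ACL_READ and ACL_AUTH only matters for callers that pass both. The one caller visible on this page, slap_sasl_check_authz, calls `backend_attribute( NULL, NULL, conn->c_sasl_bindop, ... )`. If the second argument maps to conn here, that lookup skips access control entirely; this is inferred from the call, not shown on the page. A comment at the guard should state the contract, e.g. `/* NULL conn or op: trusted internal lookup, no ACL enforcement */`. The function body begins and ends outside these hunks.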
|
|
|
|||
|
|
@ -616,15 +616,16 @@ slap_sasl_check_authz( Connection *conn,
|
|||
|
||||
#ifdef NEW_LOGGING
|
||||
LDAP_LOG( TRANSPORT, ENTRY,
|
||||
"slap_sasl_check_authz: does %s match %s rule in %s?\n",
|
||||
assertDN->bv_val, ad->ad_cname.bv_val, searchDN->bv_val);
|
||||
"slap_sasl_check_authz: does %s match %s rule in %s?\n",
|
||||
assertDN->bv_val, ad->ad_cname.bv_val, searchDN->bv_val);
|
||||
#else
|
||||
Debug( LDAP_DEBUG_TRACE,
|
||||
"==>slap_sasl_check_authz: does %s match %s rule in %s?\n",
|
||||
assertDN->bv_val, ad->ad_cname.bv_val, searchDN->bv_val);
|
||||
#endif
|
||||
|
||||
rc = backend_attribute( NULL, NULL, conn->c_sasl_bindop, NULL, searchDN, ad, &vals );
|
||||
rc = backend_attribute( NULL, NULL, conn->c_sasl_bindop, NULL,
|
||||
searchDN, ad, &vals );
|
||||
if( rc != LDAP_SUCCESS )
|
||||
goto COMPLETE;
|
||||
|
||||
|
|
@ -641,11 +642,12 @@ COMPLETE:
|
|||
|
||||
#ifdef NEW_LOGGING
|
||||
LDAP_LOG( TRANSPORT, RESULTS,
|
||||
"slap_sasl_check_authz: %s check returning %s\n",
|
||||
ad->ad_cname.bv_val, rc, 0 );
|
||||
"slap_sasl_check_authz: %s check returning %s\n",
|
||||
ad->ad_cname.bv_val, rc, 0 );
|
||||
#else
|
||||
Debug( LDAP_DEBUG_TRACE,
|
||||
"<==slap_sasl_check_authz: %s check returning %d\n", ad->ad_cname.bv_val, rc, 0);
|
||||
"<==slap_sasl_check_authz: %s check returning %d\n",
|
||||
ad->ad_cname.bv_val, rc, 0);
|
||||
#endif
|
||||
|
||||
return( rc );
|
||||
|
|
|
|||