upstream/openldap
1
0
Fork 0
mirror of https://git.openldap.org/openldap/openldap.git synced 2025-12-22 07:39:35 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

More "entry" level ACLs for entry add, delete, and rename.

Browse source
This commit is contained in:
Kurt Zeilenga 2002-10-07 19:19:29 +00:00
parent 880eced255
commit cb73d243fb
8 changed files with 134 additions and 24 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
servers/slapd/back-bdb/add.c
View file

@ -226,6 +226,7 @@ retry: /* transaction retry */
0, 0, 0 ); 0, 0, 0 );
#endif #endif
rc = LDAP_INSUFFICIENT_ACCESS; rc = LDAP_INSUFFICIENT_ACCESS;
text = "no write access to parent";
goto return_results;; goto return_results;;
} }
@ -326,6 +327,7 @@ retry: /* transaction retry */
0, 0, 0 ); 0, 0, 0 );
#endif #endif
rc = LDAP_INSUFFICIENT_ACCESS; rc = LDAP_INSUFFICIENT_ACCESS;
text = "no write access to parent";
goto return_results;; goto return_results;;
} }
@ -387,6 +389,7 @@ retry: /* transaction retry */
0, 0, 0 ); 0, 0, 0 );
#endif #endif
rc = LDAP_INSUFFICIENT_ACCESS; rc = LDAP_INSUFFICIENT_ACCESS;
text = "no write access to entry";
goto return_results;; goto return_results;;
} }

11
servers/slapd/back-bdb/delete.c
View file

@ -166,13 +166,14 @@ retry: /* transaction retry */
if ( !rc ) { if ( !rc ) {
#ifdef NEW_LOGGING #ifdef NEW_LOGGING
LDAP_LOG ( OPERATION, DETAIL1, LDAP_LOG ( OPERATION, DETAIL1,
"<=- bdb_delete: no access to parent\n", 0, 0, 0 ); "<=- bdb_delete: no write access to parent\n", 0, 0, 0 );
#else #else
Debug( LDAP_DEBUG_TRACE, Debug( LDAP_DEBUG_TRACE,
"<=- bdb_delete: no access to parent\n", "<=- bdb_delete: no write access to parent\n",
0, 0, 0 ); 0, 0, 0 );
#endif #endif
rc = LDAP_INSUFFICIENT_ACCESS; rc = LDAP_INSUFFICIENT_ACCESS;
text = "no write access to parent";
goto return_results; goto return_results;
} }
@ -205,6 +206,7 @@ retry: /* transaction retry */
"to parent\n", 0, 0, 0 ); "to parent\n", 0, 0, 0 );
#endif #endif
rc = LDAP_INSUFFICIENT_ACCESS; rc = LDAP_INSUFFICIENT_ACCESS;
text = "no write access to parent";
goto return_results; goto return_results;
} }
@ -300,13 +302,14 @@ retry: /* transaction retry */
if ( !rc ) { if ( !rc ) {
#ifdef NEW_LOGGING #ifdef NEW_LOGGING
LDAP_LOG ( OPERATION, DETAIL1, LDAP_LOG ( OPERATION, DETAIL1,
"<=- bdb_delete: no access to entry\n", 0, 0, 0 ); "<=- bdb_delete: no write access to entry\n", 0, 0, 0 );
#else #else
Debug( LDAP_DEBUG_TRACE, Debug( LDAP_DEBUG_TRACE,
"<=- bdb_delete: no access to entry\n", "<=- bdb_delete: no write access to entry\n",
0, 0, 0 ); 0, 0, 0 );
#endif #endif
rc = LDAP_INSUFFICIENT_ACCESS; rc = LDAP_INSUFFICIENT_ACCESS;
text = "no write access to entry";
goto return_results; goto return_results;
} }

46
servers/slapd/back-ldbm/add.c
View file

@ -31,6 +31,7 @@ ldbm_back_add(
ID id = NOID; ID id = NOID;
const char *text = NULL; const char *text = NULL;
AttributeDescription *children = slap_schema.si_ad_children; AttributeDescription *children = slap_schema.si_ad_children;
AttributeDescription *entry = slap_schema.si_ad_entry;
char textbuf[SLAP_TEXT_BUFLEN]; char textbuf[SLAP_TEXT_BUFLEN];
size_t textlen = sizeof textbuf; size_t textlen = sizeof textbuf;
@ -40,23 +41,8 @@ ldbm_back_add(
Debug(LDAP_DEBUG_ARGS, "==> ldbm_back_add: %s\n", e->e_dn, 0, 0); Debug(LDAP_DEBUG_ARGS, "==> ldbm_back_add: %s\n", e->e_dn, 0, 0);
#endif #endif
/* grab giant lock for writing */
ldap_pvt_thread_rdwr_wlock(&li->li_giant_rwlock);
if ( ( rc = dn2id( be, &e->e_nname, &id ) ) || id != NOID ) {
/* if (rc) something bad happened to ldbm cache */
ldap_pvt_thread_rdwr_wunlock(&li->li_giant_rwlock);
send_ldap_result( conn, op,
rc ? LDAP_OTHER : LDAP_ALREADY_EXISTS,
NULL, NULL, NULL, NULL );
return( -1 );
}
rc = entry_schema_check( be, e, NULL, &text, textbuf, textlen ); rc = entry_schema_check( be, e, NULL, &text, textbuf, textlen );
if ( rc != LDAP_SUCCESS ) { if ( rc != LDAP_SUCCESS ) {
ldap_pvt_thread_rdwr_wunlock(&li->li_giant_rwlock);
#ifdef NEW_LOGGING #ifdef NEW_LOGGING
LDAP_LOG( BACK_LDBM, ERR, LDAP_LOG( BACK_LDBM, ERR,
"ldbm_back_add: entry (%s) failed schema check.\n", e->e_dn, 0, 0 ); "ldbm_back_add: entry (%s) failed schema check.\n", e->e_dn, 0, 0 );
@ -70,6 +56,36 @@ ldbm_back_add(
return( -1 ); return( -1 );
} }
if ( ! access_allowed( be, conn, op, e,
entry, NULL, ACL_WRITE, NULL ) )
{
#ifdef NEW_LOGGING
LDAP_LOG( BACK_LDBM, ERR,
"ldbm_back_add: No write access to entry (%s).\n",
e->e_dn, 0, 0 );
#else
Debug( LDAP_DEBUG_TRACE, "no write access to entry\n", 0,
0, 0 );
#endif
send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
NULL, "no write access to entry", NULL, NULL );
return -1;
}
/* grab giant lock for writing */
ldap_pvt_thread_rdwr_wlock(&li->li_giant_rwlock);
if ( ( rc = dn2id( be, &e->e_nname, &id ) ) || id != NOID ) {
/* if (rc) something bad happened to ldbm cache */
ldap_pvt_thread_rdwr_wunlock(&li->li_giant_rwlock);
send_ldap_result( conn, op,
rc ? LDAP_OTHER : LDAP_ALREADY_EXISTS,
NULL, NULL, NULL, NULL );
return( -1 );
}
/* /*
* Get the parent dn and see if the corresponding entry exists. * Get the parent dn and see if the corresponding entry exists.
* If the parent does not exist, only allow the "root" user to * If the parent does not exist, only allow the "root" user to

30
servers/slapd/back-ldbm/delete.c
View file

@ -32,6 +32,7 @@ ldbm_back_delete(
int rc = -1; int rc = -1;
int manageDSAit = get_manageDSAit( op ); int manageDSAit = get_manageDSAit( op );
AttributeDescription *children = slap_schema.si_ad_children; AttributeDescription *children = slap_schema.si_ad_children;
AttributeDescription *entry = slap_schema.si_ad_entry;
#ifdef NEW_LOGGING #ifdef NEW_LOGGING
LDAP_LOG( BACK_LDBM, ENTRY, "ldbm_back_delete: %s\n", dn->bv_val, 0, 0 ); LDAP_LOG( BACK_LDBM, ENTRY, "ldbm_back_delete: %s\n", dn->bv_val, 0, 0 );
@ -78,6 +79,27 @@ ldbm_back_delete(
return( -1 ); return( -1 );
} }
/* check entry for "entry" acl */
if ( ! access_allowed( be, conn, op, e,
entry, NULL, ACL_WRITE, NULL ) )
{
#ifdef NEW_LOGGING
LDAP_LOG( BACK_LDBM, ERR,
"ldbm_back_delete: no write access to entry of (%s)\n",
dn->bv_val, 0, 0 );
#else
Debug( LDAP_DEBUG_TRACE,
"<=- ldbm_back_delete: no write access to entry\n", 0,
0, 0 );
#endif
send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
NULL, "no write access to entry", NULL, NULL );
rc = 1;
goto return_results;
}
if ( !manageDSAit && is_entry_referral( e ) ) { if ( !manageDSAit && is_entry_referral( e ) ) {
/* parent is a referral, don't allow add */ /* parent is a referral, don't allow add */
/* parent is an alias, don't allow add */ /* parent is an alias, don't allow add */
@ -101,7 +123,6 @@ ldbm_back_delete(
goto return_results; goto return_results;
} }
if ( has_children( be, e ) ) { if ( has_children( be, e ) ) {
#ifdef NEW_LOGGING #ifdef NEW_LOGGING
LDAP_LOG( BACK_LDBM, ERR, LDAP_LOG( BACK_LDBM, ERR,
@ -149,7 +170,7 @@ ldbm_back_delete(
#endif #endif
send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS, send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
NULL, NULL, NULL, NULL ); NULL, "no write access to parent", NULL, NULL );
goto return_results; goto return_results;
} }
@ -175,9 +196,8 @@ ldbm_back_delete(
"access to parent\n", 0, 0, 0 ); "access to parent\n", 0, 0, 0 );
#endif #endif
send_ldap_result( conn, op, send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
LDAP_INSUFFICIENT_ACCESS, NULL, "no write access to parent", NULL, NULL );
NULL, NULL, NULL, NULL );
goto return_results; goto return_results;
} }

21
servers/slapd/back-ldbm/modrdn.c
View file

@ -47,6 +47,7 @@ ldbm_back_modrdn(
) )
{ {
AttributeDescription *children = slap_schema.si_ad_children; AttributeDescription *children = slap_schema.si_ad_children;
AttributeDescription *entry = slap_schema.si_ad_entry;
struct ldbminfo *li = (struct ldbminfo *) be->be_private; struct ldbminfo *li = (struct ldbminfo *) be->be_private;
struct berval p_dn, p_ndn; struct berval p_dn, p_ndn;
struct berval new_dn = { 0, NULL}, new_ndn = { 0, NULL }; struct berval new_dn = { 0, NULL}, new_ndn = { 0, NULL };
@ -115,6 +116,26 @@ ldbm_back_modrdn(
return( -1 ); return( -1 );
} }
/* check entry for "entry" acl */
if ( ! access_allowed( be, conn, op, e,
entry, NULL, ACL_WRITE, NULL ) )
{
#ifdef NEW_LOGGING
LDAP_LOG( BACK_LDBM, ERR,
"ldbm_back_modrdn: no write access to entry of (%s)\n",
dn->bv_val, 0, 0 );
#else
Debug( LDAP_DEBUG_TRACE,
"<=- ldbm_back_modrdn: no write access to entry\n", 0,
0, 0 );
#endif
send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
NULL, "no write access to entry", NULL, NULL );
goto return_results;
}
if (!manageDSAit && is_entry_referral( e ) ) { if (!manageDSAit && is_entry_referral( e ) ) {
/* parent is a referral, don't allow add */ /* parent is a referral, don't allow add */
/* parent is an alias, don't allow add */ /* parent is an alias, don't allow add */

9
servers/slapd/back-shell/add.c
View file

@ -24,6 +24,7 @@ shell_back_add(
) )
{ {
struct shellinfo *si = (struct shellinfo *) be->be_private; struct shellinfo *si = (struct shellinfo *) be->be_private;
AttributeDescription *entry = slap_schema.si_ad_entry;
FILE *rfp, *wfp; FILE *rfp, *wfp;
int len; int len;
@ -33,6 +34,14 @@ shell_back_add(
return( -1 ); return( -1 );
} }
if ( ! access_allowed( be, conn, op, e,
entry, NULL, ACL_WRITE, NULL ) )
{
send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
NULL, NULL, NULL, NULL );
return -1;
}
if ( (op->o_private = (void *) forkandexec( si->si_add, &rfp, &wfp )) == (void *) -1 ) { if ( (op->o_private = (void *) forkandexec( si->si_add, &rfp, &wfp )) == (void *) -1 ) {
send_ldap_result( conn, op, LDAP_OTHER, NULL, send_ldap_result( conn, op, LDAP_OTHER, NULL,
"could not fork/exec", NULL, NULL ); "could not fork/exec", NULL, NULL );

19
servers/slapd/back-shell/delete.c
View file

@ -25,6 +25,8 @@ shell_back_delete(
) )
{ {
struct shellinfo *si = (struct shellinfo *) be->be_private; struct shellinfo *si = (struct shellinfo *) be->be_private;
AttributeDescription *entry = slap_schema.si_ad_entry;
Entry e;
FILE *rfp, *wfp; FILE *rfp, *wfp;
if ( IS_NULLCMD( si->si_delete ) ) { if ( IS_NULLCMD( si->si_delete ) ) {
@ -33,6 +35,23 @@ shell_back_delete(
return( -1 ); return( -1 );
} }
e.e_id = NOID;
e.e_name = *dn;
e.e_nname = *ndn;
e.e_attrs = NULL;
e.e_ocflags = 0;
e.e_bv.bv_len = 0;
e.e_bv.bv_val = NULL;
e.e_private = NULL;
if ( ! access_allowed( be, conn, op, &e,
entry, NULL, ACL_WRITE, NULL ) )
{
send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
NULL, NULL, NULL, NULL );
return -1;
}
if ( (op->o_private = (void *) forkandexec( si->si_delete, &rfp, &wfp )) if ( (op->o_private = (void *) forkandexec( si->si_delete, &rfp, &wfp ))
== (void *) -1 ) { == (void *) -1 ) {
send_ldap_result( conn, op, LDAP_OTHER, NULL, send_ldap_result( conn, op, LDAP_OTHER, NULL,

19
servers/slapd/back-shell/modrdn.c
View file

@ -43,6 +43,8 @@ shell_back_modrdn(
) )
{ {
struct shellinfo *si = (struct shellinfo *) be->be_private; struct shellinfo *si = (struct shellinfo *) be->be_private;
AttributeDescription *entry = slap_schema.si_ad_entry;
Entry e;
FILE *rfp, *wfp; FILE *rfp, *wfp;
if ( IS_NULLCMD( si->si_modrdn ) ) { if ( IS_NULLCMD( si->si_modrdn ) ) {
@ -51,6 +53,23 @@ shell_back_modrdn(
return( -1 ); return( -1 );
} }
e.e_id = NOID;
e.e_name = *dn;
e.e_nname = *ndn;
e.e_attrs = NULL;
e.e_ocflags = 0;
e.e_bv.bv_len = 0;
e.e_bv.bv_val = NULL;
e.e_private = NULL;
if ( ! access_allowed( be, conn, op, &e,
entry, NULL, ACL_WRITE, NULL ) )
{
send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
NULL, NULL, NULL, NULL );
return -1;
}
if ( (op->o_private = (void *) forkandexec( si->si_modrdn, &rfp, &wfp )) if ( (op->o_private = (void *) forkandexec( si->si_modrdn, &rfp, &wfp ))
== (void *) -1 ) { == (void *) -1 ) {
send_ldap_result( conn, op, LDAP_OTHER, NULL, send_ldap_result( conn, op, LDAP_OTHER, NULL,