mirror of
https://git.openldap.org/openldap/openldap.git
synced 2025-12-24 00:29:35 -05:00
More entry level access control for back-shell
(should be applied to back-perl and other programmable backends)
parent
3a17376dfd
commit
df6c69ffd6
3 changed files with 57 additions and 0 deletions
|
|
@ -28,6 +28,8 @@ shell_back_bind(
|
|||
)
|
||||
{
|
||||
struct shellinfo *si = (struct shellinfo *) be->be_private;
|
||||
AttributeDescription *entry = slap_schema.si_ad_entry;
|
||||
Entry e;
|
||||
FILE *rfp, *wfp;
|
||||
int rc;
|
||||
|
||||
|
|
@ -37,6 +39,23 @@ shell_back_bind(
|
|||
return( -1 );
|
||||
}
|
||||
|
||||
e.e_id = NOID;
|
||||
e.e_name = *dn;
|
||||
e.e_nname = *ndn;
|
||||
e.e_attrs = NULL;
|
||||
e.e_ocflags = 0;
|
||||
e.e_bv.bv_len = 0;
|
||||
e.e_bv.bv_val = NULL;
|
||||
e.e_private = NULL;
|
||||
|
||||
if ( ! access_allowed( be, conn, op, &e,
|
||||
entry, NULL, ACL_AUTH, NULL ) )
|
||||
{
|
||||
send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
|
||||
NULL, NULL, NULL, NULL );
|
||||
return -1;
|
||||
}
|
||||
|
||||
if ( (op->o_private = (void *) forkandexec( si->si_bind, &rfp, &wfp ))
|
||||
== (void *) -1 ) {
|
||||
send_ldap_result( conn, op, LDAP_OTHER, NULL,
|
||||
|
|
|
|||
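Review bot: The ACL_AUTH check in the second shell_back_bind hunk runs against a stack `Entry` that carries only the DN (`e.e_attrs = NULL`), so access rules that depend on entry contents rather than its name presumably cannot match here; that limit deserves a comment above the block, e.g. `/* DN-only stub entry: only name-based ACL clauses can be evaluated here */`. The same block is repeated in shell_back_compare and shell_back_modify, and starting each from `memset( &e, 0, sizeof(e) );` (or one shared helper) would keep any member added to Entry later from being read uninitialised. Separately, answering a denied bind with `LDAP_INSUFFICIENT_ACCESS` lets an unauthenticated client tell an ACL denial from a wrong password; `LDAP_INVALID_CREDENTIALS` would avoid exposing that distinction. The function body starts before and continues after the hunks shown.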
|
|
@ -26,6 +26,8 @@ shell_back_compare(
|
|||
)
|
||||
{
|
||||
struct shellinfo *si = (struct shellinfo *) be->be_private;
|
||||
AttributeDescription *entry = slap_schema.si_ad_entry;
|
||||
Entry e;
|
||||
FILE *rfp, *wfp;
|
||||
|
||||
if ( IS_NULLCMD( si->si_compare ) ) {
|
||||
|
|
@ -34,6 +36,23 @@ shell_back_compare(
|
|||
return( -1 );
|
||||
}
|
||||
|
||||
e.e_id = NOID;
|
||||
e.e_name = *dn;
|
||||
e.e_nname = *ndn;
|
||||
e.e_attrs = NULL;
|
||||
e.e_ocflags = 0;
|
||||
e.e_bv.bv_len = 0;
|
||||
e.e_bv.bv_val = NULL;
|
||||
e.e_private = NULL;
|
||||
|
||||
if ( ! access_allowed( be, conn, op, &e,
|
||||
entry, NULL, ACL_READ, NULL ) )
|
||||
{
|
||||
send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
|
||||
NULL, NULL, NULL, NULL );
|
||||
return -1;
|
||||
}
|
||||
|
||||
if ( (op->o_private = (void *) forkandexec( si->si_compare, &rfp, &wfp ))
|
||||
== (void *) -1 ) {
|
||||
send_ldap_result( conn, op, LDAP_OTHER, NULL,
|
||||
|
|
|
|||
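Review bot: The new check in shell_back_compare tests only ACL_READ on the `entry` pseudo-attribute, so attribute-level rules are never consulted before `si->si_compare` is executed. Backends that hold the entry normally gate a compare on ACL_COMPARE for the asserted attribute; if the assertion is available in this function (its parameter list is outside the hunk), a second `access_allowed( ..., ACL_COMPARE, NULL )` call on that attribute and value would close the gap. If attribute-level control is deliberately left to the script, a comment next to the check should say so, for example `/* entry-level check only; the compare script must enforce attribute ACLs */`.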
|
|
@ -27,6 +27,8 @@ shell_back_modify(
|
|||
{
|
||||
Modification *mod;
|
||||
struct shellinfo *si = (struct shellinfo *) be->be_private;
|
||||
AttributeDescription *entry = slap_schema.si_ad_entry;
|
||||
Entry e;
|
||||
FILE *rfp, *wfp;
|
||||
int i;
|
||||
|
||||
|
|
@ -36,6 +38,23 @@ shell_back_modify(
|
|||
return( -1 );
|
||||
}
|
||||
|
||||
e.e_id = NOID;
|
||||
e.e_name = *dn;
|
||||
e.e_nname = *ndn;
|
||||
e.e_attrs = NULL;
|
||||
e.e_ocflags = 0;
|
||||
e.e_bv.bv_len = 0;
|
||||
e.e_bv.bv_val = NULL;
|
||||
e.e_private = NULL;
|
||||
|
||||
if ( ! access_allowed( be, conn, op, &e,
|
||||
entry, NULL, ACL_WRITE, NULL ) )
|
||||
{
|
||||
send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS,
|
||||
NULL, NULL, NULL, NULL );
|
||||
return -1;
|
||||
}
|
||||
|
||||
if ( (op->o_private = (void *) forkandexec( si->si_modify, &rfp, &wfp ))
|
||||
== (void *) -1 ) {
|
||||
send_ldap_result( conn, op, LDAP_OTHER, NULL,
|
||||
|
|
|
|||
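Review bot: ACL_WRITE on `entry` is the only check made before `si->si_modify` is executed, so write restrictions on the individual attributes being modified are not enforced by slapd for this backend. slapd provides `acl_check_modlist()` for that purpose; calling it with `&e` and the modification list (the parameter is declared outside the hunk) ahead of `forkandexec` would apply them, with the caveat that value-dependent rules would still see an attribute-less stub entry. At minimum a comment should state that attribute-level write control is the script's responsibility, e.g. `/* entry-level check only; per-attribute write access is not evaluated here */`.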