manageDIT framework and obsolete objectclasses/DIT-content-rule override

2025-12-23 16:19:35 -05:00 · 2005-05-13 19:07:31 +00:00 · 2005-05-13 19:07:31 +00:00 · feeeabcd68
commit feeeabcd68
parent edac9abcfe
16 changed files with 53 additions and 36 deletions
--- a/servers/slapd/back-bdb/add.c
+++ b/servers/slapd/back-bdb/add.c
@ -52,8 +52,8 @@ bdb_add(Operation *op, SlapReply *rs )
 	ctrls[num_ctrls] = 0;

 	/* check entry's schema */
-	rs->sr_err = entry_schema_check( op->o_bd, op->oq_add.rs_e,
-		NULL, &rs->sr_text, textbuf, textlen );
+	rs->sr_err = entry_schema_check( op->o_bd, op->oq_add.rs_e, NULL, 0,
+		&rs->sr_text, textbuf, textlen );
 	if ( rs->sr_err != LDAP_SUCCESS ) {
 		Debug( LDAP_DEBUG_TRACE,
 			LDAP_XSTRING(bdb_add) ": entry failed schema check: "
@ -191,8 +191,8 @@ retry:	/* transaction retry */
 			}

 			Debug( LDAP_DEBUG_TRACE,
-				LDAP_XSTRING(bdb_add) ": no write access "
-				"to parent\n", 0, 0, 0 );
+				LDAP_XSTRING(bdb_add) ": no write access to parent\n",
+				0, 0, 0 );
 			rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
 			rs->sr_text = "no write access to parent";
 			goto return_results;;
--- a/servers/slapd/back-bdb/init.c
+++ b/servers/slapd/back-bdb/init.c
@ -650,6 +650,7 @@ bdb_back_initialize(
 	static char *controls[] = {
 		LDAP_CONTROL_ASSERT,
 		LDAP_CONTROL_MANAGEDSAIT,
+		LDAP_CONTROL_MANAGEDIT,
 		LDAP_CONTROL_NOOP,
 		LDAP_CONTROL_PAGEDRESULTS,
 #ifdef LDAP_CONTROL_SUBENTRIES
--- a/servers/slapd/back-bdb/modify.c
+++ b/servers/slapd/back-bdb/modify.c
@ -42,10 +42,21 @@ int bdb_modify_internal(
 	Attribute	*save_attrs;
 	Attribute 	*ap;
 	int			glue_attr_delete = 0;
+	int	manage=0;

 	Debug( LDAP_DEBUG_TRACE, "bdb_modify_internal: 0x%08lx: %s\n",
 		e->e_id, e->e_dn, 0);

+	if( get_manageDIT(op) ) {
+		AttributeDescription *entry = slap_schema.si_ad_entry;
+		if( !access_allowed( op, e, entry, NULL, ACL_MANAGE, NULL )) {
+			*text = "not authorized to manage entry";
+			return LDAP_INSUFFICIENT_ACCESS;
+		}
+
+		manage = 1;
+	}
+
 	if ( !acl_check_modlist( op, e, modlist )) {
 		return LDAP_INSUFFICIENT_ACCESS;
 	}
@ -196,7 +207,8 @@ int bdb_modify_internal(
 	}

 	/* check that the entry still obeys the schema */
-	rc = entry_schema_check( op->o_bd, e, save_attrs, text, textbuf, textlen );
+	rc = entry_schema_check( op->o_bd, e, save_attrs, manage,
+		text, textbuf, textlen );
 	if ( rc != LDAP_SUCCESS || op->o_noop ) {
 		attrs_free( e->e_attrs );
 		/* clear the indexing flags */
--- a/servers/slapd/back-ldbm/add.c
+++ b/servers/slapd/back-ldbm/add.c
@ -45,7 +45,7 @@ ldbm_back_add(
 	Debug(LDAP_DEBUG_ARGS, "==> ldbm_back_add: %s\n",
 		op->o_req_dn.bv_val, 0, 0);
 	
-	rs->sr_err = entry_schema_check( op->o_bd, op->oq_add.rs_e, NULL,
+	rs->sr_err = entry_schema_check( op->o_bd, op->oq_add.rs_e, NULL, 0,
 		&rs->sr_text, textbuf, textlen );

 	if ( rs->sr_err != LDAP_SUCCESS ) {
--- a/servers/slapd/back-ldbm/modify.c
+++ b/servers/slapd/back-ldbm/modify.c
@ -164,8 +164,8 @@ int ldbm_modify_internal(
 	}

 	/* check that the entry still obeys the schema */
-	rc = entry_schema_check( op->o_bd, e, save_attrs, text, textbuf, textlen );
-
+	rc = entry_schema_check( op->o_bd, e, save_attrs, 0,
+		text, textbuf, textlen );
 	if ( rc != LDAP_SUCCESS ) {
 		Debug( LDAP_DEBUG_ANY, "entry failed schema check: %s\n",
 			*text, 0, 0 );
--- a/servers/slapd/back-ldif/ldif.c
+++ b/servers/slapd/back-ldif/ldif.c
@ -553,7 +553,7 @@ static int apply_modify_to_entry(Entry * entry,
 			entry->e_ocflags = 0;
 		}
 		/* check that the entry still obeys the schema */
-		rc = entry_schema_check(op->o_bd, entry, NULL,
+		rc = entry_schema_check(op->o_bd, entry, NULL, 0,
 			  &rs->sr_text, textbuf, sizeof( textbuf ) );
 	}
 	return rc;
@ -760,8 +760,8 @@ static int ldif_back_add(Operation *op, SlapReply *rs) {
 	int statres;
 	char textbuf[SLAP_TEXT_BUFLEN];

-	rs->sr_err = entry_schema_check(op->o_bd, e,
-				  NULL, &rs->sr_text, textbuf, sizeof( textbuf ) );
+	rs->sr_err = entry_schema_check(op->o_bd, e, NULL, 0,
+		&rs->sr_text, textbuf, sizeof( textbuf ) );
 	if ( rs->sr_err != LDAP_SUCCESS ) goto send_res;
 				
 	ldap_pvt_thread_mutex_lock(&ni->li_mutex);
--- a/servers/slapd/back-monitor/log.c
+++ b/servers/slapd/back-monitor/log.c
@ -197,7 +197,7 @@ monitor_subsys_log_modify(
 		}

 		/* check that the entry still obeys the schema */
-		rc = entry_schema_check( be_monitor, e, save_attrs, 
+		rc = entry_schema_check( be_monitor, e, save_attrs, 0,
 			&text, textbuf, sizeof( textbuf ) );
 		if ( rc != LDAP_SUCCESS ) {
 			rs->sr_err = rc;
--- a/servers/slapd/back-sql/add.c
+++ b/servers/slapd/back-sql/add.c
@ -989,8 +989,7 @@ backsql_add( Operation *op, SlapReply *rs )
 	if ( BACKSQL_CHECK_SCHEMA( bi ) ) {
 		char		textbuf[ SLAP_TEXT_BUFLEN ] = { '\0' };

-		rs->sr_err = entry_schema_check( op->o_bd, op->ora_e,
-				NULL,
+		rs->sr_err = entry_schema_check( op->o_bd, op->ora_e, NULL, 0,
 			&rs->sr_text, textbuf, sizeof( textbuf ) );
 		if ( rs->sr_err != LDAP_SUCCESS ) {
 			Debug( LDAP_DEBUG_TRACE, "   backsql_add(\"%s\"): "
--- a/servers/slapd/back-sql/modify.c
+++ b/servers/slapd/back-sql/modify.c
@ -167,8 +167,7 @@ backsql_modify( Operation *op, SlapReply *rs )
 			goto do_transact;
 		}

-		rs->sr_err = entry_schema_check( op->o_bd, &m,
-				NULL,
+		rs->sr_err = entry_schema_check( op->o_bd, &m, NULL, 0,
 			&rs->sr_text, textbuf, sizeof( textbuf ) );
 		if ( rs->sr_err != LDAP_SUCCESS ) {
 			Debug( LDAP_DEBUG_TRACE, "   backsql_add(\"%s\"): "
--- a/servers/slapd/back-sql/modrdn.c
+++ b/servers/slapd/back-sql/modrdn.c
@ -495,8 +495,7 @@ backsql_modrdn( Operation *op, SlapReply *rs )

 		e_id = bsi.bsi_base_id;

-		rs->sr_err = entry_schema_check( op->o_bd, &r,
-				NULL,
+		rs->sr_err = entry_schema_check( op->o_bd, &r, NULL, 0,
 			&rs->sr_text, textbuf, sizeof( textbuf ) );
 		if ( rs->sr_err != LDAP_SUCCESS ) {
 			Debug( LDAP_DEBUG_TRACE, "   backsql_add(\"%s\"): "
--- a/servers/slapd/bconfig.c
+++ b/servers/slapd/bconfig.c
@ -3305,7 +3305,7 @@ config_modify_internal( CfEntryInfo *ce, Operation *op, SlapReply *rs,
 	
 	if(rc == LDAP_SUCCESS) {
 		/* check that the entry still obeys the schema */
-		rc = entry_schema_check(op->o_bd, e, NULL,
+		rc = entry_schema_check(op->o_bd, e, NULL, 0,
 			&rs->sr_text, ca->msg, sizeof(ca->msg) );
 	}
 	if ( rc == LDAP_SUCCESS ) {
--- a/servers/slapd/modify.c
+++ b/servers/slapd/modify.c
@ -442,8 +442,6 @@ fe_op_modify( Operation *op, SlapReply *rs )
 				}
 			}

-
-
 			if ( !repl_user ) {
 				for( modtail = &modlist;
 					*modtail != NULL;
--- a/servers/slapd/proto-slap.h
+++ b/servers/slapd/proto-slap.h
@ -1272,7 +1272,10 @@ LDAP_SLAPD_F( int ) structural_class(
 	char *textbuf, size_t textlen );

 LDAP_SLAPD_F( int ) entry_schema_check(
-	Backend *be, Entry *e, Attribute *attrs,
+	Backend *be,
+	Entry *e,
+	Attribute *attrs,
+	int manage,
 	const char** text,
 	char *textbuf, size_t textlen );

--- a/servers/slapd/schema_check.c
+++ b/servers/slapd/schema_check.c
@ -31,6 +31,7 @@ static char * oc_check_required(

 static int entry_naming_check(
 	Entry *e,
+	int manage,
 	const char** text,
 	char *textbuf, size_t textlen );
 /*
@ -45,6 +46,7 @@ entry_schema_check(
 	Backend *be,
 	Entry *e,
 	Attribute *oldattrs,
+	int manage,
 	const char** text,
 	char *textbuf, size_t textlen )
 {
@ -151,7 +153,7 @@ entry_schema_check(
 		return LDAP_OTHER;
 	}

-	if( sc->soc_obsolete ) {
+	if( !manage && sc->soc_obsolete ) {
 		snprintf( textbuf, textlen, 
 			"structuralObjectClass '%s' is OBSOLETE",
 			asc->a_vals[0].bv_val );
@ -201,7 +203,7 @@ entry_schema_check(

 	/* naming check */
 	if ( !is_entry_objectclass ( e, slap_schema.si_oc_glue, 0 ) ) {
-		rc = entry_naming_check( e, text, textbuf, textlen );
+		rc = entry_naming_check( e, manage, text, textbuf, textlen );
 		if( rc != LDAP_SUCCESS ) {
 			return rc;
 		}
@ -217,7 +219,7 @@ entry_schema_check(

 	/* check that the entry has required attrs of the content rule */
 	if( cr ) {
-		if( cr->scr_obsolete ) {
+		if( !manage && cr->scr_obsolete ) {
 			snprintf( textbuf, textlen, 
 				"content rule '%s' is obsolete",
 				ldap_contentrule2name( &cr->scr_crule ));
@ -292,7 +294,7 @@ entry_schema_check(
 			return LDAP_OBJECT_CLASS_VIOLATION;
 		}

-		if ( oc->soc_obsolete ) {
+		if ( !manage && oc->soc_obsolete ) {
 			/* disallow obsolete classes */
 			snprintf( textbuf, textlen, 
 				"objectClass '%s' is OBSOLETE",
@ -727,6 +729,7 @@ int mods_structural_class(
 static int
 entry_naming_check(
 	Entry *e,
+	int manage,
 	const char** text,
 	char *textbuf, size_t textlen )
 {
@ -787,7 +790,7 @@ entry_naming_check(
 			break;
 		}

-		if( desc->ad_type->sat_obsolete ) {
+		if( !manage && desc->ad_type->sat_obsolete ) {
 			snprintf( textbuf, textlen, 
 				"naming attribute '%s' is obsolete",
 				ava->la_attr.bv_val );
--- a/servers/slapd/slapadd.c
+++ b/servers/slapd/slapadd.c
@ -53,6 +53,7 @@ slapadd( int argc, char **argv )
 	char textbuf[SLAP_TEXT_BUFLEN] = { '\0' };
 	size_t textlen = sizeof textbuf;
 	const char *progname = "slapadd";
+	int manage = 0;	

 	struct berval csn;
 	struct berval maxcsn;
@ -181,7 +182,8 @@ slapadd( int argc, char **argv )
 			}

 			/* check schema */
-			rc = entry_schema_check( be, e, NULL, &text, textbuf, textlen );
+			rc = entry_schema_check( be, e, NULL, manage,
+				&text, textbuf, textlen );

 			if( rc != LDAP_SUCCESS ) {
 				fprintf( stderr, "%s: dn=\"%s\" (line=%d): (%d) %s\n",
--- a/servers/slapd/slapi/slapi_utils.c
+++ b/servers/slapd/slapi/slapi_utils.c
@ -4118,7 +4118,8 @@ int slapi_entry_schema_check( Slapi_PBlock *pb, Slapi_Entry *e )
 	if ( slapi_pblock_get( pb, SLAPI_BACKEND, (void **)&be ) != 0 )
 		return -1;

-	rc = entry_schema_check( be, e, NULL, &text, textbuf, textlen );
+	rc = entry_schema_check( be, e, NULL, 0,
+		&text, textbuf, textlen );

 	return ( rc == LDAP_SUCCESS ) ? 0 : 1;
 #else