manageDIT framework and obsolete objectclasses/DIT-content-rule override

servers/slapd/back-bdb/add.c

@@ -52,8 +52,8 @@ bdb_add(Operation *op, SlapReply *rs )
 	ctrls[num_ctrls] = 0;
 
 	/* check entry's schema */
-	rs->sr_err = entry_schema_check( op->o_bd, op->oq_add.rs_e,
-		NULL, &rs->sr_text, textbuf, textlen );
+	rs->sr_err = entry_schema_check( op->o_bd, op->oq_add.rs_e, NULL, 0,
+		&rs->sr_text, textbuf, textlen );
 	if ( rs->sr_err != LDAP_SUCCESS ) {
 		Debug( LDAP_DEBUG_TRACE,
 			LDAP_XSTRING(bdb_add) ": entry failed schema check: "
@@ -191,8 +191,8 @@ retry:	/* transaction retry */
 			}
 
 			Debug( LDAP_DEBUG_TRACE,
-				LDAP_XSTRING(bdb_add) ": no write access "
-				"to parent\n", 0, 0, 0 );
+				LDAP_XSTRING(bdb_add) ": no write access to parent\n",
+				0, 0, 0 );
 			rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
 			rs->sr_text = "no write access to parent";
 			goto return_results;;

servers/slapd/back-bdb/init.c

@@ -650,6 +650,7 @@ bdb_back_initialize(
 	static char *controls[] = {
 		LDAP_CONTROL_ASSERT,
 		LDAP_CONTROL_MANAGEDSAIT,
+		LDAP_CONTROL_MANAGEDIT,
 		LDAP_CONTROL_NOOP,
 		LDAP_CONTROL_PAGEDRESULTS,
 #ifdef LDAP_CONTROL_SUBENTRIES

servers/slapd/back-bdb/modify.c

@@ -42,10 +42,21 @@ int bdb_modify_internal(
 	Attribute	*save_attrs;
 	Attribute 	*ap;
 	int			glue_attr_delete = 0;
+	int	manage=0;
 
 	Debug( LDAP_DEBUG_TRACE, "bdb_modify_internal: 0x%08lx: %s\n",
 		e->e_id, e->e_dn, 0);
 
+	if( get_manageDIT(op) ) {
+		AttributeDescription *entry = slap_schema.si_ad_entry;
+		if( !access_allowed( op, e, entry, NULL, ACL_MANAGE, NULL )) {
+			*text = "not authorized to manage entry";
+			return LDAP_INSUFFICIENT_ACCESS;
+		}
+
+		manage = 1;
+	}
+
 	if ( !acl_check_modlist( op, e, modlist )) {
 		return LDAP_INSUFFICIENT_ACCESS;
 	}
@@ -196,7 +207,8 @@ int bdb_modify_internal(
 	}
 
 	/* check that the entry still obeys the schema */
-	rc = entry_schema_check( op->o_bd, e, save_attrs, text, textbuf, textlen );
+	rc = entry_schema_check( op->o_bd, e, save_attrs, manage,
+		text, textbuf, textlen );
 	if ( rc != LDAP_SUCCESS || op->o_noop ) {
 		attrs_free( e->e_attrs );
 		/* clear the indexing flags */

servers/slapd/back-ldbm/add.c

@@ -45,7 +45,7 @@ ldbm_back_add(
 	Debug(LDAP_DEBUG_ARGS, "==> ldbm_back_add: %s\n",
 		op->o_req_dn.bv_val, 0, 0);
 	
-	rs->sr_err = entry_schema_check( op->o_bd, op->oq_add.rs_e, NULL,
+	rs->sr_err = entry_schema_check( op->o_bd, op->oq_add.rs_e, NULL, 0,
 		&rs->sr_text, textbuf, textlen );
 
 	if ( rs->sr_err != LDAP_SUCCESS ) {

servers/slapd/back-ldbm/modify.c

@@ -164,8 +164,8 @@ int ldbm_modify_internal(
 	}
 
 	/* check that the entry still obeys the schema */
-	rc = entry_schema_check( op->o_bd, e, save_attrs, text, textbuf, textlen );
-
+	rc = entry_schema_check( op->o_bd, e, save_attrs, 0,
+		text, textbuf, textlen );
 	if ( rc != LDAP_SUCCESS ) {
 		Debug( LDAP_DEBUG_ANY, "entry failed schema check: %s\n",
 			*text, 0, 0 );

servers/slapd/back-ldif/ldif.c

@@ -553,8 +553,8 @@ static int apply_modify_to_entry(Entry * entry,
 			entry->e_ocflags = 0;
 		}
 		/* check that the entry still obeys the schema */
-		rc = entry_schema_check(op->o_bd, entry, NULL,
-				  &rs->sr_text, textbuf, sizeof( textbuf ) );
+		rc = entry_schema_check(op->o_bd, entry, NULL, 0,
+			  &rs->sr_text, textbuf, sizeof( textbuf ) );
 	}
 	return rc;
 }
@@ -760,8 +760,8 @@ static int ldif_back_add(Operation *op, SlapReply *rs) {
 	int statres;
 	char textbuf[SLAP_TEXT_BUFLEN];
 
-	rs->sr_err = entry_schema_check(op->o_bd, e,
-				  NULL, &rs->sr_text, textbuf, sizeof( textbuf ) );
+	rs->sr_err = entry_schema_check(op->o_bd, e, NULL, 0,
+		&rs->sr_text, textbuf, sizeof( textbuf ) );
 	if ( rs->sr_err != LDAP_SUCCESS ) goto send_res;
 				
 	ldap_pvt_thread_mutex_lock(&ni->li_mutex);

servers/slapd/back-monitor/log.c

@@ -197,8 +197,8 @@ monitor_subsys_log_modify(
 		}
 
 		/* check that the entry still obeys the schema */
-		rc = entry_schema_check( be_monitor, e, save_attrs, 
-				&text, textbuf, sizeof( textbuf ) );
+		rc = entry_schema_check( be_monitor, e, save_attrs, 0,
+			&text, textbuf, sizeof( textbuf ) );
 		if ( rc != LDAP_SUCCESS ) {
 			rs->sr_err = rc;
 			goto cleanup;

servers/slapd/back-sql/add.c

@@ -989,9 +989,8 @@ backsql_add( Operation *op, SlapReply *rs )
 	if ( BACKSQL_CHECK_SCHEMA( bi ) ) {
 		char		textbuf[ SLAP_TEXT_BUFLEN ] = { '\0' };
 
-		rs->sr_err = entry_schema_check( op->o_bd, op->ora_e,
-				NULL,
-				&rs->sr_text, textbuf, sizeof( textbuf ) );
+		rs->sr_err = entry_schema_check( op->o_bd, op->ora_e, NULL, 0,
+			&rs->sr_text, textbuf, sizeof( textbuf ) );
 		if ( rs->sr_err != LDAP_SUCCESS ) {
 			Debug( LDAP_DEBUG_TRACE, "   backsql_add(\"%s\"): "
 				"entry failed schema check -- aborting\n",

servers/slapd/back-sql/modify.c

@@ -167,9 +167,8 @@ backsql_modify( Operation *op, SlapReply *rs )
 			goto do_transact;
 		}
 
-		rs->sr_err = entry_schema_check( op->o_bd, &m,
-				NULL,
-				&rs->sr_text, textbuf, sizeof( textbuf ) );
+		rs->sr_err = entry_schema_check( op->o_bd, &m, NULL, 0,
+			&rs->sr_text, textbuf, sizeof( textbuf ) );
 		if ( rs->sr_err != LDAP_SUCCESS ) {
 			Debug( LDAP_DEBUG_TRACE, "   backsql_add(\"%s\"): "
 				"entry failed schema check -- aborting\n",

servers/slapd/back-sql/modrdn.c

@@ -495,9 +495,8 @@ backsql_modrdn( Operation *op, SlapReply *rs )
 
 		e_id = bsi.bsi_base_id;
 
-		rs->sr_err = entry_schema_check( op->o_bd, &r,
-				NULL,
-				&rs->sr_text, textbuf, sizeof( textbuf ) );
+		rs->sr_err = entry_schema_check( op->o_bd, &r, NULL, 0,
+			&rs->sr_text, textbuf, sizeof( textbuf ) );
 		if ( rs->sr_err != LDAP_SUCCESS ) {
 			Debug( LDAP_DEBUG_TRACE, "   backsql_add(\"%s\"): "
 				"entry failed schema check -- aborting\n",

servers/slapd/bconfig.c

@@ -3305,8 +3305,8 @@ config_modify_internal( CfEntryInfo *ce, Operation *op, SlapReply *rs,
 	
 	if(rc == LDAP_SUCCESS) {
 		/* check that the entry still obeys the schema */
-		rc = entry_schema_check(op->o_bd, e, NULL,
-				  &rs->sr_text, ca->msg, sizeof(ca->msg) );
+		rc = entry_schema_check(op->o_bd, e, NULL, 0,
+			&rs->sr_text, ca->msg, sizeof(ca->msg) );
 	}
 	if ( rc == LDAP_SUCCESS ) {
 		/* Basic syntax checks are OK. Do the actual settings. */

servers/slapd/modify.c

@@ -187,7 +187,7 @@ do_modify(
 	}
 
 	rs->sr_err = slap_mods_check( modlist, &rs->sr_text,
-			textbuf, textlen, NULL );
+		textbuf, textlen, NULL );
 
 	if ( rs->sr_err != LDAP_SUCCESS ) {
 		send_ldap_result( op, rs );
@@ -442,8 +442,6 @@ fe_op_modify( Operation *op, SlapReply *rs )
 				}
 			}
 
-
-
 			if ( !repl_user ) {
 				for( modtail = &modlist;
 					*modtail != NULL;

servers/slapd/proto-slap.h

@@ -1272,7 +1272,10 @@ LDAP_SLAPD_F( int ) structural_class(
 	char *textbuf, size_t textlen );
 
 LDAP_SLAPD_F( int ) entry_schema_check(
-	Backend *be, Entry *e, Attribute *attrs,
+	Backend *be,
+	Entry *e,
+	Attribute *attrs,
+	int manage,
 	const char** text,
 	char *textbuf, size_t textlen );
 

servers/slapd/schema_check.c

@@ -31,6 +31,7 @@ static char * oc_check_required(
 
 static int entry_naming_check(
 	Entry *e,
+	int manage,
 	const char** text,
 	char *textbuf, size_t textlen );
 /*
@@ -45,6 +46,7 @@ entry_schema_check(
 	Backend *be,
 	Entry *e,
 	Attribute *oldattrs,
+	int manage,
 	const char** text,
 	char *textbuf, size_t textlen )
 {
@@ -151,7 +153,7 @@ entry_schema_check(
 		return LDAP_OTHER;
 	}
 
-	if( sc->soc_obsolete ) {
+	if( !manage && sc->soc_obsolete ) {
 		snprintf( textbuf, textlen, 
 			"structuralObjectClass '%s' is OBSOLETE",
 			asc->a_vals[0].bv_val );
@@ -201,7 +203,7 @@ entry_schema_check(
 
 	/* naming check */
 	if ( !is_entry_objectclass ( e, slap_schema.si_oc_glue, 0 ) ) {
-		rc = entry_naming_check( e, text, textbuf, textlen );
+		rc = entry_naming_check( e, manage, text, textbuf, textlen );
 		if( rc != LDAP_SUCCESS ) {
 			return rc;
 		}
@@ -217,7 +219,7 @@ entry_schema_check(
 
 	/* check that the entry has required attrs of the content rule */
 	if( cr ) {
-		if( cr->scr_obsolete ) {
+		if( !manage && cr->scr_obsolete ) {
 			snprintf( textbuf, textlen, 
 				"content rule '%s' is obsolete",
 				ldap_contentrule2name( &cr->scr_crule ));
@@ -292,7 +294,7 @@ entry_schema_check(
 			return LDAP_OBJECT_CLASS_VIOLATION;
 		}
 
-		if ( oc->soc_obsolete ) {
+		if ( !manage && oc->soc_obsolete ) {
 			/* disallow obsolete classes */
 			snprintf( textbuf, textlen, 
 				"objectClass '%s' is OBSOLETE",
@@ -727,6 +729,7 @@ int mods_structural_class(
 static int
 entry_naming_check(
 	Entry *e,
+	int manage,
 	const char** text,
 	char *textbuf, size_t textlen )
 {
@@ -787,7 +790,7 @@ entry_naming_check(
 			break;
 		}
 
-		if( desc->ad_type->sat_obsolete ) {
+		if( !manage && desc->ad_type->sat_obsolete ) {
 			snprintf( textbuf, textlen, 
 				"naming attribute '%s' is obsolete",
 				ava->la_attr.bv_val );

servers/slapd/slapadd.c

@@ -53,6 +53,7 @@ slapadd( int argc, char **argv )
 	char textbuf[SLAP_TEXT_BUFLEN] = { '\0' };
 	size_t textlen = sizeof textbuf;
 	const char *progname = "slapadd";
+	int manage = 0;	
 
 	struct berval csn;
 	struct berval maxcsn;
@@ -181,7 +182,8 @@ slapadd( int argc, char **argv )
 			}
 
 			/* check schema */
-			rc = entry_schema_check( be, e, NULL, &text, textbuf, textlen );
+			rc = entry_schema_check( be, e, NULL, manage,
+				&text, textbuf, textlen );
 
 			if( rc != LDAP_SUCCESS ) {
 				fprintf( stderr, "%s: dn=\"%s\" (line=%d): (%d) %s\n",

servers/slapd/slapi/slapi_utils.c

@@ -4118,7 +4118,8 @@ int slapi_entry_schema_check( Slapi_PBlock *pb, Slapi_Entry *e )
 	if ( slapi_pblock_get( pb, SLAPI_BACKEND, (void **)&be ) != 0 )
 		return -1;
 
-	rc = entry_schema_check( be, e, NULL, &text, textbuf, textlen );
+	rc = entry_schema_check( be, e, NULL, 0,
+		&text, textbuf, textlen );
 
 	return ( rc == LDAP_SUCCESS ) ? 0 : 1;
 #else