
Re: slapo-dynlist desgin question(s)



Quanah Gibson-Mount wrote:
My intention is to be able to do something like:

access to dn.exact="cn=groupa,cn=groups,dc=stanford,dc=edu"

This should read:

access to dn.exact="cn=groupa,cn=groups,dc=stanford,dc=edu" attrs=member
Try this patch (to HEAD as of now).

p.



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:   +39.02.23998309
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it
------------------------------------------

Index: servers/slapd/acl.c
===================================================================
RCS file: /repo/OpenLDAP/pkg/ldap/servers/slapd/acl.c,v
retrieving revision 1.322
diff -u -r1.322 acl.c
--- servers/slapd/acl.c	2 Jan 2007 19:01:02 -0000	1.322
+++ servers/slapd/acl.c	12 Jan 2007 19:46:50 -0000
@@ -336,6 +336,9 @@
 	const char			*attr;
 	static AccessControlState	state_init = ACL_STATE_INIT;
 
+	struct berval			save_dn = BER_BVNULL,
+					save_ndn = BER_BVNULL;
+
 	assert( e != NULL );
 	assert( desc != NULL );
 
@@ -356,11 +359,22 @@
 		{
 			access = ACL_AUTH;
 
+		} else if ( op->o_is_acl_check == 1 &&
+			( access_level == ACL_SEARCH || access_level == ACL_READ ) )
+		{
+			save_dn = op->o_dn;
+			save_ndn = op->o_ndn;
+
+			op->o_dn = op->o_bd->be_rootdn;
+			op->o_ndn = op->o_bd->be_rootndn;
+
 		} else if ( get_relax( op ) && access_level == ACL_WRITE &&
 			desc == slap_schema.si_ad_entry )
 		{
 			access = ACL_MANAGE;
 		}
+
+		++op->o_is_acl_check;
 	}
 
 	if ( state ) {
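Review bot: The new branch taken when `op->o_is_acl_check == 1` replaces `op->o_dn`/`op->o_ndn` with the backend's rootdn for every nested ACL_SEARCH or ACL_READ check, whatever entry or attribute that nested check concerns, so the elevation is much wider than the dynamic-group lookup that motivates it. It also dereferences `op->o_bd` without a guard, although the later context line `if ( be_null ) op->o_bd = NULL;` suggests `o_bd` can be NULL on entry, and it does not handle a backend with no rootdn configured, where the operation identity would become a null DN. I would guard the swap with `op->o_bd != NULL && !BER_BVISNULL( &op->o_bd->be_rootndn )` and add a comment such as `/* nested check issued while evaluating an ACL: run it as rootdn so internal lookups are not themselves filtered */` to state the trust assumption. The enclosing block starts outside the hunk, so it should be confirmed where `o_bd` is defaulted relative to this branch.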
@@ -443,6 +457,16 @@
 	}
 	if ( be_null ) op->o_bd = NULL;
 	if ( maskp ) ACL_PRIV_ASSIGN( *maskp, mask );
+
+	if ( op ) {
+		assert( op->o_is_acl_check > 0 );
+		if ( !BER_BVISNULL( &save_dn ) ) {
+			op->o_dn = save_dn;
+			op->o_ndn = save_ndn;
+		}
+		--op->o_is_acl_check;
+	}
+
 	return ret;
 }
 
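Review bot: The restore uses `!BER_BVISNULL( &save_dn )` as the marker that the identity was swapped, so if the caller's original `o_dn` was itself a null berval (an anonymous operation may carry one; this is not visible here) the rootdn identity stays on `op` after the function returns. A dedicated flag set in the swap branch, e.g. `int swapped_dn = 0;` tested here as `if ( swapped_dn )`, removes that ambiguity. The restore and `--op->o_is_acl_check` also run only on this final path; the body between the hunks is not shown, so any earlier `return` would leave both the counter and the rootdn identity in place and should be checked. `assert( op->o_is_acl_check > 0 )` is compiled out under NDEBUG, so it cannot be relied on to catch an unbalanced counter in production builds.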
Index: servers/slapd/slap.h
===================================================================
RCS file: /repo/OpenLDAP/pkg/ldap/servers/slapd/slap.h,v
retrieving revision 1.805
diff -u -r1.805 slap.h
--- servers/slapd/slap.h	9 Jan 2007 23:23:29 -0000	1.805
+++ servers/slapd/slap.h	12 Jan 2007 19:46:51 -0000
@@ -2480,6 +2480,7 @@
 	GroupAssertion *o_groups;
 	char o_do_not_cache;	/* don't cache groups from this op */
 	char o_is_auth_check;	/* authorization in progress */
+	char o_is_acl_check;	/* acl check in progress */
 
 	char o_nocaching;
 	char o_delete_glue_parent;
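Review bot: The comment `/* acl check in progress */` describes a flag, but acl.c increments and decrements `o_is_acl_check` and compares it with 1, so the field is a nesting depth; `/* nesting depth of access checks in progress; 0 = none */` would be accurate. As a plain `char` its signedness is implementation-defined and nothing bounds it, so deep re-entry could wrap the counter; whether such depth is reachable is not visible from this patch.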