Fixed slapd attrs/objectclass replog issues (ITS#4298)

Fixed slapd-ldap password modify exop password return (ITS#4294)

Fixed slapd attrs/objectclass replog issues (ITS#4298)
Fixed slapd-ldap password modify exop password return (ITS#4294)
5f6043c0 · Kurt Zeilenga · e2ed30f7 · 5f6043c0 · 5f6043c0 · 5f6043c0
Commit 5f6043c0 authored Jan 04, 2006 by Kurt Zeilenga
--- a/CHANGES
+++ b/CHANGES
@@ -2,8 +2,10 @@ OpenLDAP 2.3 Change Log

 OpenLDAP 2.3.15 Engineering
 	Fixed slapd strerror logging bug (ITS#4292)
-	Fixed slapd-ldap password modify exop password return (ITS#4294)
 	Fixed slapd ACL add/delete fraction issue (ITS#4295)
+	Fixed slapd ACL users selfwrite issue (ITS#4299)
+	Fixed slapd attrs/objectclass replog issues (ITS#4298)
+	Fixed slapd-ldap password modify exop password return (ITS#4294)
 	Build environment
 		Disable test030-relay when threads are unavailable (ITS#4297)


--- a/servers/slapd/acl.c
+++ b/servers/slapd/acl.c
@@ -951,6 +951,8 @@ static int
 acl_mask_dn(
 	Operation		*op,
 	Entry			*e,
+	AttributeDescription	*desc,
+	struct berval		*val,
 	AccessControl		*a,
 	int			nmatch,
 	regmatch_t		*matches,
@@ -978,6 +980,27 @@ acl_mask_dn(
 			return 1;
 		}

+		if ( b->a_self ) {
+			const char *dummy;
+			int rc, match = 0;
+
+			/* must have DN syntax */
+			if ( desc->ad_type->sat_syntax != slap_schema.si_syn_distinguishedName ) return 1;
+
+			/* check if the target is an attribute. */
+			if ( val == NULL ) return 1;
+
+			/* target is attribute, check if the attribute value
+			 * is the op dn.
+			 */
+			rc = value_match( &match, desc,
+				desc->ad_type->sat_equality, 0,
+				val, opndn, &dummy );
+			/* on match error or no match, fail the ACL clause */
+			if ( rc != LDAP_SUCCESS || match != 0 )
+				return 1;
+		}
+
 	} else if ( b->a_style == ACL_STYLE_SELF ) {
 		struct berval	ndn, selfndn;
 		int		level;
@@ -1411,7 +1434,7 @@ slap_acl_mask(
 			 * is maintaned in a_dn_pat.
 			 */

-			if ( acl_mask_dn( op, e, a, nmatch, matches,
+			if ( acl_mask_dn( op, e, desc, val, a, nmatch, matches,
 				&b->a_dn, &op->o_ndn ) )
 			{
 				continue;
@@ -1442,7 +1465,7 @@ slap_acl_mask(
 				ndn = op->o_ndn;
 			}

-			if ( acl_mask_dn( op, e, a, nmatch, matches,
+			if ( acl_mask_dn( op, e, desc, val, a, nmatch, matches,
 				&b->a_realdn, &ndn ) )
 			{
 				continue;

--- a/servers/slapd/repl.c
+++ b/servers/slapd/repl.c
@@ -328,11 +328,22 @@ replog1(
 			if ( ri && ri->ri_attrs ) {
 				int is_in = ad_inlist( ml->sml_desc, ri->ri_attrs );

+				/* skip if:
+				 *   1) the attribute is not in the list,
+				 *      and it's not an exclusion list
+				 *   2) the attribute is in the list
+				 *      and it's an exclusion list,
+				 *      and either the objectClass attribute
+				 *      has already been dealt with or
+				 *      this is not the objectClass attr
+				 */
 				if ( ( !is_in && !ri->ri_exclude )
-					|| ( is_in && ri->ri_exclude ) )
+					|| ( ( is_in && ri->ri_exclude )
+						&& ( !ocs || a->a_desc != slap_schema.si_ad_objectClass ) ) )
 				{
 					continue;
 				}
+
 				/* If this is objectClass, see if the value is included
 				 * in any subset, otherwise drop it.
 				 */
@@ -347,11 +358,24 @@ replog1(
 						int match = 0;
 						for ( an = ri->ri_attrs; an->an_name.bv_val; an++ ) {
 							if ( an->an_oc ) {
+								struct berval	bv = an->an_name;
+
 								ocs = 1;
 								match |= an->an_oc_exclude;
-								if ( ml->sml_values[i].bv_len == an->an_name.bv_len
+
+								switch ( bv.bv_val[ 0 ] ) {
+								case '@':
+								case '+':
+								case '!':
+									bv.bv_val++;
+									bv.bv_len--;
+									break;
+								}
+
+								if ( ml->sml_values[i].bv_len == bv.bv_len
 									&& !strcasecmp(ml->sml_values[i].bv_val,
-										an->an_name.bv_val ) ) {
+										bv.bv_val ) )
+								{
 									match = !an->an_oc_exclude;
 									break;
 								}
@@ -374,7 +398,7 @@ replog1(
 								fprintf( fp, "%s: %s\n", did, type );
 								first = 0;
 							}
-							vals[0] = an->an_name;
+							vals[0] = a->a_nvals[i];
 							print_vals( fp, &ml->sml_desc->ad_cname, vals );
 							ocs = 2;
 						}
@@ -406,7 +430,20 @@ replog1(
 		for ( a = op->ora_e->e_attrs ; a != NULL; a=a->a_next ) {
 			if ( ri && ri->ri_attrs ) {
 				int is_in = ad_inlist( a->a_desc, ri->ri_attrs );
-				if ( ( !is_in && !ri->ri_exclude ) || ( is_in && ri->ri_exclude ) ) {
+
+				/* skip if:
+				 *   1) the attribute is not in the list,
+				 *      and it's not an exclusion list
+				 *   2) the attribute is in the list
+				 *      and it's an exclusion list,
+				 *      and either the objectClass attribute
+				 *      has already been dealt with or
+				 *      this is not the objectClass attr
+				 */
+				if ( ( !is_in && !ri->ri_exclude )
+					|| ( ( is_in && ri->ri_exclude )
+						&& ( !ocs || a->a_desc != slap_schema.si_ad_objectClass ) ) )
+				{
 					continue;
 				}

@@ -423,11 +460,24 @@ replog1(
 						int match = 0;
 						for ( an = ri->ri_attrs; an->an_name.bv_val; an++ ) {
 							if ( an->an_oc ) {
+								struct berval	bv = an->an_name;
+
 								ocs = 1;
 								match |= an->an_oc_exclude;
-								if ( a->a_vals[i].bv_len == an->an_name.bv_len
+
+								switch ( bv.bv_val[ 0 ] ) {
+								case '@':
+								case '+':
+								case '!':
+									bv.bv_val++;
+									bv.bv_len--;
+									break;
+								}
+
+								if ( a->a_vals[i].bv_len == bv.bv_len
 									&& !strcasecmp(a->a_vals[i].bv_val,
-										an->an_name.bv_val ) ) {
+										bv.bv_val ) )
+								{
 									match = !an->an_oc_exclude;
 									break;
 								}
@@ -442,7 +492,7 @@ replog1(
 								fprintf( fp, "changetype: add\n" );
 								dohdr = 0;
 							}
-							vals[0] = an->an_name;
+							vals[0] = a->a_nvals[i];
 							print_vals( fp, &a->a_desc->ad_cname, vals );
 						}
 					}