ITS#4556,ITS#5723

e9292209 · Quanah Gibson-Mount · 34ea0bfa · e9292209 · e9292209 · e9292209
Commit e9292209 authored Nov 10, 2008 by Quanah Gibson-Mount
--- a/CHANGES
+++ b/CHANGES
@@ -5,6 +5,8 @@ OpenLDAP 2.4.13 Engineering
 	Fixed liblutil hex conversion (ITS#5699)
 	Fixed liblutil returning undefined data (ITS#5748)
 	Fixed libldap error code return (ITS#5762)
+	Fixed slapd acl checks on ADD (ITS#4556,ITS#5723)
+	Added slapd keyword add_content_acl for add checks (ITS#4556,ITS#5723)
 	Fixed slapd config backend olcLogFile support (ITS#5765)
 	Added slapd dn.this search limits (ITS#5734)
 	Fixed slapd nameUIDPretty bitstring parsing (ITS#5750)

--- a/servers/slapd/back-bdb/add.c
+++ b/servers/slapd/back-bdb/add.c
@@ -299,6 +299,24 @@ retry:	/* transaction retry */
 		goto return_results;;
 	}

+	/* 
+	 * Check ACL for attribute write access
+	 */
+	if (!acl_check_modlist(op, oe, op->ora_modlist)) {
+		switch( opinfo.boi_err ) {
+		case DB_LOCK_DEADLOCK:
+		case DB_LOCK_NOTGRANTED:
+			goto retry;
+		}
+
+		Debug( LDAP_DEBUG_TRACE,
+			LDAP_XSTRING(bdb_add) ": no write access to attribute\n",
+			0, 0, 0 );
+		rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
+		rs->sr_text = "no write access to attribute";
+		goto return_results;;
+	}
+
 	if ( eid == NOID ) {
 		rs->sr_err = bdb_next_id( op->o_bd, &eid );
 		if( rs->sr_err != 0 ) {

--- a/servers/slapd/back-ndb/add.cpp
+++ b/servers/slapd/back-ndb/add.cpp
@@ -223,6 +223,19 @@ is_ref:			p.e_attrs = NULL;
 		goto return_results;;
 	}

+	/* 
+	 * Check ACL for attribute write access
+	 */
+	if (!acl_check_modlist(op, op->ora_e, op->ora_modlist)) {
+		Debug( LDAP_DEBUG_TRACE,
+			LDAP_XSTRING(bdb_add) ": no write access to attribute\n",
+			0, 0, 0 );
+		rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
+		rs->sr_text = "no write access to attribute";
+		goto return_results;;
+	}
+
+
 	/* acquire entry ID */
 	if ( op->ora_e->e_id == NOID ) {
 		rs->sr_err = ndb_next_id( op->o_bd, NA.ndb, &op->ora_e->e_id );

--- a/servers/slapd/bconfig.c
+++ b/servers/slapd/bconfig.c
@@ -4651,6 +4651,15 @@ config_back_add( Operation *op, SlapReply *rs )
 		goto out;
 	}

+	/*
+	 * Check for attribute ACL
+	 */
+	if ( !acl_check_modlist( op, op->ora_e, op->orm_modlist )) {
+		rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
+		rs->sr_text = "no write access to attribute";
+		goto out;
+	}
+
 	cfb = (CfBackInfo *)op->o_bd->be_private;

 	/* add opattrs for syncprov */

--- a/tests/data/slapd-acl.conf
+++ b/tests/data/slapd-acl.conf
@@ -55,6 +55,7 @@ rootpw		secret

 #access		to attrs=objectclass dn.subtree="dc=example,dc=com"
 access		to attrs=objectclass
+		by dn.exact="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" add
 		by * =rsc stop

 #access		to filter="(objectclass=person)" attrs=userpassword dn.subtree="dc=example,dc=com"

--- a/tests/data/slapd-dds.conf
+++ b/tests/data/slapd-dds.conf
@@ -66,19 +66,21 @@ access to dn.base="ou=Groups,dc=example,dc=com"
        by users write

 access to dn.onelevel="ou=Groups,dc=example,dc=com"
-                attrs=entry
-        by dnattr=creatorsName write
+                attrs=entryTtl
+        by dnattr=member manage
        by * read

 access to dn.onelevel="ou=Groups,dc=example,dc=com"
-                attrs=member
        by dnattr=creatorsName write
-        by users selfwrite
+        by * break
+
+access to dn.onelevel="ou=Groups,dc=example,dc=com"
+                attrs=entry
        by * read

 access to dn.onelevel="ou=Groups,dc=example,dc=com"
-                attrs=entryTtl
-        by dnattr=member manage
+                attrs=member
+        by users selfwrite
        by * read

 access to *