Commit e9292209 authored by Quanah Gibson-Mount's avatar Quanah Gibson-Mount

ITS#4556,ITS#5723

parent 34ea0bfa
......@@ -5,6 +5,8 @@ OpenLDAP 2.4.13 Engineering
Fixed liblutil hex conversion (ITS#5699)
Fixed liblutil returning undefined data (ITS#5748)
Fixed libldap error code return (ITS#5762)
Fixed slapd acl checks on ADD (ITS#4556,ITS#5723)
Added slapd keyword add_content_acl for add checks (ITS#4556,ITS#5723)
Fixed slapd config backend olcLogFile support (ITS#5765)
Added slapd dn.this search limits (ITS#5734)
Fixed slapd nameUIDPretty bitstring parsing (ITS#5750)
......
......@@ -299,6 +299,24 @@ retry: /* transaction retry */
goto return_results;;
}
/*
* Check ACL for attribute write access
*/
if (!acl_check_modlist(op, oe, op->ora_modlist)) {
switch( opinfo.boi_err ) {
case DB_LOCK_DEADLOCK:
case DB_LOCK_NOTGRANTED:
goto retry;
}
Debug( LDAP_DEBUG_TRACE,
LDAP_XSTRING(bdb_add) ": no write access to attribute\n",
0, 0, 0 );
rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
rs->sr_text = "no write access to attribute";
goto return_results;;
}
if ( eid == NOID ) {
rs->sr_err = bdb_next_id( op->o_bd, &eid );
if( rs->sr_err != 0 ) {
......
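Review bot: The per-attribute check added here is unconditional — nothing in this hunk consults the `add_content_acl` keyword that the CHANGES entry says this commit introduces, so the gating must live inside `acl_check_modlist` or in the frontend; if it does not, every ADD against an ACL set that grants `add` on the entry but only `read` on its attributes (the situation the test configs in this commit are being adjusted for) will start failing with insufficientAccessRights. Once confirmed, a one-line comment above the call would spare the next reader that hunt, e.g. `/* per-attribute add access; add_content_acl gating is applied inside acl_check_modlist */`. The switch on `opinfo.boi_err` mirrors the existing access_allowed block above but has no `default:` case; an explicit `default: break;` would make the intended fall-through clear. bdb_add's body continues on both sides of this hunk.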
......@@ -223,6 +223,19 @@ is_ref: p.e_attrs = NULL;
goto return_results;;
}
/*
* Check ACL for attribute write access
*/
if (!acl_check_modlist(op, op->ora_e, op->ora_modlist)) {
Debug( LDAP_DEBUG_TRACE,
LDAP_XSTRING(bdb_add) ": no write access to attribute\n",
0, 0, 0 );
rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
rs->sr_text = "no write access to attribute";
goto return_results;;
}
/* acquire entry ID */
if ( op->ora_e->e_id == NOID ) {
rs->sr_err = ndb_next_id( op->o_bd, NA.ndb, &op->ora_e->e_id );
......
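Review bot: The trace message on the new lines is attributed to the wrong function: it uses `LDAP_XSTRING(bdb_add)` inside what is back-ndb's add path (the surrounding code calls `ndb_next_id` with the `NA.ndb` handle), so a denied attribute ACL here will be logged as coming from bdb_add. Change it to the enclosing function's name, presumably `LDAP_XSTRING(ndb_back_add) ": no write access to attribute\n",` — confirm against the signature, which is outside the hunk. Unlike the back-bdb copy of this check, there is no retry on a lock-contention error from inside acl_check_modlist; if that is deliberate for ndb's transaction model a short comment saying so would stop someone "fixing" it later.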
......@@ -4651,6 +4651,15 @@ config_back_add( Operation *op, SlapReply *rs )
goto out;
}
/*
* Check for attribute ACL
*/
if ( !acl_check_modlist( op, op->ora_e, op->orm_modlist )) {
rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
rs->sr_text = "no write access to attribute";
goto out;
}
cfb = (CfBackInfo *)op->o_bd->be_private;
/* add opattrs for syncprov */
......
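Review bot: The modlist passed to `acl_check_modlist` on the new lines is `op->orm_modlist`, the modify request's member, but this is the add path (the entry is `op->ora_e`) and the bdb and ndb hunks in this same commit pass `op->ora_modlist`. The two request structs share the `o_request` union, so unless `req_add_s` and `req_modify_s` happen to place their modlist at the same offset this reads some other add-request field as a `Modifications *` and the check walks garbage; for cn=config the rootdn short-circuit presumably masks it, which is why the test suite would not notice. Change it to `if ( !acl_check_modlist( op, op->ora_e, op->ora_modlist )) {`. config_back_add continues on both sides of this hunk.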
......@@ -55,6 +55,7 @@ rootpw secret
#access to attrs=objectclass dn.subtree="dc=example,dc=com"
access to attrs=objectclass
by dn.exact="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" add
by * =rsc stop
#access to filter="(objectclass=person)" attrs=userpassword dn.subtree="dc=example,dc=com"
......
......@@ -66,19 +66,21 @@ access to dn.base="ou=Groups,dc=example,dc=com"
by users write
access to dn.onelevel="ou=Groups,dc=example,dc=com"
attrs=entry
by dnattr=creatorsName write
attrs=entryTtl
by dnattr=member manage
by * read
access to dn.onelevel="ou=Groups,dc=example,dc=com"
attrs=member
by dnattr=creatorsName write
by users selfwrite
by * break
access to dn.onelevel="ou=Groups,dc=example,dc=com"
attrs=entry
by * read
access to dn.onelevel="ou=Groups,dc=example,dc=com"
attrs=entryTtl
by dnattr=member manage
attrs=member
by users selfwrite
by * read
access to *
......