back_attribute() should use ACL_AUTH not ACL_READ (at

least for current callers, may need to pass it the permission level)

back_attribute() should use ACL_AUTH not ACL_READ (at
ab80b030 · Kurt Zeilenga · f0a3a7bb · ab80b030 · ab80b030 · ab80b030
Commit ab80b030 authored 22 years ago by Kurt Zeilenga
--- a/configure
+++ b/configure
 #! /bin/sh
 # $OpenLDAP$
-# from OpenLDAP: pkg/ldap/configure.in,v 1.428 2002/08/28 05:12:22 hyc Exp  
+# from OpenLDAP: pkg/ldap/configure.in,v 1.430 2002/09/04 08:58:25 hyc Exp  
  
 # Copyright 1998-2002 The OpenLDAP Foundation.  All Rights Reserved.
 # 
@@ -23128,6 +23128,12 @@ else
 	PLAT=UNIX
 fi
  
+if test -z "$SLAPD_STATIC_BACKENDS"; then
+	SLAPD_NO_STATIC='#'
+else
+	SLAPD_NO_STATIC=
+fi
+
  
  
  
@@ -23192,6 +23198,7 @@ fi
  
  
  
+
  
  
 # Check whether --with-xxinstall or --without-xxinstall was given.
@@ -23423,6 +23430,7 @@ s%@WRAP_LIBS@%$WRAP_LIBS%g
 s%@MOD_TCL_LIB@%$MOD_TCL_LIB%g
 s%@SLAPD_MODULES_CPPFLAGS@%$SLAPD_MODULES_CPPFLAGS%g
 s%@SLAPD_MODULES_LDFLAGS@%$SLAPD_MODULES_LDFLAGS%g
+s%@SLAPD_NO_STATIC@%$SLAPD_NO_STATIC%g
 s%@SLAPD_STATIC_BACKENDS@%$SLAPD_STATIC_BACKENDS%g
 s%@SLAPD_DYNAMIC_BACKENDS@%$SLAPD_DYNAMIC_BACKENDS%g
 s%@PERL_CPPFLAGS@%$PERL_CPPFLAGS%g

--- a/servers/slapd/back-bdb/attribute.c
+++ b/servers/slapd/back-bdb/attribute.c
@@ -91,7 +91,6 @@ bdb_attribute(
 			entry_ndn->bv_val, 0, 0 );
 #endif

-
 	} else {
 dn2entry_retry:
 		/* can we find entry */
@@ -165,14 +164,6 @@ dn2entry_retry:
 		goto return_results;
 	}

-	if (conn != NULL && op != NULL
-		&& access_allowed( be, conn, op, e, slap_schema.si_ad_entry,
-			NULL, ACL_READ, &acl_state ) == 0 )
-	{
-		rc = LDAP_INSUFFICIENT_ACCESS;
-		goto return_results;
-	}
-
 	if ((attr = attr_find(e->e_attrs, entry_at)) == NULL) {
 #ifdef NEW_LOGGING
 		LDAP_LOG( BACK_BDB, INFO, 
@@ -187,8 +178,8 @@ dn2entry_retry:
 	}

 	if (conn != NULL && op != NULL
-		&& access_allowed( be, conn, op, e, entry_at, NULL, ACL_READ, 
-			   &acl_state ) == 0 )
+		&& access_allowed( be, conn, op, e, entry_at, NULL,
+			ACL_AUTH, &acl_state ) == 0 )
 	{
 		rc = LDAP_INSUFFICIENT_ACCESS;
 		goto return_results;
@@ -204,7 +195,7 @@ dn2entry_retry:
 		if( conn != NULL
 			&& op != NULL
 			&& access_allowed(be, conn, op, e, entry_at,
-				&attr->a_vals[i], ACL_READ, &acl_state ) == 0)
+				&attr->a_vals[i], ACL_AUTH, &acl_state ) == 0)
 		{
 			continue;
 		}

--- a/servers/slapd/back-ldbm/attribute.c
+++ b/servers/slapd/back-ldbm/attribute.c
@@ -128,14 +128,6 @@ ldbm_back_attribute(
 		goto return_results;
 	}

-	if (conn != NULL && op != NULL
-		&& access_allowed( be, conn, op, e, slap_schema.si_ad_entry,
-			NULL, ACL_READ, NULL ) == 0)
-	{
-		rc = LDAP_INSUFFICIENT_ACCESS;
-		goto return_results;
-	}
-
 	if ((attr = attr_find(e->e_attrs, entry_at)) == NULL) {
 #ifdef NEW_LOGGING
 		LDAP_LOG( BACK_LDBM, INFO, 
@@ -152,7 +144,7 @@ ldbm_back_attribute(

 	if (conn != NULL && op != NULL
 		&& access_allowed( be, conn, op, e, entry_at, NULL,
-			ACL_READ, &acl_state ) == 0)
+			ACL_AUTH, &acl_state ) == 0)
 	{
 		rc = LDAP_INSUFFICIENT_ACCESS;
 		goto return_results;
@@ -168,7 +160,7 @@ ldbm_back_attribute(
 		if( conn != NULL
 			&& op != NULL
 			&& access_allowed( be, conn, op, e, entry_at,
-				iv, ACL_READ, &acl_state ) == 0)
+				iv, ACL_AUTH, &acl_state ) == 0)
 		{
 			continue;
 		}

--- a/servers/slapd/saslauthz.c
+++ b/servers/slapd/saslauthz.c
@@ -616,15 +616,16 @@ slap_sasl_check_authz( Connection *conn,

 #ifdef NEW_LOGGING
 	LDAP_LOG( TRANSPORT, ENTRY, 
-		   "slap_sasl_check_authz: does %s match %s rule in %s?\n",
-	       assertDN->bv_val, ad->ad_cname.bv_val, searchDN->bv_val);
+		"slap_sasl_check_authz: does %s match %s rule in %s?\n",
+	    assertDN->bv_val, ad->ad_cname.bv_val, searchDN->bv_val);
 #else
 	Debug( LDAP_DEBUG_TRACE,
 	   "==>slap_sasl_check_authz: does %s match %s rule in %s?\n",
 	   assertDN->bv_val, ad->ad_cname.bv_val, searchDN->bv_val);
 #endif

-	rc = backend_attribute( NULL, NULL, conn->c_sasl_bindop, NULL, searchDN, ad, &vals );
+	rc = backend_attribute( NULL, NULL, conn->c_sasl_bindop, NULL,
+		searchDN, ad, &vals );
 	if( rc != LDAP_SUCCESS )
 		goto COMPLETE;

@@ -641,11 +642,12 @@ COMPLETE:

 #ifdef NEW_LOGGING
 	LDAP_LOG( TRANSPORT, RESULTS, 
-		   "slap_sasl_check_authz: %s check returning %s\n", 
-		   ad->ad_cname.bv_val, rc, 0 );
+		"slap_sasl_check_authz: %s check returning %s\n", 
+		ad->ad_cname.bv_val, rc, 0 );
 #else
 	Debug( LDAP_DEBUG_TRACE,
-	   "<==slap_sasl_check_authz: %s check returning %d\n", ad->ad_cname.bv_val, rc, 0);
+	   "<==slap_sasl_check_authz: %s check returning %d\n",
+		ad->ad_cname.bv_val, rc, 0);
 #endif

 	return( rc );