honor disclose

servers/slapd/back-monitor/bind.c

@@ -33,23 +33,19 @@
 int
 monitor_back_bind( Operation *op, SlapReply *rs )
 {
-#if 0	/* not used yet */
-	monitor_info_t	*mi
-		= (monitor_info_t *) op->o_bd->be_private;
-#endif
-
 	Debug(LDAP_DEBUG_ARGS, "==> monitor_back_bind: dn: %s\n", 
 			op->o_req_dn.bv_val, 0, 0 );
 	
 	if ( op->oq_bind.rb_method == LDAP_AUTH_SIMPLE 
-			&& be_isroot_pw( op ) ) {
+			&& be_isroot_pw( op ) )
+	{
 		ber_dupbv( &op->oq_bind.rb_edn, be_root_dn( op->o_bd ) );
-		return( 0 );
+		return LDAP_SUCCESS;
 	}
 
 	rs->sr_err = LDAP_INVALID_CREDENTIALS;
 	send_ldap_result( op, rs );
 
-	return( 1 );
+	return rs->sr_err;
 }
 

servers/slapd/back-monitor/compare.c

@@ -32,13 +32,24 @@ monitor_back_compare( struct slap_op *op, struct slap_rep *rs)
 	monitor_info_t	*mi = ( monitor_info_t * ) op->o_bd->be_private;
 	Entry           *e, *matched = NULL;
 	Attribute	*a;
+	int		rc;
 
 	/* get entry with reader lock */
 	monitor_cache_dn2entry( op, &op->o_req_ndn, &e, &matched );
 	if ( e == NULL ) {
 		rs->sr_err = LDAP_NO_SUCH_OBJECT;
 		if ( matched ) {
-			rs->sr_matched = matched->e_dn;
+#ifdef SLAP_ACL_HONOR_DISCLOSE
+			if ( !access_allowed_mask( op, matched,
+					slap_schema.si_ad_entry,
+					NULL, ACL_DISCLOSE, NULL, NULL ) )
+			{
+				/* do nothing */ ;
+			} else 
+#endif /* SLAP_ACL_HONOR_DISCLOSE */
+			{
+				rs->sr_matched = matched->e_dn;
+			}
 		}
 		send_ldap_result( op, rs );
 		if ( matched ) {
@@ -46,7 +57,7 @@ monitor_back_compare( struct slap_op *op, struct slap_rep *rs)
 			rs->sr_matched = NULL;
 		}
 
-		return( 0 );
+		return rs->sr_err;
 	}
 
 	rs->sr_err = access_allowed( op, e, op->oq_compare.rs_ava->aa_desc,
@@ -75,14 +86,32 @@ monitor_back_compare( struct slap_op *op, struct slap_rep *rs)
 	}
 
 return_results:;
-	send_ldap_result( op, rs );
-	if ( rs->sr_err == LDAP_COMPARE_FALSE
-			|| rs->sr_err == LDAP_COMPARE_TRUE ) {
-		rs->sr_err = LDAP_SUCCESS;
+	rc = rs->sr_err;
+	switch ( rc ) {
+	case LDAP_COMPARE_FALSE:
+	case LDAP_COMPARE_TRUE:
+		rc = LDAP_SUCCESS;
+		break;
+
+	case LDAP_NO_SUCH_ATTRIBUTE:
+		break;
+
+	default:
+#ifdef SLAP_ACL_HONOR_DISCLOSE
+		if ( !access_allowed_mask( op, e, slap_schema.si_ad_entry,
+				NULL, ACL_DISCLOSE, NULL, NULL ) )
+		{
+			rs->sr_err = LDAP_NO_SUCH_OBJECT;
+		}
+#endif /* SLAP_ACL_HONOR_DISCLOSE */
+		break;
 	}
+		
+	send_ldap_result( op, rs );
+	rs->sr_err = rc;
 
 	monitor_cache_release( mi, e );
 
-	return( rs->sr_err );
+	return rs->sr_err;
 }
 

servers/slapd/back-monitor/modify.c

@@ -32,14 +32,6 @@
 
 int
 monitor_back_modify( Operation *op, SlapReply *rs )
-	/*
-	Backend		*be,
-	Connection	*conn,
-	Operation	*op,
-	struct berval	*dn,
-	struct berval	*ndn,
-	Modifications	*modlist
-	*/
 {
 	int 		rc = 0;
 	monitor_info_t	*mi = ( monitor_info_t * )op->o_bd->be_private;
@@ -53,14 +45,24 @@ monitor_back_modify( Operation *op, SlapReply *rs )
 	if ( e == NULL ) {
 		rs->sr_err = LDAP_NO_SUCH_OBJECT;
 		if ( matched ) {
-			rs->sr_matched = matched->e_name.bv_val;
+#ifdef SLAP_ACL_HONOR_DISCLOSE
+			if ( !access_allowed_mask( op, matched,
+					slap_schema.si_ad_entry,
+					NULL, ACL_DISCLOSE, NULL, NULL ) )
+			{
+				/* do nothing */ ;
+			} else 
+#endif /* SLAP_ACL_HONOR_DISCLOSE */
+			{
+				rs->sr_matched = matched->e_dn;
+			}
 		}
 		send_ldap_result( op, rs );
 		if ( matched != NULL ) {
 			rs->sr_matched = NULL;
 			monitor_cache_release( mi, matched );
 		}
-		return( 0 );
+		return rs->sr_err;
 	}
 
 	if ( !acl_check_modlist( op, e, op->oq_modify.rs_modlist )) {
@@ -69,11 +71,21 @@ monitor_back_modify( Operation *op, SlapReply *rs )
 		rc = monitor_entry_modify( op, e );
 	}
 
+#ifdef SLAP_ACL_HONOR_DISCLOSE
+	if ( rc != LDAP_SUCCESS ) {
+		if ( !access_allowed_mask( op, e, slap_schema.si_ad_entry,
+				NULL, ACL_DISCLOSE, NULL, NULL ) )
+		{
+			rc = LDAP_NO_SUCH_OBJECT;
+		}
+	}
+#endif /* SLAP_ACL_HONOR_DISCLOSE */
+
 	rs->sr_err = rc;
 	send_ldap_result( op, rs );
 
 	monitor_cache_release( mi, e );
 
-	return( 0 );
+	return rs->sr_err;
 }