expose oc_check_operational from schema.c

Use everywhere.
Apply search ACLs to operational attributes.
Only provide operational attributes when explicitly requested.

servers/slapd/acl.c

@@ -55,12 +55,8 @@ access_allowed(
 		e->e_dn, attr, 0 );
 
 	/* the lastmod attributes are ignored by ACL checking */
-	if ( strcasecmp( attr, "modifiersname" ) == 0 ||
-		strcasecmp( attr, "modifytimestamp" ) == 0 ||
-		strcasecmp( attr, "creatorsname" ) == 0 ||
-		strcasecmp( attr, "createtimestamp" ) == 0 )
-	{
- 		Debug( LDAP_DEBUG_ACL, "LASTMOD attribute: %s access allowed\n",
+	if ( oc_check_operational( attr ) ) {
+ 		Debug( LDAP_DEBUG_ACL, "Operational attribute: %s access allowed\n",
 			attr, 0, 0 );
 		return(1);
 	}
@@ -403,12 +399,8 @@ acl_check_modlist(
 		regmatch_t       matches[MAXREMATCHES];
 
 		/* the lastmod attributes are ignored by ACL checking */
-		if ( strcasecmp( mlist->ml_type, "modifiersname" ) == 0 ||
-			strcasecmp( mlist->ml_type, "modifytimestamp" ) == 0 ||
-			strcasecmp( mlist->ml_type, "creatorsname" ) == 0 ||
-			strcasecmp( mlist->ml_type, "createtimestamp" ) == 0 ) 
-		{
-			Debug( LDAP_DEBUG_ACL, "LASTMOD attribute: %s access allowed\n",
+		if ( oc_check_operational( mlist->ml_type ) ) {
+			Debug( LDAP_DEBUG_ACL, "Operational attribute: %s access allowed\n",
 				mlist->ml_type, 0, 0 );
 			continue;
 		}

servers/slapd/add.c

@@ -162,10 +162,7 @@ add_created_attrs( Operation *op, Entry *e )
 
 	/* remove any attempts by the user to add these attrs */
 	for ( a = &e->e_attrs; *a != NULL; a = next ) {
-		if ( strcasecmp( (*a)->a_type, "modifiersname" ) == 0 || 
-			strcasecmp( (*a)->a_type, "modifytimestamp" ) == 0 ||
-			strcasecmp( (*a)->a_type, "creatorsname" ) == 0 ||
-			strcasecmp( (*a)->a_type, "createtimestamp" ) == 0 ) {
+		if ( oc_check_operational( (*a)->a_type ) ) {
 			tmp = *a;
 			*a = (*a)->a_next;
 			attr_free( tmp );

servers/slapd/back-bdb2/modify.c

@@ -33,13 +33,9 @@ add_lastmods( Operation *op, LDAPModList **modlist )
 
 	/* remove any attempts by the user to modify these attrs */
 	for ( m = modlist; *m != NULL; m = &(*m)->ml_next ) {
-            if ( strcasecmp( (*m)->ml_type, "modifytimestamp" ) == 0 || 
-				strcasecmp( (*m)->ml_type, "modifiersname" ) == 0 ||
-				strcasecmp( (*m)->ml_type, "createtimestamp" ) == 0 || 
-				strcasecmp( (*m)->ml_type, "creatorsname" ) == 0 ) {
-
+            if ( oc_check_operational( (*m)->ml_type ) ) {
                 Debug( LDAP_DEBUG_TRACE,
-					"add_lastmods: found lastmod attr: %s\n",
+					"add_lastmods: found operational attr: %s\n",
 					(*m)->ml_type, 0, 0 );
                 tmp = *m;
                 *m = (*m)->ml_next;

servers/slapd/back-ldbm/modify.c

@@ -33,13 +33,9 @@ add_lastmods( Operation *op, LDAPModList **modlist )
 
 	/* remove any attempts by the user to modify these attrs */
 	for ( m = modlist; *m != NULL; m = &(*m)->ml_next ) {
-            if ( strcasecmp( (*m)->ml_type, "modifytimestamp" ) == 0 || 
-				strcasecmp( (*m)->ml_type, "modifiersname" ) == 0 ||
-				strcasecmp( (*m)->ml_type, "createtimestamp" ) == 0 || 
-				strcasecmp( (*m)->ml_type, "creatorsname" ) == 0 ) {
-
+            if ( oc_check_operational( (*m)->ml_type ) ) {
                 Debug( LDAP_DEBUG_TRACE,
-					"add_lastmods: found lastmod attr: %s\n",
+					"add_lastmods: found operational attr: %s\n",
 					(*m)->ml_type, 0, 0 );
                 tmp = *m;
                 *m = (*m)->ml_next;

servers/slapd/proto-slap.h

@@ -255,6 +255,7 @@ void send_ldap_search_result LDAP_P(( Connection *conn, Operation *op, int err,
  */
 
 int oc_schema_check LDAP_P(( Entry *e ));
+int oc_check_operational LDAP_P(( char *type ));
 ObjectClass *oc_find LDAP_P((const char *ocname));
 int oc_add LDAP_P((LDAP_OBJECT_CLASS *oc, const char **err));
 Syntax *syn_find LDAP_P((const char *synname));

servers/slapd/result.c

@@ -231,24 +231,21 @@ send_search_entry(
 	for ( a = e->e_attrs; a != NULL; a = a->a_next ) {
 		regmatch_t       matches[MAXREMATCHES];
 
-		if ( attrs != NULL && ! charray_inlist( attrs, a->a_type ) ) {
-			continue;
-		}
-
-		/* the lastmod attributes are ignored by ACL checking */
-		if ( strcasecmp( a->a_type, "modifiersname" ) == 0 ||
-			strcasecmp( a->a_type, "modifytimestamp" ) == 0 ||
-			strcasecmp( a->a_type, "creatorsname" ) == 0 ||
-			strcasecmp( a->a_type, "createtimestamp" ) == 0 ) 
-		{
-			Debug( LDAP_DEBUG_ACL, "LASTMOD attribute: %s access DEFAULT\n",
-				a->a_type, 0, 0 );
-			acl = NULL;
+		if ( attrs == NULL ) {
+			/* all addrs request, skip operational attributes */
+			if( oc_check_operational( a->a_type )) {
+				continue;
+			}
 		} else {
-			acl = acl_get_applicable( be, op, e, a->a_type,
-				MAXREMATCHES, matches );
+			/* specific addrs requested */
+			if ( !charray_inlist( attrs, a->a_type )) {
+				continue;
+			}
 		}
 
+		acl = acl_get_applicable( be, op, e, a->a_type,
+			MAXREMATCHES, matches );
+
 		if ( ! acl_access_allowed( acl, be, conn, e,
 			NULL, op, ACL_READ, edn, matches ) ) 
 		{

servers/slapd/schema.c

@@ -125,9 +125,9 @@ oc_check_required( Entry *e, char *ocname )
 
 /*
  * check to see if attribute is 'operational' or not.
- * this function should be externalized...
+ * this list should be extensible...
  */
-static int
+int
 oc_check_operational( char *type )
 {
 	return ( strcasecmp( type, "modifiersname" ) == 0 ||
@@ -1051,12 +1051,12 @@ schema_info( Connection *conn, Operation *op, char **attrs, int attrsonly )
 
 	val.bv_val = ch_strdup( "top" );
 	val.bv_len = strlen( val.bv_val );
-	attr_merge( e, "objectclass", vals );
+	attr_merge( e, "objectClass", vals );
 	ldap_memfree( val.bv_val );
 
 	val.bv_val = ch_strdup( "subschema" );
 	val.bv_len = strlen( val.bv_val );
-	attr_merge( e, "objectclass", vals );
+	attr_merge( e, "objectClass", vals );
 	ldap_memfree( val.bv_val );
 
 	if ( syn_schema_info( e ) ) {