From: Kurt Zeilenga Date: Fri, 7 Dec 2001 17:15:04 +0000 (+0000) Subject: Apply suffix "" patches X-Git-Tag: OPENLDAP_REL_ENG_2_0_19~5 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=04136d934fed8813beaf3581a04507a958949a4f;p=thirdparty%2Fopenldap.git Apply suffix "" patches --- diff --git a/CHANGES b/CHANGES index f41c7d37df..8925189245 100644 --- a/CHANGES +++ b/CHANGES @@ -3,9 +3,12 @@ OpenLDAP 2.0 Change Log OpenLDAP 2.0.19 Engineering Fixed -lldap cacertfile bug Fixed back-ldbm not filter indexing + Fixed back-ldbm null suffix bug Fixed back-passwd e_ndn bug (ITS#1467) + Fixed back-ldap undef ad bug (ITS#1367) Fixed slapd suffix "" bugs (ITS#1430) Fixed slapd zero length replace bug (ITS#1364) + Fixed slapd undefined present filter bug (ITS#1439) Fixed lber realloc bug (ITS#1410) Fixed various memory leaks Updated slapd emfile/enfile handling @@ -15,6 +18,7 @@ OpenLDAP 2.0.19 Engineering Updated CThread detection (ITS#1440) Updated MAXPATHLEN handling (ITS#1440) Fixed TLS build (ITS#1412) + Added BerkeleyDB 4 support Added GNU ar support (ITS#1460) OpenLDAP 2.0.18 Release diff --git a/servers/slapd/add.c b/servers/slapd/add.c index 8f3b3082ff..3db485cc02 100644 --- a/servers/slapd/add.c +++ b/servers/slapd/add.c @@ -196,8 +196,7 @@ do_add( Connection *conn, Operation *op ) */ if ( be->be_add ) { /* do the update here */ - int repl_user = (be->be_update_ndn != NULL && - strcmp( be->be_update_ndn, op->o_ndn ) == 0); + int repl_user = be_isupdate(be, op->o_ndn ); #ifndef SLAPD_MULTIMASTER if ( be->be_update_ndn == NULL || repl_user ) #endif diff --git a/servers/slapd/back-ldbm/add.c b/servers/slapd/back-ldbm/add.c index 1d1951913c..7fa4cc0bcb 100644 --- a/servers/slapd/back-ldbm/add.c +++ b/servers/slapd/back-ldbm/add.c 
@@ -178,18 +178,44 @@ ldbm_back_add( } /* no parent, must be adding entry to root */ - if ( !be_isroot( be, op->o_ndn ) && !be_issuffix( be, "" ) ) { - ldap_pvt_thread_mutex_unlock(&li->li_add_mutex); - - Debug( LDAP_DEBUG_TRACE, "%s add denied\n", - pdn == NULL ? "suffix" : "entry at root", - 0, 0 ); + if ( !be_isroot( be, op->o_ndn ) ) { + if ( be_issuffix( be, "" ) + || be_isupdate( be, op->o_ndn ) ) { + static const Entry rootp = { NOID, "", "", NULL, NULL }; + p = (Entry *)&rootp; + + rc = access_allowed( be, conn, op, p, + children, NULL, ACL_WRITE ); + p = NULL; + + if ( ! rc ) { + ldap_pvt_thread_mutex_unlock(&li->li_add_mutex); + + Debug( LDAP_DEBUG_TRACE, + "no write access to parent\n", + 0, 0, 0 ); + + send_ldap_result( conn, op, + LDAP_INSUFFICIENT_ACCESS, + NULL, + "no write access to parent", + NULL, NULL ); + + return -1; + } + } else { + ldap_pvt_thread_mutex_unlock(&li->li_add_mutex); + Debug( LDAP_DEBUG_TRACE, "%s add denied\n", + pdn == NULL ? "suffix" + : "entry at root", 0, 0 ); - send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS, - NULL, NULL, NULL, NULL ); + send_ldap_result( conn, op, + LDAP_INSUFFICIENT_ACCESS, + NULL, NULL, NULL, NULL ); - return -1; + return -1; + } } /* diff --git a/servers/slapd/back-ldbm/delete.c b/servers/slapd/back-ldbm/delete.c index dc8e63516d..3dce29e3c1 100644 --- a/servers/slapd/back-ldbm/delete.c +++ b/servers/slapd/back-ldbm/delete.c 
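Review bot: `p = (Entry *)&rootp;` strips the `const` from a static object and hands it to access_allowed(); nothing in the hunk shows that access_allowed() treats its Entry argument as read-only, and if it or the ACL evaluation it drives writes any field, that is undefined behaviour on an object shared by every thread. If the read-only contract holds, state it where the pseudo-entry is defined: `/* read-only pseudo-entry standing in for the "" parent; access_allowed() must not modify it */`. The same comment should say that this entry has no attributes, so ACL clauses that presumably look at the parent's attributes cannot match here and only DN-based clauses on "" decide. ldbm_back_add continues outside the hunk.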
@@ -117,13 +117,38 @@ ldbm_back_delete( } else { /* no parent, must be root to delete */ - if( ! be_isroot( be, op->o_ndn ) && ! be_issuffix( be, "" ) ) { - Debug( LDAP_DEBUG_TRACE, - "<=- ldbm_back_delete: no parent & not root\n", - 0, 0, 0); - send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS, - NULL, NULL, NULL, NULL ); - goto return_results; + if( ! be_isroot( be, op->o_ndn ) ) { + if ( be_issuffix( be, "" ) + || be_isupdate( be, op->o_ndn ) ) { + static const Entry rootp = { NOID, "", "", NULL, NULL }; + p = (Entry *)&rootp; + + rc = access_allowed( be, conn, op, p, + children, NULL, ACL_WRITE ); + p = NULL; + + /* check parent for "children" acl */ + if ( ! rc ) { + Debug( LDAP_DEBUG_TRACE, + "<=- ldbm_back_delete: no " + "access to parent\n", 0, 0, 0 ); + + send_ldap_result( conn, op, + LDAP_INSUFFICIENT_ACCESS, + NULL, NULL, NULL, NULL ); + goto return_results; + } + + } else { + Debug( LDAP_DEBUG_TRACE, + "<=- ldbm_back_delete: no parent & " + "not root\n", 0, 0, 0); + + send_ldap_result( conn, op, + LDAP_INSUFFICIENT_ACCESS, + NULL, NULL, NULL, NULL ); + goto return_results; + } } ldap_pvt_thread_mutex_lock(&li->li_root_mutex); diff --git a/servers/slapd/back-ldbm/modrdn.c b/servers/slapd/back-ldbm/modrdn.c index 5aefdbba58..547e3ecb56 100644 --- a/servers/slapd/back-ldbm/modrdn.c +++ b/servers/slapd/back-ldbm/modrdn.c @@ -50,6 +50,7 @@ ldbm_back_modrdn( char *new_dn = NULL, *new_ndn = NULL; Entry *e, *p = NULL; Entry *matched; + int isroot = -1; int rootlock = 0; #define CAN_ROLLBACK -1 #define MUST_DESTROY 1 
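Review bot: The synthesized-root ACL check (static `rootp`, the `(Entry *)` cast, access_allowed() on `children`, then resetting `p`) is now copied verbatim here, in ldbm_back_add and twice in ldbm_back_modrdn; four copies of a security check tend to drift, so a single static helper in back-ldbm would be safer. The comment `/* check parent for "children" acl */` also sits after the access_allowed() call it describes and should move above the call. ldbm_back_delete continues outside the hunk.
```c
/* ACL check for operations whose parent is the "" pseudo-root:
 * returns the access_allowed() result for write on "children". */
static int
root_children_access( Backend *be, Connection *conn, Operation *op )
{
	static const Entry rootp = { NOID, "", "", NULL, NULL };

	return access_allowed( be, conn, op, (Entry *)&rootp,
		children, NULL, ACL_WRITE );
}
```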
@@ -167,14 +168,40 @@ ldbm_back_modrdn( p_dn, 0, 0 ); } else { - /* no parent, modrdn entry directly under root */ - if( ! be_isroot( be, op->o_ndn ) && ! be_issuffix( be, "" ) ) { - Debug( LDAP_DEBUG_TRACE, "no parent & not root\n", - 0, 0, 0); + /* no parent, must be root to modify rdn */ + isroot = be_isroot( be, op->o_ndn ); + if ( ! be_isroot ) { + if ( be_issuffix( be, "" ) + || be_isupdate( be, op->o_ndn ) ) { + static const Entry rootp = { NOID, "", "", NULL, NULL }; + p = (Entry *)&rootp; + + rc = access_allowed( be, conn, op, p, + children, NULL, ACL_WRITE ); + p = NULL; + + /* check parent for "children" acl */ + if ( ! rc ) { + Debug( LDAP_DEBUG_TRACE, + "<=- ldbm_back_modrdn: no " + "access to parent\n", 0, 0, 0 ); + + send_ldap_result( conn, op, + LDAP_INSUFFICIENT_ACCESS, + NULL, NULL, NULL, NULL ); + goto return_results; + } + + } else { + Debug( LDAP_DEBUG_TRACE, + "<=- ldbm_back_modrdn: no parent & " + "not root\n", 0, 0, 0); - send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS, - NULL, NULL, NULL, NULL ); - goto return_results; + send_ldap_result( conn, op, + LDAP_INSUFFICIENT_ACCESS, + NULL, NULL, NULL, NULL ); + goto return_results; + } } ldap_pvt_thread_mutex_lock(&li->li_root_mutex); 
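Review bot: `if ( ! be_isroot ) {` tests the address of the function be_isroot, which is never null, so the condition is always false and the entire block, including the deny branch for non-root users, is skipped; the value just stored in `isroot` is never examined. With this hunk any bound or anonymous DN can rename an entry directly under the root of this backend with no ACL check, a regression from the removed `! be_isroot( be, op->o_ndn ) && ! be_issuffix( be, "" )` test. The intended line is `if ( ! isroot ) {`. ldbm_back_modrdn continues outside the hunk.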
@@ -210,55 +237,97 @@ ldbm_back_modrdn( /* newSuperior == entry being moved?, if so ==> ERROR */ /* Get Entry with dn=newSuperior. Does newSuperior exist? */ - if( (np = dn2entry_w( be, np_ndn, NULL )) == NULL) { - Debug( LDAP_DEBUG_TRACE, - "ldbm_back_modrdn: newSup(ndn=%s) not here!\n", - np_ndn, 0, 0); + if ( newSuperior[ 0 ] != '\0' ) { - send_ldap_result( conn, op, LDAP_OTHER, - NULL, "newSuperior not found", NULL, NULL ); - goto return_results; - } + if( (np = dn2entry_w( be, np_ndn, NULL )) == NULL) { + Debug( LDAP_DEBUG_TRACE, + "ldbm_back_modrdn: newSup(ndn=%s) not here!\n", + np_ndn, 0, 0); - Debug( LDAP_DEBUG_TRACE, - "ldbm_back_modrdn: wr to new parent OK np=%p, id=%ld\n", - np, np->e_id, 0 ); + send_ldap_result( conn, op, LDAP_OTHER, + NULL, "newSuperior not found", NULL, NULL ); + goto return_results; + } - /* check newSuperior for "children" acl */ - if ( !access_allowed( be, conn, op, np, children, NULL, - ACL_WRITE ) ) - { Debug( LDAP_DEBUG_TRACE, - "ldbm_back_modrdn: no wr to newSup children\n", - 0, 0, 0 ); + "ldbm_back_modrdn: wr to new parent OK np=%p, id=%ld\n", + np, np->e_id, 0 ); - send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS, - NULL, NULL, NULL, NULL ); - goto return_results; - } + /* check newSuperior for "children" acl */ + if ( !access_allowed( be, conn, op, np, children, NULL, + ACL_WRITE ) ) + { + Debug( LDAP_DEBUG_TRACE, + "ldbm_back_modrdn: no wr to newSup children\n", + 0, 0, 0 ); - if ( is_entry_alias( np ) ) { - /* entry is an alias, don't allow bind */ - Debug( LDAP_DEBUG_TRACE, "entry is alias\n", 0, - 0, 0 ); + send_ldap_result( conn, op, LDAP_INSUFFICIENT_ACCESS, + NULL, NULL, NULL, NULL ); + goto return_results; + } + if ( is_entry_alias( np ) ) { + /* parent is an alias, don't allow add */ + Debug( LDAP_DEBUG_TRACE, "entry is alias\n", 0, 0, 0 ); - send_ldap_result( conn, op, LDAP_ALIAS_PROBLEM, - NULL, "newSuperior is an alias", NULL, NULL ); + send_ldap_result( conn, op, LDAP_ALIAS_PROBLEM, + NULL, "newSuperior is 
an alias", NULL, NULL ); - goto return_results; - } + goto return_results; + } - if ( is_entry_referral( np ) ) { - /* parent is a referral, don't allow add */ - /* parent is an alias, don't allow add */ - Debug( LDAP_DEBUG_TRACE, "entry is referral\n", 0, - 0, 0 ); + if ( is_entry_referral( np ) ) { + /* parent is a referral, don't allow add */ + Debug( LDAP_DEBUG_TRACE, "entry (%s) is referral\n", + np->e_dn, 0, 0 ); - send_ldap_result( conn, op, LDAP_OPERATIONS_ERROR, - NULL, "newSuperior is a referral", NULL, NULL ); + send_ldap_result( conn, op, LDAP_OPERATIONS_ERROR, + NULL, "newSuperior is a referral", NULL, NULL ); - goto return_results; + goto return_results; + } + + } else { + + /* no parent, must be root to modify newSuperior */ + if ( isroot == -1 ) { + isroot = be_isroot( be, op->o_ndn ); + } + + if ( ! be_isroot ) { + if ( be_issuffix( be, "" ) + || be_isupdate( be, op->o_ndn ) ) { + static const Entry rootp = { NOID, "", "", NULL, NULL }; + np = (Entry *)&rootp; + + rc = access_allowed( be, conn, op, np, + children, NULL, ACL_WRITE ); + np = NULL; + + /* check parent for "children" acl */ + if ( ! rc ) { + Debug( LDAP_DEBUG_TRACE, + "<=- ldbm_back_modrdn: no " + "access to new superior\n", 0, 0, 0 ); + + send_ldap_result( conn, op, + LDAP_INSUFFICIENT_ACCESS, + NULL, NULL, NULL, NULL ); + goto return_results; + } + + } else { + Debug( LDAP_DEBUG_TRACE, + "<=- ldbm_back_modrdn: \"\" " + "not allowed as new superior\n", + 0, 0, 0); + + send_ldap_result( conn, op, + LDAP_INSUFFICIENT_ACCESS, + NULL, NULL, NULL, NULL ); + goto return_results; + } + } } Debug( LDAP_DEBUG_TRACE, diff --git a/servers/slapd/backend.c b/servers/slapd/backend.c index 6945dcac9e..4a7311deae 100644 --- a/servers/slapd/backend.c +++ b/servers/slapd/backend.c 
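Review bot: The newSuperior == "" branch repeats the same mistake: `if ( ! be_isroot ) {` compares the function's address rather than the `isroot` value computed two lines above, so the ACL/deny block for moving an entry under the empty superior is unreachable and any DN may do it. Change it to `if ( ! isroot ) {`. Also note that on the allowed path `np` is reset to NULL after the check, so whatever follows must not dereference `np` when newSuperior is ""; this hunk began on the previous line and ldbm_back_modrdn continues beyond it.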
@@ -506,6 +506,24 @@ be_isroot( Backend *be, const char *ndn ) return(rc); } +int +be_isupdate( Backend *be, const char *ndn ) +{ + int rc; + + if ( ndn == NULL || *ndn == '\0' ) { + return( 0 ); + } + + if ( be->be_update_ndn == NULL || *be->be_update_ndn == '\0' ) { + return( 0 ); + } + + rc = strcmp( be->be_update_ndn, ndn ) ? 0 : 1; + + return(rc); +} + char * be_root_dn( Backend *be ) { diff --git a/servers/slapd/delete.c b/servers/slapd/delete.c index 3696769962..c248e81450 100644 --- a/servers/slapd/delete.c +++ b/servers/slapd/delete.c @@ -126,14 +126,13 @@ do_delete( if ( be->be_delete ) { /* do the update here */ #ifndef SLAPD_MULTIMASTER - if ( be->be_update_ndn == NULL || - strcmp( be->be_update_ndn, op->o_ndn ) == 0 ) + int repl_user = be_isupdate( be, op->o_ndn ); + if ( be->be_update_ndn == NULL || repl_user ) #endif { if ( (*be->be_delete)( be, conn, op, dn, ndn ) == 0 ) { #ifdef SLAPD_MULTIMASTER - if (be->be_update_ndn == NULL || - strcmp( be->be_update_ndn, op->o_ndn )) + if (be->be_update_ndn == NULL || !repl_user ) #endif { replog( be, op, dn, NULL ); diff --git a/servers/slapd/modify.c b/servers/slapd/modify.c index 8c4957543c..be4246de26 100644 --- a/servers/slapd/modify.c +++ b/servers/slapd/modify.c @@ -223,8 +223,7 @@ do_modify( */ if ( be->be_modify ) { /* do the update here */ - int repl_user = (be->be_update_ndn != NULL && - strcmp( be->be_update_ndn, op->o_ndn ) == 0); + int repl_user = be_isupdate( be, op->o_ndn ); #ifndef SLAPD_MULTIMASTER /* Multimaster slapd does not have to check for replicator dn * because it accepts each modify request diff --git a/servers/slapd/modrdn.c b/servers/slapd/modrdn.c index fc8d3964eb..340e45f66d 100644 --- a/servers/slapd/modrdn.c +++ b/servers/slapd/modrdn.c 
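Review bot: be_isupdate() has no comment stating its contract: it compares with strcmp, so both `ndn` and be_update_ndn must already be normalized, and unlike the inline `be_update_ndn == NULL || strcmp(...) == 0` checks it replaces, an empty DN on either side never matches, so an anonymous bind (empty o_ndn) could no longer be mistaken for the replica user if be_update_ndn were ever configured empty. Suggested header: `/* Is ndn the replica update DN of this backend? Both must be normalized; an empty ndn or an empty/unset be_update_ndn never matches. */`. `strcmp( ... ) ? 0 : 1` reads more directly as `strcmp( be->be_update_ndn, ndn ) == 0`.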
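Review bot: In do_delete the new `int repl_user = be_isupdate( be, op->o_ndn );` is declared inside `#ifndef SLAPD_MULTIMASTER`, but the later `if (be->be_update_ndn == NULL || !repl_user )` is compiled only under `#ifdef SLAPD_MULTIMASTER`, so a multimaster build references an undeclared variable and fails to compile, and that replog decision is exactly the code such a build needs. Declare it before the conditional as the do_add and do_modify hunks do: put `int repl_user = be_isupdate( be, op->o_ndn );` above `#ifndef SLAPD_MULTIMASTER`, leaving only the `if` inside. do_delete continues outside the hunk.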
@@ -229,15 +229,14 @@ do_modrdn( if ( be->be_modrdn ) { /* do the update here */ #ifndef SLAPD_MULTIMASTER - if ( be->be_update_ndn == NULL || - strcmp( be->be_update_ndn, op->o_ndn ) == 0 ) + int repl_user = be_isupdate( be, op->o_ndn ); + if ( be->be_update_ndn == NULL || repl_user ) #endif { if ( (*be->be_modrdn)( be, conn, op, dn, ndn, newrdn, deloldrdn, newSuperior ) == 0 #ifdef SLAPD_MULTIMASTER - && ( be->be_update_ndn == NULL || - strcmp( be->be_update_ndn, op->o_ndn ) ) + && ( be->be_update_ndn == NULL || !repl_user ) #endif ) { struct replog_moddn moddn; diff --git a/servers/slapd/proto-slap.h b/servers/slapd/proto-slap.h index d7a72c83e3..ef17bdafbb 100644 --- a/servers/slapd/proto-slap.h +++ b/servers/slapd/proto-slap.h @@ -157,6 +157,7 @@ LDAP_SLAPD_F (int) be_issuffix LDAP_P(( Backend *be, const char *suffix )); LDAP_SLAPD_F (int) be_isroot LDAP_P(( Backend *be, const char *ndn )); LDAP_SLAPD_F (int) be_isroot_pw LDAP_P(( Backend *be, Connection *conn, const char *ndn, struct berval *cred )); +LDAP_SLAPD_F (int) be_isupdate LDAP_P(( Backend *be, const char *ndn )); LDAP_SLAPD_F (char *) be_root_dn LDAP_P(( Backend *be )); LDAP_SLAPD_F (int) be_entry_release_rw LDAP_P(( Backend *be, Entry *e, int rw )); #define be_entry_release_r( be, e ) be_entry_release_rw( be, e, 0 )
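Review bot: do_modrdn has the same conditional-compilation defect as do_delete: `int repl_user = be_isupdate( be, op->o_ndn );` exists only under `#ifndef SLAPD_MULTIMASTER`, while `&& ( be->be_update_ndn == NULL || !repl_user )` is compiled under `#ifdef SLAPD_MULTIMASTER`, so the multimaster configuration will not build. Move the declaration above `#ifndef SLAPD_MULTIMASTER`, matching the do_add and do_modify hunks in this commit. do_modrdn continues outside the hunk.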