From: Kurt Zeilenga Date: Fri, 29 Oct 1999 20:00:47 +0000 (+0000) Subject: Apply ACL to lastmod attributes. X-Git-Tag: OPENLDAP_REL_ENG_1_2_8~15 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f08e56e0554560206021b2199633a1c7ccb350db;p=thirdparty%2Fopenldap.git Apply ACL to lastmod attributes. --- diff --git a/CHANGES b/CHANGES index bf1e162ccc..d4ac3080c3 100644 --- a/CHANGES +++ b/CHANGES @@ -8,6 +8,7 @@ Changes included in OpenLDAP 1.2 Release Engineering Fixed ldbm db_appinit to use u_int32_t instead of int (ITS#295) Fixed lber/io.c Cray T90 specific pointer arithmetic problem (ITS#325) Added TCP_NODELAY support + Change slapd to apply ACL to lastmod attributes Change slapd.conf default referral Documentation Reference Quick Start Guide in README and INSTALL diff --git a/servers/slapd/result.c b/servers/slapd/result.c index f7320bdf8b..03651002fc 100644 --- a/servers/slapd/result.c +++ b/servers/slapd/result.c @@ -250,19 +250,8 @@ send_search_entry( continue; } - /* the lastmod attributes are ignored by ACL checking */ - if ( strcasecmp( a->a_type, "modifiersname" ) == 0 || - strcasecmp( a->a_type, "modifytimestamp" ) == 0 || - strcasecmp( a->a_type, "creatorsname" ) == 0 || - strcasecmp( a->a_type, "createtimestamp" ) == 0 ) - { - Debug( LDAP_DEBUG_ACL, "LASTMOD attribute: %s access DEFAULT\n", - a->a_type, 0, 0 ); - acl = NULL; - } else { - acl = acl_get_applicable( be, op, e, a->a_type, - MAXREMATCHES, matches ); - } + acl = acl_get_applicable( be, op, e, a->a_type, + MAXREMATCHES, matches ); if ( ! acl_access_allowed( acl, be, conn, e, NULL, op, ACL_READ, edn, matches ) ) diff --git a/tests/data/slapd-acl.conf b/tests/data/slapd-acl.conf index 80dd2b6594..16f3bd7a27 100644 --- a/tests/data/slapd-acl.conf +++ b/tests/data/slapd-acl.conf 
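Review bot: Dropping the exemption in `send_search_entry` only covers attributes returned in search results; if compare or search-filter evaluation still special-cases the four lastmod attribute names (those paths are not visible in this diff), a client denied read access could still probe the values there, so they should be audited and aligned. The change also alters exposure on upgrade: judging by the removed `Debug` text ("access DEFAULT"), these attributes previously received the default access, whereas they now match any applicable rule, including a trailing catch-all such as `access to *` / `by * read`. The one-line CHANGES entry should tell administrators to add an explicit rule for these attributes if they relied on the old behaviour. The deleted comment was the only documentation of the policy, so I would add `/* lastmod attributes are subject to ACLs like any other attribute */` above the `acl_get_applicable()` call. The body of `send_search_entry` starts and ends outside the hunk.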
@@ -20,19 +20,29 @@ index cn,sn,uid pres,eq,approx index default none lastmod on defaultaccess none -access to attr=objectclass + +access to attr=createtimestamp,creatorsname,modifytimestamp,modifiersname + by * none + +access to attr=objectclass by * read + access to attr=userpassword by self write + by dn="^$$" none by * compare -access to dn=".*,ou=Alumni Association,ou=People,o=University of Michigan,c=US" - by dn=".*,o=University of Michigan,c=US" - read + +access to dn=".*,ou=Alumni Association,ou=People,o=University of Michigan,c=US$$" + by dn="^$$" none + by dn=".*,o=University of Michigan,c=US$$" read by * none + access to attr=member by dnattr=member selfwrite by * read + access to filter="objectclass=rfc822mailgroup" - by dn="Bjorn Jensen,ou=Information Technology Division,ou=People,o=University of Michigan,c=US" write + by dn="^cn=Bjorn Jensen,ou=Information Technology Division,ou=People,o=University of Michigan,c=US$$" write by * read + access to * by * read
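Review bot: The new `access to attr=createtimestamp,creatorsname,modifytimestamp,modifiersname` rule with `by * none` seems to reproduce what the old code already yielded under `defaultaccess none`, so this fixture probably cannot tell the patched server from the unpatched one. No expected-output file changes in this diff, which points the same way. A rule that grants one identity access would exercise the new code path, for example `by dn="^cn=Bjorn Jensen,ou=Information Technology Division,ou=People,o=University of Michigan,c=US$$" read` placed before `by * none`, with the expected search output updated to match. The added `by dn="^$$" none` clauses would also benefit from a comment such as `# deny the empty (anonymous) DN explicitly`, since the intent is not obvious from the pattern.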