18 years ago · 12127c38df
--- a/ldap/servers/plugins/acl/acl.c
+++ b/ldap/servers/plugins/acl/acl.c
@@ -235,7 +235,7 @@ acl_access_allowed(
 
				 	Slapi_PBlock	    *pb,
			
 
				 	Slapi_Entry	    *e,			/* The Slapi_Entry */
			
 
				 	char				*attr,		/* Attribute of	the entry */
			
 
				-	struct berval	    *val,		/* value of attr. NOT USED */
			
 
				+	struct berval	    *val,		/* value of attr */
			
 
				 	int		    access		/* requested access rights */
			
 
				 	)
			
 
				 {
			
@@ -341,21 +341,32 @@ acl_access_allowed(
 
				 	acl_init_aclpb ( pb, aclpb, clientDn, 0	);
			
 
				 	TNF_PROBE_0_DEBUG(acl_aclpbinit_end,"ACL","");
			
 
				 
			
 
				-
			
 
				-	/* Here	we mean	if "I am trying	to add/delete "myself" ? " */
			
 
				-	if (val &&  (access & SLAPI_ACL_WRITE) && (val->bv_len > 0) ) {
			
 
				-		/* should use slapi_sdn_compare() but that'a an extra malloc/free */
			
 
				-		
			
 
				-		char *dn_val_to_write =
			
 
				-					slapi_dn_normalize(slapi_ch_strdup(val->bv_val)); 
			
 
				-   
			
 
				-     	if ( aclpb->aclpb_authorization_sdn && 
			
 
				-				slapi_utf8casecmp((ACLUCHP)dn_val_to_write, (ACLUCHP)
			
 
				-				slapi_sdn_get_ndn(aclpb->aclpb_authorization_sdn)) == 0) { 
			
 
				-			access |= SLAPI_ACL_SELF;
			
 
				-         } 
			
 
				+	/* Here	we mean	if "I am trying	to add/delete "myself" to a group, etc." We
			
 
				+	 * basically just want to see if the value matches the DN of the user that
			
 
				+	 * we're checking access for */
			
 
				+	if (val &&  (access & SLAPI_ACL_WRITE) && (val->bv_len > 0)) {
			
 
				+		Slapi_Attr *sa = slapi_attr_new();
			
 
				+		char *oid = NULL;
			
 
				+
			
 
				+		slapi_attr_init(sa, attr);
			
 
				+		slapi_attr_get_syntax_oid_copy(sa, &oid);
			
 
				+  
			
 
				+		/* We only want to perform this check if the attribute is
			
 
				+		 * defined using the DN syntax. */
			
 
				+		if (oid && (strcasecmp(oid, DN_SYNTAX_OID) == 0)) { 
			
 
				+			/* should use slapi_sdn_compare() but that'a an extra malloc/free */
			
 
				+			char *dn_val_to_write = slapi_dn_normalize(slapi_ch_strdup(val->bv_val));
			
 
				+			if ( aclpb->aclpb_authorization_sdn && 
			
 
				+					slapi_utf8casecmp((ACLUCHP)dn_val_to_write, (ACLUCHP)
			
 
				+					slapi_sdn_get_ndn(aclpb->aclpb_authorization_sdn)) == 0) { 
			
 
				+				access |= SLAPI_ACL_SELF;
			
 
				+			} 
			
 
				 	
			
 
				-		slapi_ch_free( (void **)&dn_val_to_write);
			
 
				+			slapi_ch_free_string(&dn_val_to_write);
			
 
				+		}
			
 
				+
			
 
				+		slapi_ch_free_string(&oid);
			
 
				+		slapi_attr_free(&sa);
			
 
				 	}
			
 
				 
			
 
				 	/* Convert access to string of rights eg SLAPI_ACL_ADD->"add". */
			
--- a/ldap/servers/slapd/attrsyntax.c
+++ b/ldap/servers/slapd/attrsyntax.c
@@ -731,6 +731,22 @@ slapi_attr_get_oid_copy( const Slapi_Attr *a, char **oidp )
 
				 	}
			
 
				 }
			
 
				 
			
 
				+/* Returns the oid of the syntax of the Slapi_Attr that's passed in.
			
 
				+ * The caller must dispose of oid by calling slapi_ch_free_string(). */
			
 
				+int
			
 
				+slapi_attr_get_syntax_oid_copy( const Slapi_Attr *a, char **oidp )
			
 
				+{
			
 
				+	void *pi = NULL;
			
 
				+
			
 
				+	if (a && (slapi_attr_type2plugin(a->a_type, &pi) == 0)) {
			
 
				+		*oidp = slapi_ch_strdup(plugin_syntax2oid(pi));
			
 
				+		return( 0 );
			
 
				+	} else {
			
 
				+		*oidp = NULL;
			
 
				+		return( -1 );
			
 
				+	}
			
 
				+}
			
 
				+
			
 
				 #ifdef ATTR_LDAP_DEBUG
			
 
				 
			
 
				 PRIntn
			
--- a/ldap/servers/slapd/dn.c
+++ b/ldap/servers/slapd/dn.c
@@ -342,7 +342,13 @@ substr_dn_normalize( char *dn, char *end )
 
				 	/*
			
 
				 	 * Track and sort attribute values within multivalued RDNs.
			
 
				 	 */
			
 
				-	if ( rdn_av_count > 0 ) {
			
 
				+	/* We may still be in an unexpected state, such as B4TYPE if
			
 
				+	 * we encountered something odd like a '+' at the end of the
			
 
				+	 * rdn.  If this is the case, we don't want to add this bogus
			
 
				+	 * rdn to our list to sort.  We should only be in the INVALUE
			
 
				+	 * or B4SEPARATOR state if we have a valid rdn component to 
			
 
				+	 * be added. */
			
 
				+	if ((rdn_av_count > 0) && ((state == INVALUE) || (state == B4SEPARATOR))) {
			
 
				 	    add_rdn_av( typestart, d, &rdn_av_count,
			
 
				 		    &rdn_avs, initial_rdn_av_stack );
			
 
				 	}
			
@@ -352,7 +358,6 @@ substr_dn_normalize( char *dn, char *end )
 
				 	if ( rdn_av_count > 0 ) {
			
 
				 	    reset_rdn_avs( &rdn_avs, &rdn_av_count );
			
 
				 	}
			
 
				-
			
 
				 	/* Trim trailing spaces */
			
 
				 	while ( d != dn && *(d - 1) == ' ' ) d--;  /* XXX 518524 */
			
 
				 
			
--- a/ldap/servers/slapd/libslapd.def
+++ b/ldap/servers/slapd/libslapd.def
@@ -1180,6 +1180,7 @@ EXPORTS
 
				 	sasl_map_done @1179
			
 
				 	slapd_SECITEM_FreeItem @1180
			
 
				 	slapi_op_type_to_string @1181
			
 
				+	slapi_attr_get_syntax_oid_copy @1182
			
 
				 ; password syntax functions
			
 
				         config_set_pw_mindigits @1190
			
 
				         config_set_pw_minalphas @1191
			
--- a/ldap/servers/slapd/slapi-plugin.h
+++ b/ldap/servers/slapd/slapi-plugin.h
@@ -398,6 +398,7 @@ int slapi_attr_add_value(Slapi_Attr *a, const Slapi_Value *v);
 
				 int slapi_attr_type2plugin( const char *type, void **pi );
			
 
				 int slapi_attr_get_type( Slapi_Attr *attr, char **type );
			
 
				 int slapi_attr_get_oid_copy( const Slapi_Attr *attr, char **oidp );
			
 
				+int slapi_attr_get_syntax_oid_copy( const Slapi_Attr *a, char **oidp );
			
 
				 int slapi_attr_get_flags( const Slapi_Attr *attr, unsigned long *flags );
			
 
				 int slapi_attr_flag_is_set( const Slapi_Attr *attr, unsigned long flag );
			
 
				 int slapi_attr_value_cmp( const Slapi_Attr *attr, const struct berval *v1, const struct berval *v2 );