
Ticket 77 - [RFE] Add ACI support for ldapi

RFE Description:  Add support for LDAPI connection types in access control.

Fix Description:  Extended the authMethod keyword to include LDAPI.

	(targetattr = "*") (version 3.0;acl "ldapi";allow (all)(userdn = "ldap:///anyone"
	and authmethod = "ldapi" or ip = "127.0.0.1");)

https://fedorahosted.org/389/ticket/77

Reviewed by: richm(Thanks!)
Mark Reynolds 12 年之前
父节点
当前提交
579fcf46d3

+ 2 - 0
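--- a/ldap/servers/plugins/acl/acl.h
+++ b/ldap/servers/plugins/acl/acl.h
@@ -209,6 +209,7 @@ typedef enum
 #define DS_ATTR_AUTHTYPE	"authtype"
 #define DS_ATTR_CERT		"clientcert"
 #define DS_ATTR_SSF		"ssf"
+#define DS_ATTR_LDAPI		"ldapi"
 
 #define ACL_ANOM_MAX_ACL 40
 struct scoped_entry_anominfo {
@@ -664,6 +665,7 @@ typedef struct {
 	Acl_PBlock	*aclpb;
 	Slapi_Entry	*resourceEntry;
 	int		ssf;
+	char		*ldapi;
 }lasInfo;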
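Review bot: `char *ldapi` in lasInfo reads as if it holds a string, but elsewhere in this commit it is only ever tested for non-NULL (acllas.c) after being assigned the literal "yes" or NULL (acl_ext.c); without a comment the next reader will try to strcmp it. Suggest `char		*ldapi;	/* non-NULL ("yes") when the operation came in over LDAPI; presence flag only */`, and a matching one-liner on DS_ATTR_LDAPI naming it as the proplist key for that flag. The lasInfo typedef begins outside this hunk.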
 
 

+ 16 - 2
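--- a/ldap/servers/plugins/acl/acl_ext.c
+++ b/ldap/servers/plugins/acl/acl_ext.c
@@ -446,7 +446,6 @@ acl__handle_plugin_config_entry (Slapi_Entry *e,  void *callback_data )
 int
 acl_create_aclpb_pool ()
 {
-
 	Acl_PBlock			*aclpb;
 	Acl_PBlock			*prev_aclpb;
 	Acl_PBlock			*first_aclpb;
@@ -648,6 +647,11 @@ acl__malloc_aclpb ( )
 					"Unable to set the AUTH TYPE in the Plist\n");
 		goto error;
 	}
+	if (PListInitProp(aclpb->aclpb_proplist, 0, DS_ATTR_LDAPI, aclpb, 0) < 0) {
+		slapi_log_error(SLAPI_LOG_FATAL, plugin_name,
+					"Unable to set the AUTH TYPE in the Plist\n");
+		goto error;
+	}
 	if (PListInitProp(aclpb->aclpb_proplist, 0, DS_ATTR_ENTRY, aclpb, 0) < 0) {
 		slapi_log_error(SLAPI_LOG_FATAL, plugin_name, 
 					"Unable to set the ENTRY TYPE in the Plist\n");
@@ -771,7 +775,7 @@ acl__free_aclpb ( Acl_PBlock **aclpb_ptr)
 
 /* Initializes the aclpb */
 void 
-acl_init_aclpb ( Slapi_PBlock *pb , Acl_PBlock *aclpb, const char *ndn, int copy_from_aclcb)
+acl_init_aclpb ( Slapi_PBlock *pb, Acl_PBlock *aclpb, const char *ndn, int copy_from_aclcb)
 {
 	struct acl_cblock	*aclcb = NULL;
 	char				*authType;
@@ -818,6 +822,13 @@ acl_init_aclpb ( Slapi_PBlock *pb , Acl_PBlock *aclpb, const char *ndn, int copy
 				"Unable to set the AUTH TYPE in the Plist\n");
 		return;
 	}
+	if(slapi_is_ldapi_conn(pb)){
+		if(PListAssignValue(aclpb->aclpb_proplist, DS_ATTR_LDAPI, "yes", 0) < 0){
+			slapi_log_error(SLAPI_LOG_FATAL, plugin_name,
+					"Unable to set the AUTH TYPE in the Plist\n");
+			return;
+		}
+	}
 	slapi_pblock_get ( pb, SLAPI_OPERATION_SSF, &ssf);
 	if (PListAssignValue(aclpb->aclpb_proplist, DS_ATTR_SSF, (const void *)ssf, 0) < 0) {
 		slapi_log_error(SLAPI_LOG_FATAL, plugin_name,
@@ -1036,6 +1047,9 @@ acl__done_aclpb ( struct acl_pblock *aclpb )
 		PListDeleteProp(aclpb->aclpb_proplist, rc,  NULL);
 	}
 
+	/* reset the LDAPI property */
+	PListAssignValue(aclpb->aclpb_proplist, DS_ATTR_LDAPI, NULL, 0);
+
 	/*
 	 * Remove the DS_ATTR_IP property from the property list.
 	 * The value of this property is just the property pointer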
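Review bot: The LDAPI flag is only written when slapi_is_ldapi_conn() is true (the `if` in the acl_init_aclpb hunk), so clearing it rests entirely on the `PListAssignValue(..., DS_ATTR_LDAPI, NULL, 0)` added to acl__done_aclpb; aclpbs come from a pool (acl_create_aclpb_pool), so if any path hands one back without going through acl__done_aclpb, the next non-LDAPI operation that reuses it would still satisfy `authmethod = "ldapi"`. Assigning the property unconditionally in acl_init_aclpb makes the flag self-correcting whatever the cleanup path, assuming PListAssignValue accepts a NULL value the way the acl__done_aclpb reset already relies on; the reset there can stay as a second line of defence. Both new failure logs also say "Unable to set the AUTH TYPE in the Plist", copied from the authType block above them, which would point anyone debugging at the wrong property. acl__malloc_aclpb and acl_init_aclpb both start and end outside their hunks.
```c
	/* Always assign, never set-only-when-true: a pooled aclpb must not
	 * inherit a stale LDAPI flag from the operation that used it last. */
	if (PListAssignValue(aclpb->aclpb_proplist, DS_ATTR_LDAPI,
	                     slapi_is_ldapi_conn(pb) ? "yes" : NULL, 0) < 0) {
		slapi_log_error(SLAPI_LOG_FATAL, plugin_name,
				"Unable to set the LDAPI flag in the Plist\n");
		return;
	}
	/* … unchanged: SSF property assignment … */
```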

+ 1 - 1
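--- a/ldap/servers/plugins/acl/aclinit.c
+++ b/ldap/servers/plugins/acl/aclinit.c
@@ -547,7 +547,7 @@ __aclinit__RegisterLases(void)
 		return ACL_ERR;
 	}
 	if (ACL_LasRegister(NULL, DS_LAS_AUTHMETHOD, 
-				(LASEvalFunc_t)DS_LASAuthMethodEval, 
+				(LASEvalFunc_t)DS_LASAuthMethodEval,
 				(LASFlushFunc_t)NULL) < 0) {
 		slapi_log_error (SLAPI_LOG_FATAL, plugin_name,
 			"Unable to register CLIENTAUTHTYPE Las\n");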

+ 15 - 4
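--- a/ldap/servers/plugins/acl/acllas.c
+++ b/ldap/servers/plugins/acl/acllas.c
@@ -1684,7 +1684,9 @@ DS_LASAuthMethodEval(NSErr_t *errp, char *attr_name, CmpOp_t comparator,
 
 	/* None method means, we don't care -- otherwise we care */
 	if ((strcasecmp(attr, "none") == 0) ||
-		(strcasecmp(attr, lasinfo.authType) == 0)) {
+		(strcasecmp(attr, lasinfo.authType) == 0) ||
+		(lasinfo.ldapi && strcasecmp(attr, DS_ATTR_LDAPI) == 0))
+	{
 		matched = ACL_TRUE;
 	}
 
@@ -3678,6 +3680,7 @@ acllas__handle_client_search ( Slapi_Entry *e, void *callback_data )
 		aclpb->aclpb_client_entry = slapi_entry_dup ( e );
         return 0;
 }
+
 /*
 *
 * Do all the necessary setup for all the
@@ -3694,7 +3697,6 @@ acllas__handle_client_search ( Slapi_Entry *e, void *callback_data )
 * 	#define LAS_EVAL_FAIL       -4
 * 	#define LAS_EVAL_INVALID    -5
 */
-
 static int
 __acllas_setup ( NSErr_t *errp, char *attr_name, CmpOp_t comparator,
 		int allow_range, char *attr_pattern, int *cachable, void **LAS_cookie,
@@ -3750,8 +3752,8 @@ __acllas_setup ( NSErr_t *errp, char *attr_name, CmpOp_t comparator,
 		return LAS_EVAL_FAIL;
 	}
 
-	if ((rc = PListFindValue(subject, DS_ATTR_ENTRY, 
-					(void **)&linfo->resourceEntry, NULL)) < 0)	{
+	if ((rc = PListFindValue(subject, DS_ATTR_ENTRY,
+					(void **)&linfo->resourceEntry, NULL)) < 0){
 		acl_print_acllib_err(errp, NULL);
 		slapi_log_error( SLAPI_LOG_ACL, plugin_name, 
 		          "%s:Unable to get the Slapi_Entry attr(%d)\n",lasName, rc);
@@ -3767,6 +3769,15 @@ __acllas_setup ( NSErr_t *errp, char *attr_name, CmpOp_t comparator,
 			"%s:Unable to get the ACLPB(%d)\n", lasName, rc);
 		return LAS_EVAL_FAIL;
 	}
+
+	/* LDAPI? */
+	if ((rc = PListFindValue(subject, DS_ATTR_LDAPI, (void **)&linfo->ldapi, NULL)) < 0){
+		slapi_log_error( SLAPI_LOG_ACL, plugin_name,
+		          "%s:Unable to get LDAPI value(%d)\n", lasName, rc);
+
+		return LAS_EVAL_FAIL;
+	}
+
 	if (NULL == attr_pattern ) {
 		slapi_log_error( SLAPI_LOG_ACL, plugin_name, 
 		          "%s:No rule value in the ACL\n", lasName);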
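Review bot: The new `lasinfo.ldapi && strcasecmp(attr, DS_ATTR_LDAPI) == 0` clause in DS_LASAuthMethodEval matches on how the request arrived, not on how the client authenticated: the flag is set from slapi_is_ldapi_conn() in acl_init_aclpb regardless of bind state, so `authmethod = "ldapi"` is satisfied by an anonymous client on the socket as well as by one that bound, and a simple-bound LDAPI client still matches `authmethod = "simple"` through the unchanged authType comparison. That is a defensible design, but it should be said at the comparison so nobody reads the keyword as an authentication guarantee, e.g. `/* "ldapi" is a transport check (unix-domain socket), independent of the bind method; pair it with userdn in the ACI when peer identity matters. */`. The `"none"` short-circuit just above already encodes a similar policy choice, so one comment can cover both. DS_LASAuthMethodEval and __acllas_setup both start and end outside their hunks.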

+ 1 - 0
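--- a/ldap/servers/slapd/libslapd.def
+++ b/ldap/servers/slapd/libslapd.def
@@ -1199,3 +1199,4 @@ EXPORTS
 	config_get_pw_mincategories @1206
 	config_get_pw_mintokenlength @1207
 	slapi_check_account_lock @1208
+    	slapi_is_ldapi_conn @1209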

+ 9 - 0
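--- a/ldap/servers/slapd/pblock.c
+++ b/ldap/servers/slapd/pblock.c
@@ -3535,6 +3535,15 @@ slapi_pblock_set( Slapi_PBlock *pblock, int arg, void *value )
 	return( 0 );
 }
 
+int
+slapi_is_ldapi_conn(Slapi_PBlock *pb)
+{
+    if(pb && pb->pb_conn){
+    	return pb->pb_conn->c_unix_local;
+    } else {
+        return 0;
+    }
+}
 
 /*
  * Clears (and free's as appropriate) the bind DN and related credentials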
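Review bot: slapi_is_ldapi_conn returns `pb->pb_conn->c_unix_local` as-is, while the header comment added in slapi-plugin.h in this same commit promises exactly 1 or 0; a caller that compares against 1 would break if that field ever holds any other non-zero value, so normalize it: `return pb->pb_conn->c_unix_local ? 1 : 0;`. The field is read without taking any connection lock; if c_unix_local is written once when the connection is accepted that is harmless, but nothing in the hunk confirms it, so a one-line comment stating that assumption would help. The body also mixes four-space indentation with a tab on the return line, unlike the tab-indented code around it.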

+ 9 - 0
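--- a/ldap/servers/slapd/slapi-plugin.h
+++ b/ldap/servers/slapd/slapi-plugin.h
@@ -6067,6 +6067,15 @@ int slapi_back_transaction_commit(Slapi_PBlock *pb);
  */
 int slapi_back_transaction_abort(Slapi_PBlock *pb);
 
+/**
+ * Checks if the connection type is LDAPI
+ *
+ * \param pb Parameter block.
+ *
+ * \return \c 1 if connection type is LDAPI
+ * \return \c 0 if connection is not LDAPI
+ */
+int slapi_is_ldapi_conn(Slapi_PBlock *pb);
 
 int slapi_be_is_flag_set(Slapi_Backend * be, int flag);
 void slapi_be_set_flag(Slapi_Backend * be, int flag);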
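Review bot: The doc comment does not say what happens when the parameter block has no connection; the implementation in pblock.c in this commit returns 0 both for a NULL pb and for a NULL pb_conn, and a plugin author needs to know that "not LDAPI" and "no connection at all" are indistinguishable from the return value. Add a line such as `\return \c 0 also when \a pb is NULL or carries no connection`. Since this value feeds ACI authmethod matching, it is also worth stating that the check is on the connection's transport (presumably the unix-domain socket, going by c_unix_local), not on whether or how the client bound.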
 void slapi_be_set_flag(Slapi_Backend * be, int flag);