a95d3a6076
bnc#716895, bnc#719803 and bnc#724201 OBS-URL: https://build.opensuse.org/request/show/89386 OBS-URL: https://build.opensuse.org/package/show/network:ldap/openldap2?expand=0&rev=71
96 lines
2.8 KiB
Plaintext
96 lines
2.8 KiB
Plaintext
From 5d9026cf3f93f95dd6f80ad209013e30bbb0d8e6 Mon Sep 17 00:00:00 2001
|
|
From: Ralf Haferkamp <ralf@openldap.org>
|
|
Date: Tue, 18 Oct 2011 17:08:05 +0200
|
|
Subject: ITS#7066 reworked default deny ACL for cn=config
|
|
|
|
Dynamically adding ACL for cn=config didn't work correctly, when no
|
|
ACLs where present for that database upon startup. Delete the last
|
|
ACL from the DB could also lead to unexpected results.
|
|
|
|
diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c
|
|
index 309668e..7097d72 100644
|
|
--- a/servers/slapd/bconfig.c
|
|
+++ b/servers/slapd/bconfig.c
|
|
@@ -84,6 +84,7 @@ static char *logfileName;
|
|
#ifdef SLAP_AUTH_REWRITE
|
|
static BerVarray authz_rewrites;
|
|
#endif
|
|
+static AccessControl *defacl_parsed = NULL;
|
|
|
|
static struct berval cfdir;
|
|
|
|
@@ -1297,6 +1298,12 @@ config_generic(ConfigArgs *c) {
|
|
*prev = a->acl_next;
|
|
acl_free( a );
|
|
}
|
|
+ if ( SLAP_CONFIG( c->be ) && !c->be->be_acl ) {
|
|
+ Debug( LDAP_DEBUG_CONFIG, "config_generic (CFG_ACL): "
|
|
+ "Last explicit ACL for back-config removed. "
|
|
+ "Using hardcoded default\n", 0, 0, 0 );
|
|
+ c->be->be_acl = defacl_parsed;
|
|
+ }
|
|
break;
|
|
|
|
case CFG_OC: {
|
|
@@ -1792,6 +1799,9 @@ sortval_reject:
|
|
break;
|
|
|
|
case CFG_ACL:
|
|
+ if ( SLAP_CONFIG( c->be ) && c->be->be_acl == defacl_parsed) {
|
|
+ c->be->be_acl = NULL;
|
|
+ }
|
|
/* Don't append to the global ACL if we're on a specific DB */
|
|
i = c->valx;
|
|
if ( c->valx == -1 ) {
|
|
@@ -1801,6 +1811,9 @@ sortval_reject:
|
|
i++;
|
|
}
|
|
if ( parse_acl(c->be, c->fname, c->lineno, c->argc, c->argv, i ) ) {
|
|
+ if ( SLAP_CONFIG( c->be ) && !c->be->be_acl) {
|
|
+ c->be->be_acl = defacl_parsed;
|
|
+ }
|
|
return 1;
|
|
}
|
|
break;
|
|
@@ -6637,14 +6650,23 @@ config_back_db_open( BackendDB *be, ConfigReply *cr )
|
|
slap_callback cb = { NULL, slap_null_cb, NULL, NULL };
|
|
SlapReply rs = {REP_RESULT};
|
|
void *thrctx = NULL;
|
|
+ AccessControl *save_access;
|
|
|
|
Debug( LDAP_DEBUG_TRACE, "config_back_db_open\n", 0, 0, 0);
|
|
|
|
/* If we have no explicitly configured ACLs, don't just use
|
|
* the global ACLs. Explicitly deny access to everything.
|
|
*/
|
|
- if ( !be->bd_self->be_acl ) {
|
|
- parse_acl(be->bd_self, "config_back_db_open", 0, 6, (char **)defacl, 0 );
|
|
+ save_access = be->bd_self->be_acl;
|
|
+ be->bd_self->be_acl = NULL;
|
|
+ parse_acl(be->bd_self, "config_back_db_open", 0, 6, (char **)defacl, 0 );
|
|
+ defacl_parsed = be->bd_self->be_acl;
|
|
+ if ( save_access ) {
|
|
+ be->bd_self->be_acl = save_access;
|
|
+ } else {
|
|
+ Debug( LDAP_DEBUG_CONFIG, "config_back_db_open: "
|
|
+ "No explicit ACL for back-config configured. "
|
|
+ "Using hardcoded default\n", 0, 0, 0 );
|
|
}
|
|
|
|
thrctx = ldap_pvt_thread_pool_context();
|
|
@@ -6889,6 +6911,11 @@ config_back_db_close( BackendDB *be, ConfigReply *cr )
|
|
backend_shutdown( &cfb->cb_db );
|
|
}
|
|
|
|
+ if ( defacl_parsed && be->be_acl != defacl_parsed ) {
|
|
+ acl_free( defacl_parsed );
|
|
+ defacl_parsed = NULL;
|
|
+ }
|
|
+
|
|
return 0;
|
|
}
|
|
|
|
--
|
|
1.7.6.4
|
|
|