
Re: (ITS#6693) Value dependent ACL issues



Hm, that patch was obviously wrong. Even though it resulted in working
value-dependent ACLs, it completely broke ACL caching. This patch
should work better:

-------------------------------------------------------------------
--- a/servers/slapd/slap.h
+++ b/servers/slapd/slap.h
@@ -1557,6 +1557,7 @@ typedef struct AccessControlState {
 
 	/* Value dependent acl where processing can restart */
 	AccessControl  *as_vd_acl;
+	int as_vd_acl_present;
 	int as_vd_acl_count;
 	slap_mask_t		as_vd_mask;
 
@@ -1567,7 +1568,7 @@ typedef struct AccessControlState {
 	/* True if started to process frontend ACLs */
 	int as_fe_done;
 } AccessControlState;
-#define ACL_STATE_INIT { NULL, ACL_NONE, NULL, 0, ACL_PRIV_NONE, -1, 0 }
+#define ACL_STATE_INIT { NULL, ACL_NONE, NULL, 0, 0, ACL_PRIV_NONE, -1, 0 }
 
 typedef struct AclRegexMatches {        
 	int dn_count;
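Review bot: ACL_STATE_INIT remains a positional initializer, and the new `0` for as_vd_acl_present sits directly beside the `0` for as_vd_acl_count, both plain int, so a misplaced or missing entry would compile without any diagnostic. A comment above the macro such as `/* positional: keep in step with the member order of AccessControlState */` would make that coupling visible. Any other place that fills an AccessControlState by hand (none is visible in this patch) needs the same extra member. The struct's first members lie outside the hunk, so the full order cannot be checked from here.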
--- a/servers/slapd/acl.c
+++ b/servers/slapd/acl.c
@@ -220,7 +220,7 @@ slap_access_allowed(
 		state = &acl_state;
 	if ( state->as_desc == desc &&
 		state->as_access == access &&
-		state->as_vd_acl != NULL )
+		state->as_vd_acl_present )
 	{
 		a = state->as_vd_acl;
 		count = state->as_vd_acl_count;
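Review bot: The restart branch in slap_access_allowed is now entered on as_vd_acl_present alone, and no hunk in this patch ever sets that flag back to 0. If the path taken when this condition is false (outside the hunk) resets the state field by field, for example with `state->as_vd_acl = NULL;`, rather than by copying ACL_STATE_INIT, the flag would survive the reset. A later check for the same as_desc/as_access could then resume from a stale restart point and as_vd_mask, which feeds straight into the access decision. In that case add `state->as_vd_acl_present = 0;` beside the reset. Separately, `a` may now be NULL on this branch, so the code that follows (not shown) has to treat NULL as "start from the head of the ACL list".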
@@ -405,7 +405,7 @@ access_allowed_mask(
 		if ( state->as_desc == desc &&
 			state->as_access == access &&
 			state->as_result != -1 &&
-			state->as_vd_acl == NULL )
+			!state->as_vd_acl_present )
 			{
 			Debug( LDAP_DEBUG_ACL,
 				"=> access_allowed: result was in cache (%s)\n",
@@ -615,7 +615,8 @@ slap_acl_get(
 				continue;
 			}
 
-			if ( state->as_vd_acl == NULL ) {
+			if ( !state->as_vd_acl_present ) {
+				state->as_vd_acl_present = 1;
 				state->as_vd_acl = prev;
 				state->as_vd_acl_count = *count - 1;
 				ACL_PRIV_ASSIGN ( state->as_vd_mask, *mask );
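Review bot: Nothing at this site says why a separate flag is needed. Presumably `prev` can be NULL when the value-dependent ACL is the first one examined, so the old `as_vd_acl == NULL` test could not tell "nothing recorded" from "recorded at the head of the list". A comment such as `/* prev may be NULL here; as_vd_acl_present, not the pointer, marks the state as recorded */` would keep a later cleanup from folding the flag back into a pointer test. The same record sequence is repeated in ACL_RECORD_VALUE_STATE in the hunk at -714, so the comment (or a shared helper) should cover both. The enclosing loop in slap_acl_get starts and ends outside the hunk.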
@@ -714,7 +715,8 @@ slap_acl_get(
  * Record value-dependent access control state
  */
 #define ACL_RECORD_VALUE_STATE do { \
-		if( state && state->as_vd_acl == NULL ) { \
+		if( state && !state->as_vd_acl_present ) { \
+			state->as_vd_acl_present = 1; \
 			state->as_vd_acl = a; \
 			state->as_vd_acl_count = count; \
 			ACL_PRIV_ASSIGN( state->as_vd_mask, *mask ); \
-------------------------------------------------------------------

Comments welcome.

Ralf