/*
 * Get the PAM identity from the value of the leftmost RDN in the BIND DN.
 *
 * The bind DN is split into its RDNs, the value of the first (leftmost) one
 * is handed to init_my_str_buf() to populate pam_id, and pam_id->str is
 * returned. The RDN type is discarded and pb is not consulted. If the DN
 * yields no RDN, the NULL value is passed to init_my_str_buf() unchanged.
 */
static char *
derive_from_bind_dn(Slapi_PBlock *pb, const Slapi_DN *bindsdn, MyStrBuf *pam_id)
{
    char *rdn_type = NULL;
    char *rdn_value = NULL;
    Slapi_RDN *first_rdn = slapi_rdn_new_sdn(bindsdn);

    (void)pb; /* the identity is taken from the bind DN alone */

    slapi_rdn_get_first(first_rdn, &rdn_type, &rdn_value);
    init_my_str_buf(pam_id, rdn_value);
    slapi_rdn_free(&first_rdn);

    return pam_id->str;
}
/*
 * Record one granted entry-level right: set its bit in *granted and append
 * its one-letter code to the "entryLevelRights:" line being built.
 */
static void
ger_grant_entry_right(unsigned long *granted, unsigned long right, const char *code,
                      char **gerstr, size_t *gerstrsize, size_t *gerstrcap)
{
    *granted |= right;
    _append_gerstr(gerstr, gerstrsize, gerstrcap, code, NULL);
}

/*
 * Legacy (pre-MODDN-aci) rename check: 'n' is reported when both WRITE_DEL and
 * WRITE_ADD are granted on the first RDN type of e, and it is recorded as
 * SLAPI_ACL_WRITE in *granted (not SLAPI_ACL_MODDN).
 *
 * Known simplifications: the real modrdn also needs rights on the new RDN,
 * which is unknown here, and only the first RDN type of a multi-valued RDN is
 * checked.
 */
static void
ger_legacy_rename_right(Slapi_PBlock *gerpb, Slapi_Entry *e, unsigned long *granted,
                        char **gerstr, size_t *gerstrsize, size_t *gerstrcap)
{
    char *rdntype = NULL;
    char *rdnvalue = NULL;
    Slapi_RDN *rdn = slapi_rdn_new_dn(slapi_entry_get_ndn(e));

    slapi_rdn_get_first(rdn, &rdntype, &rdnvalue);
    if (rdntype != NULL) {
        slapi_log_err(SLAPI_LOG_ACL, plugin_name,
                      "_ger_get_entry_rights - SLAPI_ACL_WRITE_DEL & _ADD %s\n", rdntype);
        if (acl_access_allowed(gerpb, e, rdntype, NULL, ACLPB_SLAPI_ACL_WRITE_DEL) == LDAP_SUCCESS
            && acl_access_allowed(gerpb, e, rdntype, NULL, ACLPB_SLAPI_ACL_WRITE_ADD) == LDAP_SUCCESS) {
            ger_grant_entry_right(granted, SLAPI_ACL_WRITE, "n", gerstr, gerstrsize, gerstrcap);
        }
    }
    slapi_rdn_free(&rdn);
}

/*
 * Compute the entry-level effective rights of the GER subject on entry e and
 * append an "entryLevelRights: <codes>\n" line to *gerstr.
 *
 * Callers should have already allocated *gerstr to hold at least
 * "entryLevelRights: adnvxxx\n".
 *
 * Codes, in the order they are probed and emitted:
 *   v - read e            (SLAPI_ACL_READ on "*")
 *   a - add a child of e  (SLAPI_ACL_ADD)
 *   d - delete e          (SLAPI_ACL_DELETE)
 *   n - rename e          (SLAPI_ACL_MODDN when config_get_moddn_aci() is set,
 *                          otherwise the legacy WRITE_DEL+WRITE_ADD check on
 *                          the first RDN type)
 * "none" is written when nothing is granted.
 *
 * @param gerpb      pblock used for the acl_access_allowed() probes
 * @param e          entry whose rights are evaluated
 * @param subjectndn unused here
 * @param gerstr     in/out growable buffer receiving the rights line
 * @param gerstrsize in/out current length of *gerstr
 * @param gerstrcap  in/out capacity of *gerstr
 * @param errbuf     unused here
 * @return bitmask of the granted SLAPI_ACL_* rights (SLAPI_ACL_WRITE stands
 *         for the legacy-mode rename right), 0 if none
 */
unsigned long
_ger_get_entry_rights(Slapi_PBlock *gerpb,
                      Slapi_Entry *e,
                      const char *subjectndn,
                      char **gerstr,
                      size_t *gerstrsize,
                      size_t *gerstrcap,
                      char **errbuf)
{
    unsigned long granted = 0;

    _append_gerstr(gerstr, gerstrsize, gerstrcap, "entryLevelRights: ", NULL);

    /* v - read e: probed against any attribute ("*") of the entry. */
    slapi_log_err(SLAPI_LOG_ACL, plugin_name, "_ger_get_entry_rights - SLAPI_ACL_READ\n");
    if (acl_access_allowed(gerpb, e, "*", NULL, SLAPI_ACL_READ) == LDAP_SUCCESS) {
        ger_grant_entry_right(&granted, SLAPI_ACL_READ, "v", gerstr, gerstrsize, gerstrcap);
    }

    /* a - add a child entry below e. */
    slapi_log_err(SLAPI_LOG_ACL, plugin_name, "_ger_get_entry_rights - SLAPI_ACL_ADD\n");
    if (acl_access_allowed(gerpb, e, NULL, NULL, SLAPI_ACL_ADD) == LDAP_SUCCESS) {
        ger_grant_entry_right(&granted, SLAPI_ACL_ADD, "a", gerstr, gerstrsize, gerstrcap);
    }

    /* d - delete e. */
    slapi_log_err(SLAPI_LOG_ACL, plugin_name, "_ger_get_entry_rights - SLAPI_ACL_DELETE\n");
    if (acl_access_allowed(gerpb, e, NULL, NULL, SLAPI_ACL_DELETE) == LDAP_SUCCESS) {
        ger_grant_entry_right(&granted, SLAPI_ACL_DELETE, "d", gerstr, gerstrsize, gerstrcap);
    }

    /* n - rename e. */
    if (config_get_moddn_aci()) {
        /*
         * The server enforces the dedicated MODDN aci right, so 'n' is set
         * only when that right is granted (legacy mode instead derives it
         * from WRITE on the RDN attribute).
         */
        if (acl_access_allowed(gerpb, e, NULL, NULL, SLAPI_ACL_MODDN) == LDAP_SUCCESS) {
            slapi_log_err(SLAPI_LOG_ACL, plugin_name,
                          "_ger_get_entry_rights - SLAPI_ACL_MODDN %s\n", slapi_entry_get_ndn(e));
            ger_grant_entry_right(&granted, SLAPI_ACL_MODDN, "n", gerstr, gerstrsize, gerstrcap);
        }
    } else {
        ger_legacy_rename_right(gerpb, e, &granted, gerstr, gerstrsize, gerstrcap);
    }

    if (granted == 0) {
        _append_gerstr(gerstr, gerstrsize, gerstrcap, "none", NULL);
    }
    _append_gerstr(gerstr, gerstrsize, gerstrcap, "\n", NULL);

    return granted;
}