From b19dc5b453751ca63545e39537bfb87707cf867e Mon Sep 17 00:00:00 2001 From: "Thierry bordaz (tbordaz)" Date: Thu, 16 Oct 2014 17:24:15 +0200 Subject: [PATCH 77/84] Ticket 47553: Enhance ACIs to have more control over MODRDN operations Bug Description: The ticket 47553 introduces a new aci right: moddn. This rights allows/deny to do a MODDN from a part of the DIT to an other. Before the right allow/deny to do a MODDN was granted if the subject had 'write' access to the rdn attribute. To switch from the previous mode to the new one, there is a toggle 'nsslapd-moddn-aci'. The getEffectiveRight control, should report the MODDN right ('n') according to the acis and the value of this toggle Fix Description: test 'nsslapd-moddn-aci' in the geteffectiveright code https://fedorahosted.org/389/ticket/47553 Reviewed by: Noriko (Thanks !) Platforms tested: F17 Flag Day: no Doc impact: no (cherry picked from commit be67f8128d4a19edec95a6b1b022fd9262710e74) --- dirsrvtests/tickets/ticket47553_ger.py | 553 ++++++++++++++++++++++++++ ldap/servers/plugins/acl/acleffectiverights.c | 67 ++-- 2 files changed, 590 insertions(+), 30 deletions(-) create mode 100644 dirsrvtests/tickets/ticket47553_ger.py diff --git a/dirsrvtests/tickets/ticket47553_ger.py b/dirsrvtests/tickets/ticket47553_ger.py new file mode 100644 index 0000000..d688c70 --- /dev/null +++ b/dirsrvtests/tickets/ticket47553_ger.py @@ -0,0 +1,553 @@ +''' +Created on Nov 7, 2013 + +@author: tbordaz +''' +import os +import sys +import time +import ldap +import logging +import socket +import time +import logging +import pytest +import re +from lib389 import DirSrv, Entry, tools +from lib389.tools import DirSrvTools +from lib389._constants import * +from lib389.properties import * +from constants import * +from lib389._constants import REPLICAROLE_MASTER +from ldap.controls.simple import GetEffectiveRightsControl + +logging.getLogger(__name__).setLevel(logging.DEBUG) +log = logging.getLogger(__name__) + +# +# important part. We can deploy Master1 and Master2 on different versions +# +installation1_prefix = None +installation2_prefix = None + +TEST_REPL_DN = "cn=test_repl, %s" % SUFFIX + +STAGING_CN = "staged user" +PRODUCTION_CN = "accounts" +EXCEPT_CN = "excepts" + +STAGING_DN = "cn=%s,%s" % (STAGING_CN, SUFFIX) +PRODUCTION_DN = "cn=%s,%s" % (PRODUCTION_CN, SUFFIX) +PROD_EXCEPT_DN = "cn=%s,%s" % (EXCEPT_CN, PRODUCTION_DN) + +STAGING_PATTERN = "cn=%s*,%s" % (STAGING_CN[:2], SUFFIX) +PRODUCTION_PATTERN = "cn=%s*,%s" % (PRODUCTION_CN[:2], SUFFIX) +BAD_STAGING_PATTERN = "cn=bad*,%s" % (SUFFIX) +BAD_PRODUCTION_PATTERN = "cn=bad*,%s" % (SUFFIX) + +BIND_CN = "bind_entry" +BIND_DN = "cn=%s,%s" % (BIND_CN, SUFFIX) +BIND_PW = "password" + +NEW_ACCOUNT = "new_account" +MAX_ACCOUNTS = 20 + +CONFIG_MODDN_ACI_ATTR = "nsslapd-moddn-aci" + +class TopologyMaster1Master2(object): + def __init__(self, master1, master2): + master1.open() + self.master1 = master1 + + master2.open() + self.master2 = master2 + + +@pytest.fixture(scope="module") +def topology(request): + ''' + This fixture is used to create a replicated topology for the 'module'. + The replicated topology is MASTER1 <-> Master2. + At the beginning, It may exists a master2 instance and/or a master2 instance. + It may also exists a backup for the master1 and/or the master2. + + Principle: + If master1 instance exists: + restart it + If master2 instance exists: + restart it + If backup of master1 AND backup of master2 exists: + create or rebind to master1 + create or rebind to master2 + + restore master1 from backup + restore master2 from backup + else: + Cleanup everything + remove instances + remove backups + Create instances + Initialize replication + Create backups + ''' + global installation1_prefix + global installation2_prefix + + # allocate master1 on a given deployement + master1 = DirSrv(verbose=False) + if installation1_prefix: + args_instance[SER_DEPLOYED_DIR] = installation1_prefix + + # Args for the master1 instance + args_instance[SER_HOST] = HOST_MASTER_1 + args_instance[SER_PORT] = PORT_MASTER_1 + args_instance[SER_SERVERID_PROP] = SERVERID_MASTER_1 + args_master = args_instance.copy() + master1.allocate(args_master) + + # allocate master1 on a given deployement + master2 = DirSrv(verbose=False) + if installation2_prefix: + args_instance[SER_DEPLOYED_DIR] = installation2_prefix + + # Args for the consumer instance + args_instance[SER_HOST] = HOST_MASTER_2 + args_instance[SER_PORT] = PORT_MASTER_2 + args_instance[SER_SERVERID_PROP] = SERVERID_MASTER_2 + args_master = args_instance.copy() + master2.allocate(args_master) + + + # Get the status of the backups + backup_master1 = master1.checkBackupFS() + backup_master2 = master2.checkBackupFS() + + # Get the status of the instance and restart it if it exists + instance_master1 = master1.exists() + if instance_master1: + master1.stop(timeout=10) + master1.start(timeout=10) + + instance_master2 = master2.exists() + if instance_master2: + master2.stop(timeout=10) + master2.start(timeout=10) + + if backup_master1 and backup_master2: + # The backups exist, assuming they are correct + # we just re-init the instances with them + if not instance_master1: + master1.create() + # Used to retrieve configuration information (dbdir, confdir...) + master1.open() + + if not instance_master2: + master2.create() + # Used to retrieve configuration information (dbdir, confdir...) + master2.open() + + # restore master1 from backup + master1.stop(timeout=10) + master1.restoreFS(backup_master1) + master1.start(timeout=10) + + # restore master2 from backup + master2.stop(timeout=10) + master2.restoreFS(backup_master2) + master2.start(timeout=10) + else: + # We should be here only in two conditions + # - This is the first time a test involve master-consumer + # so we need to create everything + # - Something weird happened (instance/backup destroyed) + # so we discard everything and recreate all + + # Remove all the backups. So even if we have a specific backup file + # (e.g backup_master) we clear all backups that an instance my have created + if backup_master1: + master1.clearBackupFS() + if backup_master2: + master2.clearBackupFS() + + # Remove all the instances + if instance_master1: + master1.delete() + if instance_master2: + master2.delete() + + # Create the instances + master1.create() + master1.open() + master2.create() + master2.open() + + # + # Now prepare the Master-Consumer topology + # + # First Enable replication + master1.replica.enableReplication(suffix=SUFFIX, role=REPLICAROLE_MASTER, replicaId=REPLICAID_MASTER_1) + master2.replica.enableReplication(suffix=SUFFIX, role=REPLICAROLE_MASTER, replicaId=REPLICAID_MASTER_2) + + # Initialize the supplier->consumer + + properties = {RA_NAME: r'meTo_$host:$port', + RA_BINDDN: defaultProperties[REPLICATION_BIND_DN], + RA_BINDPW: defaultProperties[REPLICATION_BIND_PW], + RA_METHOD: defaultProperties[REPLICATION_BIND_METHOD], + RA_TRANSPORT_PROT: defaultProperties[REPLICATION_TRANSPORT]} + repl_agreement = master1.agreement.create(suffix=SUFFIX, host=master2.host, port=master2.port, properties=properties) + + if not repl_agreement: + log.fatal("Fail to create a replica agreement") + sys.exit(1) + + log.debug("%s created" % repl_agreement) + + properties = {RA_NAME: r'meTo_$host:$port', + RA_BINDDN: defaultProperties[REPLICATION_BIND_DN], + RA_BINDPW: defaultProperties[REPLICATION_BIND_PW], + RA_METHOD: defaultProperties[REPLICATION_BIND_METHOD], + RA_TRANSPORT_PROT: defaultProperties[REPLICATION_TRANSPORT]} + master2.agreement.create(suffix=SUFFIX, host=master1.host, port=master1.port, properties=properties) + + master1.agreement.init(SUFFIX, HOST_MASTER_2, PORT_MASTER_2) + master1.waitForReplInit(repl_agreement) + + # Check replication is working fine + master1.add_s(Entry((TEST_REPL_DN, { + 'objectclass': "top person".split(), + 'sn': 'test_repl', + 'cn': 'test_repl'}))) + loop = 0 + while loop <= 10: + try: + ent = master2.getEntry(TEST_REPL_DN, ldap.SCOPE_BASE, "(objectclass=*)") + break + except ldap.NO_SUCH_OBJECT: + time.sleep(1) + loop += 1 + + # Time to create the backups + master1.stop(timeout=10) + master1.backupfile = master1.backupFS() + master1.start(timeout=10) + + master2.stop(timeout=10) + master2.backupfile = master2.backupFS() + master2.start(timeout=10) + + # clear the tmp directory + master1.clearTmpDir(__file__) + + # + # Here we have two instances master and consumer + # with replication working. Either coming from a backup recovery + # or from a fresh (re)init + # Time to return the topology + return TopologyMaster1Master2(master1, master2) + + + +def _bind_manager(topology): + topology.master1.log.info("Bind as %s " % DN_DM) + topology.master1.simple_bind_s(DN_DM, PASSWORD) + +def _bind_normal(topology): + # bind as bind_entry + topology.master1.log.info("Bind as %s" % BIND_DN) + topology.master1.simple_bind_s(BIND_DN, BIND_PW) + +def _moddn_aci_deny_tree(topology, mod_type=None, target_from=STAGING_DN, target_to=PROD_EXCEPT_DN): + ''' + It denies the access moddn_to in cn=except,cn=accounts,SUFFIX + ''' + assert mod_type != None + + ACI_TARGET_FROM = "" + ACI_TARGET_TO = "" + if target_from: + ACI_TARGET_FROM = "(target_from = \"ldap:///%s\")" % (target_from) + if target_to: + ACI_TARGET_TO = "(target_to = \"ldap:///%s\")" % (target_to) + + ACI_ALLOW = "(version 3.0; acl \"Deny MODDN to prod_except\"; deny (moddn)" + ACI_SUBJECT = " userdn = \"ldap:///%s\";)" % BIND_DN + ACI_BODY = ACI_TARGET_TO + ACI_TARGET_FROM + ACI_ALLOW + ACI_SUBJECT + mod = [(mod_type, 'aci', ACI_BODY)] + #topology.master1.modify_s(SUFFIX, mod) + topology.master1.log.info("Add a DENY aci under %s " % PROD_EXCEPT_DN) + topology.master1.modify_s(PROD_EXCEPT_DN, mod) + +def _moddn_aci_staging_to_production(topology, mod_type=None, target_from=STAGING_DN, target_to=PRODUCTION_DN): + assert mod_type != None + + + ACI_TARGET_FROM = "" + ACI_TARGET_TO = "" + if target_from: + ACI_TARGET_FROM = "(target_from = \"ldap:///%s\")" % (target_from) + if target_to: + ACI_TARGET_TO = "(target_to = \"ldap:///%s\")" % (target_to) + + ACI_ALLOW = "(version 3.0; acl \"MODDN from staging to production\"; allow (moddn)" + ACI_SUBJECT = " userdn = \"ldap:///%s\";)" % BIND_DN + ACI_BODY = ACI_TARGET_FROM + ACI_TARGET_TO + ACI_ALLOW + ACI_SUBJECT + mod = [(mod_type, 'aci', ACI_BODY)] + topology.master1.modify_s(SUFFIX, mod) + +def _moddn_aci_from_production_to_staging(topology, mod_type=None): + assert mod_type != None + + ACI_TARGET = "(target_from = \"ldap:///%s\") (target_to = \"ldap:///%s\")" % (PRODUCTION_DN, STAGING_DN) + ACI_ALLOW = "(version 3.0; acl \"MODDN from production to staging\"; allow (moddn)" + ACI_SUBJECT = " userdn = \"ldap:///%s\";)" % BIND_DN + ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT + mod = [(mod_type, 'aci', ACI_BODY)] + topology.master1.modify_s(SUFFIX, mod) + + +def test_ticket47553_init(topology): + """ + Creates + - a staging DIT + - a production DIT + - add accounts in staging DIT + - enable ACL logging (commented for performance reason) + + """ + + topology.master1.log.info("\n\n######################### INITIALIZATION ######################\n") + + # entry used to bind with + topology.master1.log.info("Add %s" % BIND_DN) + topology.master1.add_s(Entry((BIND_DN, { + 'objectclass': "top person".split(), + 'sn': BIND_CN, + 'cn': BIND_CN, + 'userpassword': BIND_PW}))) + + # DIT for staging + topology.master1.log.info("Add %s" % STAGING_DN) + topology.master1.add_s(Entry((STAGING_DN, { + 'objectclass': "top organizationalRole".split(), + 'cn': STAGING_CN, + 'description': "staging DIT"}))) + + # DIT for production + topology.master1.log.info("Add %s" % PRODUCTION_DN) + topology.master1.add_s(Entry((PRODUCTION_DN, { + 'objectclass': "top organizationalRole".split(), + 'cn': PRODUCTION_CN, + 'description': "production DIT"}))) + + # DIT for production/except + topology.master1.log.info("Add %s" % PROD_EXCEPT_DN) + topology.master1.add_s(Entry((PROD_EXCEPT_DN, { + 'objectclass': "top organizationalRole".split(), + 'cn': EXCEPT_CN, + 'description': "production except DIT"}))) + + # enable acl error logging + #mod = [(ldap.MOD_REPLACE, 'nsslapd-errorlog-level', '128')] + #topology.master1.modify_s(DN_CONFIG, mod) + #topology.master2.modify_s(DN_CONFIG, mod) + + + + + + # add dummy entries in the staging DIT + for cpt in range(MAX_ACCOUNTS): + name = "%s%d" % (NEW_ACCOUNT, cpt) + topology.master1.add_s(Entry(("cn=%s,%s" % (name, STAGING_DN), { + 'objectclass': "top person".split(), + 'sn': name, + 'cn': name}))) + + +def test_ticket47553_mode_default_add_deny(topology): + ''' + This test case checks that the ADD operation fails (no ADD aci on production) + ''' + + topology.master1.log.info("\n\n######################### mode moddn_aci : ADD (should fail) ######################\n") + + _bind_normal(topology) + + # + # First try to add an entry in production => INSUFFICIENT_ACCESS + # + try: + topology.master1.log.info("Try to add %s" % PRODUCTION_DN) + name = "%s%d" % (NEW_ACCOUNT, 0) + topology.master1.add_s(Entry(("cn=%s,%s" % (name, PRODUCTION_DN), { + 'objectclass': "top person".split(), + 'sn': name, + 'cn': name}))) + assert 0 # this is an error, we should not be allowed to add an entry in production + except Exception as e: + topology.master1.log.info("Exception (expected): %s" % type(e).__name__) + assert isinstance(e, ldap.INSUFFICIENT_ACCESS) + +def test_ticket47553_mode_default_ger_no_moddn(topology): + topology.master1.log.info("\n\n######################### mode moddn_aci : GER no moddn ######################\n") + request_ctrl = GetEffectiveRightsControl(criticality=True,authzId="dn: " + BIND_DN) + msg_id = topology.master1.search_ext(PRODUCTION_DN, ldap.SCOPE_SUBTREE, "objectclass=*", serverctrls=[request_ctrl]) + rtype,rdata,rmsgid,response_ctrl = topology.master1.result3(msg_id) + ger={} + value='' + for dn, attrs in rdata: + topology.master1.log.info ("dn: %s" % dn) + value = attrs['entryLevelRights'][0] + + topology.master1.log.info ("############### entryLevelRights: %r" % value) + assert 'n' not in value + +def test_ticket47553_mode_default_ger_with_moddn(topology): + ''' + This test case adds the moddn aci and check ger contains 'n' + ''' + + topology.master1.log.info("\n\n######################### mode moddn_aci: GER with moddn ######################\n") + + # successfull MOD with the ACI + _bind_manager(topology) + _moddn_aci_staging_to_production(topology, mod_type=ldap.MOD_ADD, target_from=STAGING_DN, target_to=PRODUCTION_DN) + _bind_normal(topology) + + request_ctrl = GetEffectiveRightsControl(criticality=True,authzId="dn: " + BIND_DN) + msg_id = topology.master1.search_ext(PRODUCTION_DN, ldap.SCOPE_SUBTREE, "objectclass=*", serverctrls=[request_ctrl]) + rtype,rdata,rmsgid,response_ctrl = topology.master1.result3(msg_id) + ger={} + value = '' + for dn, attrs in rdata: + topology.master1.log.info ("dn: %s" % dn) + value = attrs['entryLevelRights'][0] + + topology.master1.log.info ("############### entryLevelRights: %r" % value) + assert 'n' in value + + # successfull MOD with the both ACI + _bind_manager(topology) + _moddn_aci_staging_to_production(topology, mod_type=ldap.MOD_DELETE, target_from=STAGING_DN, target_to=PRODUCTION_DN) + _bind_normal(topology) + +def test_ticket47553_mode_switch_default_to_legacy(topology): + ''' + This test switch the server from default mode to legacy + ''' + topology.master1.log.info("\n\n######################### Disable the moddn aci mod ######################\n" ) + _bind_manager(topology) + mod = [(ldap.MOD_REPLACE, CONFIG_MODDN_ACI_ATTR, 'off')] + topology.master1.modify_s(DN_CONFIG, mod) + +def test_ticket47553_mode_legacy_ger_no_moddn1(topology): + topology.master1.log.info("\n\n######################### mode legacy 1: GER no moddn ######################\n") + request_ctrl = GetEffectiveRightsControl(criticality=True,authzId="dn: " + BIND_DN) + msg_id = topology.master1.search_ext(PRODUCTION_DN, ldap.SCOPE_SUBTREE, "objectclass=*", serverctrls=[request_ctrl]) + rtype,rdata,rmsgid,response_ctrl = topology.master1.result3(msg_id) + ger={} + value='' + for dn, attrs in rdata: + topology.master1.log.info ("dn: %s" % dn) + value = attrs['entryLevelRights'][0] + + topology.master1.log.info ("############### entryLevelRights: %r" % value) + assert 'n' not in value + +def test_ticket47553_mode_legacy_ger_no_moddn2(topology): + topology.master1.log.info("\n\n######################### mode legacy 2: GER no moddn ######################\n") + # successfull MOD with the ACI + _bind_manager(topology) + _moddn_aci_staging_to_production(topology, mod_type=ldap.MOD_ADD, target_from=STAGING_DN, target_to=PRODUCTION_DN) + _bind_normal(topology) + + request_ctrl = GetEffectiveRightsControl(criticality=True,authzId="dn: " + BIND_DN) + msg_id = topology.master1.search_ext(PRODUCTION_DN, ldap.SCOPE_SUBTREE, "objectclass=*", serverctrls=[request_ctrl]) + rtype,rdata,rmsgid,response_ctrl = topology.master1.result3(msg_id) + ger={} + value='' + for dn, attrs in rdata: + topology.master1.log.info ("dn: %s" % dn) + value = attrs['entryLevelRights'][0] + + topology.master1.log.info ("############### entryLevelRights: %r" % value) + assert 'n' not in value + + # successfull MOD with the both ACI + _bind_manager(topology) + _moddn_aci_staging_to_production(topology, mod_type=ldap.MOD_DELETE, target_from=STAGING_DN, target_to=PRODUCTION_DN) + _bind_normal(topology) + +def test_ticket47553_mode_legacy_ger_with_moddn(topology): + topology.master1.log.info("\n\n######################### mode legacy : GER with moddn ######################\n") + + # being allowed to read/write the RDN attribute use to allow the RDN + ACI_TARGET = "(target = \"ldap:///%s\")(targetattr=\"cn\")" % (PRODUCTION_DN) + ACI_ALLOW = "(version 3.0; acl \"MODDN production changing the RDN attribute\"; allow (read,search,write)" + ACI_SUBJECT = " userdn = \"ldap:///%s\";)" % BIND_DN + ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT + + # successfull MOD with the ACI + _bind_manager(topology) + mod = [(ldap.MOD_ADD, 'aci', ACI_BODY)] + topology.master1.modify_s(SUFFIX, mod) + _bind_normal(topology) + + request_ctrl = GetEffectiveRightsControl(criticality=True,authzId="dn: " + BIND_DN) + msg_id = topology.master1.search_ext(PRODUCTION_DN, ldap.SCOPE_SUBTREE, "objectclass=*", serverctrls=[request_ctrl]) + rtype,rdata,rmsgid,response_ctrl = topology.master1.result3(msg_id) + ger={} + value='' + for dn, attrs in rdata: + topology.master1.log.info ("dn: %s" % dn) + value = attrs['entryLevelRights'][0] + + topology.master1.log.info ("############### entryLevelRights: %r" % value) + assert 'n' in value + + # successfull MOD with the both ACI + _bind_manager(topology) + mod = [(ldap.MOD_DELETE, 'aci', ACI_BODY)] + topology.master1.modify_s(SUFFIX, mod) + _bind_normal(topology) + + +def test_ticket47553_final(topology): + topology.master1.stop(timeout=10) + topology.master2.stop(timeout=10) + +def run_isolated(): + ''' + run_isolated is used to run these test cases independently of a test scheduler (xunit, py.test..) + To run isolated without py.test, you need to + - edit this file and comment '@pytest.fixture' line before 'topology' function. + - set the installation prefix + - run this program + ''' + global installation1_prefix + global installation2_prefix + installation1_prefix = None + installation2_prefix = None + + topo = topology(True) + topo.master1.log.info("\n\n######################### Ticket 47553 ######################\n") + test_ticket47553_init(topo) + + # Check that without appropriate aci we are not allowed to add/delete + test_ticket47553_mode_default_add_deny(topo) + test_ticket47553_mode_default_ger_no_moddn(topo) + test_ticket47553_mode_default_ger_with_moddn(topo) + test_ticket47553_mode_switch_default_to_legacy(topo) + test_ticket47553_mode_legacy_ger_no_moddn1(topo) + test_ticket47553_mode_legacy_ger_no_moddn2(topo) + test_ticket47553_mode_legacy_ger_with_moddn(topo) + + test_ticket47553_final(topo) + + + + +if __name__ == '__main__': + run_isolated() + diff --git a/ldap/servers/plugins/acl/acleffectiverights.c b/ldap/servers/plugins/acl/acleffectiverights.c index b9e2055..3c7d635 100644 --- a/ldap/servers/plugins/acl/acleffectiverights.c +++ b/ldap/servers/plugins/acl/acleffectiverights.c @@ -456,38 +456,45 @@ _ger_get_entry_rights ( entryrights |= SLAPI_ACL_DELETE; _append_gerstr(gerstr, gerstrsize, gerstrcap, "d", NULL); } - /* - * Some limitation/simplification applied here: - * - The modrdn right requires the rights to delete the old rdn and - * the new one. However we have no knowledge of what the new rdn - * is going to be. - * - In multi-valued RDN case, we check the right on - * the first rdn type only for now. - */ - rdn = slapi_rdn_new_dn ( slapi_entry_get_ndn (e) ); - slapi_rdn_get_first(rdn, &rdntype, &rdnvalue); - if ( NULL != rdntype ) { - slapi_log_error (SLAPI_LOG_ACL, plugin_name, - "_ger_get_entry_rights: SLAPI_ACL_WRITE_DEL & _ADD %s\n", rdntype ); - if (acl_access_allowed(gerpb, e, rdntype, NULL, - ACLPB_SLAPI_ACL_WRITE_DEL) == LDAP_SUCCESS && - acl_access_allowed(gerpb, e, rdntype, NULL, - ACLPB_SLAPI_ACL_WRITE_ADD) == LDAP_SUCCESS) - { - /* n - rename e */ - entryrights |= SLAPI_ACL_WRITE; - _append_gerstr(gerstr, gerstrsize, gerstrcap, "n", NULL); - } - } - slapi_rdn_free ( &rdn ); - - if (acl_access_allowed(gerpb, e, NULL, NULL, SLAPI_ACL_MODDN) == LDAP_SUCCESS) { - slapi_log_error (SLAPI_LOG_ACL, plugin_name, - "_ger_get_entry_rights: SLAPI_ACL_MODDN %s\n", slapi_entry_get_ndn (e) ); + + if (config_get_moddn_aci()) { + /* The server enforces the new MODDN aci right. + * So the status 'n' is set if this right is granted. + * Opposed to the legacy mode where this flag is set if + * WRITE was granted on rdn attrbibute + */ + if (acl_access_allowed(gerpb, e, NULL, NULL, SLAPI_ACL_MODDN) == LDAP_SUCCESS) { + slapi_log_error(SLAPI_LOG_ACL, plugin_name, + "_ger_get_entry_rights: SLAPI_ACL_MODDN %s\n", slapi_entry_get_ndn(e)); + /* n - rename e */ + entryrights |= SLAPI_ACL_MODDN; + _append_gerstr(gerstr, gerstrsize, gerstrcap, "n", NULL); + } + } else { + /* + * Some limitation/simplification applied here: + * - The modrdn right requires the rights to delete the old rdn and + * the new one. However we have no knowledge of what the new rdn + * is going to be. + * - In multi-valued RDN case, we check the right on + * the first rdn type only for now. + */ + rdn = slapi_rdn_new_dn(slapi_entry_get_ndn(e)); + slapi_rdn_get_first(rdn, &rdntype, &rdnvalue); + if (NULL != rdntype) { + slapi_log_error(SLAPI_LOG_ACL, plugin_name, + "_ger_get_entry_rights: SLAPI_ACL_WRITE_DEL & _ADD %s\n", rdntype); + if (acl_access_allowed(gerpb, e, rdntype, NULL, + ACLPB_SLAPI_ACL_WRITE_DEL) == LDAP_SUCCESS && + acl_access_allowed(gerpb, e, rdntype, NULL, + ACLPB_SLAPI_ACL_WRITE_ADD) == LDAP_SUCCESS) { /* n - rename e */ - entryrights |= SLAPI_ACL_MODDN; - _append_gerstr(gerstr, gerstrsize, gerstrcap, "n", NULL); + entryrights |= SLAPI_ACL_WRITE; + _append_gerstr(gerstr, gerstrsize, gerstrcap, "n", NULL); + } } + slapi_rdn_free(&rdn); + } if ( entryrights == 0 ) { _append_gerstr(gerstr, gerstrsize, gerstrcap, "none", NULL); -- 1.9.3