author | Alexander Sulfrian <alexander@sulfrian.net> | 2016-11-11 21:09:10 +0100 |
---|---|---|
committer | Alexander Sulfrian <alexander@sulfrian.net> | 2016-11-11 21:53:38 +0100 |
commit | efc23a7e63ccaca4146ff26ee09b322b2f0d96e5 (patch) | |
tree | 5b6fbcf6b63f38132d2685611cb914b929741bf3 /service_passwords.c | |
parent | 2821de999191f94b0fa95899e762aaf82ed53514 (diff) | |
pre_entry: Only return gold accounts for gold services
If an authenticated gold service is searching for accounts, it should
only get the gold accounts.
Diffstat (limited to 'service_passwords.c')
-rw-r--r-- | service_passwords.c | 23 |
1 files changed, 16 insertions, 7 deletions
diff --git a/service_passwords.c b/service_passwords.c
index 3dc432c..b0ed330 100644
--- a/service_passwords.c
+++ b/service_passwords.c
@@ -614,6 +614,8 @@ static int pre_entry(Slapi_PBlock *pb)
 int is_replication;
 int is_internal;
+ int gold_service = 0;
+ int gold_account = 0;
 char *service = NULL;
 char *parent_dn = NULL;
 const char *result_dn = NULL;
@@ -652,7 +654,7 @@ static int pre_entry(Slapi_PBlock *pb)
 return 0;
 }
- if (is_service(bind_dn, &service, NULL) != 0) {
+ if (is_service(bind_dn, &service, &gold_service) != 0) {
 parent_dn = slapi_dn_parent(bind_dn);
 rc |= is_user(parent_dn, NULL);
 slapi_ch_free_string(&parent_dn);
@@ -677,13 +679,20 @@ static int pre_entry(Slapi_PBlock *pb)
 }
 /* modify the dn of the returned entry */
- if (is_user(result_dn, NULL) == 0) {
- new_entry = prepend_service_prefix(entry, service);
+ if (is_user(result_dn, &gold_account) == 0) {
+ if (gold_service != 0 && gold_account == 0) {
+ /* ignore non-gold account for gold services */
+ rc = -1;
+ goto fail1;
+ }
+ else {
+ new_entry = prepend_service_prefix(entry, service);
- /* Set the new entry as the new result in the pblock and also set the
- the REP_ENTRY_MUSTBEFREED flag, so that the entry gets free'd when
- ready. */
- slapi_pblock_set(pb, SLAPI_SEARCH_RESULT_ENTRY, new_entry);
+ /* Set the new entry as the new result in the pblock and also set the
+ the REP_ENTRY_MUSTBEFREED flag, so that the entry gets free'd when
+ ready. */
+ slapi_pblock_set(pb, SLAPI_SEARCH_RESULT_ENTRY, new_entry);
+ }
 }
 fail1: |
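Review bot: `gold_service` keeps its initial 0 from the first hunk whenever `is_service()` returns success without writing the out-parameter, and 0 is the unrestricted case here, since a non-gold service is shown every account. The body of `is_service()` is not part of this diff, so whether it stores the flag on every successful return cannot be confirmed from the hunk; if a failed lookup inside it leaves the flag untouched, the new filter fails open. I would state the contract at the call, e.g. `/* is_service() must set gold_service on every successful return; 0 means no gold restriction */`, or treat an undetermined flag as gold. pre_entry starts and ends outside the hunk.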
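Review bot: The `rc = -1; goto fail1;` path in the third hunk presumably relies on the server skipping an entry when the pre-entry callback returns non-zero, but nothing in the hunk says so, and `rc` is also an accumulated error value earlier in the function (`rc |= is_user(parent_dn, NULL);`). A comment such as `/* non-zero return makes the server skip this entry; the search itself continues */` would make the intent checkable, once confirmed against the server's plugin documentation. The `else` after the `goto` is not needed; dropping it keeps the existing `prepend_service_prefix` and `slapi_pblock_set` lines at their original indentation and shrinks the change to the new guard. The `fail1:` cleanup and the rest of pre_entry are outside the hunk.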