external-software/github_OpenIdentityPlatform_OpenDJ.git

parent: ed40fd0d | patch | commit | ignore whitespace

Fix issue 4042: LDAP assertion control access control evaluation results i...

matthew_swift

08.53.2009 5ab71727e25999e8bafe2f299ea4ac05bf4290b6

Fix issue 4042:  LDAP assertion control access control evaluation results in protocol error

This change ensures that we get the correct LDAP result code back when LDAP assertion control evaluation fails.

6 files modified

	opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendAddOperation.java	50 ●●●●● patch \| view \| raw \| blame \| history
	opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendCompareOperation.java	42 ●●●●● patch \| view \| raw \| blame \| history
	opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendDeleteOperation.java	42 ●●●●● patch \| view \| raw \| blame \| history
	opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendModifyDNOperation.java	42 ●●●●● patch \| view \| raw \| blame \| history
	opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendModifyOperation.java	42 ●●●●● patch \| view \| raw \| blame \| history
	opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendSearchOperation.java	72 ●●●●● patch \| view \| raw \| blame \| history

 opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendAddOperation.java

@@ -1465,30 +1465,46 @@
        if (oid.equals(OID_LDAP_ASSERTION))
        {
          // RFC 4528 mandates support for Add operation basically
          // suggesting an asertion on self. As daft as it may be
          // suggesting an assertion on self. As daft as it may be
          // we gonna have to support this for RFC compliance.
          LDAPAssertionRequestControl assertControl =
            getRequestControl(LDAPAssertionRequestControl.DECODER);

          SearchFilter filter;
          try
          {
            SearchFilter filter = assertControl.getSearchFilter();

            // Check if the current user has permission to make
            // this determination.
            if (!AccessControlConfigManager.getInstance().
              getAccessControlHandler().isAllowed(this, entry, filter))
            filter = assertControl.getSearchFilter();
          }
          catch (DirectoryException de)
          {
            if (debugEnabled())
            {
              throw new DirectoryException(
                ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
                ERR_CONTROL_INSUFFICIENT_ACCESS_RIGHTS.get(oid));
              TRACER.debugCaught(DebugLogLevel.ERROR, de);
            }

            if (! filter.matchesEntry(entry))
            throw new DirectoryException(de.getResultCode(),
                ERR_ADD_CANNOT_PROCESS_ASSERTION_FILTER.get(
                    String.valueOf(entryDN),
                    de.getMessageObject()));
          }

          // Check if the current user has permission to make
          // this determination.
          if (!AccessControlConfigManager.getInstance().
              getAccessControlHandler().isAllowed(this, entry, filter))
          {
            throw new DirectoryException(
                ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
                ERR_CONTROL_INSUFFICIENT_ACCESS_RIGHTS.get(oid));
          }

          try
          {
            if (!filter.matchesEntry(entry))
            {
              throw new DirectoryException(ResultCode.ASSERTION_FAILED,
                                           ERR_ADD_ASSERTION_FAILED.get(
                                                String.valueOf(entryDN)));
                  ERR_ADD_ASSERTION_FAILED.get(String
                      .valueOf(entryDN)));
            }
          }
          catch (DirectoryException de)
@@ -1503,10 +1519,10 @@
              TRACER.debugCaught(DebugLogLevel.ERROR, de);
            }

            throw new DirectoryException(ResultCode.PROTOCOL_ERROR,
                           ERR_ADD_CANNOT_PROCESS_ASSERTION_FILTER.get(
                                String.valueOf(entryDN),
                                de.getMessageObject()));
            throw new DirectoryException(de.getResultCode(),
                ERR_ADD_CANNOT_PROCESS_ASSERTION_FILTER.get(
                    String.valueOf(entryDN),
                    de.getMessageObject()));
          }
        }
        else if (oid.equals(OID_LDAP_NOOP_OPENLDAP_ASSIGNED))

 opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendCompareOperation.java

@@ -446,25 +446,41 @@
          LDAPAssertionRequestControl assertControl =
                getRequestControl(LDAPAssertionRequestControl.DECODER);

          SearchFilter filter;
          try
          {
            SearchFilter filter = assertControl.getSearchFilter();

            // Check if the current user has permission to make
            // this determination.
            if (!AccessControlConfigManager.getInstance().
              getAccessControlHandler().isAllowed(this, entry, filter))
            filter = assertControl.getSearchFilter();
          }
          catch (DirectoryException de)
          {
            if (debugEnabled())
            {
              throw new DirectoryException(
                ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
                ERR_CONTROL_INSUFFICIENT_ACCESS_RIGHTS.get(oid));
              TRACER.debugCaught(DebugLogLevel.ERROR, de);
            }

            if (! filter.matchesEntry(entry))
            throw new DirectoryException(de.getResultCode(),
                           ERR_COMPARE_CANNOT_PROCESS_ASSERTION_FILTER.get(
                                String.valueOf(entryDN),
                                de.getMessageObject()));
          }

          // Check if the current user has permission to make
          // this determination.
          if (!AccessControlConfigManager.getInstance().
            getAccessControlHandler().isAllowed(this, entry, filter))
          {
            throw new DirectoryException(
              ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
              ERR_CONTROL_INSUFFICIENT_ACCESS_RIGHTS.get(oid));
          }

          try
          {
            if (!filter.matchesEntry(entry))
            {
              throw new DirectoryException(ResultCode.ASSERTION_FAILED,
                                           ERR_COMPARE_ASSERTION_FAILED.get(
                                                String.valueOf(entryDN)));
                  ERR_COMPARE_ASSERTION_FAILED.get(String
                      .valueOf(entryDN)));
            }
          }
          catch (DirectoryException de)
@@ -479,7 +495,7 @@
              TRACER.debugCaught(DebugLogLevel.ERROR, de);
            }

            throw new DirectoryException(ResultCode.PROTOCOL_ERROR,
            throw new DirectoryException(de.getResultCode(),
                           ERR_COMPARE_CANNOT_PROCESS_ASSERTION_FILTER.get(
                                String.valueOf(entryDN),
                                de.getMessageObject()));

 opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendDeleteOperation.java

@@ -530,25 +530,41 @@
          LDAPAssertionRequestControl assertControl =
                getRequestControl(LDAPAssertionRequestControl.DECODER);

          SearchFilter filter;
          try
          {
            SearchFilter filter = assertControl.getSearchFilter();

            // Check if the current user has permission to make
            // this determination.
            if (!AccessControlConfigManager.getInstance().
              getAccessControlHandler().isAllowed(this, entry, filter))
            filter = assertControl.getSearchFilter();
          }
          catch (DirectoryException de)
          {
            if (debugEnabled())
            {
              throw new DirectoryException(
                ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
                ERR_CONTROL_INSUFFICIENT_ACCESS_RIGHTS.get(oid));
              TRACER.debugCaught(DebugLogLevel.ERROR, de);
            }

            if (! filter.matchesEntry(entry))
            throw new DirectoryException(de.getResultCode(),
                           ERR_DELETE_CANNOT_PROCESS_ASSERTION_FILTER.get(
                                String.valueOf(entryDN),
                                de.getMessageObject()));
          }

          // Check if the current user has permission to make
          // this determination.
          if (!AccessControlConfigManager.getInstance().
            getAccessControlHandler().isAllowed(this, entry, filter))
          {
            throw new DirectoryException(
              ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
              ERR_CONTROL_INSUFFICIENT_ACCESS_RIGHTS.get(oid));
          }

          try
          {
            if (!filter.matchesEntry(entry))
            {
              throw new DirectoryException(ResultCode.ASSERTION_FAILED,
                                           ERR_DELETE_ASSERTION_FAILED.get(
                                                String.valueOf(entryDN)));
                  ERR_DELETE_ASSERTION_FAILED.get(String
                      .valueOf(entryDN)));
            }
          }
          catch (DirectoryException de)
@@ -563,7 +579,7 @@
              TRACER.debugCaught(DebugLogLevel.ERROR, de);
            }

            throw new DirectoryException(ResultCode.PROTOCOL_ERROR,
            throw new DirectoryException(de.getResultCode(),
                           ERR_DELETE_CANNOT_PROCESS_ASSERTION_FILTER.get(
                                String.valueOf(entryDN),
                                de.getMessageObject()));

 opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendModifyDNOperation.java

@@ -754,25 +754,41 @@
          LDAPAssertionRequestControl assertControl =
                getRequestControl(LDAPAssertionRequestControl.DECODER);

          SearchFilter filter;
          try
          {
            SearchFilter filter = assertControl.getSearchFilter();

            // Check if the current user has permission to make
            // this determination.
            if (!AccessControlConfigManager.getInstance().
              getAccessControlHandler().isAllowed(this, currentEntry, filter))
            filter = assertControl.getSearchFilter();
          }
          catch (DirectoryException de)
          {
            if (debugEnabled())
            {
              throw new DirectoryException(
                ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
                ERR_CONTROL_INSUFFICIENT_ACCESS_RIGHTS.get(oid));
              TRACER.debugCaught(DebugLogLevel.ERROR, de);
            }

            if (! filter.matchesEntry(currentEntry))
            throw new DirectoryException(de.getResultCode(),
                           ERR_MODDN_CANNOT_PROCESS_ASSERTION_FILTER.get(
                                String.valueOf(entryDN),
                                de.getMessageObject()));
          }

          // Check if the current user has permission to make
          // this determination.
          if (!AccessControlConfigManager.getInstance().
            getAccessControlHandler().isAllowed(this, currentEntry, filter))
          {
            throw new DirectoryException(
              ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
              ERR_CONTROL_INSUFFICIENT_ACCESS_RIGHTS.get(oid));
          }

          try
          {
            if (!filter.matchesEntry(currentEntry))
            {
              throw new DirectoryException(ResultCode.ASSERTION_FAILED,
                                           ERR_MODDN_ASSERTION_FAILED.get(
                                                String.valueOf(entryDN)));
                  ERR_MODDN_ASSERTION_FAILED.get(String
                      .valueOf(entryDN)));
            }
          }
          catch (DirectoryException de)
@@ -787,7 +803,7 @@
              TRACER.debugCaught(DebugLogLevel.ERROR, de);
            }

            throw new DirectoryException(ResultCode.PROTOCOL_ERROR,
            throw new DirectoryException(de.getResultCode(),
                           ERR_MODDN_CANNOT_PROCESS_ASSERTION_FILTER.get(
                                String.valueOf(entryDN),
                                de.getMessageObject()));

 opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendModifyOperation.java

@@ -780,25 +780,41 @@
          LDAPAssertionRequestControl assertControl =
                getRequestControl(LDAPAssertionRequestControl.DECODER);

          SearchFilter filter;
          try
          {
            SearchFilter filter = assertControl.getSearchFilter();

            // Check if the current user has permission to make
            // this determination.
            if (!AccessControlConfigManager.getInstance().
              getAccessControlHandler().isAllowed(this, currentEntry, filter))
            filter = assertControl.getSearchFilter();
          }
          catch (DirectoryException de)
          {
            if (debugEnabled())
            {
              throw new DirectoryException(
                ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
                ERR_CONTROL_INSUFFICIENT_ACCESS_RIGHTS.get(oid));
              TRACER.debugCaught(DebugLogLevel.ERROR, de);
            }

            if (! filter.matchesEntry(currentEntry))
            throw new DirectoryException(de.getResultCode(),
                           ERR_MODIFY_CANNOT_PROCESS_ASSERTION_FILTER.get(
                                String.valueOf(entryDN),
                                de.getMessageObject()));
          }

          // Check if the current user has permission to make
          // this determination.
          if (!AccessControlConfigManager.getInstance().
            getAccessControlHandler().isAllowed(this, currentEntry, filter))
          {
            throw new DirectoryException(
              ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
              ERR_CONTROL_INSUFFICIENT_ACCESS_RIGHTS.get(oid));
          }

          try
          {
            if (!filter.matchesEntry(currentEntry))
            {
              throw new DirectoryException(ResultCode.ASSERTION_FAILED,
                                           ERR_MODIFY_ASSERTION_FAILED.get(
                                                String.valueOf(entryDN)));
                  ERR_MODIFY_ASSERTION_FAILED.get(String
                      .valueOf(entryDN)));
            }
          }
          catch (DirectoryException de)
@@ -813,7 +829,7 @@
              TRACER.debugCaught(DebugLogLevel.ERROR, de);
            }

            throw new DirectoryException(ResultCode.PROTOCOL_ERROR,
            throw new DirectoryException(de.getResultCode(),
                           ERR_MODIFY_CANNOT_PROCESS_ASSERTION_FILTER.get(
                                String.valueOf(entryDN),
                                de.getMessageObject()));

 opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendSearchOperation.java

@@ -359,42 +359,58 @@
          LDAPAssertionRequestControl assertControl =
                getRequestControl(LDAPAssertionRequestControl.DECODER);

          SearchFilter assertionFilter;

          try
          {
            SearchFilter assertionFilter = assertControl.getSearchFilter();
            Entry entry;
            try
            assertionFilter = assertControl.getSearchFilter();
          }
          catch (DirectoryException de)
          {
            if (debugEnabled())
            {
              entry = DirectoryServer.getEntry(baseDN);
            }
            catch (DirectoryException de)
            {
              if (debugEnabled())
              {
                TRACER.debugCaught(DebugLogLevel.ERROR, de);
              }

              throw new DirectoryException(de.getResultCode(),
                             ERR_SEARCH_CANNOT_GET_ENTRY_FOR_ASSERTION.get(
                                  de.getMessageObject()));
              TRACER.debugCaught(DebugLogLevel.ERROR, de);
            }

            if (entry == null)
            throw new DirectoryException(de.getResultCode(),
                           ERR_SEARCH_CANNOT_PROCESS_ASSERTION_FILTER.get(
                                de.getMessageObject()), de);
          }

          Entry entry;
          try
          {
            entry = DirectoryServer.getEntry(baseDN);
          }
          catch (DirectoryException de)
          {
            if (debugEnabled())
            {
              throw new DirectoryException(ResultCode.NO_SUCH_OBJECT,
                             ERR_SEARCH_NO_SUCH_ENTRY_FOR_ASSERTION.get());
              TRACER.debugCaught(DebugLogLevel.ERROR, de);
            }

            // Check if the current user has permission to make
            // this determination.
            if (!AccessControlConfigManager.getInstance().
              getAccessControlHandler().isAllowed(this, entry, assertionFilter))
            {
              throw new DirectoryException(
                ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
                ERR_CONTROL_INSUFFICIENT_ACCESS_RIGHTS.get(oid));
            }
            throw new DirectoryException(de.getResultCode(),
                           ERR_SEARCH_CANNOT_GET_ENTRY_FOR_ASSERTION.get(
                                de.getMessageObject()));
          }

          if (entry == null)
          {
            throw new DirectoryException(ResultCode.NO_SUCH_OBJECT,
                           ERR_SEARCH_NO_SUCH_ENTRY_FOR_ASSERTION.get());
          }

          // Check if the current user has permission to make
          // this determination.
          if (!AccessControlConfigManager.getInstance().
            getAccessControlHandler().isAllowed(this, entry, assertionFilter))
          {
            throw new DirectoryException(
              ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
              ERR_CONTROL_INSUFFICIENT_ACCESS_RIGHTS.get(oid));
          }

          try {
            if (! assertionFilter.matchesEntry(entry))
            {
              throw new DirectoryException(ResultCode.ASSERTION_FAILED,
@@ -413,7 +429,7 @@
              TRACER.debugCaught(DebugLogLevel.ERROR, de);
            }

            throw new DirectoryException(ResultCode.PROTOCOL_ERROR,
            throw new DirectoryException(de.getResultCode(),
                           ERR_SEARCH_CANNOT_PROCESS_ASSERTION_FILTER.get(
                                de.getMessageObject()), de);
          }

			@@ -1465,30 +1465,46 @@
			if (oid.equals(OID_LDAP_ASSERTION))
			{
			// RFC 4528 mandates support for Add operation basically
			// suggesting an asertion on self. As daft as it may be
			// suggesting an assertion on self. As daft as it may be
			// we gonna have to support this for RFC compliance.
			LDAPAssertionRequestControl assertControl =
			getRequestControl(LDAPAssertionRequestControl.DECODER);

			SearchFilter filter;
			try
			{
			SearchFilter filter = assertControl.getSearchFilter();

			// Check if the current user has permission to make
			// this determination.
			if (!AccessControlConfigManager.getInstance().
			getAccessControlHandler().isAllowed(this, entry, filter))
			filter = assertControl.getSearchFilter();
			}
			catch (DirectoryException de)
			{
			if (debugEnabled())
			{
			throw new DirectoryException(
			ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
			ERR_CONTROL_INSUFFICIENT_ACCESS_RIGHTS.get(oid));
			TRACER.debugCaught(DebugLogLevel.ERROR, de);
			}

			if (! filter.matchesEntry(entry))
			throw new DirectoryException(de.getResultCode(),
			ERR_ADD_CANNOT_PROCESS_ASSERTION_FILTER.get(
			String.valueOf(entryDN),
			de.getMessageObject()));
			}

			// Check if the current user has permission to make
			// this determination.
			if (!AccessControlConfigManager.getInstance().
			getAccessControlHandler().isAllowed(this, entry, filter))
			{
			throw new DirectoryException(
			ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
			ERR_CONTROL_INSUFFICIENT_ACCESS_RIGHTS.get(oid));
			}

			try
			{
			if (!filter.matchesEntry(entry))
			{
			throw new DirectoryException(ResultCode.ASSERTION_FAILED,
			ERR_ADD_ASSERTION_FAILED.get(
			String.valueOf(entryDN)));
			ERR_ADD_ASSERTION_FAILED.get(String
			.valueOf(entryDN)));
			}
			}
			catch (DirectoryException de)
			@@ -1503,10 +1519,10 @@
			TRACER.debugCaught(DebugLogLevel.ERROR, de);
			}

			throw new DirectoryException(ResultCode.PROTOCOL_ERROR,
			ERR_ADD_CANNOT_PROCESS_ASSERTION_FILTER.get(
			String.valueOf(entryDN),
			de.getMessageObject()));
			throw new DirectoryException(de.getResultCode(),
			ERR_ADD_CANNOT_PROCESS_ASSERTION_FILTER.get(
			String.valueOf(entryDN),
			de.getMessageObject()));
			}
			}
			else if (oid.equals(OID_LDAP_NOOP_OPENLDAP_ASSIGNED))

			@@ -446,25 +446,41 @@
			LDAPAssertionRequestControl assertControl =
			getRequestControl(LDAPAssertionRequestControl.DECODER);

			SearchFilter filter;
			try
			{
			SearchFilter filter = assertControl.getSearchFilter();

			// Check if the current user has permission to make
			// this determination.
			if (!AccessControlConfigManager.getInstance().
			getAccessControlHandler().isAllowed(this, entry, filter))
			filter = assertControl.getSearchFilter();
			}
			catch (DirectoryException de)
			{
			if (debugEnabled())
			{
			throw new DirectoryException(
			ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
			ERR_CONTROL_INSUFFICIENT_ACCESS_RIGHTS.get(oid));
			TRACER.debugCaught(DebugLogLevel.ERROR, de);
			}

			if (! filter.matchesEntry(entry))
			throw new DirectoryException(de.getResultCode(),
			ERR_COMPARE_CANNOT_PROCESS_ASSERTION_FILTER.get(
			String.valueOf(entryDN),
			de.getMessageObject()));
			}

			// Check if the current user has permission to make
			// this determination.
			if (!AccessControlConfigManager.getInstance().
			getAccessControlHandler().isAllowed(this, entry, filter))
			{
			throw new DirectoryException(
			ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
			ERR_CONTROL_INSUFFICIENT_ACCESS_RIGHTS.get(oid));
			}

			try
			{
			if (!filter.matchesEntry(entry))
			{
			throw new DirectoryException(ResultCode.ASSERTION_FAILED,
			ERR_COMPARE_ASSERTION_FAILED.get(
			String.valueOf(entryDN)));
			ERR_COMPARE_ASSERTION_FAILED.get(String
			.valueOf(entryDN)));
			}
			}
			catch (DirectoryException de)
			@@ -479,7 +495,7 @@
			TRACER.debugCaught(DebugLogLevel.ERROR, de);
			}

			throw new DirectoryException(ResultCode.PROTOCOL_ERROR,
			throw new DirectoryException(de.getResultCode(),
			ERR_COMPARE_CANNOT_PROCESS_ASSERTION_FILTER.get(
			String.valueOf(entryDN),
			de.getMessageObject()));

			@@ -530,25 +530,41 @@
			LDAPAssertionRequestControl assertControl =
			getRequestControl(LDAPAssertionRequestControl.DECODER);

			SearchFilter filter;
			try
			{
			SearchFilter filter = assertControl.getSearchFilter();

			// Check if the current user has permission to make
			// this determination.
			if (!AccessControlConfigManager.getInstance().
			getAccessControlHandler().isAllowed(this, entry, filter))
			filter = assertControl.getSearchFilter();
			}
			catch (DirectoryException de)
			{
			if (debugEnabled())
			{
			throw new DirectoryException(
			ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
			ERR_CONTROL_INSUFFICIENT_ACCESS_RIGHTS.get(oid));
			TRACER.debugCaught(DebugLogLevel.ERROR, de);
			}

			if (! filter.matchesEntry(entry))
			throw new DirectoryException(de.getResultCode(),
			ERR_DELETE_CANNOT_PROCESS_ASSERTION_FILTER.get(
			String.valueOf(entryDN),
			de.getMessageObject()));
			}

			// Check if the current user has permission to make
			// this determination.
			if (!AccessControlConfigManager.getInstance().
			getAccessControlHandler().isAllowed(this, entry, filter))
			{
			throw new DirectoryException(
			ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
			ERR_CONTROL_INSUFFICIENT_ACCESS_RIGHTS.get(oid));
			}

			try
			{
			if (!filter.matchesEntry(entry))
			{
			throw new DirectoryException(ResultCode.ASSERTION_FAILED,
			ERR_DELETE_ASSERTION_FAILED.get(
			String.valueOf(entryDN)));
			ERR_DELETE_ASSERTION_FAILED.get(String
			.valueOf(entryDN)));
			}
			}
			catch (DirectoryException de)
			@@ -563,7 +579,7 @@
			TRACER.debugCaught(DebugLogLevel.ERROR, de);
			}

			throw new DirectoryException(ResultCode.PROTOCOL_ERROR,
			throw new DirectoryException(de.getResultCode(),
			ERR_DELETE_CANNOT_PROCESS_ASSERTION_FILTER.get(
			String.valueOf(entryDN),
			de.getMessageObject()));

			@@ -754,25 +754,41 @@
			LDAPAssertionRequestControl assertControl =
			getRequestControl(LDAPAssertionRequestControl.DECODER);

			SearchFilter filter;
			try
			{
			SearchFilter filter = assertControl.getSearchFilter();

			// Check if the current user has permission to make
			// this determination.
			if (!AccessControlConfigManager.getInstance().
			getAccessControlHandler().isAllowed(this, currentEntry, filter))
			filter = assertControl.getSearchFilter();
			}
			catch (DirectoryException de)
			{
			if (debugEnabled())
			{
			throw new DirectoryException(
			ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
			ERR_CONTROL_INSUFFICIENT_ACCESS_RIGHTS.get(oid));
			TRACER.debugCaught(DebugLogLevel.ERROR, de);
			}

			if (! filter.matchesEntry(currentEntry))
			throw new DirectoryException(de.getResultCode(),
			ERR_MODDN_CANNOT_PROCESS_ASSERTION_FILTER.get(
			String.valueOf(entryDN),
			de.getMessageObject()));
			}

			// Check if the current user has permission to make
			// this determination.
			if (!AccessControlConfigManager.getInstance().
			getAccessControlHandler().isAllowed(this, currentEntry, filter))
			{
			throw new DirectoryException(
			ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
			ERR_CONTROL_INSUFFICIENT_ACCESS_RIGHTS.get(oid));
			}

			try
			{
			if (!filter.matchesEntry(currentEntry))
			{
			throw new DirectoryException(ResultCode.ASSERTION_FAILED,
			ERR_MODDN_ASSERTION_FAILED.get(
			String.valueOf(entryDN)));
			ERR_MODDN_ASSERTION_FAILED.get(String
			.valueOf(entryDN)));
			}
			}
			catch (DirectoryException de)
			@@ -787,7 +803,7 @@
			TRACER.debugCaught(DebugLogLevel.ERROR, de);
			}

			throw new DirectoryException(ResultCode.PROTOCOL_ERROR,
			throw new DirectoryException(de.getResultCode(),
			ERR_MODDN_CANNOT_PROCESS_ASSERTION_FILTER.get(
			String.valueOf(entryDN),
			de.getMessageObject()));

			@@ -780,25 +780,41 @@
			LDAPAssertionRequestControl assertControl =
			getRequestControl(LDAPAssertionRequestControl.DECODER);

			SearchFilter filter;
			try
			{
			SearchFilter filter = assertControl.getSearchFilter();

			// Check if the current user has permission to make
			// this determination.
			if (!AccessControlConfigManager.getInstance().
			getAccessControlHandler().isAllowed(this, currentEntry, filter))
			filter = assertControl.getSearchFilter();
			}
			catch (DirectoryException de)
			{
			if (debugEnabled())
			{
			throw new DirectoryException(
			ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
			ERR_CONTROL_INSUFFICIENT_ACCESS_RIGHTS.get(oid));
			TRACER.debugCaught(DebugLogLevel.ERROR, de);
			}

			if (! filter.matchesEntry(currentEntry))
			throw new DirectoryException(de.getResultCode(),
			ERR_MODIFY_CANNOT_PROCESS_ASSERTION_FILTER.get(
			String.valueOf(entryDN),
			de.getMessageObject()));
			}

			// Check if the current user has permission to make
			// this determination.
			if (!AccessControlConfigManager.getInstance().
			getAccessControlHandler().isAllowed(this, currentEntry, filter))
			{
			throw new DirectoryException(
			ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
			ERR_CONTROL_INSUFFICIENT_ACCESS_RIGHTS.get(oid));
			}

			try
			{
			if (!filter.matchesEntry(currentEntry))
			{
			throw new DirectoryException(ResultCode.ASSERTION_FAILED,
			ERR_MODIFY_ASSERTION_FAILED.get(
			String.valueOf(entryDN)));
			ERR_MODIFY_ASSERTION_FAILED.get(String
			.valueOf(entryDN)));
			}
			}
			catch (DirectoryException de)
			@@ -813,7 +829,7 @@
			TRACER.debugCaught(DebugLogLevel.ERROR, de);
			}

			throw new DirectoryException(ResultCode.PROTOCOL_ERROR,
			throw new DirectoryException(de.getResultCode(),
			ERR_MODIFY_CANNOT_PROCESS_ASSERTION_FILTER.get(
			String.valueOf(entryDN),
			de.getMessageObject()));

			@@ -359,42 +359,58 @@
			LDAPAssertionRequestControl assertControl =
			getRequestControl(LDAPAssertionRequestControl.DECODER);

			SearchFilter assertionFilter;

			try
			{
			SearchFilter assertionFilter = assertControl.getSearchFilter();
			Entry entry;
			try
			assertionFilter = assertControl.getSearchFilter();
			}
			catch (DirectoryException de)
			{
			if (debugEnabled())
			{
			entry = DirectoryServer.getEntry(baseDN);
			}
			catch (DirectoryException de)
			{
			if (debugEnabled())
			{
			TRACER.debugCaught(DebugLogLevel.ERROR, de);
			}

			throw new DirectoryException(de.getResultCode(),
			ERR_SEARCH_CANNOT_GET_ENTRY_FOR_ASSERTION.get(
			de.getMessageObject()));
			TRACER.debugCaught(DebugLogLevel.ERROR, de);
			}

			if (entry == null)
			throw new DirectoryException(de.getResultCode(),
			ERR_SEARCH_CANNOT_PROCESS_ASSERTION_FILTER.get(
			de.getMessageObject()), de);
			}

			Entry entry;
			try
			{
			entry = DirectoryServer.getEntry(baseDN);
			}
			catch (DirectoryException de)
			{
			if (debugEnabled())
			{
			throw new DirectoryException(ResultCode.NO_SUCH_OBJECT,
			ERR_SEARCH_NO_SUCH_ENTRY_FOR_ASSERTION.get());
			TRACER.debugCaught(DebugLogLevel.ERROR, de);
			}

			// Check if the current user has permission to make
			// this determination.
			if (!AccessControlConfigManager.getInstance().
			getAccessControlHandler().isAllowed(this, entry, assertionFilter))
			{
			throw new DirectoryException(
			ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
			ERR_CONTROL_INSUFFICIENT_ACCESS_RIGHTS.get(oid));
			}
			throw new DirectoryException(de.getResultCode(),
			ERR_SEARCH_CANNOT_GET_ENTRY_FOR_ASSERTION.get(
			de.getMessageObject()));
			}

			if (entry == null)
			{
			throw new DirectoryException(ResultCode.NO_SUCH_OBJECT,
			ERR_SEARCH_NO_SUCH_ENTRY_FOR_ASSERTION.get());
			}

			// Check if the current user has permission to make
			// this determination.
			if (!AccessControlConfigManager.getInstance().
			getAccessControlHandler().isAllowed(this, entry, assertionFilter))
			{
			throw new DirectoryException(
			ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
			ERR_CONTROL_INSUFFICIENT_ACCESS_RIGHTS.get(oid));
			}

			try {
			if (! assertionFilter.matchesEntry(entry))
			{
			throw new DirectoryException(ResultCode.ASSERTION_FAILED,
			@@ -413,7 +429,7 @@
			TRACER.debugCaught(DebugLogLevel.ERROR, de);
			}

			throw new DirectoryException(ResultCode.PROTOCOL_ERROR,
			throw new DirectoryException(de.getResultCode(),
			ERR_SEARCH_CANNOT_PROCESS_ASSERTION_FILTER.get(
			de.getMessageObject()), de);
			}