From 39e0ea8a34ee4b61883acaa41b73fcf49da73d84 Mon Sep 17 00:00:00 2001
From: dugan <dugan@localhost>
Date: Wed, 01 Aug 2007 01:15:44 +0000
Subject: [PATCH] Add ACI support to control whether a "smart referral" (named subordinate references -- RFC 3296) may be returned to a client. Smart referral entries contain the referral objectclass and have one or more "ref" attributes containing LDAP URLs. The ref attribute type has usage distributedOperation, so the operational shorthand '+' character can be used to match it:
---
opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java | 49 ++++++++++++++++++++++++++++++++++++++-----------
1 files changed, 38 insertions(+), 11 deletions(-)
diff --git a/opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java b/opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java
index 77c3ba1..fa824cd 100644
--- a/opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java
+++ b/opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java
@@ -97,6 +97,12 @@
*/
static AttributeType debugSearchIndex;
+ /**
+ * Attribute type corresponding to the "ref" attribute type. Used in the
+ * search reference access check.
+ */
+ static AttributeType refAttrType;
+
/*
* DN corresponding to "debugsearchindex" attribute type.
*/
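Review bot: `refAttrType` is declared as a package-private, non-final static, so any class in the dseecompat package could reassign the attribute type that the referral access check in `maySend` depends on. Within this patch it is only written and read inside AciHandler, so `private static AttributeType refAttrType;` looks sufficient unless other classes not visible here need it. The initialisation in the second hunk also falls back silently to `getDefaultAttributeType(ATTR_REFERRAL_URL)` when the schema has no "ref" definition. A one-line comment there, saying the access check then runs against a default type rather than the schema's, would help whoever debugs an ACI that names `ref`.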
@@ -149,6 +155,14 @@
DirectoryServer.
getDefaultAttributeType(EntryContainer.ATTR_DEBUG_SEARCH_INDEX);
}
+
+ if((refAttrType =
+ DirectoryServer.
+ getAttributeType(ATTR_REFERRAL_URL)) == null) {
+ refAttrType =
+ DirectoryServer.
+ getDefaultAttributeType(ATTR_REFERRAL_URL);
+ }
try {
debugSearchIndexDN=DN.decode("cn=debugsearch");
} catch (DirectoryException ex) {
@@ -1232,26 +1246,39 @@
new AciLDAPOperationContainer(operation, e, (ACI_READ | ACI_EXT_OP));
ret=accessAllowed(operationContainer);
}
- if(operation.getRequestOID().equals(OID_PROXIED_AUTH_V2) ||
- operation.getRequestOID().equals(OID_PROXIED_AUTH_V1))
- operation.
- setAttachment(ORIG_AUTH_ENTRY, operation.getAuthorizationEntry());
return ret;
}
- //Not planned to be implemented methods.
-
- /**
+ /**
* {@inheritDoc}
*/
@Override
- public boolean maySend(SearchOperation operation,
- SearchResultReference reference) {
- //TODO: Deferred.
- return true;
+ public boolean maySend(DN dn, SearchOperation operation,
+ SearchResultReference reference) {
+ boolean ret;
+ if(!(ret=skipAccessCheck(operation))) {
+ Entry e = new Entry(dn, null, null, null);
+ LinkedHashSet<AttributeValue> vals = new LinkedHashSet<AttributeValue>();
+ List<String> URLStrings=reference.getReferralURLs();
+ //Load the values, a bind rule might want to evaluate them.
+ for(String URLString : URLStrings) {
+ vals.add(new AttributeValue(refAttrType, URLString));
+ }
+ Attribute attr =
+ new Attribute(refAttrType, ATTR_REFERRAL_URL, vals);
+ e.addAttribute(attr,null);
+ SearchResultEntry se=new SearchResultEntry(e);
+ AciLDAPOperationContainer operationContainer =
+ new AciLDAPOperationContainer(operation,
+ (ACI_READ), se);
+ operationContainer.setCurrentAttributeType(refAttrType);
+ ret=accessAllowed(operationContainer);
+ }
+ return ret;
}
+
/**
* {@inheritDoc}
*/
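Review bot: The entry that `maySend` builds for evaluation, `new Entry(dn, null, null, null)`, carries only the `ref` values and no object classes, although the commit message describes smart referrals as entries with the referral objectclass. If ACI evaluation applies targetfilter or filter-based bind rules to this entry (that code is outside the hunk), a deny scoped with `(objectclass=referral)` would presumably not match, and a broader allow could still release the referral URLs. Either add the referral objectclass to the synthetic entry or state the limit next to the constructor call, e.g. `// Synthetic entry: only the "ref" values are present, so filter-based rules cannot match anything else.` The method also changes from always returning true to returning the result of `accessAllowed`, so referrals appear to need an explicit read grant on `ref` from now on; that deserves a sentence in the Javadoc beyond `{@inheritDoc}`.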
--
Gitblit v1.10.0