Chapter 16. Functions for Access Control

This chapter contains reference information on access control routines.

Table 16.1. Access Control Routines

Function Description
slapi_access_allowed() Determines if the user who is requesting the current operation has the access rights to perform an operation on a given entry, attribute, or value.
slapi_acl_check_mods() Determines if a user has the rights to perform the specified modifications on an entry.
slapi_acl_verify_aci_syntax() Determines whether the access control items (ACIs) on an entry are valid.

16.1. slapi_access_allowed()

Description

Call this function to determine if a user has access rights to a specified entry, attribute, or value. The function performs this check for users who request the operation that invokes this plug-in.

For example, suppose you are writing a pre-operation plug-in for the add operation. You can call this function to determine if users have the proper access rights before they can add an entry to the directory.
As part of the process of determining if the user has access rights, the function does the following:
  • Checks to see if the user requesting the operation is the root DN. If so, the function returns LDAP_SUCCESS. (The root DN has permission to perform any operation.)
  • Gets information about the operation being requested, the connection to the client, and the backend database where directory information is stored.
    • If for some reason the function cannot determine which operation is being requested, the function returns LDAP_OPERATIONS_ERROR.
    • If no connection to a client exists (in other words, if the request for the operation was made by the server or its backend), the function returns LDAP_SUCCESS. (The server and its backend are not restricted by access control lists.)
    • If the backend database is read-only and the request is checking for write access (SLAPI_ACL_WRITE), the function returns LDAP_UNWILLING_TO_PERFORM.
  • Determines if the user requesting the operation is attempting to modify his or her own entry. ACLs can be set up to allow users the rights to modify their own entries; the slapi_access_allowed() function checks for this condition.
The caller must set the backend in the parameter block (SLAPI_BACKEND) before calling this function. For example:

    /* Select the backend that holds the entry and store it in the pblock. */
    be = slapi_be_select( slapi_entry_get_sdn_const( seObjectEntry ));
    if ( NULL == be ) {
        cleanup("backend selection failed for entry: \"%s\"\n",
                szObjectDN);
        slapi_send_ldap_result( pb, LDAP_NO_SUCH_OBJECT, NULL,
                " Object could not be found", 0, NULL );
        return( SLAPI_PLUGIN_EXTENDED_SENT_RESULT );
    }
    slapi_pblock_set( pb, SLAPI_BACKEND, be );
    /* Check whether the requester may delete the entry; nAccessResult
     * receives LDAP_SUCCESS, LDAP_INSUFFICIENT_ACCESS or an error code. */
    nAccessResult = slapi_access_allowed( pb, seObjectEntry, "*", bval,
                                          SLAPI_ACL_DELETE );
Determines if a user (who is requesting the current operation) has the access rights to perform an operation on a given entry, attribute, or value.
Syntax

    #include "slapi-plugin.h"
    int slapi_access_allowed( Slapi_PBlock *pb, Slapi_Entry *e, char *attr,
                              struct berval *val, int access );
Parameters

This function takes the following parameters:

pb Parameter block passed into this function.
e Entry for which you want to check the access rights.
attr Attribute for which you want to check the access rights.
val Pointer to the berval structure containing the value for which you want to check the access rights.
access Type of access rights for which you want to check; for example, to check for write access, pass SLAPI_ACL_WRITE as the value of this argument.
The value of the access argument can be one of the following:
SLAPI_ACL_ADD Permission to add a specified entry.
SLAPI_ACL_COMPARE Permission to compare the specified values of an attribute in an entry.
SLAPI_ACL_DELETE Permission to delete a specified entry.
SLAPI_ACL_READ Permission to read a specified attribute.
SLAPI_ACL_SEARCH Permission to search on a specified attribute or value.
SLAPI_ACL_WRITE Permission to write a specified attribute or value or permission to rename a specified entry.
Returns

This function returns one of the following values:

  • LDAP_SUCCESS if the user has the specified rights to the entry, attribute, or value.
  • LDAP_INSUFFICIENT_ACCESS if the user does not have the specified rights to the entry, attribute, or value.
If a problem occurs during processing, the function will return one of the following error codes:
LDAP_OPERATIONS_ERROR An error occurred while executing the operation. This error can occur if, for example, the type of access rights you specified is not recognized by the server (in other words, you did not pass one of the SLAPI_ACL_* values listed above).
LDAP_INVALID_SYNTAX Invalid syntax was specified. This error can occur if the ACL associated with an entry, attribute, or value uses the wrong syntax.
LDAP_UNWILLING_TO_PERFORM The Directory Server is unable to perform the specified operation. This error can occur if, for example, you are requesting write access to a read-only database.
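The decision sequence described under Description and the return codes listed above, as an added C model for this page (not Directory Server source and not the slapi_access_allowed() implementation): it applies the documented checks in the listed order to a constructed request, entry and grant list, so the ordering consequences can be tested, for instance that the root DN receives LDAP_SUCCESS even on a read-only backend, while an ordinary user asking for write access there receives LDAP_UNWILLING_TO_PERFORM before any ACL is consulted. The SLAPI_ACL_* bit values, the grant structure, the simplified DN comparison and the position of the unrecognised-rights check are assumptions of this example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
/* LDAP result codes named on this page, with their standard numeric values. */
#define LDAP_SUCCESS              0
#define LDAP_OPERATIONS_ERROR     1
#define LDAP_INSUFFICIENT_ACCESS  50
#define LDAP_UNWILLING_TO_PERFORM 53
/* Constructed bit values standing in for the real SLAPI_ACL_* constants. */
enum { SLAPI_ACL_ADD = 1, SLAPI_ACL_COMPARE = 2, SLAPI_ACL_DELETE = 4,
       SLAPI_ACL_READ = 8, SLAPI_ACL_SEARCH = 16, SLAPI_ACL_WRITE = 32 };
#define SLAPI_ACL_ALL 63
/* Constructed ACL model: a grant names a subject DN (or "self") and a rights mask. */
typedef struct { const char *subject; int rights; } acl_grant;
typedef struct { const char *dn; const acl_grant *grants; size_t ngrants; } model_entry;
/* Constructed stand-in for what the real function reads from the pblock, the connection and the backend. */
typedef struct {
    const char *bind_dn;      /* NULL: no client connection (server-internal request) */
    bool is_root_dn;
    bool operation_known;     /* false: the requested operation cannot be determined */
    bool backend_read_only;   /* the SLAPI_BACKEND set by the caller is read-only */
} model_request;

/* Case-insensitive DN comparison; real DN normalisation is more involved. */
static bool dn_equal(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return false;
    return *a == *b;
}

/* Applies the documented checks in the order the page lists them. */
int model_access_allowed(const model_request *req, const model_entry *e, int access)
{
    if (access == 0 || (access & ~SLAPI_ACL_ALL)) return LDAP_OPERATIONS_ERROR; /* unknown rights */
    if (req->is_root_dn) return LDAP_SUCCESS;           /* root DN is never restricted by ACLs */
    if (!req->operation_known) return LDAP_OPERATIONS_ERROR;
    if (req->bind_dn == NULL) return LDAP_SUCCESS;      /* server and backend requests are exempt */
    if (req->backend_read_only && (access & SLAPI_ACL_WRITE)) return LDAP_UNWILLING_TO_PERFORM;
    for (size_t i = 0; i < e->ngrants; i++) {           /* ACL evaluation, including "self" */
        const acl_grant *g = &e->grants[i];
        bool subject_ok = strcmp(g->subject, "self") == 0 ? dn_equal(req->bind_dn, e->dn)
                                                          : dn_equal(req->bind_dn, g->subject);
        if (subject_ok && (g->rights & access) == access) return LDAP_SUCCESS;
    }
    return LDAP_INSUFFICIENT_ACCESS;
}
```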