16.2. slapi_acl_check_mods()
Call this function to determine if a user has access rights to modify the specified entry. The function performs this check for users who request the operation that invokes this plug-in.
- Checks if access control for the directory is disabled (for example, if the dse.ldif file contains the directive access control off). If access control is disabled, the function returns LDAP_SUCCESS.
- For each value in each attribute specified in the LDAPMod array, the function determines if the user has permissions to write to that value. Essentially, the function calls slapi_acl_check_mods() with SLAPI_ACL_WRITE as the access right to check.
  - If for some reason the function cannot determine which operation is being requested, the function returns LDAP_OPERATIONS_ERROR.
  - If no connection to a client exists (in other words, if the request for the operation was made by the server or its backend), the function returns LDAP_SUCCESS. (The server and its backend are not restricted by access control lists.)
  - If the backend database is read-only and the request is checking for write access (SLAPI_ACL_WRITE), the function returns LDAP_UNWILLING_TO_PERFORM.
```c
#include "slapi-plugin.h"
int slapi_acl_check_mods( Slapi_PBlock *pb, Slapi_Entry *e,
    LDAPMod **mods, char **errbuf );
```
This function takes the following parameters:
| pb | Parameter block passed into this function. |
| e | Entry for which you want to check the access rights. |
| mods | Array of LDAPMod structures that represent the modifications to be made to the entry. |
| errbuf | Pointer to a string containing an error message if an error occurs during the processing of this function. |
This function returns one of the following values:
- LDAP_SUCCESS if the user has write permission to the values in the specified attributes.
- LDAP_INSUFFICIENT_ACCESS if the user does not have write permission to the values of the specified attribute.
- If a problem occurs during processing, the function will return one of the following error codes:

| LDAP_OPERATIONS_ERROR | An error occurred while executing the operation. |
| LDAP_INVALID_SYNTAX | Invalid syntax was specified. This error can occur if the ACL associated with an entry, attribute, or value uses the wrong syntax. |
| LDAP_UNWILLING_TO_PERFORM | The Directory Server is unable to perform the specified operation. This error can occur if, for example, you are requesting write access to a read-only database. |
You must free the errbuf buffer by calling slapi_ch_free() when you are finished using the error message.
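The following is an added example, not code from the Red Hat documentation, of a caller that treats every result other than LDAP_SUCCESS as a denial and releases errbuf as required above. The helper name mods_permitted and the sim_* variables are hypothetical, and the stand-in section (including a simulated slapi_acl_check_mods()) exists only so the code builds without the server headers.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* --- Constructed stand-ins so this builds without the server headers. ---
 * In a real plug-in, delete this section and #include "slapi-plugin.h". */
typedef struct slapi_pblock Slapi_PBlock;
typedef struct slapi_entry Slapi_Entry;
typedef struct ldapmod LDAPMod;
#define LDAP_SUCCESS 0
#define LDAP_INSUFFICIENT_ACCESS 50
static int sim_rc;            /* result the simulated check will return */
static const char *sim_msg;   /* message it will place in errbuf, if any */
static int sim_frees;         /* counts buffers released via slapi_ch_free() */
static void slapi_ch_free(void **p) { if (p && *p) { free(*p); *p = NULL; sim_frees++; } }
static int slapi_acl_check_mods(Slapi_PBlock *pb, Slapi_Entry *e,
                                LDAPMod **mods, char **errbuf)
{
    (void)pb; (void)e; (void)mods;
    if (sim_msg != NULL) {
        *errbuf = malloc(strlen(sim_msg) + 1);
        if (*errbuf != NULL) strcpy(*errbuf, sim_msg);
    }
    return sim_rc;
}
/* --- End of stand-ins. --- */

/* Hypothetical helper: returns 1 only if every value in mods may be written;
 * any other result, including processing errors, counts as a denial. */
int mods_permitted(Slapi_PBlock *pb, Slapi_Entry *e, LDAPMod **mods, int *ldap_rc)
{
    char *errbuf = NULL;   /* start NULL so only a buffer that was set is freed */
    int rc = slapi_acl_check_mods(pb, e, mods, &errbuf);
    if (errbuf != NULL) {
        /* stderr stands in for the plug-in's own logging (assumption). */
        fprintf(stderr, "acl check failed (rc=%d): %s\n", rc, errbuf);
        slapi_ch_free((void **)&errbuf);   /* the caller owns errbuf */
    }
    *ldap_rc = rc;         /* result code to report for the operation */
    return rc == LDAP_SUCCESS;
}

int main(void)
{
    int rc;
    sim_rc = LDAP_INSUFFICIENT_ACCESS; sim_msg = "constructed sample: write denied";
    printf("permitted=%d rc=%d\n", mods_permitted(NULL, NULL, NULL, &rc), rc);
    return 0;
}
```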
