authorAlexander Sulfrian <alexander@sulfrian.net>2016-11-11 21:09:10 +0100
committerAlexander Sulfrian <alexander@sulfrian.net>2016-11-11 21:53:38 +0100
commitefc23a7e63ccaca4146ff26ee09b322b2f0d96e5 (patch)
tree5b6fbcf6b63f38132d2685611cb914b929741bf3 /service_passwords.c
parent2821de999191f94b0fa95899e762aaf82ed53514 (diff)
pre_entry: Only return gold accounts for gold services
If an authenticated gold service is searching for accounts, it should only get the gold accounts.
Diffstat (limited to 'service_passwords.c')
-rw-r--r--service_passwords.c23
1 files changed, 16 insertions, 7 deletions
diff --git a/service_passwords.c b/service_passwords.c
index 3dc432c..b0ed330 100644
--- a/service_passwords.c
+++ b/service_passwords.c
@@ -614,6 +614,8 @@ static int pre_entry(Slapi_PBlock *pb)
int is_replication;
int is_internal;
+ int gold_service = 0;
+ int gold_account = 0;
char *service = NULL;
char *parent_dn = NULL;
const char *result_dn = NULL;
@@ -652,7 +654,7 @@ static int pre_entry(Slapi_PBlock *pb)
return 0;
}
- if (is_service(bind_dn, &service, NULL) != 0) {
+ if (is_service(bind_dn, &service, &gold_service) != 0) {
parent_dn = slapi_dn_parent(bind_dn);
rc |= is_user(parent_dn, NULL);
slapi_ch_free_string(&parent_dn);
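Review bot: The filtering decision made later in pre_entry now depends on what is_service() writes through its third argument, and that contract is not documented at this call. `gold_service` starts at 0, so the check stays off unless is_service() sets it, but the hunk does not show whether it can be written on a path that returns non-zero. Assuming the flag is only meaningful on success, I would add a comment above the call such as `/* gold_service is only valid when is_service() returns 0; it stays 0 for non-service binds */`, and confirm is_service() never leaves it set on failure. The body of pre_entry continues outside this hunk.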
@@ -677,13 +679,20 @@ static int pre_entry(Slapi_PBlock *pb)
}
/* modify the dn of the returned entry */
- if (is_user(result_dn, NULL) == 0) {
- new_entry = prepend_service_prefix(entry, service);
+ if (is_user(result_dn, &gold_account) == 0) {
+ if (gold_service != 0 && gold_account == 0) {
+ /* ignore non-gold account for gold services */
+ rc = -1;
+ goto fail1;
+ }
+ else {
+ new_entry = prepend_service_prefix(entry, service);
- /* Set the new entry as the new result in the pblock and also set the
- the REP_ENTRY_MUSTBEFREED flag, so that the entry gets free'd when
- ready. */
- slapi_pblock_set(pb, SLAPI_SEARCH_RESULT_ENTRY, new_entry);
+ /* Set the new entry as the new result in the pblock and also set the
+ the REP_ENTRY_MUSTBEFREED flag, so that the entry gets free'd when
+ ready. */
+ slapi_pblock_set(pb, SLAPI_SEARCH_RESULT_ENTRY, new_entry);
+ }
}
fail1:
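Review bot: The new `rc = -1; goto fail1;` path drops an entry by reusing the function's error exit, and nothing in the hunk states how the server treats a non-zero return from a pre-entry callback. If it means "skip this entry", say so in the comment, for example `/* non-zero from pre_entry makes the server skip this entry; the search itself continues */`; if it can abort the whole search, a gold service would get truncated results instead of filtered ones. The gold check also sits only inside the `is_user(result_dn, &gold_account) == 0` branch, so an entry for which is_user() returns non-zero is still sent to a gold service unmodified; please confirm that is intended. As a style point, the `else` after `goto fail1;` is redundant, and dropping it would leave the existing `prepend_service_prefix` / `slapi_pblock_set` lines at their original indentation. The code after `fail1:` is outside the hunk, so I cannot see what cleanup runs on this path.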