From efc23a7e63ccaca4146ff26ee09b322b2f0d96e5 Mon Sep 17 00:00:00 2001
From: Alexander Sulfrian
Date: Fri, 11 Nov 2016 21:09:10 +0100
Subject: pre_entry: Only return gold accounts for gold services

If an authenticated gold service is searching for accounts, it should only get the gold accounts.
---
 service_passwords.c | 23 ++++++++++++++++-------
 1 file changed, 16 insertions(+), 7 deletions(-)

diff --git a/service_passwords.c b/service_passwords.c
index 3dc432c..b0ed330 100644
--- a/service_passwords.c
+++ b/service_passwords.c
@@ -614,6 +614,8 @@ static int pre_entry(Slapi_PBlock *pb)
 int is_replication;
 int is_internal;
+ int gold_service = 0;
+ int gold_account = 0;
 char *service = NULL;
 char *parent_dn = NULL;
 const char *result_dn = NULL;
@@ -652,7 +654,7 @@ static int pre_entry(Slapi_PBlock *pb)
 return 0;
 }
- if (is_service(bind_dn, &service, NULL) != 0) {
+ if (is_service(bind_dn, &service, &gold_service) != 0) {
 parent_dn = slapi_dn_parent(bind_dn);
 rc |= is_user(parent_dn, NULL);
 slapi_ch_free_string(&parent_dn);
@@ -677,13 +679,20 @@ static int pre_entry(Slapi_PBlock *pb)
 }
 /* modify the dn of the returned entry */
- if (is_user(result_dn, NULL) == 0) {
- new_entry = prepend_service_prefix(entry, service);
+ if (is_user(result_dn, &gold_account) == 0) {
+ if (gold_service != 0 && gold_account == 0) {
+ /* ignore non-gold account for gold services */
+ rc = -1;
+ goto fail1;
+ }
+ else {
+ new_entry = prepend_service_prefix(entry, service);
- /* Set the new entry as the new result in the pblock and also set the
- the REP_ENTRY_MUSTBEFREED flag, so that the entry gets free'd when
- ready. */
- slapi_pblock_set(pb, SLAPI_SEARCH_RESULT_ENTRY, new_entry);
+ /* Set the new entry as the new result in the pblock and also set the
+ the REP_ENTRY_MUSTBEFREED flag, so that the entry gets free'd when
+ ready. */
+ slapi_pblock_set(pb, SLAPI_SEARCH_RESULT_ENTRY, new_entry);
+ }
 }
 fail1:
--
cgit v1.2.3-1-g7c22
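Review bot: The restriction fails open on the service side at the `is_service(bind_dn, &service, &gold_service)` call: `gold_service` is initialised to 0 in the first hunk, so if `is_service()` can return 0 without writing its third out-parameter (its body is not visible here), a gold service is handled like an ordinary one and the filter added further down never triggers. It would help to state in the documentation of `is_service()` that the gold flag is always written on success, or to have the caller treat an undetermined flag as the restricted case. The body of `pre_entry` starts and ends outside this hunk.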
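Review bot: The new `rc = -1; goto fail1;` branch relies on a return-code contract that the code does not state: the entry is only withheld from a gold service if the code after `fail1:` (outside this hunk) returns `rc` unchanged and the server treats -1 from this callback as "do not send". A comment on the assignment, for example `/* -1: the server must not return this entry */`, would make the access-control intent auditable. Because `gold_account` starts at 0, an `is_user()` that returns 0 without writing the out-parameter causes the entry to be dropped, so this side fails closed, assuming `is_user()` behaves that way. As a style point, the `else` after `goto fail1;` is redundant, and dropping it would leave the `prepend_service_prefix` block at its original indentation.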