Hm, that patch was obviously wrong. Even though it resulted in working value-dependent ACLs, it completely broke ACL caching. This patch should work better:
-------------------------------------------------------------------
--- a/servers/slapd/slap.h
+++ b/servers/slapd/slap.h
@@ -1557,6 +1557,7 @@ typedef struct AccessControlState {
/* Value dependent acl where processing can restart */
 AccessControl *as_vd_acl;
+ int as_vd_acl_present;
 int as_vd_acl_count;
 slap_mask_t as_vd_mask;
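Review bot: The new `as_vd_acl_present` field has no comment, and the existing comment above `as_vd_acl` no longer says when the pointer is meaningful. The rest of the patch replaces every `as_vd_acl == NULL` test with this flag, which suggests a recorded restart point can itself be NULL (presumably `prev` in slap_acl_get when the first matching ACL is value-dependent). I would document that on the field, e.g. `/* Nonzero once a restart point is recorded; as_vd_acl may be NULL then */`, so later code does not go back to testing the pointer. The struct begins and ends outside this hunk.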
@@ -1567,7 +1568,7 @@ typedef struct AccessControlState {
 /* True if started to process frontend ACLs */
 int as_fe_done;
 } AccessControlState;
-#define ACL_STATE_INIT { NULL, ACL_NONE, NULL, 0, ACL_PRIV_NONE, -1, 0 }
+#define ACL_STATE_INIT { NULL, ACL_NONE, NULL, 0, 0, ACL_PRIV_NONE, -1, 0 }
typedef struct AclRegexMatches {
 int dn_count;
--- a/servers/slapd/acl.c
+++ b/servers/slapd/acl.c
@@ -220,7 +220,7 @@ slap_access_allowed(
 state = &acl_state;
 if ( state->as_desc == desc &&
 state->as_access == access &&
- state->as_vd_acl != NULL )
+ state->as_vd_acl_present )
 {
 a = state->as_vd_acl;
 count = state->as_vd_acl_count;
@@ -405,7 +405,7 @@ access_allowed_mask(
 if ( state->as_desc == desc &&
 state->as_access == access &&
 state->as_result != -1 &&
- state->as_vd_acl == NULL )
+ !state->as_vd_acl_present )
 {
 Debug( LDAP_DEBUG_ACL,
 "=> access_allowed: result was in cache (%s)\n",
@@ -615,7 +615,8 @@ slap_acl_get(
 continue;
 }
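Review bot: `ACL_STATE_INIT` is a positional initializer, so inserting `as_vd_acl_present` in the middle of the struct silently shifts the values of any AccessControlState that is initialised with a hand-written brace list instead of this macro. Such a list would still compile, and with the old seven values it would presumably leave `as_result` at 0 rather than -1, which the `as_result != -1` test in access_allowed_mask reads as a cached result. It is worth searching for initialisers and resets that bypass the macro. A comment above the macro naming the fields in order, e.g. `/* as_desc, as_access, as_vd_acl, as_vd_acl_present, as_vd_acl_count, as_vd_mask, as_result, as_fe_done */`, would make the next insertion safer; that order is partly inferred, since the struct is only partly visible here.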
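Review bot: Nothing visible in this patch ever clears `as_vd_acl_present`; the hunks at -615 and -714 only set it to 1. If the else branch of this test in slap_access_allowed (outside the hunk) resets the state field by field rather than from `ACL_STATE_INIT`, it needs `state->as_vd_acl_present = 0;` as well. Otherwise the flag would stay set across a change of `desc` or `access`, slap_acl_get would never record a new restart point, and a later lookup could resume from an ACL recorded for a different attribute while the cache test at -405 never hits. Since this decides access, the reset path deserves an explicit check and a regression test that evaluates two attributes in turn with the same state.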
- if ( state->as_vd_acl == NULL ) {
+ if ( !state->as_vd_acl_present ) {
+ state->as_vd_acl_present = 1;
 state->as_vd_acl = prev;
 state->as_vd_acl_count = *count - 1;
 ACL_PRIV_ASSIGN ( state->as_vd_mask, *mask );
@@ -714,7 +715,8 @@ slap_acl_get(
 * Record value-dependent access control state
 */
 #define ACL_RECORD_VALUE_STATE do { \
- if( state && state->as_vd_acl == NULL ) { \
+ if( state && !state->as_vd_acl_present ) { \
+ state->as_vd_acl_present = 1; \
 state->as_vd_acl = a; \
 state->as_vd_acl_count = count; \
 ACL_PRIV_ASSIGN( state->as_vd_mask, *mask ); \
-------------------------------------------------------------------
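Review bot: The record sequence (test the flag, set it, store ACL, count and mask) is now written twice in slap_acl_get: in the block at -615 and in the `ACL_RECORD_VALUE_STATE` macro at -714. The two differ only in `prev`/`*count - 1` versus `a`/`count`, and the -615 copy dereferences `state` without the `state &&` guard the macro has. Whether `state` can be NULL at -615 is not visible from the hunk, so either add the guard there or note in a comment why it is not needed. A short comment at the -615 site such as `/* prev may be NULL: restart from the head of the list */` (if that is indeed the case) would also record why the pointer can no longer serve as the "recorded" marker. Both blocks continue outside their hunks.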
Comments welcome.
Ralf