Sun Java System Directory Server Enterprise Edition 6.0 Developer's Guide

slapi_access_allowed()

Determines if the user requesting the current operation has the access rights to perform an operation on a given entry, attribute, or value.

Syntax

#include "slapi-plugin.h"
int slapi_access_allowed( Slapi_PBlock *pb, Slapi_Entry *e,
     char *attr, struct berval *val, int access );

Parameters

This function takes the following parameters:

pb

Parameter block passed into this function.

e

Entry for which you want to check the access rights.

attr

Attribute for which you want to check the access rights.

val

Pointer to the berval structure containing the value for which you want to check the access rights.

access

Type of access rights that you want to check. For example, to check for write access, pass SLAPI_ACL_WRITE as the value of this argument.

The value of the access argument can be one of the following:

SLAPI_ACL_ADD

Permission to add a specified entry.

SLAPI_ACL_COMPARE

Permission to compare the specified values of an attribute in an entry.

SLAPI_ACL_DELETE

Permission to delete a specified entry.

SLAPI_ACL_READ

Permission to read a specified attribute.

SLAPI_ACL_SEARCH

Permission to search on a specified attribute or value.

SLAPI_ACL_WRITE

Permission to write a specified attribute or value or permission to rename a specified entry.

Returns

This function returns one of the following values:

LDAP_OPERATIONS_ERROR

An error occurred while executing the operation.

This error can occur if, for example, the type of access rights specified are not recognized by the server. In other words, you did not pass a value from the previous table.

LDAP_INVALID_SYNTAX

Invalid syntax was specified.

This error can occur if the ACL associated with an entry, attribute, or value uses the wrong syntax.

LDAP_UNWILLING_TO_PERFORM

The DSA (this Directory Server instance) is unable to perform the specified operation.

This error can occur if, for example, you are requesting write access to a read-only database.

Description

Call this function to determine if a user has access rights to a specified entry, attribute, or value. The function performs this check for users who request the operation that invokes this plug-in.

For example, suppose you are writing a preoperation plug-in for the add operation. You can call this function to determine if users have the proper access rights before they can add an entry to the directory.

As part of the process of determining if the user has access rights, this function does the following: