Netscape Directory Server Programmer's Guide: Function Reference

Complete Contents
Getting Started
Chapter 1 Understanding Server Plug-Ins
Chapter 2 Writing and Compiling Plug-Ins
Chapter 3 Calling the Front-End API Functions
Chapter 4 Quick Start
Chapter 5 Writing Database Plug-Ins
Chapter 6 Writing Pre/Post-Operation Plug-Ins
Chapter 7 Defining Functions for LDAP Operations
Chapter 8 Defining Functions for Database Operations
Chapter 9 Defining Functions for Authentication
Chapter 10 Writing Entry Store/Fetch Plug-Ins
Chapter 11 Writing Extended Operation Plug-Ins
Chapter 12 Writing Matching Rule Plug-Ins
Chapter 13 Data Type and Structure Reference
Chapter 14 Function Reference
Chapter 15 Parameter Reference
Glossary

slapi_acl_check_mods()

Determines if a user has the rights to perform the specified modifications on an entry.

#include "slapi-plugin.h"
int slapi_acl_check_mods( Slapi_PBlock *pb, Slapi_Entry *e,
LDAPMod **mods, char **errbuf );

The function has the following parameters:
pb
Parameter block passed into this function.

e
Entry that you want to check the access for.

mods
Array of LDAPMod structures, representing the modifications to be made to the entry.

errbuf
Pointer to a string containing an error message, if an error occurs when the function executes.

One of the following values:

LDAP_SUCCESS, if the user has write permission to the values in the specified attributes.

LDAP_INSUFFICIENT_ACCESS, if the user does not have write permission to the values of the specified attribute.

One of the following error codes, if a problem occurs:


LDAP_OPERATIONS_ERROR	An error occured while executing the operation.
LDAP_INVALID_SYNTAX	Invalid syntax was specified. This error can occur if the ACLassociated with an entry, attribute, or value uses the wrong syntax.
LDAP_UNWILLING_TO_PERFORM	The DSA (this directory server) is unable to perform the specified operation. This error can occur if, for example, you are requesting write access to a read-only database.

Description

Call slapi_acl_check_mods() to determine if a user has access rights to modify the specified entry. The function performs this check for users who request the operation that invokes this plug-in.

For example, suppose you are writing a database plug-in. You can call this function to determine if users have the proper access rights before they can add, modify, or delete entries from the database.

As part of the process of determining if the user has access rights, the slapi_access_allowed() function does the following:

Checks to access control for the directory is disabled (for example, if the slapd.conf file contains the directive accesscontrol off).

If access control is disabled, the function returns LDAP_SUCCESS.

For each value in each attribute specified in the LDAPMod array, the function determines if the user has permissions to write to that value. (Essentially, the function calls slapi_access_allowed() with SLAPI_ACL_WRITE as the access right to check.)

If (for some reason) the function cannot determine which operation is being requested, the function returns LDAP_OPERATIONS_ERROR.

If no connection to a client exists (in other words, if the request for the operation was made by the server or its back-end), the function returns LDAP_SUCCESS. (The server and its back-end are not restricted by access control lists.)

If the back-end database is read-only and the request is checking for write access (SLAPI_ACL_WRITE), the function returns LDAP_UNWILLING_TO_PERFORM.

© Copyright 1998 Netscape Communications Corporation