Functions for Access Control230 Red Hat Directory Server Plug-in Programmer’s Guide • May 2005DescriptionCall this function to determine if a user has access rights to modify the specifiedentry. The function performs this check for users who request the operation thatinvokes this plug-in.Suppose you are writing a database plug-in. You can call this function todetermine if users have the proper access rights before they can add, modify, ordelete entries from the database.As part of the process of determining if the user has access rights, theslapi_access_allowed() function does the following:• Checks if access control for the directory is disabled (for example, if thedse.ldif file contains the directive accesscontrol off).If access control is disabled, the function returns LDAP_SUCCESS.• For each value in each attribute specified in the LDAPMod array, the functiondetermines if the user has permissions to write to that value. Essentially, thefunction calls slapi_access_allowed() with SLAPI_ACL_WRITE as theaccess right to check.m If for some reason the function cannot determine which operation is beingrequested, the function returns LDAP_OPERATIONS_ERROR.m If no connection to a client exists (in other words, if the request for theoperation was made by the server or its backend), the function returnsLDAP_SUCCESS. (The server and its backend are not restricted by accesscontrol lists.)m If the backend database is read-only and the request is checking for writeaccess (SLAPI_ACL_WRITE), the function returnsLDAP_UNWILLING_TO_PERFORM.LDAP_INVALID_SYNTAX Invalid syntax was specified.This error can occur if the ACL associated withan entry, attribute, or value uses the wrongsyntax.LDAP_UNWILLING_TO_PERFORM The Directory Server is unable to perform thespecified operation.This error can occur if, for example, you arerequesting write access to a read-only database.
