From: Pierangelo Masarati
Date: Fri, 24 Nov 2006 13:02:11 +0000 (+0000)
Subject: fix ITS#4760 differently
X-Git-Tag: OPENLDAP_REL_ENG_2_3_31~36
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e778611dd28e57c0c72ad81d7317cefc86af1e01;p=thirdparty%2Fopenldap.git

fix ITS#4760 differently
---
diff --git a/servers/slapd/controls.c b/servers/slapd/controls.c
index 2c955eedeb..56b32d3df2 100644
--- a/servers/slapd/controls.c
+++ b/servers/slapd/controls.c
@@ -919,14 +919,6 @@ static int parseProxyAuthz (
 op->o_ndn = dn;
 ber_dupbv( &op->o_dn, &dn );
- /*
- * since the authzid has changed, we need to delete
- * cached groups (ITS#4760)
- */
- if ( op->o_groups ) {
- slap_op_groups_free( op );
- }
-
 Statslog( LDAP_DEBUG_STATS, "%s PROXYAUTHZ dn=\"%s\"\n",
 op->o_log_prefix, dn.bv_val, 0, 0, 0 );
diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c
index 7b8a606f66..dcf0c0c9ef 100644
--- a/servers/slapd/saslauthz.c
+++ b/servers/slapd/saslauthz.c
@@ -1872,14 +1872,18 @@ slap_sasl_check_authz( Operation *op,
 AttributeDescription *ad,
 struct berval *authc )
 {
- int rc;
- BerVarray vals = NULL;
+ int rc,
+ do_not_cache = op->o_do_not_cache;
+ BerVarray vals = NULL;
 Debug( LDAP_DEBUG_TRACE,
 "==>slap_sasl_check_authz: does %s match %s rule in %s?\n",
 assertDN->bv_val, ad->ad_cname.bv_val, searchDN->bv_val);
+ /* ITS#4760: don't cache group access */
+ op->o_do_not_cache = 1;
 rc = backend_attribute( op, NULL, searchDN, ad, &vals, ACL_AUTH );
+ op->o_do_not_cache = do_not_cache;
 if( rc != LDAP_SUCCESS ) goto COMPLETE;
 /* Check if the *assertDN matches any *vals */
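Review bot: The no-cache window in slap_sasl_check_authz closes right after backend_attribute(), before the step announced by the trailing comment `/* Check if the *assertDN matches any *vals */`, which lies outside this hunk. If that matching step can also resolve group membership, its results would presumably be cached on the operation again, and the flush that parseProxyAuthz used to perform is removed by the first hunk of this commit, so nothing would discard them once the authzid changes. Consider restoring the flag at the COMPLETE label instead, or confirm that only backend_attribute() can populate the group cache here. The comment would also be clearer if it stated the reason, e.g. `/* ITS#4760: the authzid may change after this check, so groups looked up here must not be cached on op */`. The function body starts and ends outside the hunk.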