From: Pierangelo Masarati Date: Fri, 24 Nov 2006 11:46:21 +0000 (+0000) Subject: import fix to ITS#4760 X-Git-Tag: OPENLDAP_REL_ENG_2_3_31~37 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f7f50d4d8f8b45ee96c4b8768795d4237ef94371;p=thirdparty%2Fopenldap.git import fix to ITS#4760
---
diff --git a/CHANGES b/CHANGES
index 1b674a5271..5713271d9c 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,7 @@
 OpenLDAP 2.3 Change Log OpenLDAP 2.3.31 Engineering
+ Fixed slapd group ACL caching when proxyAuthz'ing (ITS#4760)
 Fixed slapd "group" authz default member parsing (ITS#4761) Documentation Fixed typo in slapo-retcode(5) man page (ITS#4753)
diff --git a/servers/slapd/controls.c b/servers/slapd/controls.c
index f4c3eaedc8..2c955eedeb 100644
--- a/servers/slapd/controls.c
+++ b/servers/slapd/controls.c
@@ -919,6 +919,13 @@ static int parseProxyAuthz (
 op->o_ndn = dn;
 ber_dupbv( &op->o_dn, &dn );
+ /*
+ * since the authzid has changed, we need to delete
+ * cached groups (ITS#4760)
+ */
+ if ( op->o_groups ) {
+ slap_op_groups_free( op );
+ }
 Statslog( LDAP_DEBUG_STATS, "%s PROXYAUTHZ dn=\"%s\"\n", op->o_log_prefix, dn.bv_val, 0, 0, 0 );
diff --git a/servers/slapd/operation.c b/servers/slapd/operation.c
index b62942d2d2..f49c60e87d 100644
--- a/servers/slapd/operation.c
+++ b/servers/slapd/operation.c
@@ -60,6 +60,17 @@ void slap_op_destroy(void)
 ldap_pvt_thread_mutex_destroy( &slap_op_mutex );
 }
+void
+slap_op_groups_free( Operation *op )
+{
+ GroupAssertion *g, *n;
+ for ( g = op->o_groups; g; g = n ) {
+ n = g->ga_next;
+ slap_sl_free( g, op->o_tmpmemctx );
+ }
+ op->o_groups = NULL;
+}
+
 void
 slap_op_free( Operation *op )
 {
@@ -87,13 +98,8 @@ slap_op_free( Operation *op )
 }
 #endif
- {
- GroupAssertion *g, *n;
- for ( g = op->o_groups; g; g = n ) {
- n = g->ga_next;
- slap_sl_free( g, op->o_tmpmemctx );
- }
- op->o_groups = NULL;
+ if ( op->o_groups ) {
+ slap_op_groups_free( op );
 }
 #if defined( LDAP_SLAPI )
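Review bot: The comment added in parseProxyAuthz says the cached groups are deleted because the authzid changed, but not what goes wrong if they are kept. Judging from the CHANGES entry, the entries in `op->o_groups` hold group-ACL results evaluated for the previous `op->o_ndn`, and reusing them would decide access for the proxied identity with the original identity's memberships. I would spell that out, e.g. `/* o_groups caches group membership results for the old o_ndn; drop them so ACLs are re-evaluated for the asserted identity (ITS#4760) */`. The flush is also tied to this one assignment, so any other code that rewrites `op->o_ndn` mid-operation would need the same call; none is visible in this diff, so that is worth a grep rather than a claim. The function starts and ends outside the hunk.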
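Review bot: slap_op_groups_free is added as an exported function with no header comment, and its contract matters now that it is called from outside operation.c. It frees every GroupAssertion with `op->o_tmpmemctx` and resets `op->o_groups` to NULL, and the loop already does nothing on an empty list, so the `if ( op->o_groups )` guards in parseProxyAuthz and in the slap_op_free hunk that follows are redundant. Suggested comment above the definition: `/* Free the operation's cached group membership results and reset o_groups; safe on an empty list. Call whenever the identity the cache was built for (o_ndn) changes. */`. The entries are presumably allocated from the same `o_tmpmemctx`; the allocation site is not part of this diff, so that is worth confirming for the new call site.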
diff --git a/servers/slapd/proto-slap.h b/servers/slapd/proto-slap.h
index 41620b4c24..c15fb9d552 100644
--- a/servers/slapd/proto-slap.h
+++ b/servers/slapd/proto-slap.h
@@ -1232,6 +1232,7 @@ LDAP_SLAPD_F (int) parse_oidm LDAP_P((
 */
 LDAP_SLAPD_F (void) slap_op_init LDAP_P(( void ));
 LDAP_SLAPD_F (void) slap_op_destroy LDAP_P(( void ));
+LDAP_SLAPD_F (void) slap_op_groups_free LDAP_P(( Operation *op ));
 LDAP_SLAPD_F (void) slap_op_free LDAP_P(( Operation *op ));
 LDAP_SLAPD_F (void) slap_op_time LDAP_P(( time_t *t, int *n ));
 LDAP_SLAPD_F (Operation *) slap_op_alloc LDAP_P((