+ return( ERR_OK( rs->sr_err ) ? 0 : -1 );
+}
+
+/* return true if bound, false if failed */
+int
+ldap_back_retry( struct ldapconn *lc, Operation *op, SlapReply *rs, ldap_back_send_t sendok )
+{
+ int rc = 0;
+ struct ldapinfo *li = (struct ldapinfo *)op->o_bd->be_private;
+
+ ldap_pvt_thread_mutex_lock( &li->conn_mutex );
+
+ if ( lc->lc_refcnt == 1 ) {
+ ldap_unbind_ext( lc->lc_ld, NULL, NULL );
+ lc->lc_ld = NULL;
+ lc->lc_bound = 0;
+
+ /* lc here must be the regular lc, reset and ready for init */
+ rc = ldap_back_prepare_conn( &lc, op, rs, sendok );
+ if ( rc == LDAP_SUCCESS ) {
+ rc = ldap_back_dobind_int( lc, op, rs, sendok, 0, 0 );
+ }
+ }
+
+ ldap_pvt_thread_mutex_unlock( &li->conn_mutex );
+
+ return rc;
+}
+
+static int
+ldap_back_proxy_authz_bind( struct ldapconn *lc, Operation *op, SlapReply *rs )
+{
+ struct ldapinfo *li = (struct ldapinfo *)op->o_bd->be_private;
+ struct berval binddn = slap_empty_bv;
+ struct berval bindcred = slap_empty_bv;
+ int dobind = 0;
+ int msgid;
+ int rc;
+
+ /*
+ * FIXME: we need to let clients use proxyAuthz
+ * otherwise we cannot do symmetric pools of servers;
+ * we have to live with the fact that a user can
+ * authorize itself as any ID that is allowed
+ * by the authzTo directive of the "proxyauthzdn".
+ */
+ /*
+ * NOTE: current Proxy Authorization specification
+ * and implementation do not allow proxy authorization
+ * control to be provided with Bind requests
+ */
+ /*
+ * if no bind took place yet, but the connection is bound
+ * and the "proxyauthzdn" is set, then bind as
+ * "proxyauthzdn" and explicitly add the proxyAuthz
+ * control to every operation with the dn bound
+ * to the connection as control value.
+ */
+
+ /* bind as proxyauthzdn only if no idassert mode
+ * is requested, or if the client's identity
+ * is authorized */
+ switch ( li->idassert_mode ) {
+ case LDAP_BACK_IDASSERT_LEGACY:
+ if ( !BER_BVISNULL( &op->o_conn->c_ndn ) && !BER_BVISEMPTY( &op->o_conn->c_ndn ) ) {
+ if ( !BER_BVISNULL( &li->idassert_authcDN ) && !BER_BVISEMPTY( &li->idassert_authcDN ) )
+ {
+ binddn = li->idassert_authcDN;
+ bindcred = li->idassert_passwd;
+ dobind = 1;
+ }
+ }
+ break;
+
+ default:
+ /* NOTE: rootdn can always idassert */
+ if ( li->idassert_authz && !be_isroot( op ) ) {
+ struct berval authcDN;
+
+ if ( BER_BVISNULL( &op->o_conn->c_ndn ) ) {
+ authcDN = slap_empty_bv;
+
+ } else {
+ authcDN = op->o_conn->c_ndn;
+ }
+ rs->sr_err = slap_sasl_matches( op, li->idassert_authz,
+ &authcDN, &authcDN );
+ if ( rs->sr_err != LDAP_SUCCESS ) {
+ if ( li->idassert_flags & LDAP_BACK_AUTH_PRESCRIPTIVE ) {
+ send_ldap_result( op, rs );
+ lc->lc_bound = 0;
+
+ } else {
+ rs->sr_err = LDAP_SUCCESS;
+ binddn = slap_empty_bv;
+ bindcred = slap_empty_bv;
+ break;
+ }
+
+ goto done;
+ }
+ }
+
+ binddn = li->idassert_authcDN;
+ bindcred = li->idassert_passwd;
+ dobind = 1;
+ break;
+ }
+
+ if ( dobind && li->idassert_authmethod == LDAP_AUTH_SASL ) {
+#ifdef HAVE_CYRUS_SASL
+ void *defaults = NULL;
+ struct berval authzID = BER_BVNULL;
+ int freeauthz = 0;
+
+ /* if SASL supports native authz, prepare for it */
+ if ( ( !op->o_do_not_cache || !op->o_is_auth_check ) &&
+ ( li->idassert_flags & LDAP_BACK_AUTH_NATIVE_AUTHZ ) )
+ {
+ switch ( li->idassert_mode ) {
+ case LDAP_BACK_IDASSERT_OTHERID:
+ case LDAP_BACK_IDASSERT_OTHERDN:
+ authzID = li->idassert_authzID;
+ break;
+
+ case LDAP_BACK_IDASSERT_ANONYMOUS:
+ BER_BVSTR( &authzID, "dn:" );
+ break;
+
+ case LDAP_BACK_IDASSERT_SELF:
+ if ( BER_BVISNULL( &op->o_conn->c_ndn ) ) {
+ /* connection is not authc'd, so don't idassert */
+ BER_BVSTR( &authzID, "dn:" );
+ break;
+ }
+ authzID.bv_len = STRLENOF( "dn:" ) + op->o_conn->c_ndn.bv_len;
+ authzID.bv_val = slap_sl_malloc( authzID.bv_len + 1, op->o_tmpmemctx );
+ AC_MEMCPY( authzID.bv_val, "dn:", STRLENOF( "dn:" ) );
+ AC_MEMCPY( authzID.bv_val + STRLENOF( "dn:" ),
+ op->o_conn->c_ndn.bv_val, op->o_conn->c_ndn.bv_len + 1 );
+ freeauthz = 1;
+ break;
+
+ default:
+ break;
+ }
+ }
+
+#if 0 /* will deal with this later... */
+ if ( sasl_secprops != NULL ) {
+ rs->sr_err = ldap_set_option( lc->lc_ld, LDAP_OPT_X_SASL_SECPROPS,
+ (void *) sasl_secprops );
+
+ if ( rs->sr_err != LDAP_OPT_SUCCESS ) {
+ send_ldap_result( op, rs );
+ lc->lc_bound = 0;
+ goto done;
+ }
+ }
+#endif
+
+ defaults = lutil_sasl_defaults( lc->lc_ld,
+ li->idassert_sasl_mech.bv_val,
+ li->idassert_sasl_realm.bv_val,
+ li->idassert_authcID.bv_val,
+ li->idassert_passwd.bv_val,
+ authzID.bv_val );
+
+ rs->sr_err = ldap_sasl_interactive_bind_s( lc->lc_ld, binddn.bv_val,
+ li->idassert_sasl_mech.bv_val, NULL, NULL,
+ LDAP_SASL_QUIET, lutil_sasl_interact,
+ defaults );
+
+ lutil_sasl_freedefs( defaults );
+ if ( freeauthz ) {
+ slap_sl_free( authzID.bv_val, op->o_tmpmemctx );
+ }
+
+ rs->sr_err = slap_map_api2result( rs );
+ if ( rs->sr_err != LDAP_SUCCESS ) {
+ lc->lc_bound = 0;
+ send_ldap_result( op, rs );
+
+ } else {
+ lc->lc_bound = 1;
+ }
+ goto done;
+#endif /* HAVE_CYRUS_SASL */
+ }
+
+ switch ( li->idassert_authmethod ) {
+ case LDAP_AUTH_SIMPLE:
+ rs->sr_err = ldap_sasl_bind( lc->lc_ld,
+ binddn.bv_val, LDAP_SASL_SIMPLE,
+ &bindcred, NULL, NULL, &msgid );
+ break;
+
+ case LDAP_AUTH_NONE:
+ lc->lc_bound = 1;
+ goto done;
+
+ default:
+ /* unsupported! */
+ lc->lc_bound = 0;
+ rs->sr_err = LDAP_AUTH_METHOD_NOT_SUPPORTED;
+ send_ldap_result( op, rs );
+ goto done;
+ }
+
+ rc = ldap_back_op_result( lc, op, rs, msgid, LDAP_BACK_SENDERR );
+ if ( rc == LDAP_SUCCESS ) {
+ lc->lc_bound = 1;
+ }
+done:;
+ return lc->lc_bound;