use result of validation (ITS#4028)

[openldap] / servers / slapd / back-meta / bind.c

diff --git a/servers/slapd/back-meta/bind.c b/servers/slapd/back-meta/bind.c
index 7defb3d424f5f35bd5128c7e710ae8a177b7627d..eb25c58fe01452ca927466c78c57df73e12e184d 100644 (file)
--- a/servers/slapd/back-meta/bind.c
+++ b/servers/slapd/back-meta/bind.c
@@ -59,9 +59,16 @@ meta_back_bind( Operation *op, SlapReply *rs )
        Debug( LDAP_DEBUG_ARGS, "meta_back_bind: dn: %s.\n%s%s",
                        op->o_req_dn.bv_val, "", "" );
 
-       if ( op->orb_method == LDAP_AUTH_SIMPLE && be_isroot_pw( op ) ) {
+       if ( op->orb_method == LDAP_AUTH_SIMPLE
+               && be_isroot_dn( op->o_bd, &op->o_req_ndn ) )
+       {
+               if ( !be_isroot_pw( op ) ) {
+                       rs->sr_err = LDAP_INVALID_CREDENTIALS;
+                       rs->sr_text = NULL;
+                       send_ldap_result( op, rs );
+                       return rs->sr_err;
+               }
                isroot = 1;
-               ber_dupbv( &op->orb_edn, be_root_dn( op->o_bd ) );
        }
 
        /* we need meta_back_getconn() not send result even on error,
@@ -139,8 +146,9 @@ meta_back_bind( Operation *op, SlapReply *rs )
                }
        }
 
-       if ( isroot ) {
+       if ( isroot && rc == LDAP_SUCCESS ) {
                mc->mc_auth_target = META_BOUND_ALL;
+               ber_dupbv( &op->orb_edn, be_root_dn( op->o_bd ) );
        }
 
        meta_back_release_conn( op, mc );
@@ -488,6 +496,7 @@ retry:;
                }
 
        } else {
+               rs->sr_err = rc;
                rc = slap_map_api2result( rs );
        }
 
@@ -580,8 +589,6 @@ meta_back_dobind(
                }
 
                if ( rc != LDAP_SUCCESS ) {
-                       rs->sr_err = slap_map_api2result( rs );
-
                        Debug( LDAP_DEBUG_ANY, "%s meta_back_dobind[%d]: "
                                        "(anonymous) err=%d\n",
                                        op->o_log_prefix, i, rc );
@@ -593,7 +600,8 @@ meta_back_dobind(
                         * due to technical reasons (remote host down?)
                         * so better clear the handle
                         */
-                       candidates[ i ].sr_tag = META_NOT_CANDIDATE;
+                       /* leave the target candidate, but record the error for later use */
+                       candidates[ i ].sr_err = rc;
                        if ( META_BACK_ONERR_STOP( mi ) ) {
                                bound = 0;
                                goto done;
@@ -665,8 +673,10 @@ meta_back_op_result(
 
        int                     i,
                                rerr = LDAP_SUCCESS;
-       char                    *rmsg = NULL;
-       char                    *rmatch = NULL;
+       char                    *rmsg = NULL,
+                               *rmatch = NULL;
+       const char              *save_rmsg = NULL,
+                               *save_rmatch = NULL;
        void                    *rmatch_ctx = NULL;
 
        if ( candidate != META_TARGET_NONE ) {
@@ -780,7 +790,10 @@ meta_back_op_result(
        }
        
        rs->sr_err = rerr;
-       rs->sr_text = rmsg;
+       if ( rmsg != NULL ) {
+               save_rmsg = rs->sr_text;
+               rs->sr_text = rmsg;
+       }
        if ( rmatch != NULL ) {
                struct berval   dn, pdn;
 
@@ -790,16 +803,18 @@ meta_back_op_result(
                        rmatch_ctx = op->o_tmpmemctx;
                        rmatch = pdn.bv_val;
                }
+               save_rmatch = rs->sr_matched;
+               rs->sr_matched = rmatch;
        }
        send_ldap_result( op, rs );
        if ( rmsg != NULL ) {
                ber_memfree( rmsg );
+               rs->sr_text = save_rmsg;
        }
        if ( rmatch != NULL ) {
                ber_memfree_x( rmatch, rmatch_ctx );
-               rs->sr_matched = NULL;
+               rs->sr_matched = save_rmatch;
        }
-       rs->sr_text = NULL;
 
        return ( ( rerr == LDAP_SUCCESS ) ? 0 : -1 );
 }