]> git.sur5r.net Git - openldap/blobdiff - servers/slapd/back-meta/conn.c
projects / openldap / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
better fix: in case of error during bind, just bail out (very conservative, though)
[openldap] / servers / slapd / back-meta / conn.c
diff --git a/servers/slapd/back-meta/conn.c b/servers/slapd/back-meta/conn.c
index ebf63df8397b932633aeb1189936b56b53a276ba..9254407e45f515370323ff6a1a3dc9683b57bf13 100644 (file)
--- a/servers/slapd/back-meta/conn.c
+++ b/servers/slapd/back-meta/conn.c
@@ -24,6 +24,7 @@
 
 #include <stdio.h>
 
+#include <ac/errno.h>
 #include <ac/socket.h>
 #include <ac/string.h>
 
@@ -51,7 +52,17 @@ meta_back_conn_cmp(
 {
        metaconn_t      *mc1 = ( metaconn_t * )c1;
         metaconn_t     *mc2 = ( metaconn_t * )c2;
+       int             rc;
        
+       /* If local DNs don't match, it is definitely not a match */
+       rc = ber_bvcmp( &mc1->mc_local_ndn, &mc2->mc_local_ndn );
+       if ( rc ) {
+               return rc;
+       }
+
+       /* For shared sessions, conn is NULL. Only explicitly
+        * bound sessions will have non-NULL conn.
+        */
        return SLAP_PTRCMP( mc1->mc_conn, mc2->mc_conn );
 }
 
@@ -69,7 +80,14 @@ meta_back_conn_dup(
        metaconn_t      *mc1 = ( metaconn_t * )c1;
        metaconn_t      *mc2 = ( metaconn_t * )c2;
 
-       return( ( mc1->mc_conn == mc2->mc_conn ) ? -1 : 0 );
+       /* Cannot have more than one shared session with same DN */
+       if ( dn_match( &mc1->mc_local_ndn, &mc2->mc_local_ndn ) &&
+                               mc1->mc_conn == mc2->mc_conn )
+       {
+               return -1;
+       }
+               
+       return 0;
 }
 
 /*
@@ -79,7 +97,8 @@ meta_back_conn_dup(
 static void
 ravl_print( Avlnode *root, int depth )
 {
-       int     i;
+       int             i;
+       metaconn_t      *mc = (metaconn_t *)root->avl_data;
        
        if ( root == 0 ) {
                return;
@@ -91,7 +110,11 @@ ravl_print( Avlnode *root, int depth )
                printf( "    " );
        }
 
-       printf( "c(%d) %d\n", ( ( metaconn_t * )root->avl_data )->mc_conn->c_connid, root->avl_bf );
+       printf( "c(%d%s%s) %d\n",
+               LDAP_BACK_PCONN_ID( mc->mc_conn ),
+               BER_BVISNULL( &mc->mc_local_ndn ) ? "" : ": ",
+               BER_BVISNULL( &mc->mc_local_ndn ) ? "" : mc->mc_local_ndn.bv_val,
+               root->avl_bf );
        
        ravl_print( root->avl_left, depth + 1 );
 }
@@ -121,53 +144,54 @@ myprint( Avlnode *root )
  */
 static metaconn_t *
 metaconn_alloc(
-       int             ntargets )
+               Operation               *op )
 {
+       metainfo_t      *mi = ( metainfo_t * )op->o_bd->be_private;
        metaconn_t      *mc;
+       int             i, ntargets = mi->mi_ntargets;
 
        assert( ntargets > 0 );
 
-       /* malloc once only; leave an extra one for one-past-end */
+       /* malloc all in one */
        mc = ( metaconn_t * )ch_malloc( sizeof( metaconn_t )
-                       + sizeof( metasingleconn_t ) * ( ntargets + 1 ) );
+                       + sizeof( metasingleconn_t ) * ntargets );
        if ( mc == NULL ) {
                return NULL;
        }
 
-       mc->mc_conns = ( metasingleconn_t * )&mc[ 1 ];
-
-       /* FIXME: needed by META_LAST() */
-       mc->mc_conns[ ntargets ].msc_candidate = META_LAST_CONN;
-
-       for ( ; ntargets-- > 0; ) {
-               mc->mc_conns[ ntargets ].msc_ld = NULL;
-               BER_BVZERO( &mc->mc_conns[ ntargets ].msc_bound_ndn );
-               BER_BVZERO( &mc->mc_conns[ ntargets ].msc_cred );
-               mc->mc_conns[ ntargets ].msc_bound = META_UNBOUND;
+       for ( i = 0; i < ntargets; i++ ) {
+               mc->mc_conns[ i ].msc_ld = NULL;
+               BER_BVZERO( &mc->mc_conns[ i ].msc_bound_ndn );
+               BER_BVZERO( &mc->mc_conns[ i ].msc_cred );
+               LDAP_BACK_CONN_ISBOUND_CLEAR( &mc->mc_conns[ i ] );
+               mc->mc_conns[ i ].msc_info = mi;
        }
 
-       mc->mc_auth_target = META_BOUND_NONE;
+       BER_BVZERO( &mc->mc_local_ndn );
+       mc->msc_mscflags = 0;
+       mc->mc_authz_target = META_BOUND_NONE;
        ldap_pvt_thread_mutex_init( &mc->mc_mutex );
+       mc->mc_refcnt = 1;
 
        return mc;
 }
 
-/*
- * meta_back_conn_free
- *
- * clears a metaconn
- */
-void
-meta_back_conn_free(
+static void
+meta_back_freeconn(
+       Operation       *op,
        metaconn_t      *mc )
 {
-       if ( mc == NULL ) {
-               return;
+       metainfo_t      *mi = ( metainfo_t * )op->o_bd->be_private;
+
+       assert( mc != NULL );
+
+       ldap_pvt_thread_mutex_lock( &mi->mi_conn_mutex );
+
+       if ( --mc->mc_refcnt == 0 ) {
+               meta_back_conn_free( mc );
        }
 
-       ldap_pvt_thread_mutex_destroy( &mc->mc_mutex );
-       
-       free( mc );
+       ldap_pvt_thread_mutex_unlock( &mi->mi_conn_mutex );
 }
 
 /*
@@ -180,7 +204,10 @@ meta_back_init_one_conn(
        Operation               *op,
        SlapReply               *rs,
        metatarget_t            *mt, 
+       metaconn_t              *mc,
        metasingleconn_t        *msc,
+       int                     ispriv,
+       int                     isauthz,
        ldap_back_send_t        sendok )
 {
        metainfo_t      *mi = ( metainfo_t * )op->o_bd->be_private;
@@ -191,8 +218,7 @@ meta_back_init_one_conn(
         * Already init'ed
         */
        if ( msc->msc_ld != NULL ) {
-               rs->sr_err = LDAP_SUCCESS;
-               goto error_return;
+               return rs->sr_err = LDAP_SUCCESS;
        }
        
        /*
@@ -216,14 +242,14 @@ meta_back_init_one_conn(
        }
 
 #ifdef HAVE_TLS
-       /* start TLS ("start-tls"/"try-start-tls" statements) */
+       /* start TLS ("tls [try-]{start|propagate}" statement) */
        if ( ( LDAP_BACK_USE_TLS( mi ) || ( op->o_conn->c_is_tls && LDAP_BACK_PROPAGATE_TLS( mi ) ) )
                        && !ldap_is_ldaps_url( mt->mt_uri ) )
        {
 #ifdef SLAP_STARTTLS_ASYNCHRONOUS
                /*
-                * use asynchronous StartTLS
-                * in case, chase referral (not implemented yet)
+                * use asynchronous StartTLS; in case, chase referral
+                * FIXME: OpenLDAP does not return referral on StartTLS yet
                 */
                int             msgid;
 
@@ -231,7 +257,9 @@ meta_back_init_one_conn(
                if ( rs->sr_err == LDAP_SUCCESS ) {
                        LDAPMessage     *res = NULL;
                        int             rc, nretries = mt->mt_nretries;
-                       struct timeval  tv = { 0, 0 };
+                       struct timeval  tv;
+
+                       LDAP_BACK_TV_SET( &tv );
 
 retry:;
                        rc = ldap_result( msc->msc_ld, msgid, LDAP_MSG_ALL, &tv, &res );
@@ -243,8 +271,7 @@ retry:;
                                        if ( nretries > 0 ) {
                                                nretries--;
                                        }
-                                       tv.tv_sec = 0;
-                                       tv.tv_usec = 100000;
+                                       LDAP_BACK_TV_SET( &tv );
                                        goto retry;
                                }
                                rs->sr_err = LDAP_OTHER;
@@ -319,44 +346,67 @@ retry:;
                                (void *)&network_timeout );
        }
 
-       /*
-        * Sets a cookie for the rewrite session
-        */
-       ( void )rewrite_session_init( mt->mt_rwmap.rwm_rw, op->o_conn );
-
        /*
         * If the connection DN is not null, an attempt to rewrite it is made
         */
-       if ( !BER_BVISEMPTY( &op->o_conn->c_dn ) ) {
-               dc.rwmap = &mt->mt_rwmap;
-               dc.conn = op->o_conn;
-               dc.rs = rs;
-               dc.ctx = "bindDN";
-               
-               /*
-                * Rewrite the bind dn if needed
-                */
-               if ( ldap_back_dn_massage( &dc, &op->o_conn->c_dn,
-                                       &msc->msc_bound_ndn ) )
-               {
-                       goto error_return;
-               }
 
-               /* copy the DN idf needed */
-               if ( msc->msc_bound_ndn.bv_val == op->o_conn->c_dn.bv_val ) {
-                       ber_dupbv( &msc->msc_bound_ndn, &op->o_conn->c_dn );
+       if ( ispriv ) {
+               if ( !BER_BVISNULL( &mt->mt_pseudorootdn ) ) {
+                       ber_dupbv( &msc->msc_bound_ndn, &mt->mt_pseudorootdn );
+                       if ( !BER_BVISNULL( &mt->mt_pseudorootpw ) ) {
+                               ber_dupbv( &msc->msc_cred, &mt->mt_pseudorootpw );
+                       }
+
+               } else {
+                       ber_str2bv( "", 0, 1, &msc->msc_bound_ndn );
                }
 
-               assert( !BER_BVISNULL( &msc->msc_bound_ndn ) );
+               LDAP_BACK_CONN_ISPRIV_SET( msc );
 
        } else {
-               ber_str2bv( "", 0, 1, &msc->msc_bound_ndn );
+               BER_BVZERO( &msc->msc_cred );
+               BER_BVZERO( &msc->msc_bound_ndn );
+               if ( !BER_BVISEMPTY( &op->o_ndn )
+                       && SLAP_IS_AUTHZ_BACKEND( op )
+                       && isauthz )
+               {
+                       dc.target = mt;
+                       dc.conn = op->o_conn;
+                       dc.rs = rs;
+                       dc.ctx = "bindDN";
+               
+                       /*
+                        * Rewrite the bind dn if needed
+                        */
+                       if ( ldap_back_dn_massage( &dc, &op->o_conn->c_dn,
+                                               &msc->msc_bound_ndn ) )
+                       {
+                               ldap_unbind_ext_s( msc->msc_ld, NULL, NULL );
+                               goto error_return;
+                       }
+                       
+                       /* copy the DN idf needed */
+                       if ( msc->msc_bound_ndn.bv_val == op->o_conn->c_dn.bv_val ) {
+                               ber_dupbv( &msc->msc_bound_ndn, &op->o_conn->c_dn );
+                       }
+
+               } else {
+                       ber_str2bv( "", 0, 1, &msc->msc_bound_ndn );
+               }
        }
 
-       msc->msc_bound = META_UNBOUND;
+       assert( !BER_BVISNULL( &msc->msc_bound_ndn ) );
+
+       LDAP_BACK_CONN_ISBOUND_CLEAR( msc );
 
 error_return:;
-       if ( rs->sr_err != LDAP_SUCCESS ) {
+       if ( rs->sr_err == LDAP_SUCCESS ) {
+               /*
+                * Sets a cookie for the rewrite session
+                */
+               ( void )rewrite_session_init( mt->mt_rwmap.rwm_rw, op->o_conn );
+
+       } else {
                rs->sr_err = slap_map_api2result( rs );
                if ( sendok & LDAP_BACK_SENDERR ) {
                        send_ldap_result( op, rs );
@@ -381,25 +431,42 @@ meta_back_retry(
        ldap_back_send_t        sendok )
 {
        metainfo_t              *mi = ( metainfo_t * )op->o_bd->be_private;
-       metatarget_t            *mt = mi->mi_targets[ candidate ];
-       int                     rc;
+       metatarget_t            *mt = &mi->mi_targets[ candidate ];
+       int                     rc = LDAP_UNAVAILABLE;
        metasingleconn_t        *msc = &mc->mc_conns[ candidate ];
 
-       ldap_pvt_thread_mutex_lock( &mc->mc_mutex );
+retry_lock:;
+       ldap_pvt_thread_mutex_lock( &mi->mi_conn_mutex );
+
+       assert( mc->mc_refcnt > 0 );
 
-       ldap_unbind_ext_s( msc->msc_ld, NULL, NULL );
-        msc->msc_ld = NULL;
-        msc->msc_bound = 0;
+       if ( mc->mc_refcnt == 1 ) {
+               while ( ldap_pvt_thread_mutex_trylock( &mc->mc_mutex ) ) {
+                       ldap_pvt_thread_mutex_unlock( &mi->mi_conn_mutex );
+                       ldap_pvt_thread_yield();
+                       goto retry_lock;
+               }
 
-        /* mc here must be the regular mc, reset and ready for init */
-        rc = meta_back_init_one_conn( op, rs, mt, msc, sendok );
+               ldap_unbind_ext_s( msc->msc_ld, NULL, NULL );
+               msc->msc_ld = NULL;
+               LDAP_BACK_CONN_ISBOUND_CLEAR( msc );
 
-       if ( rc == LDAP_SUCCESS ) {
-               rc = meta_back_single_dobind( op, rs, mc, candidate,
-                               sendok, mt->mt_nretries );
-        }
+               ( void )rewrite_session_delete( mt->mt_rwmap.rwm_rw, op->o_conn );
 
-       ldap_pvt_thread_mutex_unlock( &mc->mc_mutex );
+               /* mc here must be the regular mc, reset and ready for init */
+               rc = meta_back_init_one_conn( op, rs, mt, mc, msc,
+                       LDAP_BACK_CONN_ISPRIV( mc ),
+                       candidate == mc->mc_authz_target, sendok );
+
+               if ( rc == LDAP_SUCCESS ) {
+                       rc = meta_back_single_dobind( op, rs, mc, candidate,
+                                       sendok, mt->mt_nretries, 0 );
+               }
+
+               ldap_pvt_thread_mutex_unlock( &mc->mc_mutex );
+       }
+
+       ldap_pvt_thread_mutex_unlock( &mi->mi_conn_mutex );
 
        return rc == LDAP_SUCCESS ? 1 : 0;
 }
@@ -414,7 +481,7 @@ meta_back_conn_cb( Operation *op, SlapReply *rs )
 
        switch ( rs->sr_type ) {
        case REP_SEARCH:
-               ((int *)op->o_callback->sc_private)[0] = (int)op->o_private;
+               ((long *)op->o_callback->sc_private)[0] = (long)op->o_private;
                break;
 
        case REP_SEARCHREF:
@@ -436,7 +503,7 @@ meta_back_get_candidate(
        struct berval   *ndn )
 {
        metainfo_t      *mi = ( metainfo_t * )op->o_bd->be_private;
-       int             candidate;
+       long            candidate;
 
        /*
         * tries to get a unique candidate
@@ -493,7 +560,8 @@ meta_back_get_candidate(
                         * and a default target is defined, and it is
                         * a candidate, try using it (FIXME: YMMV) */
                        if ( mi->mi_defaulttarget != META_DEFAULT_TARGET_NONE
-                               && meta_back_is_candidate( &mi->mi_targets[ mi->mi_defaulttarget ]->mt_nsuffix,
+                               && meta_back_is_candidate( &mi->mi_targets[ mi->mi_defaulttarget ].mt_nsuffix,
+                                               mi->mi_targets[ mi->mi_defaulttarget ].mt_scope,
                                                ndn, op->o_tag == LDAP_REQ_SEARCH ? op->ors_scope : LDAP_SCOPE_BASE ) )
                        {
                                candidate = mi->mi_defaulttarget;
@@ -506,45 +574,69 @@ meta_back_get_candidate(
                        }
                        break;
                }
+
+       } else {
+               rs->sr_err = LDAP_SUCCESS;
        }
 
        return candidate;
 }
 
+static void    *meta_back_candidates_dummy;
+
 static void
-meta_back_candidate_keyfree(
+meta_back_candidates_keyfree(
        void            *key,
        void            *data )
 {
+       metacandidates_t        *mc = (metacandidates_t *)data;
+
+       ber_memfree_x( mc->mc_candidates, NULL );
        ber_memfree_x( data, NULL );
 }
 
 SlapReply *
 meta_back_candidates_get( Operation *op )
 {
-       metainfo_t      *mi = ( metainfo_t * )op->o_bd->be_private;
-       void            *data = NULL;
+       metainfo_t              *mi = ( metainfo_t * )op->o_bd->be_private;
+       metacandidates_t        *mc;
 
        if ( op->o_threadctx ) {
+               void            *data = NULL;
+
                ldap_pvt_thread_pool_getkey( op->o_threadctx,
-                               meta_back_candidate_keyfree, &data, NULL );
+                               &meta_back_candidates_dummy, &data, NULL );
+               mc = (metacandidates_t *)data;
+
        } else {
-               data = (void *)mi->mi_candidates;
+               mc = mi->mi_candidates;
        }
 
-       if ( data == NULL ) {
-               data = ber_memalloc( sizeof( SlapReply ) * mi->mi_ntargets );
+       if ( mc == NULL ) {
+               mc = ch_calloc( sizeof( metacandidates_t ), 1 );
+               mc->mc_ntargets = mi->mi_ntargets;
+               mc->mc_candidates = ch_calloc( sizeof( SlapReply ), mc->mc_ntargets );
                if ( op->o_threadctx ) {
+                       void            *data = NULL;
+
+                       data = (void *)mc;
                        ldap_pvt_thread_pool_setkey( op->o_threadctx,
-                                       meta_back_candidate_keyfree, data,
-                                       meta_back_candidate_keyfree );
+                                       &meta_back_candidates_dummy, data,
+                                       meta_back_candidates_keyfree );
 
                } else {
-                       mi->mi_candidates = (SlapReply *)data;
+                       mi->mi_candidates = mc;
                }
+
+       } else if ( mc->mc_ntargets < mi->mi_ntargets ) {
+               /* NOTE: in the future, may want to allow back-config
+                * to add/remove targets from back-meta... */
+               mc->mc_ntargets = mi->mi_ntargets;
+               mc->mc_candidates = ch_realloc( mc->mc_candidates,
+                               sizeof( SlapReply ) * mc->mc_ntargets );
        }
 
-       return (SlapReply *)data;
+       return mc->mc_candidates;
 }
 
 /*
@@ -588,11 +680,14 @@ meta_back_getconn(
        ldap_back_send_t        sendok )
 {
        metainfo_t      *mi = ( metainfo_t * )op->o_bd->be_private;
-       metaconn_t      *mc, mc_curr;
+       metaconn_t      *mc = NULL,
+                       mc_curr = { 0 };
        int             cached = META_TARGET_NONE,
                        i = META_TARGET_NONE,
                        err = LDAP_SUCCESS,
-                       new_conn = 0;
+                       new_conn = 0,
+                       ncandidates = 0;
+
 
        meta_op_type    op_type = META_OP_REQUIRE_SINGLE;
        int             parent = 0,
@@ -602,11 +697,32 @@ meta_back_getconn(
 
        SlapReply       *candidates = meta_back_candidates_get( op );
 
+       /* Internal searches are privileged and shared. So is root. */
+       /* FIXME: there seem to be concurrency issues */
+       if ( op->o_do_not_cache || be_isroot( op ) ) {
+               mc_curr.mc_local_ndn = op->o_bd->be_rootndn;
+               LDAP_BACK_CONN_ISPRIV_SET( &mc_curr );
+               mc_curr.mc_conn = LDAP_BACK_PCONN_SET( op );
+
+       } else {
+               mc_curr.mc_local_ndn = op->o_ndn;
+
+               /* Explicit binds must not be shared */
+               if ( op->o_tag == LDAP_REQ_BIND || SLAP_IS_AUTHZ_BACKEND( op ) ) {
+                       mc_curr.mc_conn = op->o_conn;
+       
+               } else {
+                       mc_curr.mc_conn = LDAP_BACK_PCONN_SET( op );
+               }
+       }
+
        /* Searches for a metaconn in the avl tree */
-       mc_curr.mc_conn = op->o_conn;
        ldap_pvt_thread_mutex_lock( &mi->mi_conn_mutex );
        mc = (metaconn_t *)avl_find( mi->mi_conntree, 
                (caddr_t)&mc_curr, meta_back_conn_cmp );
+       if ( mc ) {
+               mc->mc_refcnt++;
+       }
        ldap_pvt_thread_mutex_unlock( &mi->mi_conn_mutex );
 
        switch ( op->o_tag ) {
@@ -655,23 +771,29 @@ meta_back_getconn(
        if ( op_type == META_OP_REQUIRE_ALL ) {
 
                /* Looks like we didn't get a bind. Open a new session... */
-               if ( !mc ) {
-                       mc = metaconn_alloc( mi->mi_ntargets );
-                       mc->mc_conn = op->o_conn;
+               if ( mc == NULL ) {
+                       mc = metaconn_alloc( op );
+                       mc->mc_conn = mc_curr.mc_conn;
+                       ber_dupbv( &mc->mc_local_ndn, &mc_curr.mc_local_ndn );
                        new_conn = 1;
                }
 
                for ( i = 0; i < mi->mi_ntargets; i++ ) {
+                       metatarget_t            *mt = &mi->mi_targets[ i ];
+                       metasingleconn_t        *msc = &mc->mc_conns[ i ];
 
                        /*
                         * The target is activated; if needed, it is
                         * also init'd
                         */
-                       int lerr = meta_back_init_one_conn( op, rs, mi->mi_targets[ i ],
-                                       &mc->mc_conns[ i ], sendok );
-                       if ( lerr == LDAP_SUCCESS ) {
+                       candidates[ i ].sr_err = meta_back_init_one_conn( op,
+                               rs, mt, mc, msc,
+                               LDAP_BACK_CONN_ISPRIV( &mc_curr ),
+                               i == mc->mc_authz_target, sendok );
+                       if ( candidates[ i ].sr_err == LDAP_SUCCESS ) {
                                candidates[ i ].sr_tag = META_CANDIDATE;
-                               
+                               ncandidates++;
+       
                        } else {
                                
                                /*
@@ -680,10 +802,34 @@ meta_back_getconn(
                                 * be tried?
                                 */
                                candidates[ i ].sr_tag = META_NOT_CANDIDATE;
-                               err = lerr;
+                               err = candidates[ i ].sr_err;
                                continue;
                        }
                }
+
+               if ( ncandidates == 0 ) {
+                       if ( new_conn ) {
+                               meta_back_freeconn( op, mc );
+
+                       } else {
+                               meta_back_release_conn( op, mc );
+                       }
+
+                       rs->sr_err = LDAP_NO_SUCH_OBJECT;
+                       rs->sr_text = "Unable to select valid candidates";
+
+                       if ( sendok & LDAP_BACK_SENDERR ) {
+                               if ( rs->sr_err == LDAP_NO_SUCH_OBJECT ) {
+                                       rs->sr_matched = op->o_bd->be_suffix[ 0 ].bv_val;
+                               }
+                               send_ldap_result( op, rs );
+                               rs->sr_text = NULL;
+                               rs->sr_matched = NULL;
+                       }
+
+                       return NULL;
+               }
+
                goto done;
        }
        
@@ -695,7 +841,10 @@ meta_back_getconn(
        }
 
        if ( op_type == META_OP_REQUIRE_SINGLE ) {
-               int     j;
+               metatarget_t            *mt = NULL;
+               metasingleconn_t        *msc = NULL;
+
+               int                     j;
 
                for ( j = 0; j < mi->mi_ntargets; j++ ) {
                        candidates[ j ].sr_tag = META_NOT_CANDIDATE;
@@ -713,41 +862,62 @@ meta_back_getconn(
                        }
        
                        if ( rs->sr_err != LDAP_SUCCESS ) {
+                               if ( mc != NULL ) {
+                                       meta_back_release_conn( op, mc );
+                               }
+
                                if ( sendok & LDAP_BACK_SENDERR ) {
+                                       if ( rs->sr_err == LDAP_NO_SUCH_OBJECT ) {
+                                               rs->sr_matched = op->o_bd->be_suffix[ 0 ].bv_val;
+                                       }
                                        send_ldap_result( op, rs );
                                        rs->sr_text = NULL;
+                                       rs->sr_matched = NULL;
                                }
+                       
                                return NULL;
                        }
                }
 
                if ( newparent && meta_back_get_candidate( op, rs, op->orr_nnewSup ) != i )
                {
+                       if ( mc != NULL ) {
+                               meta_back_release_conn( op, mc );
+                       }
+
                        rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
                        rs->sr_text = "cross-target rename not supported";
                        if ( sendok & LDAP_BACK_SENDERR ) {
                                send_ldap_result( op, rs );
                                rs->sr_text = NULL;
                        }
+
                        return NULL;
                }
 
-               Debug( LDAP_DEBUG_CACHE,
+               Debug( LDAP_DEBUG_TRACE,
        "==>meta_back_getconn: got target %d for ndn=\"%s\" from cache\n",
                                i, op->o_req_ndn.bv_val, 0 );
 
-               /* Retries searching for a metaconn in the avl tree */
-               mc_curr.mc_conn = op->o_conn;
-               ldap_pvt_thread_mutex_lock( &mi->mi_conn_mutex );
-               mc = (metaconn_t *)avl_find( mi->mi_conntree, 
-                       (caddr_t)&mc_curr, meta_back_conn_cmp );
-               ldap_pvt_thread_mutex_unlock( &mi->mi_conn_mutex );
-
-               /* Looks like we didn't get a bind. Open a new session... */
-               if ( !mc ) {
-                       mc = metaconn_alloc( mi->mi_ntargets );
-                       mc->mc_conn = op->o_conn;
-                       new_conn = 1;
+               if ( mc == NULL ) {
+                       /* Retries searching for a metaconn in the avl tree
+                        * the reason is that the connection might have been
+                        * created by meta_back_get_candidate() */
+                       ldap_pvt_thread_mutex_lock( &mi->mi_conn_mutex );
+                       mc = (metaconn_t *)avl_find( mi->mi_conntree, 
+                               (caddr_t)&mc_curr, meta_back_conn_cmp );
+                       if ( mc != NULL ) {
+                               mc->mc_refcnt++;
+                       }
+                       ldap_pvt_thread_mutex_unlock( &mi->mi_conn_mutex );
+
+                       /* Looks like we didn't get a bind. Open a new session... */
+                       if ( mc == NULL ) {
+                               mc = metaconn_alloc( op );
+                               mc->mc_conn = mc_curr.mc_conn;
+                               ber_dupbv( &mc->mc_local_ndn, &mc_curr.mc_local_ndn );
+                               new_conn = 1;
+                       }
                }
 
                /*
@@ -755,18 +925,18 @@ meta_back_getconn(
                 */
                ( void )meta_clear_unused_candidates( op, i );
 
+               mt = &mi->mi_targets[ i ];
+               msc = &mc->mc_conns[ i ];
+
                /*
                 * The target is activated; if needed, it is
                 * also init'd. In case of error, meta_back_init_one_conn
                 * sends the appropriate result.
                 */
-               err = meta_back_init_one_conn( op, rs, mi->mi_targets[ i ],
-                               &mc->mc_conns[ i ], sendok );
-               if ( err == LDAP_SUCCESS ) {
-                       candidates[ i ].sr_tag = META_CANDIDATE;
-
-               } else {
-               
+               err = meta_back_init_one_conn( op, rs, mt, mc, msc,
+                       LDAP_BACK_CONN_ISPRIV( &mc_curr ),
+                       i == mc->mc_authz_target, sendok );
+               if ( err != LDAP_SUCCESS ) {
                        /*
                         * FIXME: in case one target cannot
                         * be init'd, should the other ones
@@ -774,12 +944,19 @@ meta_back_getconn(
                         */
                        candidates[ i ].sr_tag = META_NOT_CANDIDATE;
                        if ( new_conn ) {
-                               ( void )meta_clear_one_candidate( &mc->mc_conns[ i ] );
-                               meta_back_conn_free( mc );
+                               (void)meta_clear_one_candidate( msc );
+                               meta_back_freeconn( op, mc );
+
+                       } else {
+                               meta_back_release_conn( op, mc );
                        }
                        return NULL;
                }
 
+               candidates[ i ].sr_err = LDAP_SUCCESS;
+               candidates[ i ].sr_tag = META_CANDIDATE;
+               ncandidates++;
+
                if ( candidate ) {
                        *candidate = i;
                }
@@ -789,19 +966,23 @@ meta_back_getconn(
         */
        } else {
 
-               int     ncandidates = 0;
-
                /* Looks like we didn't get a bind. Open a new session... */
-               if ( !mc ) {
-                       mc = metaconn_alloc( mi->mi_ntargets );
-                       mc->mc_conn = op->o_conn;
+               if ( mc == NULL ) {
+                       mc = metaconn_alloc( op );
+                       mc->mc_conn = mc_curr.mc_conn;
+                       ber_dupbv( &mc->mc_local_ndn, &mc_curr.mc_local_ndn );
                        new_conn = 1;
                }
 
                for ( i = 0; i < mi->mi_ntargets; i++ ) {
+                       metatarget_t            *mt = &mi->mi_targets[ i ];
+                       metasingleconn_t        *msc = &mc->mc_conns[ i ];
+
                        if ( i == cached 
-                               || meta_back_is_candidate( &mi->mi_targets[ i ]->mt_nsuffix,
-                                               &op->o_req_ndn, LDAP_SCOPE_SUBTREE ) )
+                               || meta_back_is_candidate( &mt->mt_nsuffix,
+                                               mt->mt_scope,
+                                               &op->o_req_ndn,
+                                               LDAP_SCOPE_SUBTREE ) )
                        {
 
                                /*
@@ -809,12 +990,18 @@ meta_back_getconn(
                                 * also init'd
                                 */
                                int lerr = meta_back_init_one_conn( op, rs,
-                                               mi->mi_targets[ i ],
-                                               &mc->mc_conns[ i ], sendok );
+                                               mt, mc, msc,
+                                               LDAP_BACK_CONN_ISPRIV( &mc_curr ),
+                                               i == mc->mc_authz_target,
+                                               sendok );
                                if ( lerr == LDAP_SUCCESS ) {
                                        candidates[ i ].sr_tag = META_CANDIDATE;
+                                       candidates[ i ].sr_err = LDAP_SUCCESS;
                                        ncandidates++;
 
+                                       Debug( LDAP_DEBUG_TRACE, "%s: meta_back_init_one_conn(%d)\n",
+                                               op->o_log_prefix, i, 0 );
+
                                } else {
                                
                                        /*
@@ -823,9 +1010,10 @@ meta_back_getconn(
                                         * be tried?
                                         */
                                        if ( new_conn ) {
-                                               ( void )meta_clear_one_candidate( &mc->mc_conns[ i ] );
+                                               ( void )meta_clear_one_candidate( msc );
                                        }
-                                       candidates[ i ].sr_tag = META_NOT_CANDIDATE;
+                                       /* leave the target candidate, but record the error for later use */
+                                       candidates[ i ].sr_err = lerr;
                                        err = lerr;
 
                                        Debug( LDAP_DEBUG_ANY, "%s: meta_back_init_one_conn(%d) failed: %d\n",
@@ -836,7 +1024,7 @@ meta_back_getconn(
 
                        } else {
                                if ( new_conn ) {
-                                       ( void )meta_clear_one_candidate( &mc->mc_conns[ i ] );
+                                       ( void )meta_clear_one_candidate( msc );
                                }
                                candidates[ i ].sr_tag = META_NOT_CANDIDATE;
                        }
@@ -844,15 +1032,22 @@ meta_back_getconn(
 
                if ( ncandidates == 0 ) {
                        if ( new_conn ) {
-                               meta_back_conn_free( mc );
+                               meta_back_freeconn( op, mc );
+
+                       } else {
+                               meta_back_release_conn( op, mc );
                        }
 
                        rs->sr_err = LDAP_NO_SUCH_OBJECT;
                        rs->sr_text = "Unable to select valid candidates";
 
                        if ( sendok & LDAP_BACK_SENDERR ) {
+                               if ( rs->sr_err == LDAP_NO_SUCH_OBJECT ) {
+                                       rs->sr_matched = op->o_bd->be_suffix[ 0 ].bv_val;
+                               }
                                send_ldap_result( op, rs );
                                rs->sr_text = NULL;
+                               rs->sr_matched = NULL;
                        }
 
                        return NULL;
@@ -881,20 +1076,19 @@ done:;
 
                /*
                 * Err could be -1 in case a duplicate metaconn is inserted
+                *
+                * FIXME: what if the same client issues more than one
+                * asynchronous operations?
                 */
-               if ( err == 0 ) {
-                       Debug( LDAP_DEBUG_TRACE,
-                               "%s meta_back_getconn: conn %ld inserted\n",
-                               op->o_log_prefix, mc->mc_conn->c_connid, 0 );
-
-               } else {
-                       Debug( LDAP_DEBUG_TRACE,
-                               "%s meta_back_getconn: conn %ld insert failed\n",
-                               op->o_log_prefix, mc->mc_conn->c_connid, 0 );
+               if ( err != 0 ) {
+                       Debug( LDAP_DEBUG_ANY,
+                               "%s meta_back_getconn: candidates=%d conn=%ld insert failed\n",
+                               op->o_log_prefix, ncandidates,
+                               LDAP_BACK_PCONN_ID( mc->mc_conn ) );
                
                        rs->sr_err = LDAP_OTHER;
                        rs->sr_text = "Internal server error";
-                       meta_back_conn_free( mc );
+                       meta_back_freeconn( op, mc );
                        if ( sendok & LDAP_BACK_SENDERR ) {
                                send_ldap_result( op, rs );
                                rs->sr_text = NULL;
@@ -902,12 +1096,32 @@ done:;
                        return NULL;
                }
 
+               Debug( LDAP_DEBUG_TRACE,
+                       "%s meta_back_getconn: candidates=%d conn=%ld inserted\n",
+                       op->o_log_prefix, ncandidates,
+                       LDAP_BACK_PCONN_ID( mc->mc_conn ) );
+
        } else {
                Debug( LDAP_DEBUG_TRACE,
-                       "%s meta_back_getconn: conn %ld fetched\n",
-                       op->o_log_prefix, mc->mc_conn->c_connid, 0 );
+                       "%s meta_back_getconn: candidates=%d conn=%ld fetched\n",
+                       op->o_log_prefix, ncandidates,
+                       LDAP_BACK_PCONN_ID( mc->mc_conn ) );
        }
        
        return mc;
 }
 
+void
+meta_back_release_conn(
+               Operation               *op,
+       metaconn_t              *mc )
+{
+       metainfo_t      *mi = ( metainfo_t * )op->o_bd->be_private;
+
+       assert( mc != NULL );
+
+       ldap_pvt_thread_mutex_lock( &mi->mi_conn_mutex );
+       assert( mc->mc_refcnt > 0 );
+       mc->mc_refcnt--;
+       ldap_pvt_thread_mutex_unlock( &mi->mi_conn_mutex );
+}
Cloned from git://git.openldap.org/openldap.git