don't leak callbacks if stuff cannot be registered; provide a means to dispose of...
index 60f1879fcae60316a75832b5a076408e2e1548ff..b96b27256d52420827ba1e1a91e8059585cb2f1a 100644 (file)
@@ -1130,6 +1130,7 @@ is_dn:            bv.bv_len = uri->bv_len - (bv.bv_val - uri->bv_val);
 
                } else {
                        BER_BVSTR( &group_oc, SLAPD_GROUP_CLASS );
+                       BER_BVSTR( &member_at, SLAPD_GROUP_ATTR );
                }
                group_dn.bv_val++;
                group_dn.bv_len = uri->bv_len - ( group_dn.bv_val - uri->bv_val );
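Review bot: The else branch now falls back to two compiled-in defaults (SLAPD_GROUP_CLASS and the added SLAPD_GROUP_ATTR for member_at), but nothing says when this branch is taken, so a reader cannot tell from the hunk whether member_at was previously left uninitialised here or whether the if branch (outside the hunk) assigns it from the URI. A one-line comment on the else would settle that: `/* URI names no group class/member attribute: use the compiled-in defaults */`, hedged if the if branch does something else. The enclosing function starts before and continues after this hunk.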
@@ -1606,7 +1607,7 @@ static int sasl_sc_sasl2dn( Operation *op, SlapReply *rs )
                Debug( LDAP_DEBUG_TRACE,
                        "%s: slap_sc_sasl2dn: search DN returned more than 1 entry\n",
                        op->o_log_prefix, 0, 0 );
-               return LDAP_OTHER;
+               return LDAP_UNAVAILABLE; /* short-circuit the search */
        }
 
        ber_dupbv_x( ndn, &rs->sr_entry->e_nname, op->o_tmpmemctx );
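Review bot: The new `return LDAP_UNAVAILABLE;` at the "more than 1 entry" branch is a stop signal to the search loop, not a result code for the client, yet the comment only says "short-circuit the search"; since the first matching entry's ndn was presumably already duplicated by an earlier callback invocation (the ber_dupbv_x at the end of the hunk), the note should also say who releases it. I would extend the comment to `/* stop the search; caller must discard this rc and free/reset *ndn */`, adjusted to whatever the caller actually does, which is outside this hunk. sasl_sc_sasl2dn's body starts before the hunk, so the condition that guards this branch is not visible here.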
@@ -1627,10 +1628,10 @@ static int sasl_sc_smatch( Operation *o, SlapReply *rs )
 
        if (dn_match(sm->dn, &rs->sr_entry->e_nname)) {
                sm->match = 1;
-               return -1;      /* short-circuit the search */
+               return LDAP_UNAVAILABLE;        /* short-circuit the search */
        }
 
-       return 1;
+       return 0;
 }
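Review bot: sasl_sc_smatch now signals a hit only through `sm->match`, while its rc (LDAP_UNAVAILABLE on a hit, 0 to keep scanning) will surface as the search's return value to whoever runs the search; nothing in the function says that the rc must be ignored and only `sm->match` consulted, which is easy to get wrong in an authorization path. I would put that contract in a header comment on the function, e.g. `/* Search callback: sets sm->match and aborts the search with LDAP_UNAVAILABLE on a DN match; caller keys on sm->match, not the search rc */`. The same LDAP_UNAVAILABLE convention is introduced in sasl_sc_sasl2dn in the previous hunk; naming it once in a shared comment or symbolic constant would keep the two callbacks from drifting apart.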
 
 int
@@ -1881,14 +1882,18 @@ slap_sasl_check_authz( Operation *op,
        AttributeDescription *ad,
        struct berval *authc )
 {
-       int rc;
-       BerVarray vals = NULL;
+       int             rc,
+                       do_not_cache = op->o_do_not_cache;
+       BerVarray       vals = NULL;
 
        Debug( LDAP_DEBUG_TRACE,
           "==>slap_sasl_check_authz: does %s match %s rule in %s?\n",
           assertDN->bv_val, ad->ad_cname.bv_val, searchDN->bv_val);
 
+       /* ITS#4760: don't cache group access */
+       op->o_do_not_cache = 1;
        rc = backend_attribute( op, NULL, searchDN, ad, &vals, ACL_AUTH );
+       op->o_do_not_cache = do_not_cache;
        if( rc != LDAP_SUCCESS ) goto COMPLETE;
 
        /* Check if the *assertDN matches any *vals */
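Review bot: The ITS#4760 comment names the ticket but not the reason the flag is set, and this is an authorization decision: the attribute values fetched by backend_attribute here decide whether assertDN is authorized, so presumably they must not be answered from (or populate) any cache, or a revoked membership could keep authorizing until the cached entry expires; I would say so in the comment, `/* ITS#4760: authz lookups must hit the backend, never a cache, so revoked membership takes effect immediately */`, hedged if the actual motivation differs. The save/restore is sound as written because `op->o_do_not_cache = do_not_cache;` precedes the `goto COMPLETE`, so the caller's flag is preserved on both paths. As a point of style, `int rc, do_not_cache = op->o_do_not_cache;` initialises one of two variables in a single comma-separated declaration; one declaration per line (`int rc;` then `int do_not_cache = op->o_do_not_cache;`) reads more clearly. slap_sasl_check_authz continues beyond the hunk.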