Don't bother setting up threads if there are no indexed attrs

[openldap] / servers / slapd / saslauthz.c

diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c
index c309d110fb638b6a0b91537d42bd8113d8c6678d..dcf0c0c9ef1f4bd7d0f8b923600ab35fc5ff6d9b 100644 (file)
--- a/servers/slapd/saslauthz.c
+++ b/servers/slapd/saslauthz.c
@@ -1136,6 +1136,7 @@ is_dn:            bv.bv_len = uri->bv_len - (bv.bv_val - uri->bv_val);
 
                } else {
                        BER_BVSTR( &group_oc, SLAPD_GROUP_CLASS );
+                       BER_BVSTR( &member_at, SLAPD_GROUP_ATTR );
                }
                group_dn.bv_val++;
                group_dn.bv_len = uri->bv_len - ( group_dn.bv_val - uri->bv_val );
@@ -1576,24 +1577,25 @@ static int slap_authz_regexp( struct berval *in, struct berval *out,
 }
 
 /* This callback actually does some work...*/
-static int sasl_sc_sasl2dn( Operation *o, SlapReply *rs )
+static int sasl_sc_sasl2dn( Operation *op, SlapReply *rs )
 {
-       struct berval *ndn = o->o_callback->sc_private;
+       struct berval *ndn = op->o_callback->sc_private;
 
-       if (rs->sr_type != REP_SEARCH) return 0;
+       if ( rs->sr_type != REP_SEARCH ) return LDAP_SUCCESS;
 
        /* We only want to be called once */
        if ( !BER_BVISNULL( ndn ) ) {
-               o->o_tmpfree(ndn->bv_val, o->o_tmpmemctx);
+               op->o_tmpfree( ndn->bv_val, op->o_tmpmemctx );
                BER_BVZERO( ndn );
 
                Debug( LDAP_DEBUG_TRACE,
-                       "slap_sc_sasl2dn: search DN returned more than 1 entry\n", 0, 0, 0 );
-               return -1;
+                       "%s: slap_sc_sasl2dn: search DN returned more than 1 entry\n",
+                       op->o_log_prefix, 0, 0 );
+               return LDAP_UNAVAILABLE; /* short-circuit the search */
        }
 
-       ber_dupbv_x(ndn, &rs->sr_entry->e_nname, o->o_tmpmemctx);
-       return 0;
+       ber_dupbv_x( ndn, &rs->sr_entry->e_nname, op->o_tmpmemctx );
+       return LDAP_SUCCESS;
 }
 
 
@@ -1606,23 +1608,11 @@ static int sasl_sc_smatch( Operation *o, SlapReply *rs )
 {
        smatch_info *sm = o->o_callback->sc_private;
 
-       if ( rs->sr_type != REP_SEARCH ) {
-               if ( rs->sr_err != LDAP_SUCCESS ) {
-                       sm->match = -1;
-               }
-               return 0;
-       }
-
-       if ( sm->match == 1 ) {
-               sm->match = -1;
-               return 0;
-       }
+       if (rs->sr_type != REP_SEARCH) return 0;
 
        if (dn_match(sm->dn, &rs->sr_entry->e_nname)) {
                sm->match = 1;
-
-       } else {
-               sm->match = -1;
+               return LDAP_UNAVAILABLE;        /* short-circuit the search */
        }
 
        return 0;
@@ -1848,7 +1838,7 @@ exact_match:
 
        op.o_bd->be_search( &op, &rs );
 
-       if (sm.match == 1) {
+       if (sm.match) {
                rc = LDAP_SUCCESS;
        } else {
                rc = LDAP_INAPPROPRIATE_AUTH;
@@ -1882,14 +1872,18 @@ slap_sasl_check_authz( Operation *op,
        AttributeDescription *ad,
        struct berval *authc )
 {
-       int rc;
-       BerVarray vals = NULL;
+       int             rc,
+                       do_not_cache = op->o_do_not_cache;
+       BerVarray       vals = NULL;
 
        Debug( LDAP_DEBUG_TRACE,
           "==>slap_sasl_check_authz: does %s match %s rule in %s?\n",
           assertDN->bv_val, ad->ad_cname.bv_val, searchDN->bv_val);
 
+       /* ITS#4760: don't cache group access */
+       op->o_do_not_cache = 1;
        rc = backend_attribute( op, NULL, searchDN, ad, &vals, ACL_AUTH );
+       op->o_do_not_cache = do_not_cache;
        if( rc != LDAP_SUCCESS ) goto COMPLETE;
 
        /* Check if the *assertDN matches any *vals */