X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Fback-ldap%2Fsearch.c;h=69fb082565866021fb2f2828c9f56c876cfd6a9c;hb=1df85d3427c287086df4ef41ef0edb1fa7e5bcec;hp=eeab466a568a229bc0eee54d1b014874d8ab9469;hpb=20407ec5da1d1db6daa1abdd9099a93c90e72d0b;p=openldap
diff --git a/servers/slapd/back-ldap/search.c b/servers/slapd/back-ldap/search.c
index eeab466a56..69fb082565 100644
--- a/servers/slapd/back-ldap/search.c
+++ b/servers/slapd/back-ldap/search.c
@@ -2,7 +2,7 @@
 /* $OpenLDAP$ */
 /* This work is part of OpenLDAP Software .
 *
- * Copyright 1999-2014 The OpenLDAP Foundation.
+ * Copyright 1999-2017 The OpenLDAP Foundation.
 * Portions Copyright 1999-2003 Howard Chu.
 * Portions Copyright 2000-2003 Pierangelo Masarati.
 * All rights reserved.
@@ -338,7 +338,7 @@ retry:

 } else {
 /* only touch when activity actually took place... */
- if ( li->li_idle_timeout && lc ) {
+ if ( li->li_idle_timeout ) {
 lc->lc_time = op->o_time;
 }

@@ -645,6 +645,13 @@ finish:;
 ldap_back_release_conn( li, lc );
 }

+ if ( rs->sr_err == LDAP_UNAVAILABLE && /* if we originally bound and wanted rebind-as-user, must drop * the connection now because we just discarded the credentials. * ITS#7464, #8142 */ LDAP_BACK_SAVECRED( li ) && SLAP_IS_AUTHZ_BACKEND( op ) ) rs->sr_err = SLAPD_DISCONNECT;
 return rs->sr_err;
 }

@@ -900,9 +907,7 @@ ldap_back_entry_get(
 ldapinfo_t *li = (ldapinfo_t *) op->o_bd->be_private;
 ldapconn_t *lc = NULL;
- int rc,
- do_not_cache;
- ber_tag_t tag;
+ int rc;
 struct berval bdn;
 LDAPMessage *result = NULL, *e = NULL;
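Review bot: Dropping `&& lc` turns `lc->lc_time = op->o_time;` into an unconditional dereference, and nothing in the hunk records why `lc` cannot be NULL at that point; if this else branch is only reached after a result came back on `lc->lc_ld` (the surrounding loop is outside the hunk), that invariant belongs next to the access, e.g. `/* lc is non-NULL here: a result just arrived on lc->lc_ld */`. If the guard was instead removed as dead code flagged by analysis, that reasoning is better stated in the commit message than left implicit. The enclosing function starts and ends outside this hunk.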
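Review bot: The new disconnect test in the `finish:` hunk is hard to audit because the ITS comment is spliced between the operands of `&&`, separating the `if` head from `LDAP_BACK_SAVECRED( li ) && SLAP_IS_AUTHZ_BACKEND( op ) )` by four lines of prose; moving the comment above the statement and writing `if ( rs->sr_err == LDAP_UNAVAILABLE && LDAP_BACK_SAVECRED( li ) && SLAP_IS_AUTHZ_BACKEND( op ) ) {` / `rs->sr_err = SLAPD_DISCONNECT;` / `}` also restores the braced single-statement style used by the `}` just above it. The comment says the credentials were "just discarded" but not where; naming the call that drops them (presumably the `ldap_back_release_conn( li, lc )` path above, if that is indeed where it happens) would let a reader verify the ordering without leaving the function. The enclosing function starts outside this hunk.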
@@ -911,20 +916,20 @@ ldap_back_entry_get(
 SlapReply rs;
 int do_retry = 1;
 LDAPControl **ctrls = NULL;
+ Operation op2 = *op;

 *ent = NULL;

 /* Tell getconn this is a privileged op */
- do_not_cache = op->o_do_not_cache;
- tag = op->o_tag;
- /* do not cache */
- op->o_do_not_cache = 1;
+ op2.o_do_not_cache = 1;
+ /* use rootdn to be doubly explicit this is privileged */
+ op2.o_dn = op->o_bd->be_rootdn;
+ op2.o_ndn = op->o_bd->be_rootndn;
 /* ldap_back_entry_get() is an entry lookup, so it does not need
 * to know what the entry is being looked up for */
- op->o_tag = LDAP_REQ_SEARCH;
- rc = ldap_back_dobind( &lc, op, &rs, LDAP_BACK_DONTSEND );
- op->o_do_not_cache = do_not_cache;
- op->o_tag = tag;
+ op2.o_tag = LDAP_REQ_SEARCH;
+ op2.o_ctrls = NULL;
+ rc = ldap_back_dobind( &lc, &op2, &rs, LDAP_BACK_DONTSEND );
 if ( !rc ) {
 return rs.sr_err;
 }
@@ -954,8 +959,8 @@ ldap_back_entry_get(
 }

 retry:
- ctrls = op->o_ctrls;
- rc = ldap_back_controls_add( op, &rs, lc, &ctrls );
+ ctrls = NULL;
+ rc = ldap_back_controls_add( &op2, &rs, lc, &ctrls );
 if ( rc != LDAP_SUCCESS ) {
 goto cleanup;
 }
@@ -967,9 +972,9 @@ retry:
 if ( rc != LDAP_SUCCESS ) {
 if ( rc == LDAP_SERVER_DOWN && do_retry ) {
 do_retry = 0;
- if ( ldap_back_retry( &lc, op, &rs, LDAP_BACK_DONTSEND ) ) {
+ if ( ldap_back_retry( &lc, &op2, &rs, LDAP_BACK_DONTSEND ) ) {
 /* if the identity changed, there might be need to re-authz */
- (void)ldap_back_controls_free( op, &rs, &ctrls );
+ (void)ldap_back_controls_free( &op2, &rs, &ctrls );
 goto retry;
 }
 }
@@ -996,7 +1001,7 @@ retry:
 }

 cleanup:
- (void)ldap_back_controls_free( op, &rs, &ctrls );
+ (void)ldap_back_controls_free( &op2, &rs, &ctrls );

 if ( result ) {
 ldap_msgfree( result );
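Review bot: `op2.o_ctrls = NULL;` is the line that keeps the client's request controls from being replayed on this internal, rootdn-identity lookup, yet it is the one assignment in the group without a comment while the `o_dn` one has its rationale spelled out; suggest `/* do not forward the client's request controls on this privileged lookup */`. Because `Operation op2 = *op;` copies every other per-request field, any control-derived state the Operation keeps outside `o_ctrls` (parsed control flags, if they are stored separately) still describes the client's request on the privileged path, so it is worth confirming that ldap_back_dobind and ldap_back_controls_add consult only `o_ctrls` and `o_dn`/`o_ndn`. The hunks at -954, -967 and -996 apply the same `op` to `&op2` substitution; any remaining use of `op` in the parts of the function body not shown here should be checked for the same reason. ldap_back_entry_get begins before this hunk and ends after the last one.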