X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Fsaslauthz.c;h=b96b27256d52420827ba1e1a91e8059585cb2f1a;hb=c3960b98d3b5fbd6ebeb200ca7799ece7b766d50;hp=2aba4efe12d36bd418628c2399f478b8e644d618;hpb=14ac05436ac59e4c090fdfa99bacff3800ce7f6a;p=openldap

diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c
index 2aba4efe12..b96b27256d 100644
--- a/servers/slapd/saslauthz.c
+++ b/servers/slapd/saslauthz.c
@@ -1882,14 +1882,18 @@ slap_sasl_check_authz( Operation *op,
 	AttributeDescription *ad,
 	struct berval *authc )
 {
-	int rc;
-	BerVarray vals = NULL;
+	int		rc,
+			do_not_cache = op->o_do_not_cache;
+	BerVarray	vals = NULL;
 
 	Debug( LDAP_DEBUG_TRACE,
 	   "==>slap_sasl_check_authz: does %s match %s rule in %s?\n",
 	   assertDN->bv_val, ad->ad_cname.bv_val, searchDN->bv_val);
 
+	/* ITS#4760: don't cache group access */
+	op->o_do_not_cache = 1;
 	rc = backend_attribute( op, NULL, searchDN, ad, &vals, ACL_AUTH );
+	op->o_do_not_cache = do_not_cache;
 	if( rc != LDAP_SUCCESS ) goto COMPLETE;
 
 	/* Check if the *assertDN matches any *vals */