fix ITS#4760 differently
authorPierangelo Masarati <ando@openldap.org>
Fri, 24 Nov 2006 13:02:26 +0000 (13:02 +0000)
committerPierangelo Masarati <ando@openldap.org>
Fri, 24 Nov 2006 13:02:26 +0000 (13:02 +0000)
servers/slapd/controls.c
servers/slapd/saslauthz.c

index 1d6efbb66e6056214b15ead691d3aebf35e534f7..acf36b7d5a16ddac31ac20b5c2439088b4bcfc5d 100644 (file)
@@ -991,14 +991,6 @@ static int parseProxyAuthz (
        op->o_ndn = dn;
        ber_dupbv( &op->o_dn, &dn );
 
-       /*
-        * since the authzid has changed, we need to delete
-        * cached groups (ITS#4760)
-        */
-        if ( op->o_groups ) {
-                slap_op_groups_free( op );
-        }
-
        Statslog( LDAP_DEBUG_STATS, "%s PROXYAUTHZ dn=\"%s\"\n",
            op->o_log_prefix, dn.bv_val, 0, 0, 0 );
 
index 2aba4efe12d36bd418628c2399f478b8e644d618..b96b27256d52420827ba1e1a91e8059585cb2f1a 100644 (file)
@@ -1882,14 +1882,18 @@ slap_sasl_check_authz( Operation *op,
        AttributeDescription *ad,
        struct berval *authc )
 {
-       int rc;
-       BerVarray vals = NULL;
+       int             rc,
+                       do_not_cache = op->o_do_not_cache;
+       BerVarray       vals = NULL;
 
        Debug( LDAP_DEBUG_TRACE,
           "==>slap_sasl_check_authz: does %s match %s rule in %s?\n",
           assertDN->bv_val, ad->ad_cname.bv_val, searchDN->bv_val);
 
+       /* ITS#4760: don't cache group access */
+       op->o_do_not_cache = 1;
        rc = backend_attribute( op, NULL, searchDN, ad, &vals, ACL_AUTH );
+       op->o_do_not_cache = do_not_cache;
        if( rc != LDAP_SUCCESS ) goto COMPLETE;
 
        /* Check if the *assertDN matches any *vals */
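Review bot: The `o_do_not_cache` guard added around `backend_attribute()` covers only this one lookup, yet the same commit removes the unconditional `slap_op_groups_free( op )` from `parseProxyAuthz` in controls.c. The fix therefore depends on no other ACL evaluation populating `op->o_groups` before the identity is switched. Other authorization paths are not visible in this hunk, so it should be confirmed that none of them can cache group results under the original identity; a stale entry would presumably be reused for access decisions made as the new authzid. The comment should also give the reason, for example `/* ITS#4760: ACL group checks here run as the original identity; don't cache them, the authzid may change afterwards */`. The body of slap_sasl_check_authz continues past the end of the hunk.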