ITS#6699

diff --git a/CHANGES b/CHANGES
index c8c45100f330587ded58e83c7a992e4288c093e8..aa3b752be736237cde637b481a3d33bedfecb0c4 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -30,6 +30,7 @@ OpenLDAP 2.4.24 Engineering
        Fixed slapd-bdb error propogation to overlays (ITS#6633)
        Fixed slapd-ldap debug output of timeout (ITS#6721)
        Fixed slapd-ldap DNSSRV referral chaining (ITS#6565)
+       Fixed slapd-ldap chaining with onelevel scope (ITS#6699)
        Fixed slapd-ldap with SASL/EXTERNAL (ITS#6642)
        Fixed slapd-ndb to honor rootpw setting (ITS#6661)
        Fixed slapd-meta anon retry with failed auth method (ITS#6643)

diff --git a/servers/slapd/back-ldap/chain.c b/servers/slapd/back-ldap/chain.c
index a6c33e4d2fa9c1d25194879ddb1a22de0f8dc725..9c23dbf9b17b677bd556df0f066b2635f20e68f0 100644 (file)
--- a/servers/slapd/back-ldap/chain.c
+++ b/servers/slapd/back-ldap/chain.c
@@ -708,7 +708,11 @@ ldap_chain_search(
 
                } else {
                        /* RFC 4511: if scope is absent, use original */
-                       tmp_oq_search.rs_scope = op->ors_scope;
+                       /* Section 4.5.3: if scope is onelevel, use base */
+                       if ( op->ors_scope == LDAP_SCOPE_ONELEVEL )
+                               tmp_oq_search.rs_scope = LDAP_SCOPE_BASE;
+                       else
+                               tmp_oq_search.rs_scope = op->ors_scope;
                }
 
                rc = LDAP_SUCCESS;