Fix ITS#4576 reset restrict after successful pw mod

diff --git a/servers/slapd/overlays/ppolicy.c b/servers/slapd/overlays/ppolicy.c
index aa343a1946535c26228134d229f6bacaaee6b337..d7df8105a186c9a4ad55e1b2c5f88be9f654fe59 100644 (file)
--- a/servers/slapd/overlays/ppolicy.c
+++ b/servers/slapd/overlays/ppolicy.c
@@ -1276,6 +1276,19 @@ ppolicy_add(
        return SLAP_CB_CONTINUE;
 }
 
+static int
+ppolicy_mod_cb( Operation *op, SlapReply *rs )
+{
+       slap_callback *sc = op->o_callback;
+       op->o_callback = sc->sc_next;
+       if ( rs->sr_err == LDAP_SUCCESS ) {
+               ch_free( pwcons[op->o_conn->c_conn_idx].dn.bv_val );
+               BER_BVZERO( &pwcons[op->o_conn->c_conn_idx].dn );
+       }
+       op->o_tmpfree( sc, op->o_tmpmemctx );
+       return SLAP_CB_CONTINUE;
+}
+
 static int
 ppolicy_modify( Operation *op, SlapReply *rs )
 {
@@ -1673,7 +1686,22 @@ do_modify:
                struct berval timestamp;
                char timebuf[ LDAP_LUTIL_GENTIME_BUFSIZE ];
                time_t now = slap_get_time();
-               
+
+               /* If the conn is restricted, set a callback to clear it
+                * if the pwmod succeeds
+                */
+               if (!BER_BVISEMPTY( &pwcons[op->o_conn->c_conn_idx].dn )) {
+                       slap_callback *sc = op->o_tmpcalloc( 1, sizeof( slap_callback ),
+                               op->o_tmpmemctx );
+                       sc->sc_next = op->o_callback;
+                       /* Must use sc_response to insure we reset on success, before
+                        * the client sees the response. Must use sc_cleanup to insure
+                        * that it gets cleaned up if sc_response is not called.
+                        */
+                       sc->sc_response = ppolicy_mod_cb;
+                       sc->sc_cleanup = ppolicy_mod_cb;
+               }
+
                /*
                 * keep the necessary pwd.. operational attributes
                 * up to date.