From: Howard Chu <hyc@openldap.org>
Date: Wed, 11 Jun 2003 22:35:31 +0000 (+0000)
Subject: Bind fixes for chaining
X-Git-Tag: OPENLDAP_REL_ENG_2_1_MP~893
X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=9c4735991259478559ba0fc33db37aa457f472b5;p=openldap

Bind fixes for chaining
---

diff --git a/servers/slapd/back-ldap/bind.c b/servers/slapd/back-ldap/bind.c
index 015660a7d6..f9fbcfdaa7 100644
--- a/servers/slapd/back-ldap/bind.c
+++ b/servers/slapd/back-ldap/bind.c
@@ -304,7 +304,7 @@ ldap_back_getconn(Operation *op, SlapReply *rs)
 			lc->cred.bv_val = NULL;
 			lc->bound_dn.bv_val = NULL;
 			lc->bound_dn.bv_len = 0;
-			if ( op->o_conn->c_dn.bv_len != 0
+			if ( op->o_conn && op->o_conn->c_dn.bv_len != 0
 					&& ( op->o_bd == op->o_conn->c_authz_backend ) ) {
 				
 				dncookie dc;
@@ -324,7 +324,7 @@ ldap_back_getconn(Operation *op, SlapReply *rs)
 #endif
 
 				if ( ldap_back_dn_massage( &dc, &op->o_conn->c_dn, &bv ) ) {
-					if (op->o_conn) send_ldap_result( op, rs );
+					send_ldap_result( op, rs );
 					return NULL;
 				}
 
diff --git a/servers/slapd/back-ldap/chain.c b/servers/slapd/back-ldap/chain.c
index 596c003d2d..03784d2e55 100644
--- a/servers/slapd/back-ldap/chain.c
+++ b/servers/slapd/back-ldap/chain.c
@@ -47,6 +47,7 @@ ldap_chain_response( Operation *op, SlapReply *rs )
 	int cache = op->o_do_not_cache;
 	char *authzid = NULL;
 	BerVarray ref;
+	struct berval ndn = op->o_ndn;
 
 	if ( rs->sr_err != LDAP_REFERRAL )
 		return SLAP_CB_CONTINUE;
@@ -60,6 +61,10 @@ ldap_chain_response( Operation *op, SlapReply *rs )
 	op->o_bd->be_private = on->on_bi.bi_private;
 	op->o_callback = NULL;
 
+	/* Chaining is performed by a privileged user on behalf
+	 * of a normal user, using the ProxyAuthz control. However,
+	 * Binds are done separately, on an anonymous session.
+	 */
 	if ( op->o_tag != LDAP_REQ_BIND ) {
 		for (i=0; prev && prev[i]; i++);
 		nctrls = i;
@@ -85,16 +90,19 @@ ldap_chain_response( Operation *op, SlapReply *rs )
 			authz.ldctl_value.bv_val = authzid;
 		}
 		op->o_ctrls = ctrls;
+		op->o_ndn = op->o_bd->be_rootndn;
 	}
 
-	/* Chaining is performed by a privileged user on behalf
-	 * of a normal user
-	 */
-	op->o_do_not_cache = 1;
-
 	switch( op->o_tag ) {
-	case LDAP_REQ_BIND:
+	case LDAP_REQ_BIND: {
+		struct berval rndn = op->o_req_ndn;
+		Connection *conn = op->o_conn;
+		op->o_req_ndn = slap_empty_bv;
+		op->o_conn = NULL;
 		rc = ldap_back_bind( op, rs );
+		op->o_req_ndn = rndn;
+		op->o_conn = conn;
+		}
 		break;
 	case LDAP_REQ_ADD:
 		rc = ldap_back_add( op, rs );
@@ -125,6 +133,7 @@ ldap_chain_response( Operation *op, SlapReply *rs )
 	op->o_ctrls = prev;
 	op->o_bd->be_private = private;
 	op->o_callback = sc;
+	op->o_ndn = ndn;
 	if ( ctrls ) op->o_tmpfree( ctrls, op->o_tmpmemctx );
 	if ( authzid ) op->o_tmpfree( authzid, op->o_tmpmemctx );
 	rs->sr_ref = ref;