From: Pierangelo Masarati <ando@openldap.org>
Date: Tue, 16 May 2006 01:10:51 +0000 (+0000)
Subject: idassert: setup rebind stuff when binding for proxyAuthz, so that referral chasing... 
X-Git-Tag: OPENLDAP_REL_ENG_2_4_1ALPHA~2^2~5
X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=9c9b6f7353f9340cf27021de344ea20a0c900b69;p=openldap

idassert: setup rebind stuff when binding for proxyAuthz, so that referral chasing tries to rebind with the correct identity (partially address ITS#3526)
---

diff --git a/servers/slapd/back-ldap/bind.c b/servers/slapd/back-ldap/bind.c
index d43d13df33..66349e6d26 100644
--- a/servers/slapd/back-ldap/bind.c
+++ b/servers/slapd/back-ldap/bind.c
@@ -129,10 +129,12 @@ ldap_back_bind( Operation *op, SlapReply *rs )
 			ldap_back_proxy_authz_bind( lc, op, rs, LDAP_BACK_SENDERR );
 			if ( !LDAP_BACK_CONN_ISBOUND( lc ) ) {
 				rc = 1;
-				goto done;
 			}
+			goto done;
 		}
 
+		/* rebind is now done inside ldap_back_proxy_authz_bind()
+		 * in case of success */
 		LDAP_BACK_CONN_ISBOUND_SET( lc );
 		ber_dupbv( &lc->lc_bound_ndn, &op->o_req_ndn );
 
@@ -1512,7 +1514,20 @@ ldap_back_proxy_authz_bind( ldapconn_t *lc, Operation *op, SlapReply *rs, ldap_b
 
 	rc = ldap_back_op_result( lc, op, rs, msgid, 0, sendok );
 	if ( rc == LDAP_SUCCESS ) {
+		/* set rebind stuff in case of successful proxyAuthz bind,
+		 * so that referral chasing is attempted using the right
+		 * identity */
 		LDAP_BACK_CONN_ISBOUND_SET( lc );
+		ber_dupbv( &lc->lc_bound_ndn, &binddn );
+
+		if ( LDAP_BACK_SAVECRED( li ) ) {
+			if ( !BER_BVISNULL( &lc->lc_cred ) ) {
+				memset( lc->lc_cred.bv_val, 0,
+						lc->lc_cred.bv_len );
+			}
+			ber_bvreplace( &lc->lc_cred, &bindcred );
+			ldap_set_rebind_proc( lc->lc_ld, li->li_rebind_f, lc );
+		}
 	}
 done:;
 	return LDAP_BACK_CONN_ISBOUND( lc );