From: Howard Chu <hyc@openldap.org>
Date: Mon, 14 Sep 2015 04:42:20 +0000 (+0100)
Subject: ITS#8244 skip client controls in ldap_back_entry_get()
X-Git-Tag: OPENLDAP_REL_ENG_2_4_43~49
X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=e8850435a39209fe88ea1d1f34d67a5c6a8061d5;p=openldap

ITS#8244 skip client controls in ldap_back_entry_get()
---

diff --git a/servers/slapd/back-ldap/search.c b/servers/slapd/back-ldap/search.c
index b28b694945..cc27f17afe 100644
--- a/servers/slapd/back-ldap/search.c
+++ b/servers/slapd/back-ldap/search.c
@@ -907,9 +907,7 @@ ldap_back_entry_get(
 	ldapinfo_t	*li = (ldapinfo_t *) op->o_bd->be_private;
 
 	ldapconn_t	*lc = NULL;
-	int		rc,
-			do_not_cache;
-	ber_tag_t	tag;
+	int		rc;
 	struct berval	bdn;
 	LDAPMessage	*result = NULL,
 			*e = NULL;
@@ -918,20 +916,20 @@ ldap_back_entry_get(
 	SlapReply	rs;
 	int		do_retry = 1;
 	LDAPControl	**ctrls = NULL;
+	Operation op2 = *op;
 
 	*ent = NULL;
 
 	/* Tell getconn this is a privileged op */
-	do_not_cache = op->o_do_not_cache;
-	tag = op->o_tag;
-	/* do not cache */
-	op->o_do_not_cache = 1;
+	op2.o_do_not_cache = 1;
+	/* use rootdn to be doubly explicit this is privileged */
+	op2.o_dn = op->o_bd->be_rootdn;
+	op2.o_ndn = op->o_bd->be_rootndn;
 	/* ldap_back_entry_get() is an entry lookup, so it does not need
 	 * to know what the entry is being looked up for */
-	op->o_tag = LDAP_REQ_SEARCH;
-	rc = ldap_back_dobind( &lc, op, &rs, LDAP_BACK_DONTSEND );
-	op->o_do_not_cache = do_not_cache;
-	op->o_tag = tag;
+	op2.o_tag = LDAP_REQ_SEARCH;
+	op2.o_ctrls = NULL;
+	rc = ldap_back_dobind( &lc, &op2, &rs, LDAP_BACK_DONTSEND );
 	if ( !rc ) {
 		return rs.sr_err;
 	}
@@ -961,8 +959,8 @@ ldap_back_entry_get(
 	}
 
 retry:
-	ctrls = op->o_ctrls;
-	rc = ldap_back_controls_add( op, &rs, lc, &ctrls );
+	ctrls = NULL;
+	rc = ldap_back_controls_add( &op2, &rs, lc, &ctrls );
 	if ( rc != LDAP_SUCCESS ) {
 		goto cleanup;
 	}
@@ -974,9 +972,9 @@ retry:
 	if ( rc != LDAP_SUCCESS ) {
 		if ( rc == LDAP_SERVER_DOWN && do_retry ) {
 			do_retry = 0;
-			if ( ldap_back_retry( &lc, op, &rs, LDAP_BACK_DONTSEND ) ) {
+			if ( ldap_back_retry( &lc, &op2, &rs, LDAP_BACK_DONTSEND ) ) {
 				/* if the identity changed, there might be need to re-authz */
-				(void)ldap_back_controls_free( op, &rs, &ctrls );
+				(void)ldap_back_controls_free( &op2, &rs, &ctrls );
 				goto retry;
 			}
 		}
@@ -1003,7 +1001,7 @@ retry:
 	}
 
 cleanup:
-	(void)ldap_back_controls_free( op, &rs, &ctrls );
+	(void)ldap_back_controls_free( &op2, &rs, &ctrls );
 
 	if ( result ) {
 		ldap_msgfree( result );