From b769f446197c6e20058c2db5271a8fccd0ca68a6 Mon Sep 17 00:00:00 2001
From: Pierangelo Masarati <ando@openldap.org>
Date: Tue, 26 Sep 2006 15:12:07 +0000
Subject: [PATCH] fix ITS#4686 (retry with idassert)

---
 servers/slapd/back-meta/add.c    | 4 +++-
 servers/slapd/back-meta/delete.c | 4 +++-
 servers/slapd/back-meta/modify.c | 4 +++-
 servers/slapd/back-meta/modrdn.c | 4 +++-
 servers/slapd/back-meta/search.c | 4 +++-
 5 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/servers/slapd/back-meta/add.c b/servers/slapd/back-meta/add.c
index 66afd66e11..2d318bb1f0 100644
--- a/servers/slapd/back-meta/add.c
+++ b/servers/slapd/back-meta/add.c
@@ -167,6 +167,7 @@ meta_back_add( Operation *op, SlapReply *rs )
 	}
 	attrs[ i ] = NULL;
 
+retry:;
 	ctrls = op->o_ctrls;
 	if ( ldap_back_proxy_authz_ctrl( &mc->mc_conns[ candidate ].msc_bound_ndn,
 		mt->mt_version, &mt->mt_idassert, op, rs, &ctrls ) != LDAP_SUCCESS )
@@ -175,7 +176,6 @@ meta_back_add( Operation *op, SlapReply *rs )
 		goto cleanup;
 	}
 
-retry:;
 	rs->sr_err = ldap_add_ext( mc->mc_conns[ candidate ].msc_ld, mdn.bv_val,
 			      attrs, ctrls, NULL, &msgid );
 	rs->sr_err = meta_back_op_result( mc, op, rs, candidate, msgid,
@@ -183,6 +183,8 @@ retry:;
 	if ( rs->sr_err == LDAP_UNAVAILABLE && do_retry ) {
 		do_retry = 0;
 		if ( meta_back_retry( op, rs, &mc, candidate, LDAP_BACK_SENDERR ) ) {
+			/* if the identity changed, there might be need to re-authz */
+			(void)ldap_back_proxy_authz_ctrl_free( op, &ctrls );
 			goto retry;
 		}
 	}
diff --git a/servers/slapd/back-meta/delete.c b/servers/slapd/back-meta/delete.c
index 586f4bcffe..14ded8b4a8 100644
--- a/servers/slapd/back-meta/delete.c
+++ b/servers/slapd/back-meta/delete.c
@@ -65,6 +65,7 @@ meta_back_delete( Operation *op, SlapReply *rs )
 		goto cleanup;
 	}
 
+retry:;
 	ctrls = op->o_ctrls;
 	if ( ldap_back_proxy_authz_ctrl( &mc->mc_conns[ candidate ].msc_bound_ndn,
 		mt->mt_version, &mt->mt_idassert, op, rs, &ctrls ) != LDAP_SUCCESS )
@@ -73,7 +74,6 @@ meta_back_delete( Operation *op, SlapReply *rs )
 		goto cleanup;
 	}
 
-retry:;
 	rs->sr_err = ldap_delete_ext( mc->mc_conns[ candidate ].msc_ld,
 			mdn.bv_val, ctrls, NULL, &msgid );
 	rs->sr_err = meta_back_op_result( mc, op, rs, candidate, msgid,
@@ -81,6 +81,8 @@ retry:;
 	if ( rs->sr_err == LDAP_UNAVAILABLE && do_retry ) {
 		do_retry = 0;
 		if ( meta_back_retry( op, rs, &mc, candidate, LDAP_BACK_SENDERR ) ) {
+			/* if the identity changed, there might be need to re-authz */
+			(void)ldap_back_proxy_authz_ctrl_free( op, &ctrls );
 			goto retry;
 		}
 	}
diff --git a/servers/slapd/back-meta/modify.c b/servers/slapd/back-meta/modify.c
index 437d744c92..9b86b49b29 100644
--- a/servers/slapd/back-meta/modify.c
+++ b/servers/slapd/back-meta/modify.c
@@ -176,6 +176,7 @@ meta_back_modify( Operation *op, SlapReply *rs )
 	}
 	modv[ i ] = 0;
 
+retry:;
 	ctrls = op->o_ctrls;
 	rc = ldap_back_proxy_authz_ctrl( &mc->mc_conns[ candidate ].msc_bound_ndn,
 		mt->mt_version, &mt->mt_idassert, op, rs, &ctrls );
@@ -184,7 +185,6 @@ meta_back_modify( Operation *op, SlapReply *rs )
 		goto cleanup;
 	}
 
-retry:;
 	rs->sr_err = ldap_modify_ext( mc->mc_conns[ candidate ].msc_ld, mdn.bv_val,
 			modv, ctrls, NULL, &msgid );
 	rs->sr_err = meta_back_op_result( mc, op, rs, candidate, msgid,
@@ -192,6 +192,8 @@ retry:;
 	if ( rs->sr_err == LDAP_UNAVAILABLE && do_retry ) {
 		do_retry = 0;
 		if ( meta_back_retry( op, rs, &mc, candidate, LDAP_BACK_SENDERR ) ) {
+			/* if the identity changed, there might be need to re-authz */
+			(void)ldap_back_proxy_authz_ctrl_free( op, &ctrls );
 			goto retry;
 		}
 	}
diff --git a/servers/slapd/back-meta/modrdn.c b/servers/slapd/back-meta/modrdn.c
index c009afc84c..f6e27c6490 100644
--- a/servers/slapd/back-meta/modrdn.c
+++ b/servers/slapd/back-meta/modrdn.c
@@ -118,6 +118,7 @@ meta_back_modrdn( Operation *op, SlapReply *rs )
 		goto cleanup;
 	}
 
+retry:;
 	ctrls = op->o_ctrls;
 	if ( ldap_back_proxy_authz_ctrl( &mc->mc_conns[ candidate ].msc_bound_ndn,
 		mt->mt_version, &mt->mt_idassert, op, rs, &ctrls ) != LDAP_SUCCESS )
@@ -126,7 +127,6 @@ meta_back_modrdn( Operation *op, SlapReply *rs )
 		goto cleanup;
 	}
 
-retry:;
 	rs->sr_err = ldap_rename( mc->mc_conns[ candidate ].msc_ld,
 			mdn.bv_val, op->orr_newrdn.bv_val,
 			mnewSuperior.bv_val, op->orr_deleteoldrdn,
@@ -136,6 +136,8 @@ retry:;
 	if ( rs->sr_err == LDAP_UNAVAILABLE && do_retry ) {
 		do_retry = 0;
 		if ( meta_back_retry( op, rs, &mc, candidate, LDAP_BACK_SENDERR ) ) {
+			/* if the identity changed, there might be need to re-authz */
+			(void)ldap_back_proxy_authz_ctrl_free( op, &ctrls );
 			goto retry;
 		}
 	}
diff --git a/servers/slapd/back-meta/search.c b/servers/slapd/back-meta/search.c
index 650afddfb7..cc7647bf69 100644
--- a/servers/slapd/back-meta/search.c
+++ b/servers/slapd/back-meta/search.c
@@ -454,6 +454,7 @@ meta_back_search_start(
 		tvp = &tv;
 	}
 
+retry:;
 	ctrls = op->o_ctrls;
 	if ( ldap_back_proxy_authz_ctrl( &msc->msc_bound_ndn,
 		mt->mt_version, &mt->mt_idassert, op, rs, &ctrls )
@@ -467,7 +468,6 @@ meta_back_search_start(
 	/*
 	 * Starts the search
 	 */
-retry:;
 	assert( msc->msc_ld != NULL );
 	rc = ldap_search_ext( msc->msc_ld,
 			mbase.bv_val, realscope, mfilter.bv_val,
@@ -482,6 +482,8 @@ retry:;
 	case LDAP_SERVER_DOWN:
 		if ( nretries && meta_back_retry( op, rs, mcp, candidate, LDAP_BACK_DONTSEND ) ) {
 			nretries = 0;
+			/* if the identity changed, there might be need to re-authz */
+			(void)ldap_back_proxy_authz_ctrl_free( op, &ctrls );
 			goto retry;
 		}
 
-- 
2.39.5