From de254abb279cb107d38c40c35e878e2d86163351 Mon Sep 17 00:00:00 2001
From: Pierangelo Masarati
Date: Fri, 24 Nov 2006 11:43:47 +0000
Subject: [PATCH] destroy cached groups after identity change (ITS#4760)
---
 servers/slapd/controls.c | 7 +++++++
 servers/slapd/operation.c | 20 +++++++++++++-------
 servers/slapd/proto-slap.h | 1 +
 3 files changed, 21 insertions(+), 7 deletions(-)
diff --git a/servers/slapd/controls.c b/servers/slapd/controls.c
index bc31133bac..1d6efbb66e 100644
--- a/servers/slapd/controls.c
+++ b/servers/slapd/controls.c
@@ -991,6 +991,13 @@ static int parseProxyAuthz (
 op->o_ndn = dn;
 ber_dupbv( &op->o_dn, &dn );
+ /*
+ * since the authzid has changed, we need to delete
+ * cached groups (ITS#4760)
+ */
+ if ( op->o_groups ) {
+ slap_op_groups_free( op );
+ }
 Statslog( LDAP_DEBUG_STATS, "%s PROXYAUTHZ dn=\"%s\"\n", op->o_log_prefix, dn.bv_val, 0, 0, 0 );
diff --git a/servers/slapd/operation.c b/servers/slapd/operation.c
index 2ffddce841..3d38d0cef9 100644
--- a/servers/slapd/operation.c
+++ b/servers/slapd/operation.c
@@ -60,6 +60,17 @@ void slap_op_destroy(void)
 ldap_pvt_thread_mutex_destroy( &slap_op_mutex );
 }
+void
+slap_op_groups_free( Operation *op )
+{
+ GroupAssertion *g, *n;
+ for ( g = op->o_groups; g; g = n ) {
+ n = g->ga_next;
+ slap_sl_free( g, op->o_tmpmemctx );
+ }
+ op->o_groups = NULL;
+}
+
 void
 slap_op_free( Operation *op )
 {
@@ -87,13 +98,8 @@ slap_op_free( Operation *op )
 }
 #endif
- {
- GroupAssertion *g, *n;
- for ( g = op->o_groups; g; g = n ) {
- n = g->ga_next;
- slap_sl_free( g, op->o_tmpmemctx );
- }
- op->o_groups = NULL;
+ if ( op->o_groups ) {
+ slap_op_groups_free( op );
 }
 #if defined( LDAP_SLAPI )
diff --git a/servers/slapd/proto-slap.h b/servers/slapd/proto-slap.h
index 6fc5bcc4cf..f674f4cc6d 100644
--- a/servers/slapd/proto-slap.h
+++ b/servers/slapd/proto-slap.h
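Review bot: The `if ( op->o_groups )` guard around the new call in parseProxyAuthz is redundant, and the same guard is repeated in the slap_op_free hunk of operation.c. slap_op_groups_free() as added by this commit iterates with a loop that does not run for a NULL head and then stores NULL, so the call can be unconditional: `slap_op_groups_free( op );`. Because this flush is what keeps group results cached before the authzid change from being reused afterwards, an unconditional call is also the form least likely to be broken by a later edit to the condition. parseProxyAuthz starts and ends outside this hunk.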
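Review bot: slap_op_groups_free() is introduced as an exported function with no header comment, so the rule it exists to enforce is written down only at the single call site in controls.c. I would document it at the definition, for example `/* Free the per-operation group cache; call after any change to op->o_ndn, since cached results presumably belong to the previous identity (ITS#4760). */`. The comment should also say that entries are released with `op->o_tmpmemctx`, which assumes they were allocated from that same context, and that the function is safe to call when `op->o_groups` is already NULL. Any other path that rewrites the operation's identity is not visible in this diff and would need the same call.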
@@ -1273,6 +1273,7 @@ LDAP_SLAPD_F (int) parse_oidm LDAP_P((
 */
 LDAP_SLAPD_F (void) slap_op_init LDAP_P(( void ));
 LDAP_SLAPD_F (void) slap_op_destroy LDAP_P(( void ));
+LDAP_SLAPD_F (void) slap_op_groups_free LDAP_P(( Operation *op ));
 LDAP_SLAPD_F (void) slap_op_free LDAP_P(( Operation *op ));
 LDAP_SLAPD_F (void) slap_op_time LDAP_P(( time_t *t, int *n ));
 LDAP_SLAPD_F (Operation *) slap_op_alloc LDAP_P((
--
2.39.5