From e778611dd28e57c0c72ad81d7317cefc86af1e01 Mon Sep 17 00:00:00 2001
From: Pierangelo Masarati <ando@openldap.org>
Date: Fri, 24 Nov 2006 13:02:11 +0000
Subject: [PATCH] fix ITS#4760 differently

---
 servers/slapd/controls.c  | 8 --------
 servers/slapd/saslauthz.c | 8 ++++++--
 2 files changed, 6 insertions(+), 10 deletions(-)

diff --git a/servers/slapd/controls.c b/servers/slapd/controls.c
index 2c955eedeb..56b32d3df2 100644
--- a/servers/slapd/controls.c
+++ b/servers/slapd/controls.c
@@ -919,14 +919,6 @@ static int parseProxyAuthz (
 	op->o_ndn = dn;
 	ber_dupbv( &op->o_dn, &dn );
 
-	/*
-	 * since the authzid has changed, we need to delete
-	 * cached groups (ITS#4760)
-	 */
-        if ( op->o_groups ) {
-                slap_op_groups_free( op );
-        }
-
 	Statslog( LDAP_DEBUG_STATS, "%s PROXYAUTHZ dn=\"%s\"\n",
 	    op->o_log_prefix, dn.bv_val, 0, 0, 0 );
 
diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c
index 7b8a606f66..dcf0c0c9ef 100644
--- a/servers/slapd/saslauthz.c
+++ b/servers/slapd/saslauthz.c
@@ -1872,14 +1872,18 @@ slap_sasl_check_authz( Operation *op,
 	AttributeDescription *ad,
 	struct berval *authc )
 {
-	int rc;
-	BerVarray vals = NULL;
+	int		rc,
+			do_not_cache = op->o_do_not_cache;
+	BerVarray	vals = NULL;
 
 	Debug( LDAP_DEBUG_TRACE,
 	   "==>slap_sasl_check_authz: does %s match %s rule in %s?\n",
 	   assertDN->bv_val, ad->ad_cname.bv_val, searchDN->bv_val);
 
+	/* ITS#4760: don't cache group access */
+	op->o_do_not_cache = 1;
 	rc = backend_attribute( op, NULL, searchDN, ad, &vals, ACL_AUTH );
+	op->o_do_not_cache = do_not_cache;
 	if( rc != LDAP_SUCCESS ) goto COMPLETE;
 
 	/* Check if the *assertDN matches any *vals */
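Review bot: The comment on the added `op->o_do_not_cache = 1;` line says what is suppressed but not why it matters for access control, and the save/restore covers only this one `backend_attribute()` call. Judging by the comment removed from controls.c, the concern is group results cached on the operation under the original identity being reused after the authorization identity changes; I would spell that out, e.g. `/* ITS#4760: ACL evaluation here runs under the pre-authorization identity; do not let it cache group results on op that would be reused once the authzid changes */`. Because the `slap_op_groups_free()` call in parseProxyAuthz is dropped in the same commit, it is worth confirming that no other lookup on the proxy-authorization path (none is visible in this hunk) can populate `op->o_groups` before `op->o_ndn` is replaced, since nothing would clear those entries any more. The body of slap_sasl_check_authz continues past the end of the hunk, so the later exit paths could not be checked here.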
-- 
GitLab