improved authz_backend detection for internal databases (ITS#4018)

servers/slapd/back-ldap/bind.c

@@ -451,11 +451,7 @@ ldap_back_getconn( Operation *op, SlapReply *rs, ldap_back_send_t sendok )
 	/* Searches for a ldapconn in the avl tree */
 
 	/* Explicit binds must not be shared */
-	if ( op->o_tag == LDAP_REQ_BIND
-		|| ( op->o_conn
-			&& op->o_conn->c_authz_backend
-			&& op->o_bd->be_private == op->o_conn->c_authz_backend->be_private ) )
-	{
+	if ( op->o_tag == LDAP_REQ_BIND || SLAP_IS_AUTHZ_BACKEND( op ) ) {
 		lc_curr.lc_conn = op->o_conn;
 
 	} else {
@@ -513,8 +509,8 @@ ldap_back_getconn( Operation *op, SlapReply *rs, ldap_back_send_t sendok )
 		} else {
 			BER_BVZERO( &lc->lc_cred );
 			BER_BVZERO( &lc->lc_bound_ndn );
-			if ( op->o_conn && !BER_BVISEMPTY( &op->o_ndn )
-				&& op->o_bd->be_private == op->o_conn->c_authz_backend->be_private )
+			if ( !BER_BVISEMPTY( &op->o_ndn )
+				&& SLAP_IS_AUTHZ_BACKEND( op ) )
 			{
 				ber_dupbv( &lc->lc_bound_ndn, &op->o_ndn );
 			}

servers/slapd/bind.c

@@ -452,6 +452,8 @@ fe_op_bind( Operation *op, SlapReply *rs )
 	}
 
 	if( op->o_bd->be_bind ) {
+		op->o_conn->c_authz_cookie = NULL;
+
 		rs->sr_err = (op->o_bd->be_bind)( op, rs );
 
 		if ( rs->sr_err == 0 ) {

servers/slapd/slap.h

@@ -2621,6 +2621,14 @@ typedef struct slap_conn {
 
 	/* authorization backend */
 	Backend *c_authz_backend;
+	void	*c_authz_cookie;
+#define SLAP_IS_AUTHZ_BACKEND( op )	\
+	( (op)->o_bd != NULL \
+		&& (op)->o_bd->be_private != NULL \
+		&& (op)->o_conn != NULL \
+		&& (op)->o_conn->c_authz_backend != NULL \
+		&& ( (op)->o_bd->be_private == (op)->o_conn->c_authz_backend->be_private \
+			|| (op)->o_bd->be_private == (op)->o_conn->c_authz_cookie ) )
 
 	AuthorizationInformation c_authz;