Commit 66ddf629 authored by Pierangelo Masarati's avatar Pierangelo Masarati
Browse files

add idassert code (undocumented yet)

parent 3eebd5bb
......@@ -46,8 +46,8 @@ ldap_back_add(
ber_int_t msgid;
dncookie dc;
int isupdate;
#ifdef LDAP_BACK_PROXY_AUTHZ
LDAPControl **ctrls = NULL;
#ifdef LDAP_BACK_PROXY_AUTHZ
int rc = LDAP_SUCCESS;
#endif /* LDAP_BACK_PROXY_AUTHZ */
......@@ -128,6 +128,7 @@ ldap_back_add(
}
attrs[i] = NULL;
ctrls = op->o_ctrls;
#ifdef LDAP_BACK_PROXY_AUTHZ
rc = ldap_back_proxy_authz_ctrl( lc, op, rs, &ctrls );
if ( rc != LDAP_SUCCESS ) {
......@@ -136,12 +137,7 @@ ldap_back_add(
#endif /* LDAP_BACK_PROXY_AUTHZ */
rs->sr_err = ldap_add_ext(lc->ld, mdn.bv_val, attrs,
#ifdef LDAP_BACK_PROXY_AUTHZ
ctrls,
#else /* ! LDAP_BACK_PROXY_AUTHZ */
op->o_ctrls,
#endif /* ! LDAP_BACK_PROXY_AUTHZ */
NULL, &msgid);
ctrls, NULL, &msgid);
#ifdef LDAP_BACK_PROXY_AUTHZ
cleanup:
......
......@@ -31,6 +31,10 @@
#include "rewrite.h"
#endif /* ENABLE_REWRITE */
#ifdef LDAP_DEVEL
#define LDAP_BACK_PROXY_AUTHZ
#endif
LDAP_BEGIN_DECL
struct slap_conn;
......@@ -87,7 +91,19 @@ struct ldapinfo {
#ifdef LDAP_BACK_PROXY_AUTHZ
struct berval proxyauthzdn;
struct berval proxyauthzpw;
/* ID assert stuff */
int idassert_mode;
#define LDAP_BACK_IDASSERT_NONE 0
#define LDAP_BACK_IDASSERT_PROXYID 1
#define LDAP_BACK_IDASSERT_ANONYMOUS 2
#define LDAP_BACK_IDASSERT_SELF 3
#define LDAP_BACK_IDASSERT_OTHER 4
struct berval idassert_dn;
BerVarray idassert_authz;
/* end of ID assert stuff */
#endif /* LDAP_BACK_PROXY_AUTHZ */
ldap_pvt_thread_mutex_t conn_mutex;
int savecred;
Avlnode *conntree;
......
......@@ -72,10 +72,9 @@ ldap_back_bind(
return -1;
}
if ( lc->bound_dn.bv_val ) {
if ( !BER_BVISNULL( &lc->bound_dn ) ) {
ch_free( lc->bound_dn.bv_val );
lc->bound_dn.bv_len = 0;
lc->bound_dn.bv_val = NULL;
BER_BVZERO( &lc->bound_dn );
}
lc->bound = 0;
/* method is always LDAP_AUTH_SIMPLE if we got here */
......@@ -89,10 +88,10 @@ ldap_back_bind(
} else {
ber_dupbv( &lc->bound_dn, &op->o_req_dn );
}
mdn.bv_val = NULL;
BER_BVZERO( &mdn );
if ( li->savecred ) {
if ( lc->cred.bv_val ) {
if ( !BER_BVISNULL( &lc->cred ) ) {
memset( lc->cred.bv_val, 0, lc->cred.bv_len );
ch_free( lc->cred.bv_val );
}
......@@ -108,7 +107,7 @@ ldap_back_bind(
ldap_pvt_thread_mutex_lock( &li->conn_mutex );
lc = avl_delete( &li->conntree, (caddr_t)lc,
ldap_back_conn_cmp );
if ( lc->local_dn.bv_val )
if ( !BER_BVISNULL( &lc->local_dn ) )
ch_free( lc->local_dn.bv_val );
ber_dupbv( &lc->local_dn, &op->o_req_ndn );
lerr = avl_insert( &li->conntree, (caddr_t)lc,
......@@ -119,7 +118,7 @@ ldap_back_bind(
}
}
if ( mdn.bv_val && mdn.bv_val != op->o_req_dn.bv_val ) {
if ( !BER_BVISNULL( &mdn ) && mdn.bv_val != op->o_req_dn.bv_val ) {
free( mdn.bv_val );
}
......@@ -286,11 +285,9 @@ ldap_back_getconn(Operation *op, SlapReply *rs)
ber_dupbv( &lc->cred, &li->bindpw );
ber_dupbv( &lc->bound_dn, &li->binddn );
} else {
lc->cred.bv_len = 0;
lc->cred.bv_val = NULL;
lc->bound_dn.bv_val = NULL;
lc->bound_dn.bv_len = 0;
if ( op->o_conn && op->o_conn->c_dn.bv_len != 0
BER_BVZERO( &lc->cred );
BER_BVZERO( &lc->bound_dn );
if ( op->o_conn && !BER_BVISEMPTY( &op->o_conn->c_dn )
&& ( op->o_bd == op->o_conn->c_authz_backend ) ) {
dncookie dc;
......@@ -407,12 +404,40 @@ ldap_back_dobind( struct ldapconn *lc, Operation *op, SlapReply *rs )
* control to every operation with the dn bound
* to the connection as control value.
*/
if ( ( lc->bound_dn.bv_val == NULL || lc->bound_dn.bv_len == 0 )
&& ( op->o_conn && op->o_conn->c_dn.bv_val != NULL && op->o_conn->c_dn.bv_len != 0 )
&& ( li->proxyauthzdn.bv_val != NULL && li->proxyauthzdn.bv_len != 0 )
&& ! gotit ) {
rs->sr_err = ldap_sasl_bind(lc->ld, li->proxyauthzdn.bv_val,
LDAP_SASL_SIMPLE, &li->proxyauthzpw, NULL, NULL, &msgid);
if ( op->o_conn != NULL
&& ( BER_BVISNULL( &lc->bound_dn ) || BER_BVISEMPTY( &lc->bound_dn ) ) ) {
struct berval binddn = slap_empty_bv;
struct berval bindcred = slap_empty_bv;
/* bind as proxyauthzdn only if no idassert mode is requested,
* or if the client's identity is authorized */
switch ( li->idassert_mode ) {
case LDAP_BACK_IDASSERT_NONE:
if ( !BER_BVISNULL( &op->o_conn->c_dn ) && !BER_BVISEMPTY( &op->o_conn->c_dn )
&& !BER_BVISNULL( &li->proxyauthzdn ) && !BER_BVISEMPTY( &li->proxyauthzdn )
&& !gotit ) {
binddn = li->proxyauthzdn;
bindcred = li->proxyauthzpw;
}
break;
default:
if ( li->idassert_authz ) {
struct berval authcDN = BER_BVISNULL( &op->o_conn->c_dn ) ? slap_empty_bv : op->o_conn->c_dn;
rc = slap_sasl_matches( op, li->idassert_authz,
&authcDN, &authcDN );
if ( rc != LDAP_SUCCESS ) {
break;
}
}
binddn = li->proxyauthzdn;
bindcred = li->proxyauthzpw;
break;
}
rs->sr_err = ldap_sasl_bind(lc->ld, binddn.bv_val,
LDAP_SASL_SIMPLE, &bindcred, NULL, NULL, &msgid);
} else
#endif /* LDAP_BACK_PROXY_AUTHZ */
......@@ -610,34 +635,21 @@ ldap_back_proxy_authz_ctrl(
{
struct ldapinfo *li = (struct ldapinfo *) op->o_bd->be_private;
LDAPControl **ctrls = NULL;
int i = 0;
struct berval assertedDN;
*pctrls = NULL;
if ( ( lc->bound_dn.bv_val == NULL || lc->bound_dn.bv_len == 0 )
&& ( op->o_conn && op->o_conn->c_dn.bv_val != NULL && op->o_conn->c_dn.bv_len != 0 )
&& ( li->proxyauthzdn.bv_val != NULL && li->proxyauthzdn.bv_len != 0 ) ) {
int i = 0;
if ( !op->o_proxy_authz ) {
ctrls = ch_malloc( sizeof( LDAPControl * ) * (i + 2) );
ctrls[ 0 ] = ch_malloc( sizeof( LDAPControl ) );
ctrls[ 0 ]->ldctl_oid = LDAP_CONTROL_PROXY_AUTHZ;
ctrls[ 0 ]->ldctl_iscritical = 1;
ctrls[ 0 ]->ldctl_value.bv_len = op->o_conn->c_dn.bv_len + 3;
ctrls[ 0 ]->ldctl_value.bv_val = ch_malloc( ctrls[ 0 ]->ldctl_value.bv_len + 1 );
AC_MEMCPY( ctrls[ 0 ]->ldctl_value.bv_val, "dn:", sizeof( "dn:" ) - 1 );
AC_MEMCPY( ctrls[ 0 ]->ldctl_value.bv_val + sizeof( "dn:") - 1,
op->o_conn->c_dn.bv_val, op->o_conn->c_dn.bv_len + 1 );
if ( op->o_ctrls ) {
for ( i = 0; op->o_ctrls[ i ]; i++ ) {
ctrls[ i + 1 ] = op->o_ctrls[ i ];
}
}
ctrls[ i + 1 ] = NULL;
if ( BER_BVISNULL( &li->proxyauthzdn ) ) {
goto done;
}
} else {
if ( !op->o_conn ) {
goto done;
}
if ( li->idassert_mode == LDAP_BACK_IDASSERT_NONE ) {
if ( op->o_proxy_authz ) {
/*
* FIXME: we do not want to perform proxyAuthz
* on behalf of the client, because this would
......@@ -652,9 +664,85 @@ ldap_back_proxy_authz_ctrl(
rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
rs->sr_text = "proxyAuthz not allowed within namingContext";
#endif
goto done;
}
if ( !BER_BVISNULL( &lc->bound_dn ) && !BER_BVISEMPTY( &lc->bound_dn ) ) {
goto done;
}
if ( BER_BVISNULL( &op->o_conn->c_dn ) || BER_BVISEMPTY( &op->o_conn->c_dn ) ) {
goto done;
}
if ( BER_BVISEMPTY( &li->proxyauthzdn ) ) {
goto done;
}
} else if ( li->idassert_authz ) {
int rc;
struct berval authcDN = BER_BVISNULL( &op->o_conn->c_dn ) ? slap_empty_bv : op->o_conn->c_dn;
rc = slap_sasl_matches( op, li->idassert_authz,
&authcDN, & authcDN );
if ( rc != LDAP_SUCCESS ) {
/* op->o_conn->c_dn is not authorized
* to use idassert */
return rc;
}
}
switch ( li->idassert_mode ) {
case LDAP_BACK_IDASSERT_NONE:
case LDAP_BACK_IDASSERT_SELF:
/* original behavior:
* assert the client's identity */
assertedDN = op->o_conn->c_dn;
break;
case LDAP_BACK_IDASSERT_ANONYMOUS:
/* assert "anonymous" */
assertedDN = slap_empty_bv;
break;
case LDAP_BACK_IDASSERT_PROXYID:
/* don't assert; bind as proxyauthzdn */
goto done;
case LDAP_BACK_IDASSERT_OTHER:
/* assert idassert DN */
assertedDN = li->idassert_dn;
break;
default:
assert( 0 );
}
if ( BER_BVISNULL( &assertedDN ) ) {
assertedDN = slap_empty_bv;
}
ctrls = ch_malloc( sizeof( LDAPControl * ) * (i + 2) );
ctrls[ 0 ] = ch_malloc( sizeof( LDAPControl ) );
ctrls[ 0 ]->ldctl_oid = LDAP_CONTROL_PROXY_AUTHZ;
ctrls[ 0 ]->ldctl_iscritical = 1;
ctrls[ 0 ]->ldctl_value.bv_len = assertedDN.bv_len + STRLENOF( "dn:" );
ctrls[ 0 ]->ldctl_value.bv_val = ch_malloc( ctrls[ 0 ]->ldctl_value.bv_len + 1 );
AC_MEMCPY( ctrls[ 0 ]->ldctl_value.bv_val, "dn:", STRLENOF( "dn:" ) );
AC_MEMCPY( ctrls[ 0 ]->ldctl_value.bv_val + STRLENOF( "dn:" ),
assertedDN.bv_val, assertedDN.bv_len );
ctrls[ 0 ]->ldctl_value.bv_val[ ctrls[ 0 ]->ldctl_value.bv_len ] = '\0';
if ( op->o_ctrls ) {
for ( i = 0; op->o_ctrls[ i ]; i++ ) {
ctrls[ i + 1 ] = op->o_ctrls[ i ];
}
}
ctrls[ i + 1 ] = NULL;
done:;
if ( ctrls == NULL ) {
ctrls = op->o_ctrls;
}
......
......@@ -43,8 +43,8 @@ ldap_back_compare(
ber_int_t msgid;
int freeval = 0;
dncookie dc;
#ifdef LDAP_BACK_PROXY_AUTHZ
LDAPControl **ctrls = NULL;
#ifdef LDAP_BACK_PROXY_AUTHZ
int rc = LDAP_SUCCESS;
#endif /* LDAP_BACK_PROXY_AUTHZ */
......@@ -100,6 +100,7 @@ ldap_back_compare(
}
}
ctrls = op->o_ctrls;
#ifdef LDAP_BACK_PROXY_AUTHZ
rc = ldap_back_proxy_authz_ctrl( lc, op, rs, &ctrls );
if ( rc != LDAP_SUCCESS ) {
......@@ -109,12 +110,7 @@ ldap_back_compare(
rs->sr_err = ldap_compare_ext( lc->ld, mdn.bv_val,
mapped_at.bv_val, &mapped_val,
#ifdef LDAP_BACK_PROXY_AUTHZ
ctrls,
#else /* ! LDAP_BACK_PROXY_AUTHZ */
op->o_ctrls,
#endif /* ! LDAP_BACK_PROXY_AUTHZ */
NULL, &msgid );
ctrls, NULL, &msgid );
#ifdef LDAP_BACK_PROXY_AUTHZ
cleanup:
......
......@@ -34,6 +34,10 @@
static SLAP_EXTOP_MAIN_FN ldap_back_exop_whoami;
static int
parse_idassert( BackendDB *be, const char *fname, int lineno,
int argc, char **argv );
int
ldap_back_db_config(
BackendDB *be,
......@@ -168,6 +172,10 @@ ldap_back_db_config(
return( 1 );
}
ber_str2bv( argv[1], 0, 1, &li->proxyauthzpw );
/* identity assertion stuff... */
} else if ( strncasecmp( argv[0], "idassert-", STRLENOF( "idassert-" ) ) == 0 ) {
return parse_idassert( be, fname, lineno, argc, argv );
#endif /* LDAP_BACK_PROXY_AUTHZ */
/* save bind creds for referral rebinds? */
......@@ -652,3 +660,80 @@ suffix_massage_config(
return 0;
}
#endif /* ENABLE_REWRITE */
#ifdef LDAP_BACK_PROXY_AUTHZ
static int
parse_idassert(
BackendDB *be,
const char *fname,
int lineno,
int argc,
char **argv
)
{
struct ldapinfo *li = (struct ldapinfo *) be->be_private;
if ( strcasecmp( argv[0], "idassert-mode" ) == 0 ) {
if ( argc != 2 ) {
#ifdef NEW_LOGGING
LDAP_LOG( CONFIG, CRIT,
"%s: line %d: illegal args number %d in \"idassert-mode <args>\" line.\n",
fname, lineno, argc );
#else
Debug( LDAP_DEBUG_ANY,
"%s: line %d: illegal args number %d in \"idassert-mode <args>\" line.\n",
fname, lineno, argc );
#endif
return 1;
}
if ( strcasecmp( argv[1], "self" ) == 0 ) {
/* will proxyAuthz as (rewritten) client's identity */
li->idassert_mode = LDAP_BACK_IDASSERT_SELF;
} else if ( strcasecmp( argv[1], "anonymous" ) == 0 ) {
/* will proxyAuthz as anonymous */
li->idassert_mode = LDAP_BACK_IDASSERT_ANONYMOUS;
} else if ( strcasecmp( argv[1], "proxyid" ) == 0 ) {
/* will not proxyAuthz */
li->idassert_mode = LDAP_BACK_IDASSERT_PROXYID;
} else {
struct berval dn;
int rc;
/* will proxyAuthz as argv[1] */
li->idassert_mode = LDAP_BACK_IDASSERT_OTHER;
ber_str2bv( argv[1], 0, 0, &dn );
rc = dnNormalize( 0, NULL, NULL, &dn, &li->idassert_dn, NULL );
if ( rc != LDAP_SUCCESS ) {
#ifdef NEW_LOGGING
LDAP_LOG( CONFIG, CRIT,
"%s: line %d: idassert DN \"%s\" is invalid.\n",
fname, lineno, argv[1] );
#else
Debug( LDAP_DEBUG_ANY,
"%s: line %d: idassert DN \"%s\" is invalid\n",
fname, lineno, argv[1] );
#endif
return 1;
}
}
} else if ( strcasecmp( argv[0], "idassert-authz" ) == 0 ) {
struct berval rule;
ber_str2bv( argv[1], 0, 1, &rule );
ber_bvarray_add( &li->idassert_authz, &rule );
} else {
return SLAP_CONF_UNKNOWN;
}
return 0;
}
#endif /* LDAP_BACK_PROXY_AUTHZ */
......@@ -40,8 +40,8 @@ ldap_back_delete(
struct ldapconn *lc;
ber_int_t msgid;
dncookie dc;
#ifdef LDAP_BACK_PROXY_AUTHZ
LDAPControl **ctrls = NULL;
#ifdef LDAP_BACK_PROXY_AUTHZ
int rc = LDAP_SUCCESS;
#endif /* LDAP_BACK_PROXY_AUTHZ */
......@@ -71,6 +71,7 @@ ldap_back_delete(
}
#ifdef LDAP_BACK_PROXY_AUTHZ
ctrls = op->o_ctrls;
rc = ldap_back_proxy_authz_ctrl( lc, op, rs, &ctrls );
if ( rc != LDAP_SUCCESS ) {
goto cleanup;
......@@ -78,12 +79,7 @@ ldap_back_delete(
#endif /* LDAP_BACK_PROXY_AUTHZ */
rs->sr_err = ldap_delete_ext( lc->ld, mdn.bv_val,
#ifdef LDAP_BACK_PROXY_AUTHZ
ctrls,
#else /* ! LDAP_BACK_PROXY_AUTHZ */
op->o_ctrls,
#endif /* ! LDAP_BACK_PROXY_AUTHZ */
NULL, &msgid );
ctrls, NULL, &msgid );
#ifdef LDAP_BACK_PROXY_AUTHZ
cleanup:
......
......@@ -98,16 +98,15 @@ ldap_back_db_init(
return -1;
}
li->binddn.bv_val = NULL;
li->binddn.bv_len = 0;
li->bindpw.bv_val = NULL;
li->bindpw.bv_len = 0;
BER_BVZERO( &li->binddn );
BER_BVZERO( &li->bindpw );
#ifdef LDAP_BACK_PROXY_AUTHZ
li->proxyauthzdn.bv_val = NULL;
li->proxyauthzdn.bv_len = 0;
li->proxyauthzpw.bv_val = NULL;
li->proxyauthzpw.bv_len = 0;
BER_BVZERO( &li->proxyauthzdn );
BER_BVZERO( &li->proxyauthzpw );
li->idassert_mode = LDAP_BACK_IDASSERT_NONE;
BER_BVZERO( &li->idassert_dn );
#endif /* LDAP_BACK_PROXY_AUTHZ */
#ifdef ENABLE_REWRITE
......@@ -201,22 +200,26 @@ ldap_back_db_destroy(
ldap_free_urldesc( li->lud );
li->lud = NULL;
}
if (li->binddn.bv_val) {
ch_free(li->binddn.bv_val);
li->binddn.bv_val = NULL;
if ( !BER_BVISNULL( &li->binddn ) ) {
ch_free( li->binddn.bv_val );
BER_BVZERO( &li->binddn );
}
if (li->bindpw.bv_val) {
ch_free(li->bindpw.bv_val);
li->bindpw.bv_val = NULL;
if ( !BER_BVISNULL( &li->bindpw ) ) {
ch_free( li->bindpw.bv_val );
BER_BVZERO( &li->bindpw );
}
#ifdef LDAP_BACK_PROXY_AUTHZ
if (li->proxyauthzdn.bv_val) {
ch_free(li->proxyauthzdn.bv_val);
li->proxyauthzdn.bv_val = NULL;
if ( !BER_BVISNULL( &li->proxyauthzdn ) ) {
ch_free( li->proxyauthzdn.bv_val );
BER_BVZERO( &li->proxyauthzdn );
}
if ( !BER_BVISNULL( &li->proxyauthzpw ) ) {
ch_free( li->proxyauthzpw.bv_val );
BER_BVZERO( &li->proxyauthzpw );
}
if (li->proxyauthzpw.bv_val) {
ch_free(li->proxyauthzpw.bv_val);
li->proxyauthzpw.bv_val = NULL;
if ( !BER_BVISNULL( &li->idassert_dn ) ) {
ch_free( li->idassert_dn.bv_val );
BER_BVZERO( &li->idassert_dn );
}
#endif /* LDAP_BACK_PROXY_AUTHZ */
if (li->conntree) {
......
......@@ -47,9 +47,7 @@ ldap_back_modify(
ber_int_t msgid;
dncookie dc;
int isupdate;
#ifdef LDAP_BACK_PROXY_AUTHZ
LDAPControl **ctrls = NULL;
#endif /* LDAP_BACK_PROXY_AUTHZ */
lc = ldap_back_getconn(op, rs);
if ( !lc || !ldap_back_dobind( lc, op, rs ) ) {
......@@ -159,6 +157,7 @@ ldap_back_modify(
}
modv[i] = 0;
ctrls = op->o_ctrls;
#ifdef LDAP_BACK_PROXY_AUTHZ
rc = ldap_back_proxy_authz_ctrl( lc, op, rs, &ctrls );
if ( rc != LDAP_SUCCESS ) {
......@@ -167,12 +166,7 @@ ldap_back_modify(
#endif /* LDAP_BACK_PROXY_AUTHZ */
rs->sr_err = ldap_modify_ext( lc->ld, mdn.bv_val, modv,
#ifdef LDAP_BACK_PROXY_AUTHZ
ctrls,
#else /* ! LDAP_BACK_PROXY_AUTHZ */
op->o_ctrls,
#endif /* ! LDAP_BACK_PROXY_AUTHZ */
NULL, &msgid );
ctrls, NULL, &msgid );
cleanup:;
#ifdef LDAP_BACK_PROXY_AUTHZ
......
......@@ -40,8 +40,8 @@ ldap_back_modrdn(
struct ldapconn *lc;
ber_int_t msgid;
dncookie dc;
#ifdef LDAP_BACK_PROXY_AUTHZ
LDAPControl **ctrls = NULL;
#ifdef LDAP_BACK_PROXY_AUTHZ
int rc = LDAP_SUCCESS;
#endif /* LDAP_BACK_PROXY_AUTHZ */
......@@ -88,6 +88,7 @@ ldap_back_modrdn(
return -1;
}
ctrls = op->o_ctrls;
#ifdef LDAP_BACK_PROXY_AUTHZ
rc = ldap_back_proxy_authz_ctrl( lc, op, rs, &ctrls );
if ( rc != LDAP_SUCCESS ) {
......@@ -98,11 +99,7 @@ ldap_back_modrdn(
rs->sr_err = ldap_rename( lc->ld, mdn.bv_val,
op->orr_newrdn.bv_val, mnewSuperior.bv_val,
op->orr_deleteoldrdn,
#ifdef LDAP_BACK_PROXY_AUTHZ
ctrls,
#else /* ! LDAP_BACK_PROXY_AUTHZ */
op->o_ctrls,
#endif /* ! LDAP_BACK_PROXY_AUTHZ */
NULL, &msgid );
#ifdef LDAP_BACK_PROXY_AUTHZ
......
......@@ -60,9 +60,7 @@ ldap_back_search(
struct berval mfilter = BER_BVNULL;
int dontfreetext = 0;
dncookie dc;
#ifdef LDAP_BACK_PROXY_AUTHZ
LDAPControl **ctrls = NULL;
#endif /* LDAP_BACK_PROXY_AUTHZ */
lc = ldap_back_getconn(op, rs);
if ( !lc ) {
......@@ -133,6 +131,7 @@ ldap_back_search(
goto finish;
}
ctrls = op->o_ctrls;
#ifdef LDAP_BACK_PROXY_AUTHZ
rc = ldap_back_proxy_authz_ctrl( lc, op, rs, &ctrls );
if ( rc != LDAP_SUCCESS ) {
......@@ -144,12 +143,7 @@ ldap_back_search(
rs->sr_err = ldap_search_ext(lc->ld, mbase.bv_val,