ITS#9897 fix dynlist to ignore entries with wrong objectclass

servers/slapd/overlays/dynlist.c

@@ -846,15 +846,24 @@ dynlist_compare( Operation *op, SlapReply *rs )
 			 */
 			BerVarray id = NULL, authz = NULL;
 
+			if ( e == NULL && ( overlay_entry_get_ov( &o, &o.o_req_ndn, NULL, NULL, 0, &e, on ) !=
+				LDAP_SUCCESS || e == NULL ))
+			{
+				return SLAP_CB_CONTINUE;
+			}
+			if ( !is_entry_objectclass_or_sub( e, dli->dli_oc )) {
+				continue;
+			}
+
 			o.o_do_not_cache = 1;
 
-			if ( ad_dgIdentity && backend_attribute( &o, NULL, &o.o_req_ndn,
+			if ( ad_dgIdentity && backend_attribute( &o, e, &o.o_req_ndn,
 				ad_dgIdentity, &id, ACL_READ ) == LDAP_SUCCESS )
 			{
 				/* if not rootdn and dgAuthz is present,
 				 * check if user can be authorized as dgIdentity */
 				if ( ad_dgAuthz && !BER_BVISEMPTY( id ) && !be_isroot( op )
-					&& backend_attribute( &o, NULL, &o.o_req_ndn,
+					&& backend_attribute( &o, e, &o.o_req_ndn,
 						ad_dgAuthz, &authz, ACL_READ ) == LDAP_SUCCESS )
 				{
 					
@@ -871,7 +880,7 @@ dynlist_compare( Operation *op, SlapReply *rs )
 				o.o_groups = NULL; /* authz changed, invalidate cached groups */
 			}
 
-			rs->sr_err = backend_group( &o, NULL, &o.o_req_ndn,
+			rs->sr_err = backend_group( &o, e, &o.o_req_ndn,
 				&o.oq_compare.rs_ava->aa_value, dli->dli_oc, dli->dli_ad );
 			switch ( rs->sr_err ) {
 			case LDAP_SUCCESS:
@@ -899,6 +908,7 @@ dynlist_compare( Operation *op, SlapReply *rs )
 
 done:;
 			if ( id ) ber_bvarray_free_x( id, o.o_tmpmemctx );
+			overlay_entry_release_ov( &o, e, 0, on );
 
 			send_ldap_result( op, rs );
 			return rs->sr_err;
@@ -910,8 +920,8 @@ done:;
 		return SLAP_CB_CONTINUE;
 	}
 
-	if ( overlay_entry_get_ov( &o, &o.o_req_ndn, NULL, NULL, 0, &e, on ) !=
-		LDAP_SUCCESS || e == NULL )
+	if ( e == NULL && ( overlay_entry_get_ov( &o, &o.o_req_ndn, NULL, NULL, 0, &e, on ) !=
+		LDAP_SUCCESS || e == NULL ))
 	{
 		return SLAP_CB_CONTINUE;
 	}