add idassert code (undocumented yet)

servers/slapd/back-ldap/add.c

@@ -46,8 +46,8 @@ ldap_back_add(
 	ber_int_t msgid;
 	dncookie dc;
 	int isupdate;
-#ifdef LDAP_BACK_PROXY_AUTHZ 
 	LDAPControl **ctrls = NULL;
+#ifdef LDAP_BACK_PROXY_AUTHZ 
 	int rc = LDAP_SUCCESS;
 #endif /* LDAP_BACK_PROXY_AUTHZ */
 
@@ -128,6 +128,7 @@ ldap_back_add(
 	}
 	attrs[i] = NULL;
 
+	ctrls = op->o_ctrls;
 #ifdef LDAP_BACK_PROXY_AUTHZ
 	rc = ldap_back_proxy_authz_ctrl( lc, op, rs, &ctrls );
 	if ( rc != LDAP_SUCCESS ) {
@@ -136,12 +137,7 @@ ldap_back_add(
 #endif /* LDAP_BACK_PROXY_AUTHZ */
 
 	rs->sr_err = ldap_add_ext(lc->ld, mdn.bv_val, attrs,
-#ifdef LDAP_BACK_PROXY_AUTHZ
-			ctrls,
-#else /* ! LDAP_BACK_PROXY_AUTHZ */
-			op->o_ctrls,
-#endif /* ! LDAP_BACK_PROXY_AUTHZ */
-			NULL, &msgid);
+			ctrls, NULL, &msgid);
 
 #ifdef LDAP_BACK_PROXY_AUTHZ
 cleanup:

servers/slapd/back-ldap/back-ldap.h

@@ -31,6 +31,10 @@
 #include "rewrite.h"
 #endif /* ENABLE_REWRITE */
 
+#ifdef LDAP_DEVEL
+#define LDAP_BACK_PROXY_AUTHZ
+#endif
+
 LDAP_BEGIN_DECL
 
 struct slap_conn;
@@ -87,7 +91,19 @@ struct ldapinfo {
 #ifdef LDAP_BACK_PROXY_AUTHZ
 	struct berval proxyauthzdn;
 	struct berval proxyauthzpw;
+
+	/* ID assert stuff */
+	int		idassert_mode;
+#define	LDAP_BACK_IDASSERT_NONE		0
+#define	LDAP_BACK_IDASSERT_PROXYID	1
+#define	LDAP_BACK_IDASSERT_ANONYMOUS	2
+#define	LDAP_BACK_IDASSERT_SELF		3
+#define	LDAP_BACK_IDASSERT_OTHER	4
+	struct berval	idassert_dn;
+	BerVarray	idassert_authz;
+	/* end of ID assert stuff */
 #endif /* LDAP_BACK_PROXY_AUTHZ */
+
 	ldap_pvt_thread_mutex_t		conn_mutex;
 	int savecred;
 	Avlnode *conntree;

servers/slapd/back-ldap/bind.c

@@ -72,10 +72,9 @@ ldap_back_bind(
 		return -1;
 	}
 
-	if ( lc->bound_dn.bv_val ) {
+	if ( !BER_BVISNULL( &lc->bound_dn ) ) {
 		ch_free( lc->bound_dn.bv_val );
-		lc->bound_dn.bv_len = 0;
-		lc->bound_dn.bv_val = NULL;
+		BER_BVZERO( &lc->bound_dn );
 	}
 	lc->bound = 0;
 	/* method is always LDAP_AUTH_SIMPLE if we got here */
@@ -89,10 +88,10 @@ ldap_back_bind(
 		} else {
 			ber_dupbv( &lc->bound_dn, &op->o_req_dn );
 		}
-		mdn.bv_val = NULL;
+		BER_BVZERO( &mdn );
 
 		if ( li->savecred ) {
-			if ( lc->cred.bv_val ) {
+			if ( !BER_BVISNULL( &lc->cred ) ) {
 				memset( lc->cred.bv_val, 0, lc->cred.bv_len );
 				ch_free( lc->cred.bv_val );
 			}
@@ -108,7 +107,7 @@ ldap_back_bind(
 		ldap_pvt_thread_mutex_lock( &li->conn_mutex );
 		lc = avl_delete( &li->conntree, (caddr_t)lc,
 				ldap_back_conn_cmp );
-		if ( lc->local_dn.bv_val )
+		if ( !BER_BVISNULL( &lc->local_dn ) )
 			ch_free( lc->local_dn.bv_val );
 		ber_dupbv( &lc->local_dn, &op->o_req_ndn );
 		lerr = avl_insert( &li->conntree, (caddr_t)lc,
@@ -119,7 +118,7 @@ ldap_back_bind(
 		}
 	}
 
-	if ( mdn.bv_val && mdn.bv_val != op->o_req_dn.bv_val ) {
+	if ( !BER_BVISNULL( &mdn ) && mdn.bv_val != op->o_req_dn.bv_val ) {
 		free( mdn.bv_val );
 	}
 
@@ -286,11 +285,9 @@ ldap_back_getconn(Operation *op, SlapReply *rs)
 			ber_dupbv( &lc->cred, &li->bindpw );
 			ber_dupbv( &lc->bound_dn, &li->binddn );
 		} else {
-			lc->cred.bv_len = 0;
-			lc->cred.bv_val = NULL;
-			lc->bound_dn.bv_val = NULL;
-			lc->bound_dn.bv_len = 0;
-			if ( op->o_conn && op->o_conn->c_dn.bv_len != 0
+			BER_BVZERO( &lc->cred );
+			BER_BVZERO( &lc->bound_dn );
+			if ( op->o_conn && !BER_BVISEMPTY( &op->o_conn->c_dn )
 					&& ( op->o_bd == op->o_conn->c_authz_backend ) ) {
 				
 				dncookie dc;
@@ -407,12 +404,40 @@ ldap_back_dobind( struct ldapconn *lc, Operation *op, SlapReply *rs )
 		 * control to every operation with the dn bound 
 		 * to the connection as control value.
 		 */
-		if ( ( lc->bound_dn.bv_val == NULL || lc->bound_dn.bv_len == 0 )
-	      			&& ( op->o_conn && op->o_conn->c_dn.bv_val != NULL && op->o_conn->c_dn.bv_len != 0 )
-	      			&& ( li->proxyauthzdn.bv_val != NULL && li->proxyauthzdn.bv_len != 0 ) 
-	      			&& ! gotit ) {
-			rs->sr_err = ldap_sasl_bind(lc->ld, li->proxyauthzdn.bv_val,
-				LDAP_SASL_SIMPLE, &li->proxyauthzpw, NULL, NULL, &msgid);
+		if ( op->o_conn != NULL
+				&& ( BER_BVISNULL( &lc->bound_dn ) || BER_BVISEMPTY( &lc->bound_dn ) ) ) {
+			struct berval	binddn = slap_empty_bv;
+			struct berval	bindcred = slap_empty_bv;
+
+			/* bind as proxyauthzdn only if no idassert mode is requested,
+			 * or if the client's identity is authorized */
+			switch ( li->idassert_mode ) {
+			case LDAP_BACK_IDASSERT_NONE:
+	      			if ( !BER_BVISNULL( &op->o_conn->c_dn ) && !BER_BVISEMPTY( &op->o_conn->c_dn )
+	      					&& !BER_BVISNULL( &li->proxyauthzdn ) && !BER_BVISEMPTY( &li->proxyauthzdn )
+	      					&& !gotit ) {
+					binddn = li->proxyauthzdn;
+					bindcred = li->proxyauthzpw;
+				}
+				break;
+
+			default:
+				if ( li->idassert_authz ) {
+					struct berval	authcDN = BER_BVISNULL( &op->o_conn->c_dn ) ? slap_empty_bv : op->o_conn->c_dn;
+
+					rc = slap_sasl_matches( op, li->idassert_authz,
+							&authcDN, &authcDN );
+					if ( rc != LDAP_SUCCESS ) {
+						break;
+					}
+				}
+				binddn = li->proxyauthzdn;
+				bindcred = li->proxyauthzpw;
+				break;
+			}
+
+			rs->sr_err = ldap_sasl_bind(lc->ld, binddn.bv_val,
+				LDAP_SASL_SIMPLE, &bindcred, NULL, NULL, &msgid);
 
 		} else
 #endif /* LDAP_BACK_PROXY_AUTHZ */
@@ -610,34 +635,21 @@ ldap_back_proxy_authz_ctrl(
 {
 	struct ldapinfo	*li = (struct ldapinfo *) op->o_bd->be_private;
 	LDAPControl	**ctrls = NULL;
+	int		i = 0;
+	struct berval	assertedDN;
 
 	*pctrls = NULL;
 
-	if ( ( lc->bound_dn.bv_val == NULL || lc->bound_dn.bv_len == 0 )
-	      		&& ( op->o_conn && op->o_conn->c_dn.bv_val != NULL && op->o_conn->c_dn.bv_len != 0 )
-	      		&& ( li->proxyauthzdn.bv_val != NULL && li->proxyauthzdn.bv_len != 0 ) ) {
-		int	i = 0;
+	if ( BER_BVISNULL( &li->proxyauthzdn ) ) {
+		goto done;
+	}
 
-		if ( !op->o_proxy_authz ) {
-			ctrls = ch_malloc( sizeof( LDAPControl * ) * (i + 2) );
-			ctrls[ 0 ] = ch_malloc( sizeof( LDAPControl ) );
-			
-			ctrls[ 0 ]->ldctl_oid = LDAP_CONTROL_PROXY_AUTHZ;
-			ctrls[ 0 ]->ldctl_iscritical = 1;
-			ctrls[ 0 ]->ldctl_value.bv_len = op->o_conn->c_dn.bv_len + 3;
-			ctrls[ 0 ]->ldctl_value.bv_val = ch_malloc( ctrls[ 0 ]->ldctl_value.bv_len + 1 );
-			AC_MEMCPY( ctrls[ 0 ]->ldctl_value.bv_val, "dn:", sizeof( "dn:" ) - 1 );
-			AC_MEMCPY( ctrls[ 0 ]->ldctl_value.bv_val + sizeof( "dn:") - 1,
-					op->o_conn->c_dn.bv_val, op->o_conn->c_dn.bv_len + 1 );
+	if ( !op->o_conn ) {
+		goto done;
+	}
 
-			if ( op->o_ctrls ) {
-				for ( i = 0; op->o_ctrls[ i ]; i++ ) {
-					ctrls[ i + 1 ] = op->o_ctrls[ i ];
-				}
-			}
-			ctrls[ i + 1 ] = NULL;
-
-		} else {
+	if ( li->idassert_mode == LDAP_BACK_IDASSERT_NONE ) {
+		if ( op->o_proxy_authz ) {
 			/*
 			 * FIXME: we do not want to perform proxyAuthz
 			 * on behalf of the client, because this would
@@ -652,9 +664,85 @@ ldap_back_proxy_authz_ctrl(
 			rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
 			rs->sr_text = "proxyAuthz not allowed within namingContext";
 #endif
+			goto done;
+		}
+
+		if ( !BER_BVISNULL( &lc->bound_dn ) && !BER_BVISEMPTY( &lc->bound_dn ) ) {
+			goto done;
+		}
+
+		if ( BER_BVISNULL( &op->o_conn->c_dn ) || BER_BVISEMPTY( &op->o_conn->c_dn ) ) {
+			goto done;
+		}
+
+		if ( BER_BVISEMPTY( &li->proxyauthzdn ) ) {
+			goto done;
+		}
+
+	} else if ( li->idassert_authz ) {
+		int		rc;
+		struct berval	authcDN = BER_BVISNULL( &op->o_conn->c_dn ) ? slap_empty_bv : op->o_conn->c_dn;
+
+
+		rc = slap_sasl_matches( op, li->idassert_authz,
+				&authcDN, & authcDN );
+		if ( rc != LDAP_SUCCESS ) {
+			/* op->o_conn->c_dn is not authorized
+			 * to use idassert */
+			return rc;
 		}
 	}
 
+	switch ( li->idassert_mode ) {
+	case LDAP_BACK_IDASSERT_NONE:
+	case LDAP_BACK_IDASSERT_SELF:
+		/* original behavior:
+		 * assert the client's identity */
+		assertedDN = op->o_conn->c_dn;
+		break;
+
+	case LDAP_BACK_IDASSERT_ANONYMOUS:
+		/* assert "anonymous" */
+		assertedDN = slap_empty_bv;
+		break;
+
+	case LDAP_BACK_IDASSERT_PROXYID:
+		/* don't assert; bind as proxyauthzdn */
+		goto done;
+
+	case LDAP_BACK_IDASSERT_OTHER:
+		/* assert idassert DN */
+		assertedDN = li->idassert_dn;
+		break;
+
+	default:
+		assert( 0 );
+	}
+
+	if ( BER_BVISNULL( &assertedDN ) ) {
+		assertedDN = slap_empty_bv;
+	}
+
+	ctrls = ch_malloc( sizeof( LDAPControl * ) * (i + 2) );
+	ctrls[ 0 ] = ch_malloc( sizeof( LDAPControl ) );
+	
+	ctrls[ 0 ]->ldctl_oid = LDAP_CONTROL_PROXY_AUTHZ;
+	ctrls[ 0 ]->ldctl_iscritical = 1;
+	ctrls[ 0 ]->ldctl_value.bv_len = assertedDN.bv_len + STRLENOF( "dn:" );
+	ctrls[ 0 ]->ldctl_value.bv_val = ch_malloc( ctrls[ 0 ]->ldctl_value.bv_len + 1 );
+	AC_MEMCPY( ctrls[ 0 ]->ldctl_value.bv_val, "dn:", STRLENOF( "dn:" ) );
+	AC_MEMCPY( ctrls[ 0 ]->ldctl_value.bv_val + STRLENOF( "dn:" ),
+			assertedDN.bv_val, assertedDN.bv_len );
+	ctrls[ 0 ]->ldctl_value.bv_val[ ctrls[ 0 ]->ldctl_value.bv_len ] = '\0';
+
+	if ( op->o_ctrls ) {
+		for ( i = 0; op->o_ctrls[ i ]; i++ ) {
+			ctrls[ i + 1 ] = op->o_ctrls[ i ];
+		}
+	}
+	ctrls[ i + 1 ] = NULL;
+
+done:;
 	if ( ctrls == NULL ) {
 		ctrls = op->o_ctrls;
 	}

servers/slapd/back-ldap/compare.c

@@ -43,8 +43,8 @@ ldap_back_compare(
 	ber_int_t msgid;
 	int freeval = 0;
 	dncookie dc;
-#ifdef LDAP_BACK_PROXY_AUTHZ 
 	LDAPControl **ctrls = NULL;
+#ifdef LDAP_BACK_PROXY_AUTHZ 
 	int rc = LDAP_SUCCESS;
 #endif /* LDAP_BACK_PROXY_AUTHZ */
 
@@ -100,6 +100,7 @@ ldap_back_compare(
 		}
 	}
 
+	ctrls = op->o_ctrls;
 #ifdef LDAP_BACK_PROXY_AUTHZ
 	rc = ldap_back_proxy_authz_ctrl( lc, op, rs, &ctrls );
 	if ( rc != LDAP_SUCCESS ) {
@@ -109,12 +110,7 @@ ldap_back_compare(
 
 	rs->sr_err = ldap_compare_ext( lc->ld, mdn.bv_val,
 			mapped_at.bv_val, &mapped_val, 
-#ifdef LDAP_BACK_PROXY_AUTHZ
-			ctrls,
-#else /* ! LDAP_BACK_PROXY_AUTHZ */
-			op->o_ctrls,
-#endif /* ! LDAP_BACK_PROXY_AUTHZ */
-			NULL, &msgid );
+			ctrls, NULL, &msgid );
 
 #ifdef LDAP_BACK_PROXY_AUTHZ
 cleanup:

servers/slapd/back-ldap/config.c

@@ -34,6 +34,10 @@
 
 static SLAP_EXTOP_MAIN_FN ldap_back_exop_whoami;
 
+static int
+parse_idassert( BackendDB *be, const char *fname, int lineno,
+		int argc, char **argv );
+
 int
 ldap_back_db_config(
     BackendDB	*be,
@@ -168,6 +172,10 @@ ldap_back_db_config(
 			return( 1 );
 		}
 		ber_str2bv( argv[1], 0, 1, &li->proxyauthzpw );
+
+	/* identity assertion stuff... */
+	} else if ( strncasecmp( argv[0], "idassert-", STRLENOF( "idassert-" ) ) == 0 ) {
+		return parse_idassert( be, fname, lineno, argc, argv );
 #endif /* LDAP_BACK_PROXY_AUTHZ */
 
 	/* save bind creds for referral rebinds? */
@@ -652,3 +660,80 @@ suffix_massage_config(
 	return 0;
 }
 #endif /* ENABLE_REWRITE */
+
+#ifdef LDAP_BACK_PROXY_AUTHZ
+static int
+parse_idassert(
+    BackendDB	*be,
+    const char	*fname,
+    int		lineno,
+    int		argc,
+    char	**argv
+)
+{
+	struct ldapinfo	*li = (struct ldapinfo *) be->be_private;
+
+	if ( strcasecmp( argv[0], "idassert-mode" ) == 0 ) {
+		if ( argc != 2 ) {
+#ifdef NEW_LOGGING
+			LDAP_LOG( CONFIG, CRIT, 
+				"%s: line %d: illegal args number %d in \"idassert-mode <args>\" line.\n",
+				fname, lineno, argc );
+#else
+			Debug( LDAP_DEBUG_ANY,
+				"%s: line %d: illegal args number %d in \"idassert-mode <args>\" line.\n",
+				fname, lineno, argc );
+#endif
+			return 1;
+		}
+
+		if ( strcasecmp( argv[1], "self" ) == 0 ) {
+			/* will proxyAuthz as (rewritten) client's identity */
+			li->idassert_mode = LDAP_BACK_IDASSERT_SELF;
+
+		} else if ( strcasecmp( argv[1], "anonymous" ) == 0 ) {
+			/* will proxyAuthz as anonymous */
+			li->idassert_mode = LDAP_BACK_IDASSERT_ANONYMOUS;
+
+		} else if ( strcasecmp( argv[1], "proxyid" ) == 0 ) {
+			/* will not proxyAuthz */
+			li->idassert_mode = LDAP_BACK_IDASSERT_PROXYID;
+
+		} else {
+			struct berval	dn;
+			int		rc;
+
+			/* will proxyAuthz as argv[1] */
+			li->idassert_mode = LDAP_BACK_IDASSERT_OTHER;
+			
+			ber_str2bv( argv[1], 0, 0, &dn );
+
+			rc = dnNormalize( 0, NULL, NULL, &dn, &li->idassert_dn, NULL );
+			if ( rc != LDAP_SUCCESS ) {
+#ifdef NEW_LOGGING
+				LDAP_LOG( CONFIG, CRIT, 
+					"%s: line %d: idassert DN \"%s\" is invalid.\n",
+					fname, lineno, argv[1] );
+#else
+				Debug( LDAP_DEBUG_ANY,
+					"%s: line %d: idassert DN \"%s\" is invalid\n",
+					fname, lineno, argv[1] );
+#endif
+				return 1;
+			}
+		}
+
+	} else if ( strcasecmp( argv[0], "idassert-authz" ) == 0 ) {
+		struct berval	rule;
+
+		ber_str2bv( argv[1], 0, 1, &rule );
+
+		ber_bvarray_add( &li->idassert_authz, &rule );
+
+	} else {
+		return SLAP_CONF_UNKNOWN;
+	}
+
+	return 0;
+}
+#endif /* LDAP_BACK_PROXY_AUTHZ */

servers/slapd/back-ldap/delete.c

@@ -40,8 +40,8 @@ ldap_back_delete(
 	struct ldapconn *lc;
 	ber_int_t msgid;
 	dncookie dc;
-#ifdef LDAP_BACK_PROXY_AUTHZ 
 	LDAPControl **ctrls = NULL;
+#ifdef LDAP_BACK_PROXY_AUTHZ 
 	int rc = LDAP_SUCCESS;
 #endif /* LDAP_BACK_PROXY_AUTHZ */
 
@@ -71,6 +71,7 @@ ldap_back_delete(
 	}
 
 #ifdef LDAP_BACK_PROXY_AUTHZ
+	ctrls = op->o_ctrls;
 	rc = ldap_back_proxy_authz_ctrl( lc, op, rs, &ctrls );
 	if ( rc != LDAP_SUCCESS ) {
 		goto cleanup;
@@ -78,12 +79,7 @@ ldap_back_delete(
 #endif /* LDAP_BACK_PROXY_AUTHZ */
 
 	rs->sr_err = ldap_delete_ext( lc->ld, mdn.bv_val,
-#ifdef LDAP_BACK_PROXY_AUTHZ
-			ctrls,
-#else /* ! LDAP_BACK_PROXY_AUTHZ */
-			op->o_ctrls,
-#endif /* ! LDAP_BACK_PROXY_AUTHZ */
-			NULL, &msgid );
+			ctrls, NULL, &msgid );
 
 #ifdef LDAP_BACK_PROXY_AUTHZ
 cleanup:

servers/slapd/back-ldap/init.c

@@ -98,16 +98,15 @@ ldap_back_db_init(
  		return -1;
  	}
 
-	li->binddn.bv_val = NULL;
-	li->binddn.bv_len = 0;
-	li->bindpw.bv_val = NULL;
-	li->bindpw.bv_len = 0;
+	BER_BVZERO( &li->binddn );
+	BER_BVZERO( &li->bindpw );
 
 #ifdef LDAP_BACK_PROXY_AUTHZ
-	li->proxyauthzdn.bv_val = NULL;
-	li->proxyauthzdn.bv_len = 0;
-	li->proxyauthzpw.bv_val = NULL;
-	li->proxyauthzpw.bv_len = 0;
+	BER_BVZERO( &li->proxyauthzdn );
+	BER_BVZERO( &li->proxyauthzpw );
+
+	li->idassert_mode = LDAP_BACK_IDASSERT_NONE;
+	BER_BVZERO( &li->idassert_dn );
 #endif /* LDAP_BACK_PROXY_AUTHZ */
 
 #ifdef ENABLE_REWRITE
@@ -201,22 +200,26 @@ ldap_back_db_destroy(
 			ldap_free_urldesc( li->lud );
 			li->lud = NULL;
 		}
-		if (li->binddn.bv_val) {
-			ch_free(li->binddn.bv_val);
-			li->binddn.bv_val = NULL;
+		if ( !BER_BVISNULL( &li->binddn ) ) {
+			ch_free( li->binddn.bv_val );
+			BER_BVZERO( &li->binddn );
 		}
-		if (li->bindpw.bv_val) {
-			ch_free(li->bindpw.bv_val);
-			li->bindpw.bv_val = NULL;
+		if ( !BER_BVISNULL( &li->bindpw ) ) {
+			ch_free( li->bindpw.bv_val );
+			BER_BVZERO( &li->bindpw );
 		}
 #ifdef LDAP_BACK_PROXY_AUTHZ
-		if (li->proxyauthzdn.bv_val) {
-			ch_free(li->proxyauthzdn.bv_val);
-			li->proxyauthzdn.bv_val = NULL;
+		if ( !BER_BVISNULL( &li->proxyauthzdn ) ) {
+			ch_free( li->proxyauthzdn.bv_val );
+			BER_BVZERO( &li->proxyauthzdn );
 		}
-		if (li->proxyauthzpw.bv_val) {
-			ch_free(li->proxyauthzpw.bv_val);
-			li->proxyauthzpw.bv_val = NULL;
+		if ( !BER_BVISNULL( &li->proxyauthzpw ) ) {
+			ch_free( li->proxyauthzpw.bv_val );
+			BER_BVZERO( &li->proxyauthzpw );
+		}
+		if ( !BER_BVISNULL( &li->idassert_dn ) ) {
+			ch_free( li->idassert_dn.bv_val );
+			BER_BVZERO( &li->idassert_dn );
 		}
 #endif /* LDAP_BACK_PROXY_AUTHZ */
                 if (li->conntree) {

servers/slapd/back-ldap/modify.c

@@ -47,9 +47,7 @@ ldap_back_modify(
 	ber_int_t msgid;
 	dncookie dc;
 	int isupdate;
-#ifdef LDAP_BACK_PROXY_AUTHZ 
 	LDAPControl **ctrls = NULL;
-#endif /* LDAP_BACK_PROXY_AUTHZ */
 
 	lc = ldap_back_getconn(op, rs);
 	if ( !lc || !ldap_back_dobind( lc, op, rs ) ) {
@@ -159,6 +157,7 @@ ldap_back_modify(
 	}
 	modv[i] = 0;
 
+	ctrls = op->o_ctrls;
 #ifdef LDAP_BACK_PROXY_AUTHZ
 	rc = ldap_back_proxy_authz_ctrl( lc, op, rs, &ctrls );
 	if ( rc != LDAP_SUCCESS ) {
@@ -167,12 +166,7 @@ ldap_back_modify(
 #endif /* LDAP_BACK_PROXY_AUTHZ */
 
 	rs->sr_err = ldap_modify_ext( lc->ld, mdn.bv_val, modv,
-#ifdef LDAP_BACK_PROXY_AUTHZ
-			ctrls,
-#else /* ! LDAP_BACK_PROXY_AUTHZ */
-			op->o_ctrls,
-#endif /* ! LDAP_BACK_PROXY_AUTHZ */
-			NULL, &msgid );
+			ctrls, NULL, &msgid );
 
 cleanup:;
 #ifdef LDAP_BACK_PROXY_AUTHZ

servers/slapd/back-ldap/modrdn.c

@@ -40,8 +40,8 @@ ldap_back_modrdn(
 	struct ldapconn *lc;
 	ber_int_t msgid;
 	dncookie dc;
-#ifdef LDAP_BACK_PROXY_AUTHZ 
 	LDAPControl **ctrls = NULL;
+#ifdef LDAP_BACK_PROXY_AUTHZ 
 	int rc = LDAP_SUCCESS;
 #endif /* LDAP_BACK_PROXY_AUTHZ */
 
@@ -88,6 +88,7 @@ ldap_back_modrdn(
 		return -1;
 	}
 
+	ctrls = op->o_ctrls;
 #ifdef LDAP_BACK_PROXY_AUTHZ
 	rc = ldap_back_proxy_authz_ctrl( lc, op, rs, &ctrls );
 	if ( rc != LDAP_SUCCESS ) {
@@ -98,11 +99,7 @@ ldap_back_modrdn(
 	rs->sr_err = ldap_rename( lc->ld, mdn.bv_val,
 			op->orr_newrdn.bv_val, mnewSuperior.bv_val,
 			op->orr_deleteoldrdn,
-#ifdef LDAP_BACK_PROXY_AUTHZ
 			ctrls,
-#else /* ! LDAP_BACK_PROXY_AUTHZ */
-			op->o_ctrls,
-#endif /* ! LDAP_BACK_PROXY_AUTHZ */
 			NULL, &msgid );
 
 #ifdef LDAP_BACK_PROXY_AUTHZ

servers/slapd/back-ldap/search.c

@@ -60,9 +60,7 @@ ldap_back_search(
 	struct berval mfilter = BER_BVNULL;
 	int dontfreetext = 0;
 	dncookie dc;
-#ifdef LDAP_BACK_PROXY_AUTHZ
 	LDAPControl **ctrls = NULL;
-#endif /* LDAP_BACK_PROXY_AUTHZ */
 
 	lc = ldap_back_getconn(op, rs);
 	if ( !lc ) {
@@ -133,6 +131,7 @@ ldap_back_search(
 		goto finish;
 	}
 
+	ctrls = op->o_ctrls;
 #ifdef LDAP_BACK_PROXY_AUTHZ
 	rc = ldap_back_proxy_authz_ctrl( lc, op, rs, &ctrls );
 	if ( rc != LDAP_SUCCESS ) {
@@ -144,12 +143,7 @@ ldap_back_search(
 	rs->sr_err = ldap_search_ext(lc->ld, mbase.bv_val,
 			op->ors_scope, mfilter.bv_val,
 			mapped_attrs, op->ors_attrsonly,
-#ifdef LDAP_BACK_PROXY_AUTHZ
-			ctrls,
-#else /* ! LDAP_BACK_PROXY_AUTHZ */
-			op->o_ctrls,
-#endif /* ! LDAP_BACK_PROXY_AUTHZ */
-			NULL,
+			ctrls, NULL,
 			tv.tv_sec ? &tv : NULL, op->ors_slimit,
 			&msgid );