Added rebind-as-user option; saves bind credentials and sets a rebind_proc

to allow chasing referrals using the same user's credentials.

servers/slapd/back-ldap/back-ldap.h

@@ -53,6 +53,7 @@ struct slap_op;
 struct ldapconn {
 	struct slap_conn	*conn;
 	LDAP		*ld;
+	struct berval	cred;
 	struct berval 	bound_dn;
 	int		bound;
 };
@@ -74,6 +75,7 @@ struct ldapinfo {
 	char *binddn;
 	char *bindpw;
 	ldap_pvt_thread_mutex_t		conn_mutex;
+	int savecred;
 	Avlnode *conntree;
 #ifdef ENABLE_REWRITE
 	struct rewrite_info *rwinfo;

servers/slapd/back-ldap/bind.c

@@ -49,6 +49,8 @@
 
 #define PRINT_CONNTREE 0
 
+static LDAP_REBIND_PROC	ldap_back_rebind;
+
 int
 ldap_back_bind(
     Backend		*be,
@@ -111,8 +113,19 @@ ldap_back_bind(
 		lc->bound = 1;
 	}
 
+	if ( li->savecred ) {
+		if ( lc->cred.bv_val )
+			ch_free( lc->cred.bv_val );
+		ber_dupbv( &lc->cred, cred );
+		ldap_set_rebind_proc( lc->ld, ldap_back_rebind, lc );
+	}
+
+	if ( lc->bound_dn.bv_val )
+		ch_free( lc->bound_dn.bv_val );
 	if ( mdn.bv_val != dn->bv_val ) {
-		free( mdn.bv_val );
+		lc->bound_dn = mdn;
+	} else {
+		ber_dupbv( &lc->bound_dn, dn );
 	}
 	
 	return( rc );
@@ -219,6 +232,9 @@ ldap_back_getconn(struct ldapinfo *li, Connection *conn, Operation *op)
 		lc->conn = conn;
 		lc->ld = ld;
 
+		lc->cred.bv_len = 0;
+		lc->cred.bv_val = NULL;
+
 #ifdef ENABLE_REWRITE
 		/*
 		 * Sets a cookie for the rewrite session
@@ -341,7 +357,7 @@ ldap_back_dobind(struct ldapconn *lc, Operation *op)
 		return( lc->bound );
 	}
 
-	if (ldap_bind_s(lc->ld, lc->bound_dn.bv_val, NULL, LDAP_AUTH_SIMPLE) !=
+	if (ldap_bind_s(lc->ld, lc->bound_dn.bv_val, lc->cred.bv_val, LDAP_AUTH_SIMPLE) !=
 		LDAP_SUCCESS) {
 		ldap_back_op_result(lc, op);
 		return( 0 );
@@ -349,6 +365,21 @@ ldap_back_dobind(struct ldapconn *lc, Operation *op)
 	return( lc->bound = 1 );
 }
 
+/*
+ * ldap_back_rebind
+ *
+ * This is a callback used for chasing referrals using the same
+ * credentials as the original user on this session.
+ */
+static int 
+ldap_back_rebind( LDAP *ld, LDAP_CONST char *url, ber_tag_t request,
+	ber_int_t msgid, void *params )
+{
+	struct ldapconn *lc = params;
+
+	return ldap_bind_s( ld, lc->bound_dn.bv_val, lc->cred.bv_val, LDAP_AUTH_SIMPLE );
+}
+
 /* Map API errors to protocol errors... */
 
 int

servers/slapd/back-ldap/config.c

@@ -111,6 +111,16 @@ ldap_back_db_config(
 		}
 		li->bindpw = ch_strdup(argv[1]);
 	
+	/* save bind creds for referral rebinds? */
+	} else if ( strcasecmp( argv[0], "rebind-as-user" ) == 0 ) {
+		if (argc != 1) {
+			fprintf( stderr,
+	"%s: line %d: rebind-as-user takes no arguments\n",
+			    fname, lineno );
+			return( 1 );
+		}
+		li->savecred = 1;
+	
 	/* dn massaging */
 	} else if ( strcasecmp( argv[0], "suffixmassage" ) == 0 ) {
 #ifndef ENABLE_REWRITE

servers/slapd/back-ldap/init.c

@@ -136,6 +136,9 @@ conn_free(
 	if ( lc->bound_dn.bv_val ) {
 		ch_free( lc->bound_dn.bv_val );
 	}
+	if ( lc->cred.bv_val ) {
+		ch_free( lc->cred.bv_val );
+	}
 	ch_free( lc );
 }
 

servers/slapd/back-ldap/unbind.c

@@ -97,6 +97,9 @@ ldap_back_conn_destroy(
 		if ( lc->bound_dn.bv_val ) {
 			ch_free( lc->bound_dn.bv_val );
 		}
+		if ( lc->cred.bv_val ) {
+			ch_free( lc->cred.bv_val );
+		}
 		ch_free( lc );
 	}