More proper criticality handling. Implementation is a kludge.

servers/slapd/backend.c

@@ -803,22 +803,20 @@ backend_check_controls(
 
 	if( ctrls ) {
 		for( ; *ctrls != NULL ; ctrls++ ) {
+			/* KLUDGE: ldctl_iscritical munged by controls.c:get_ctrls()
+			 * to ensure this check is enabled/disabled appropriately.
+			 */
 			if( (*ctrls)->ldctl_iscritical && !ldap_charray_inlist(
 				op->o_bd->be_controls, (*ctrls)->ldctl_oid ) )
 			{
 				/* Per RFC 2251 (and LDAPBIS discussions), if the control
 				 * is recognized and appropriate for the operation (which
 				 * we've already verified), then the server should make
-				 * use of the control when performing the operation
-				 * (regardless of the criticality of the control).
+				 * use of the control when performing the operation.
 				 * 
 				 * Here we find that operation extended by the control
 				 * is not unavailable in a particular context, hence the
 				 * return of unwillingToPerform.
-				 *
-				 * FIXME: As noted above, this check should be done
-				 * regardless of the criticality of the control.  The
-				 * frontend infrastructure doesn't (yet) support this.
 				 */
 				rs->sr_text = "control unavailable in context";
 				rs->sr_err = LDAP_UNWILLING_TO_PERFORM;

servers/slapd/controls.c

@@ -613,14 +613,18 @@ int get_ctrls(
 				}
 
 				if ( sc->sc_mask & SLAP_CTRL_FRONTEND ) {
-					/* kludge to disable backend_control() check */
+					/* KLUDGE: disable backend_control() check */
 					c->ldctl_iscritical = 0;
 
 				} else if ( tagmask == SLAP_CTRL_SEARCH &&
 					sc->sc_mask & SLAP_CTRL_FRONTEND_SEARCH )
 				{
-					/* kludge to disable backend_control() check */
+					/* KLUDGE: disable backend_control() check */
 					c->ldctl_iscritical = 0;
+
+				} else {
+					/* KLUDGE: enable backend_control() check */
+					c->ldctl_iscritical = 1;
 				}
 
 			} else if( c->ldctl_iscritical ) {