destroy cached groups after identity change (ITS#4760)

servers/slapd/controls.c

@@ -991,6 +991,13 @@ static int parseProxyAuthz (
 	op->o_ndn = dn;
 	ber_dupbv( &op->o_dn, &dn );
 
+	/*
+	 * since the authzid has changed, we need to delete
+	 * cached groups (ITS#4760)
+	 */
+        if ( op->o_groups ) {
+                slap_op_groups_free( op );
+        }
 
 	Statslog( LDAP_DEBUG_STATS, "%s PROXYAUTHZ dn=\"%s\"\n",
 	    op->o_log_prefix, dn.bv_val, 0, 0, 0 );

servers/slapd/operation.c

@@ -60,6 +60,17 @@ void slap_op_destroy(void)
 	ldap_pvt_thread_mutex_destroy( &slap_op_mutex );
 }
 
+void
+slap_op_groups_free( Operation *op )
+{
+	GroupAssertion *g, *n;
+	for ( g = op->o_groups; g; g = n ) {
+		n = g->ga_next;
+		slap_sl_free( g, op->o_tmpmemctx );
+	}
+	op->o_groups = NULL;
+}
+
 void
 slap_op_free( Operation *op )
 {
@@ -87,13 +98,8 @@ slap_op_free( Operation *op )
 	}
 #endif
 
-	{
-		GroupAssertion *g, *n;
-		for ( g = op->o_groups; g; g = n ) {
-			n = g->ga_next;
-			slap_sl_free( g, op->o_tmpmemctx );
-		}
-		op->o_groups = NULL;
+	if ( op->o_groups ) {
+		slap_op_groups_free( op );
 	}
 
 #if defined( LDAP_SLAPI )

servers/slapd/proto-slap.h

@@ -1273,6 +1273,7 @@ LDAP_SLAPD_F (int) parse_oidm LDAP_P((
  */
 LDAP_SLAPD_F (void) slap_op_init LDAP_P(( void ));
 LDAP_SLAPD_F (void) slap_op_destroy LDAP_P(( void ));
+LDAP_SLAPD_F (void) slap_op_groups_free LDAP_P(( Operation *op ));
 LDAP_SLAPD_F (void) slap_op_free LDAP_P(( Operation *op ));
 LDAP_SLAPD_F (void) slap_op_time LDAP_P(( time_t *t, int *n ));
 LDAP_SLAPD_F (Operation *) slap_op_alloc LDAP_P((