add 'rebind-as-user' according to back-ldap's implementation

doc/man/man5/slapd-meta.5

@@ -140,6 +140,10 @@ check permissions.
 This directive sets the password for acl checking in conjunction
 with the above mentioned "binddn" directive.
 .TP
+.B rebind-as-user
+If this option is given, the client's bind credentials are remembered
+for rebinds when chasing referrals.
+.TP
 .B pseudorootdn "<substitute DN in case of rootdn bind>"
 This directive, if present, sets the DN that will be substituted to
 the bind DN if a bind with the backend's "rootdn" succeeds.

servers/slapd/back-meta/back-meta.h

@@ -91,6 +91,7 @@ struct metasingleconn {
 	
 	LDAP            	*ld;
 	struct berval          	bound_dn;
+	struct berval		cred;
 	int             	bound;
 #define META_UNBOUND		0
 #define META_BOUND		1
@@ -149,6 +150,8 @@ struct metainfo {
 	
 	ldap_pvt_thread_mutex_t	conn_mutex;
 	Avlnode			*conntree;
+
+	int			savecred;
 };
 
 #define META_OP_ALLOW_MULTIPLE		0x00

servers/slapd/back-meta/bind.c

@@ -77,6 +77,8 @@
 #include "../back-ldap/back-ldap.h"
 #include "back-meta.h"
 
+static LDAP_REBIND_PROC	meta_back_rebind;
+
 static int
 meta_back_do_single_bind(
 		struct metainfo		*li,
@@ -293,6 +295,15 @@ meta_back_do_single_bind(
 		lc->conns[ candidate ].bound = META_BOUND;
 		lc->bound_target = candidate;
 
+		if ( li->savecred ) {
+			if ( lc->conns[ candidate ].cred.bv_val )
+				ch_free( lc->conns[ candidate ].cred.bv_val );
+			ber_dupbv( &lc->conns[ candidate ].cred, cred );
+			ldap_set_rebind_proc( lc->conns[ candidate ].ld, 
+					meta_back_rebind, 
+					&lc->conns[ candidate ] );
+		}
+
 		if ( li->cache.ttl != META_DNCACHE_DISABLED
 				&& ndn->bv_len != 0 ) {
 			( void )meta_dncache_update_entry( &li->cache,
@@ -428,6 +439,21 @@ meta_back_is_valid( struct metaconn *lc, int candidate )
 	return 0;
 }
 
+/*
+ * meta_back_rebind
+ *
+ * This is a callback used for chasing referrals using the same
+ * credentials as the original user on this session.
+ */
+static int 
+meta_back_rebind( LDAP *ld, LDAP_CONST char *url, ber_tag_t request,
+	ber_int_t msgid, void *params )
+{
+	struct metasingleconn *lc = params;
+
+	return ldap_bind_s( ld, lc->bound_dn.bv_val, lc->cred.bv_val, LDAP_AUTH_SIMPLE );
+}
+
 /*
  * FIXME: error return must be handled in a cleaner way ...
  */

servers/slapd/back-meta/config.c

@@ -356,6 +356,16 @@ meta_back_db_config(
 		}
 		ber_str2bv( argv[ 1 ], 0L, 1, &li->targets[ i ]->bindpw );
 		
+	/* save bind creds for referral rebinds? */
+	} else if ( strcasecmp( argv[0], "rebind-as-user" ) == 0 ) {
+		if (argc != 1) {
+			fprintf( stderr,
+	"%s: line %d: rebind-as-user takes no arguments\n",
+			    fname, lineno );
+			return( 1 );
+		}
+		li->savecred = 1;
+	
 	/* name to use as pseudo-root dn */
 	} else if ( strcasecmp( argv[ 0 ], "pseudorootdn" ) == 0 ) {
 		int 		i = li->ntargets-1;