From ef8228ad564f31992386bfc61553df8387d9e306 Mon Sep 17 00:00:00 2001

From: Noriko Hosoi <nhosoi@redhat.com>

Date: Wed, 13 Jul 2016 14:49:18 -0700

Subject: [PATCH 10/15] Bug 1347760 - CVE-2016-4992 389-ds-base: Information

 disclosure via repeated use of LDAP ADD operation, etc.

Description: If a bind user has no rights, it should not disclose

any information including the existence of the entry.

Fix description:

1) ALREADY_EXISTS in add -- If to be added entry is found existing

   in ldbm_back_add, it checks the ACI and if there is no rights,

   it returns INSUFFICIENT_ACCESS instead of ALREADY_EXISTS.

2) NO_SUCH_OBJECT in other update operations -- If the target entry

   is found not existing, it checks the ancestor entry's access

   rights in find_entry.  If it is not allowed to access the subtree,

   it returns INSUFFICIENT_ACCESS instead of NO_SUC_OBJECT.  Plus,

   it supresses the "Matched" ancestor message.

3) NO_SUCH_OBJECT in search -- If a bind entry has no rights to read

   a subtree, it returns no search results with SUCCESS.  It should

   be applied to the no existing subtree if the bind entry has no

   rights to the super tree.

4) If bind fails because of the non-existence of the bind user or

   the parent nodes, the bind returns LDAP_INVALID_CREDENTIALS to

   the client with no other information.

   The detailed cause is logged in the access log as follows:

	 RESULT err=49 .. etime=0 - No such suffix (<given suffix>)

	 RESULT err=49 .. etime=0 - Invalid credentials

	 RESULT err=49 .. etime=0 - No such entry

https://bugzilla.redhat.com/show_bug.cgi?id=1347760

Reviewed by lkrispen@redhat.com, mreynolds@redhat.com, and tbordaz@redhat.com.

Thank you!!!

(cherry picked from commit 0b932d4b926d46ac5060f02617330dc444e06da1)

---

 ldap/servers/slapd/back-ldbm/dn2entry.c        |  17 ++-

 ldap/servers/slapd/back-ldbm/findentry.c       | 139 +++++++++++++++++++------

 ldap/servers/slapd/back-ldbm/ldbm_add.c        |  21 +++-

 ldap/servers/slapd/back-ldbm/ldbm_bind.c       |  11 +-

 ldap/servers/slapd/back-ldbm/ldbm_compare.c    |   2 +-

 ldap/servers/slapd/back-ldbm/ldbm_delete.c     |   9 +-

 ldap/servers/slapd/back-ldbm/ldbm_modify.c     |  18 ++--

 ldap/servers/slapd/back-ldbm/ldbm_modrdn.c     |  15 +--

 ldap/servers/slapd/back-ldbm/ldbm_search.c     |   2 +-

 ldap/servers/slapd/back-ldbm/misc.c            |   2 +-

 ldap/servers/slapd/back-ldbm/proto-back-ldbm.h |  14 +--

 ldap/servers/slapd/back-ldbm/vlv_srch.c        |   2 +-

 ldap/servers/slapd/bind.c                      |  75 ++++++-------

 ldap/servers/slapd/defbackend.c                |  82 ++++++++++++++-

 ldap/servers/slapd/result.c                    |  16 ++-

 15 files changed, 311 insertions(+), 114 deletions(-)

diff --git a/ldap/servers/slapd/back-ldbm/dn2entry.c b/ldap/servers/slapd/back-ldbm/dn2entry.c

index 6d1d92f..7656688 100644

--- a/ldap/servers/slapd/back-ldbm/dn2entry.c

+++ b/ldap/servers/slapd/back-ldbm/dn2entry.c

@@ -151,14 +151,15 @@ struct backentry *

 dn2ancestor(

     Slapi_Backend *be,

     const Slapi_DN	*sdn,

-	Slapi_DN *ancestordn,

+    Slapi_DN *ancestordn,

     back_txn		*txn,

-    int			*err

+    int			*err,

+    int allow_suffix

 )

 {

-	struct backentry *e = NULL;

+    struct backentry *e = NULL;

-	LDAPDebug( LDAP_DEBUG_TRACE, "=> dn2ancestor \"%s\"\n", slapi_sdn_get_dn(sdn), 0, 0 );

+    LDAPDebug( LDAP_DEBUG_TRACE, "=> dn2ancestor \"%s\"\n", slapi_sdn_get_dn(sdn), 0, 0 );

     /* first, check to see if the given sdn is empty or a root suffix of the

        given backend - if so, it has no parent */

@@ -190,7 +191,13 @@ dn2ancestor(

         */

         /* stop when we get to "", or a backend suffix point */

-        while (!e && !slapi_sdn_isempty(&ancestorndn) && !slapi_be_issuffix( be, &ancestorndn )) {

+        while (!e && !slapi_sdn_isempty(&ancestorndn)) {

+            if (!allow_suffix) {

+                /* Original behavior. */

+                if (slapi_be_issuffix(be, &ancestorndn)) {

+                    break;

+                }

+            }

             /* find the entry - it uses the ndn, so no further conversion is necessary */

             e= dn2entry(be,&ancestorndn,txn,err);

             if (!e) {

diff --git a/ldap/servers/slapd/back-ldbm/findentry.c b/ldap/servers/slapd/back-ldbm/findentry.c

index 4a574bf..8b842e3 100644

--- a/ldap/servers/slapd/back-ldbm/findentry.c

+++ b/ldap/servers/slapd/back-ldbm/findentry.c

@@ -16,8 +16,8 @@

 #include "back-ldbm.h"

-static struct backentry *find_entry_internal_dn(Slapi_PBlock *pb, backend *be, const Slapi_DN *sdn, int lock, back_txn *txn, int flags);

-static struct backentry * find_entry_internal(Slapi_PBlock *pb, Slapi_Backend *be, const entry_address *addr, int lock, back_txn *txn, int flags);

+static struct backentry *find_entry_internal_dn(Slapi_PBlock *pb, backend *be, const Slapi_DN *sdn, int lock, back_txn *txn, int flags, int *rc);

+static struct backentry * find_entry_internal(Slapi_PBlock *pb, Slapi_Backend *be, const entry_address *addr, int lock, back_txn *txn, int flags, int *rc);

 /* The flags take these values */

 #define FE_TOMBSTONE_INCLUDED TOMBSTONE_INCLUDED /* :1 defined in back-ldbm.h */

 #define FE_REALLY_INTERNAL 0x2

@@ -27,7 +27,7 @@ check_entry_for_referral(Slapi_PBlock *pb, Slapi_Entry *entry, char *matched, co

 {

 	int rc=0, i=0, numValues=0;

 	Slapi_Attr *attr;

-	Slapi_Value *val=NULL;	

+	Slapi_Value *val=NULL;

 	struct berval **refscopy=NULL;

 	struct berval **url=NULL;

@@ -80,12 +80,13 @@ out:

 static struct backentry *

 find_entry_internal_dn(

-	Slapi_PBlock	*pb,

+    Slapi_PBlock	*pb,

     backend			*be,

     const Slapi_DN *sdn,

     int				lock,

-	back_txn		*txn,

-	int				flags

+    back_txn		*txn,

+    int				flags,

+    int				*rc /* return code */

 )

 { 

 	struct backentry *e;

@@ -93,9 +94,14 @@ find_entry_internal_dn(

 	int	err;

 	ldbm_instance *inst = (ldbm_instance *) be->be_instance_info;

 	size_t tries = 0;

+	int isroot = 0;

+	int op_type;

+	char *errbuf = NULL;

 	/* get the managedsait ldap message control */

-	slapi_pblock_get( pb, SLAPI_MANAGEDSAIT, &managedsait );

+	slapi_pblock_get(pb, SLAPI_MANAGEDSAIT, &managedsait);

+	slapi_pblock_get(pb, SLAPI_REQUESTOR_ISROOT, &isroot);

+	slapi_pblock_get(pb, SLAPI_OPERATION_TYPE, &op_type);

 	while ( (tries < LDBM_CACHE_RETRY_COUNT) && 

 	        (e = dn2entry_ext( be, sdn, txn, flags & TOMBSTONE_INCLUDED, &err ))

@@ -113,6 +119,9 @@ find_entry_internal_dn(

 			if(check_entry_for_referral(pb, e->ep_entry, NULL, "find_entry_internal_dn"))

 			{

 				CACHE_RETURN( &inst->inst_cache, &e );

+				if (rc) { /* if check_entry_for_referral returns non-zero, result is sent. */

+					*rc = FE_RC_SENT_RESULT;

+				}

 				return( NULL );

 			}

 		}

@@ -151,27 +160,89 @@ find_entry_internal_dn(

 		struct backentry *me;

 		Slapi_DN ancestorsdn;

 		slapi_sdn_init(&ancestorsdn);

-		me= dn2ancestor(pb->pb_backend,sdn,&ancestorsdn,txn,&err;;

+		me = dn2ancestor(pb->pb_backend, sdn, &ancestorsdn, txn, &err, 1 /* allow_suffix */);

 		if ( !managedsait && me != NULL ) {

 			/* if the entry is a referral send the referral */

 			if(check_entry_for_referral(pb, me->ep_entry, (char*)slapi_sdn_get_dn(&ancestorsdn), "find_entry_internal_dn"))

 			{

 				CACHE_RETURN( &inst->inst_cache, &me );

 				slapi_sdn_done(&ancestorsdn);

+				if (rc) { /* if check_entry_for_referral returns non-zero, result is sent. */

+					*rc = FE_RC_SENT_RESULT;

+				}

 				return( NULL );

 			}

 			/* else fall through to no such object */

 		}

 		/* entry not found */

-		slapi_send_ldap_result( pb, ( 0 == err || DB_NOTFOUND == err ) ?

-			LDAP_NO_SUCH_OBJECT : ( LDAP_INVALID_DN_SYNTAX == err ) ?

-			LDAP_INVALID_DN_SYNTAX : LDAP_OPERATIONS_ERROR,

-			(char*)slapi_sdn_get_dn(&ancestorsdn), NULL, 0, NULL );

+		if ((0 == err) || (DB_NOTFOUND == err)) {

+			if (me && !isroot) {

+				/* If not root, you may not want to reveal it. */

+				int acl_type = -1;

+				int return_err = LDAP_NO_SUCH_OBJECT;

+				err = LDAP_SUCCESS;

+				switch (op_type) {

+				case SLAPI_OPERATION_ADD:

+					acl_type = SLAPI_ACL_ADD;

+					return_err = LDAP_INSUFFICIENT_ACCESS;

+					break;

+				case SLAPI_OPERATION_DELETE:

+					acl_type = SLAPI_ACL_DELETE;

+					return_err = LDAP_INSUFFICIENT_ACCESS;

+					break;

+				case SLAPI_OPERATION_MODDN:

+					acl_type = SLAPI_ACL_MODDN;

+					return_err = LDAP_INSUFFICIENT_ACCESS;

+					break;

+				case SLAPI_OPERATION_MODIFY:

+					acl_type = SLAPI_ACL_WRITE;

+					return_err = LDAP_INSUFFICIENT_ACCESS;

+					break;

+				case SLAPI_OPERATION_SEARCH:

+				case SLAPI_OPERATION_COMPARE:

+					return_err = LDAP_SUCCESS;

+					acl_type = SLAPI_ACL_READ;

+					break;

+				case SLAPI_OPERATION_BIND:

+					acl_type = -1; /* skip acl check. acl is not set up for bind. */

+					return_err = LDAP_INVALID_CREDENTIALS;

+					slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, "No such entry");

+					break;

+				}

+				if (acl_type > 0) {

+					err = plugin_call_acl_plugin(pb, me->ep_entry, NULL, NULL, acl_type,

+					                             ACLPLUGIN_ACCESS_DEFAULT, &errbuf);

+				}

+				if (((acl_type > 0) && err) || (op_type == SLAPI_OPERATION_BIND)) {

+					/*

+					 * Operations to be checked && ACL returns disallow.

+					 * Not to disclose the info about the entry's existence,

+					 * do not return the "matched" DN.

+					 * Plus, the bind case returns LDAP_INAPPROPRIATE_AUTH.

+					 */

+					slapi_send_ldap_result(pb, return_err, NULL, NULL, 0, NULL);

+				} else {

+					slapi_send_ldap_result(pb, LDAP_NO_SUCH_OBJECT,

+						(char*)slapi_sdn_get_dn(&ancestorsdn), NULL, 0, NULL);

+				}

+			} else {

+				slapi_send_ldap_result( pb, LDAP_NO_SUCH_OBJECT,

+					(char*)slapi_sdn_get_dn(&ancestorsdn), NULL, 0, NULL);

+			}

+		} else {

+			slapi_send_ldap_result( pb, ( LDAP_INVALID_DN_SYNTAX == err ) ?

+				LDAP_INVALID_DN_SYNTAX : LDAP_OPERATIONS_ERROR,

+				(char*)slapi_sdn_get_dn(&ancestorsdn), NULL, 0, NULL );

+		}

+		if (rc) {

+			*rc = FE_RC_SENT_RESULT;

+		}

 		slapi_sdn_done(&ancestorsdn);

 		CACHE_RETURN( &inst->inst_cache, &me );

 	}

+	slapi_ch_free_string(&errbuf);

 	LDAPDebug( LDAP_DEBUG_TRACE, "<= find_entry_internal_dn not found (%s)\n",

 	    slapi_sdn_get_dn(sdn), 0, 0 );

 	return( NULL );

@@ -183,11 +254,11 @@ find_entry_internal_dn(

  */

 static struct backentry *

 find_entry_internal_uniqueid(

-	Slapi_PBlock	*pb,

+    Slapi_PBlock	*pb,

     backend *be,

-	const char 			*uniqueid,

+    const char 			*uniqueid,

     int				lock,

-	back_txn		*txn

+    back_txn		*txn

 )

 {

 	ldbm_instance *inst = (ldbm_instance *) be->be_instance_info;

@@ -243,8 +314,9 @@ find_entry_internal(

     Slapi_Backend *be,

     const entry_address *addr,

     int			lock,

-	back_txn *txn,

-	int flags

+    back_txn *txn,

+    int flags,

+    int *rc

 )

 {

 	/* check if we should search based on uniqueid or dn */

@@ -261,11 +333,9 @@ find_entry_internal(

 		LDAPDebug( LDAP_DEBUG_TRACE, "=> find_entry_internal (dn=%s) lock %d\n",

 		           slapi_sdn_get_dn(addr->sdn), lock, 0 );

 		if (addr->sdn) {

-			entry = find_entry_internal_dn (pb, be, addr->sdn, 

-			                                lock, txn, flags);

+			entry = find_entry_internal_dn (pb, be, addr->sdn, lock, txn, flags, rc);

 		} else {

-			LDAPDebug0Args( LDAP_DEBUG_ANY,

-			                "find_entry_internal: Null target dn\n" );

+			LDAPDebug0Args( LDAP_DEBUG_ANY, "find_entry_internal: Null target dn\n" );

 		}

 		LDAPDebug0Args( LDAP_DEBUG_TRACE, "<= find_entry_internal\n" );

@@ -278,10 +348,11 @@ find_entry(

     Slapi_PBlock		*pb,

     Slapi_Backend *be,

     const entry_address *addr,

-	back_txn *txn

+    back_txn *txn,

+    int *rc

 )

 {

-	return( find_entry_internal( pb, be, addr, 0/*!lock*/, txn, 0/*flags*/ ) );

+	return(find_entry_internal(pb, be, addr, 0/*!lock*/, txn, 0/*flags*/, rc));

 }

 struct backentry *

@@ -289,10 +360,11 @@ find_entry2modify(

     Slapi_PBlock		*pb,

     Slapi_Backend *be,

     const entry_address *addr,

-	back_txn *txn

+    back_txn *txn,

+    int *rc

 )

 {

-	return( find_entry_internal( pb, be, addr, 1/*lock*/, txn, 0/*flags*/ ) );

+	return(find_entry_internal(pb, be, addr, 1/*lock*/, txn, 0/*flags*/, rc));

 }

 /* New routines which do not do any referral stuff.

@@ -304,10 +376,11 @@ find_entry_only(

     Slapi_PBlock		*pb,

     Slapi_Backend *be,

     const entry_address *addr,

-	back_txn *txn

+    back_txn *txn,

+    int *rc

 )

 {

-	return( find_entry_internal( pb, be, addr, 0/*!lock*/, txn, FE_REALLY_INTERNAL ) );

+	return(find_entry_internal(pb, be, addr, 0/*!lock*/, txn, FE_REALLY_INTERNAL, rc));

 }

 struct backentry *

@@ -315,10 +388,11 @@ find_entry2modify_only(

     Slapi_PBlock		*pb,

     Slapi_Backend *be,

     const entry_address *addr,

-    back_txn *txn

+    back_txn *txn,

+    int *rc

 )

 {

-	return( find_entry_internal( pb, be, addr, 1/*lock*/, txn, FE_REALLY_INTERNAL ) );

+	return(find_entry_internal(pb, be, addr, 1/*lock*/, txn, 0 /* to check aci, disable INTERNAL */, rc));

 }

 struct backentry *

@@ -327,10 +401,9 @@ find_entry2modify_only_ext(

     Slapi_Backend *be,

     const entry_address *addr,

     int flags,

-    back_txn *txn

-

+    back_txn *txn,

+    int *rc

 )

 {

-	return( find_entry_internal( pb, be, addr, 1/*lock*/, txn, 

-		                         FE_REALLY_INTERNAL | flags ));

+	return(find_entry_internal(pb, be, addr, 1/*lock*/, txn, FE_REALLY_INTERNAL | flags, rc));

 }

diff --git a/ldap/servers/slapd/back-ldbm/ldbm_add.c b/ldap/servers/slapd/back-ldbm/ldbm_add.c

index 7eb8fe9..f462376 100644

--- a/ldap/servers/slapd/back-ldbm/ldbm_add.c

+++ b/ldap/servers/slapd/back-ldbm/ldbm_add.c

@@ -93,6 +93,7 @@ ldbm_back_add( Slapi_PBlock *pb )

 	int myrc = 0;

 	PRUint64 conn_id;

 	int op_id;

+	int result_sent = 0;

 	if (slapi_pblock_get(pb, SLAPI_CONN_ID, &conn_id) < 0) {

 		conn_id = 0; /* connection is NULL */

 	}

@@ -379,7 +380,7 @@ ldbm_back_add( Slapi_PBlock *pb )

 				addr.sdn = &parentsdn;

 				addr.udn = NULL;

 				addr.uniqueid = operation->o_params.p.p_add.parentuniqueid;

-				parententry = find_entry2modify_only(pb,be,&addr,&txn);

+				parententry = find_entry2modify_only(pb, be, &addr, &txn, &result_sent);

 				if (parententry && parententry->ep_entry) {

 					if (!operation->o_params.p.p_add.parentuniqueid){

 						/* Set the parentuniqueid now */

@@ -431,6 +432,14 @@ ldbm_back_add( Slapi_PBlock *pb )

 						/* The entry already exists */ 

 						ldap_result_code = LDAP_ALREADY_EXISTS;

 					}

+					if ((LDAP_ALREADY_EXISTS == ldap_result_code) && !isroot && !is_replicated_operation) {

+						myrc = plugin_call_acl_plugin(pb, e, NULL, NULL, SLAPI_ACL_ADD,

+						                              ACLPLUGIN_ACCESS_DEFAULT, &errbuf);

+						if (myrc) {

+							ldap_result_code = myrc;

+							ldap_result_message = errbuf;

+						}

+					}

 					goto error_return;

 				} 

 				else 

@@ -447,7 +456,7 @@ ldbm_back_add( Slapi_PBlock *pb )

 						Slapi_DN ancestorsdn;

 						struct backentry *ancestorentry;

 						slapi_sdn_init(&ancestorsdn);

-						ancestorentry= dn2ancestor(pb->pb_backend,sdn,&ancestorsdn,&txn,&err;;

+						ancestorentry = dn2ancestor(pb->pb_backend, sdn, &ancestorsdn, &txn, &err, 0);

 						slapi_sdn_done(&ancestorsdn);

 						if ( ancestorentry != NULL )

 						{

@@ -495,7 +504,7 @@ ldbm_back_add( Slapi_PBlock *pb )

 				addr.udn = NULL;

 				addr.sdn = NULL;

 				addr.uniqueid = (char *)slapi_entry_get_uniqueid(e); /* jcm - cast away const */

-				tombstoneentry = find_entry2modify( pb, be, &addr, &txn );

+				tombstoneentry = find_entry2modify(pb, be, &addr, &txn, &result_sent);

 				if ( tombstoneentry==NULL )

 				{

 					ldap_result_code= -1;

@@ -712,7 +721,7 @@ ldbm_back_add( Slapi_PBlock *pb )

 					LDAPDebug1Arg(LDAP_DEBUG_BACKLDBM, "ldbm_add: Parent \"%s\" does not exist. "

 					              "It might be a conflict entry.\n", slapi_sdn_get_dn(&parentsdn));

 					slapi_sdn_init(&ancestorsdn);

-					ancestorentry = dn2ancestor(be, &parentsdn, &ancestorsdn, &txn, &err );

+					ancestorentry = dn2ancestor(be, &parentsdn, &ancestorsdn, &txn, &err, 1);

 					CACHE_RETURN( &inst->inst_cache, &ancestorentry );

 					ldap_result_code= LDAP_NO_SUCH_OBJECT;

@@ -1349,7 +1358,9 @@ common_return:

 			 * And we don't want the supplier to halt sending the updates. */

 			ldap_result_code = LDAP_SUCCESS;

 		}

-		slapi_send_ldap_result( pb, ldap_result_code, ldap_result_matcheddn, ldap_result_message, 0, NULL );

+		if (!result_sent) {

+			slapi_send_ldap_result(pb, ldap_result_code, ldap_result_matcheddn, ldap_result_message, 0, NULL);

+		}

 	}

 	backentry_free(&originalentry);

 	backentry_free(&tmpentry);

diff --git a/ldap/servers/slapd/back-ldbm/ldbm_bind.c b/ldap/servers/slapd/back-ldbm/ldbm_bind.c

index ea0df33..99a0818 100644

--- a/ldap/servers/slapd/back-ldbm/ldbm_bind.c

+++ b/ldap/servers/slapd/back-ldbm/ldbm_bind.c

@@ -29,6 +29,7 @@ ldbm_back_bind( Slapi_PBlock *pb )

 	entry_address *addr;

 	back_txn txn = {NULL};

 	int rc = SLAPI_BIND_SUCCESS;

+	int result_sent = 0;

 	/* get parameters */

 	slapi_pblock_get( pb, SLAPI_BACKEND, &be );

@@ -63,8 +64,12 @@ ldbm_back_bind( Slapi_PBlock *pb )

 	 * find the target entry.  find_entry() takes care of referrals

 	 *   and sending errors if the entry does not exist.

 	 */

-	if (( e = find_entry( pb, be, addr, &txn )) == NULL ) {

+	if ((e = find_entry( pb, be, addr, &txn, &result_sent)) == NULL) {

 		rc = SLAPI_BIND_FAIL;

+		/* In the failure case, the result is supposed to be sent in the backend. */

+		if (!result_sent) {

+			slapi_send_ldap_result(pb, LDAP_INAPPROPRIATE_AUTH, NULL, NULL, 0, NULL);

+		}

 		goto bail;

 	}

@@ -82,8 +87,8 @@ ldbm_back_bind( Slapi_PBlock *pb )

 		bvals= attr_get_present_values(attr);

 		slapi_value_init_berval(&cv,cred);

 		if ( slapi_pw_find_sv( bvals, &cv ) != 0 ) {

-			slapi_send_ldap_result( pb, LDAP_INVALID_CREDENTIALS, NULL,

-			    NULL, 0, NULL );

+			slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, "Invalid credentials");

+			slapi_send_ldap_result( pb, LDAP_INVALID_CREDENTIALS, NULL, NULL, 0, NULL );

 			CACHE_RETURN( &inst->inst_cache, &e );

 			value_done(&cv;;

 			rc = SLAPI_BIND_FAIL;

diff --git a/ldap/servers/slapd/back-ldbm/ldbm_compare.c b/ldap/servers/slapd/back-ldbm/ldbm_compare.c

index e52cd6c..e9973a9 100644

--- a/ldap/servers/slapd/back-ldbm/ldbm_compare.c

+++ b/ldap/servers/slapd/back-ldbm/ldbm_compare.c

@@ -56,7 +56,7 @@ ldbm_back_compare( Slapi_PBlock *pb )

 	/* get the namespace dn */

 	namespace_dn = (Slapi_DN*)slapi_be_getsuffix(be, 0);

-	if ( (e = find_entry( pb, be, addr, &txn )) == NULL ) {

+	if ((e = find_entry(pb, be, addr, &txn, NULL)) == NULL) {

 		ret = -1;	/* error result sent by find_entry() */

 		goto bail;

 	}

diff --git a/ldap/servers/slapd/back-ldbm/ldbm_delete.c b/ldap/servers/slapd/back-ldbm/ldbm_delete.c

index 5b24af2..f801e01 100644

--- a/ldap/servers/slapd/back-ldbm/ldbm_delete.c

+++ b/ldap/servers/slapd/back-ldbm/ldbm_delete.c

@@ -77,6 +77,7 @@ ldbm_back_delete( Slapi_PBlock *pb )

 	int op_id;

 	ID ep_id = 0;

 	ID tomb_ep_id = 0;

+	int result_sent = 0;

 	if (slapi_pblock_get(pb, SLAPI_CONN_ID, &conn_id) < 0) {

 		conn_id = 0; /* connection is NULL */

@@ -266,7 +267,7 @@ ldbm_back_delete( Slapi_PBlock *pb )

 			 * deleted.  That is, the entry 'e' found with "addr" is a tomb-

 			 * stone.  If it is the case, we need to back off.

 			 */

-			if ( (e = find_entry2modify( pb, be, addr, &txn )) == NULL )

+			if ((e = find_entry2modify(pb, be, addr, &txn, &result_sent)) == NULL)

 			{

 				ldap_result_code= LDAP_NO_SUCH_OBJECT; 

 				retval = -1;

@@ -507,7 +508,7 @@ ldbm_back_delete( Slapi_PBlock *pb )

 						parent_addr.uniqueid = NULL;

 					}

 					parent_addr.sdn = &parentsdn;

-					parent = find_entry2modify_only_ext(pb, be, &parent_addr, TOMBSTONE_INCLUDED, &txn);

+					parent = find_entry2modify_only_ext(pb, be, &parent_addr, TOMBSTONE_INCLUDED, &txn, &result_sent);

 				}

 				if (parent) {

 					int isglue;

@@ -1466,7 +1467,9 @@ diskfull_return:

 			 * And we don't want the supplier to halt sending the updates. */

 			ldap_result_code = LDAP_SUCCESS;

 		}

-		slapi_send_ldap_result( pb, ldap_result_code, NULL, ldap_result_message, 0, NULL );

+		if (!result_sent) {

+			slapi_send_ldap_result( pb, ldap_result_code, NULL, ldap_result_message, 0, NULL );

+		}

 	}

 	slapi_log_error(SLAPI_LOG_BACKLDBM, "ldbm_back_delete",

 	                "conn=%lu op=%d modify_term: old_entry=0x%p, new_entry=0x%p, in_cache=%d\n",

diff --git a/ldap/servers/slapd/back-ldbm/ldbm_modify.c b/ldap/servers/slapd/back-ldbm/ldbm_modify.c

index 9b3062c..34d9861 100644

--- a/ldap/servers/slapd/back-ldbm/ldbm_modify.c

+++ b/ldap/servers/slapd/back-ldbm/ldbm_modify.c

@@ -392,6 +392,7 @@ ldbm_back_modify( Slapi_PBlock *pb )

 	int not_an_error = 0;

 	int fixup_tombstone = 0;

 	int ec_locked = 0;

+	int result_sent = 0;

 	slapi_pblock_get( pb, SLAPI_BACKEND, &be);

 	slapi_pblock_get( pb, SLAPI_PLUGIN_PRIVATE, &li );

@@ -466,12 +467,12 @@ ldbm_back_modify( Slapi_PBlock *pb )

 	if ( MANAGE_ENTRY_BEFORE_DBLOCK(li)) {

 		/* find and lock the entry we are about to modify */

 		if (fixup_tombstone) {

-			e = find_entry2modify_only_ext( pb, be, addr, TOMBSTONE_INCLUDED, &txn );

+			e = find_entry2modify_only_ext( pb, be, addr, TOMBSTONE_INCLUDED, &txn, &result_sent );

 		} else {

-			e = find_entry2modify( pb, be, addr, &txn );

+			e = find_entry2modify( pb, be, addr, &txn, &result_sent );

 		}

 		if (e == NULL) {

-			ldap_result_code= -1;

+			ldap_result_code = -1;

 			goto error_return; /* error result sent by find_entry2modify() */

 		}

 	}

@@ -551,12 +552,12 @@ ldbm_back_modify( Slapi_PBlock *pb )

 			if ( !MANAGE_ENTRY_BEFORE_DBLOCK(li)) {

 				/* find and lock the entry we are about to modify */

 				if (fixup_tombstone) {

-					e = find_entry2modify_only_ext( pb, be, addr, TOMBSTONE_INCLUDED, &txn );

+					e = find_entry2modify_only_ext( pb, be, addr, TOMBSTONE_INCLUDED, &txn, &result_sent );

 				} else {

-					e = find_entry2modify( pb, be, addr, &txn );

+					e = find_entry2modify( pb, be, addr, &txn, &result_sent );

 				}

 				if (e == NULL) {

-					ldap_result_code= -1;

+					ldap_result_code = -1;

 					goto error_return; /* error result sent by find_entry2modify() */

 				}

 			}

@@ -966,7 +967,10 @@ common_return:

 			 * And we don't want the supplier to halt sending the updates. */

 			ldap_result_code = LDAP_SUCCESS;

 		}

-		slapi_send_ldap_result( pb, ldap_result_code, NULL, ldap_result_message, 0, NULL );

+		if (!result_sent) {

+			/* result is already sent in find_entry. */

+			slapi_send_ldap_result( pb, ldap_result_code, NULL, ldap_result_message, 0, NULL );

+		}

 	}

 	/* free our backups */

diff --git a/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c b/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c

index c0cd2ab..f934305 100644

--- a/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c

+++ b/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c

@@ -95,6 +95,7 @@ ldbm_back_modrdn( Slapi_PBlock *pb )

     int myrc = 0;

     PRUint64 conn_id;

     int op_id;

+    int result_sent = 0;

     if (slapi_pblock_get(pb, SLAPI_CONN_ID, &conn_id) < 0) {

         conn_id = 0; /* connection is NULL */

     }

@@ -474,7 +475,7 @@ ldbm_back_modrdn( Slapi_PBlock *pb )

             /* find and lock the entry we are about to modify */

             /* JCMREPL - Argh, what happens about the stinking referrals? */

             slapi_pblock_get (pb, SLAPI_TARGET_ADDRESS, &old_addr);

-            e = find_entry2modify( pb, be, old_addr, &txn );

+            e = find_entry2modify(pb, be, old_addr, &txn, &result_sent);

             if ( e == NULL )

             {

                 ldap_result_code= -1;

@@ -510,7 +511,7 @@ ldbm_back_modrdn( Slapi_PBlock *pb )

             } else {

                 oldparent_addr.uniqueid = NULL;            

             }

-            parententry = find_entry2modify_only( pb, be, &oldparent_addr, &txn );

+            parententry = find_entry2modify_only(pb, be, &oldparent_addr, &txn, &result_sent);

             modify_init(&parent_modify_context,parententry);

             /* Fetch and lock the new parent of the entry that is moving */            

@@ -520,7 +521,7 @@ ldbm_back_modrdn( Slapi_PBlock *pb )

                 if (is_resurect_operation) {

                     newsuperior_addr->uniqueid = slapi_entry_attr_get_charptr(e->ep_entry, SLAPI_ATTR_VALUE_PARENT_UNIQUEID);

                 }

-                newparententry = find_entry2modify_only( pb, be, newsuperior_addr, &txn );

+                newparententry = find_entry2modify_only(pb, be, newsuperior_addr, &txn, &result_sent);

                 slapi_ch_free_string(&newsuperior_addr->uniqueid);

                 modify_init(&newparent_modify_context,newparententry);

             }

@@ -581,7 +582,7 @@ ldbm_back_modrdn( Slapi_PBlock *pb )

                         Slapi_DN ancestorsdn;

                         struct backentry *ancestorentry;

                         slapi_sdn_init(&ancestorsdn);

-                        ancestorentry= dn2ancestor(be,&dn_newdn,&ancestorsdn,&txn,&err;;

+                        ancestorentry = dn2ancestor(be, &dn_newdn, &ancestorsdn, &txn, &err, 0);

                         CACHE_RETURN( &inst->inst_cache, &ancestorentry );

                         ldap_result_matcheddn= slapi_ch_strdup((char *) slapi_sdn_get_dn(&ancestorsdn));

                         ldap_result_code= LDAP_NO_SUCH_OBJECT;

@@ -1486,8 +1487,10 @@ common_return:

              * And we don't want the supplier to halt sending the updates. */

             ldap_result_code = LDAP_SUCCESS;

         }

-        slapi_send_ldap_result( pb, ldap_result_code, ldap_result_matcheddn,

-                    ldap_result_message, 0,NULL );

+        if (!result_sent) {

+            slapi_send_ldap_result(pb, ldap_result_code, ldap_result_matcheddn,

+                                   ldap_result_message, 0, NULL);

+        }

     }

     slapi_mods_done(&smods_operation_wsi);

     slapi_mods_done(&smods_generated);

diff --git a/ldap/servers/slapd/back-ldbm/ldbm_search.c b/ldap/servers/slapd/back-ldbm/ldbm_search.c

index 535529c..cda1714 100644

--- a/ldap/servers/slapd/back-ldbm/ldbm_search.c

+++ b/ldap/servers/slapd/back-ldbm/ldbm_search.c

@@ -584,7 +584,7 @@ ldbm_back_search( Slapi_PBlock *pb )

     }

     else

     {

-        if ( ( e = find_entry( pb, be, addr, &txn )) == NULL )

+        if ((e = find_entry(pb, be, addr, &txn, NULL)) == NULL)

         {

             /* error or referral sent by find_entry */

             return ldbm_back_search_cleanup(pb, li, sort_control, 

diff --git a/ldap/servers/slapd/back-ldbm/misc.c b/ldap/servers/slapd/back-ldbm/misc.c

index 77c1e70..516b32d 100644

--- a/ldap/servers/slapd/back-ldbm/misc.c

+++ b/ldap/servers/slapd/back-ldbm/misc.c

@@ -412,7 +412,7 @@ ldbm_txn_ruv_modify_context( Slapi_PBlock *pb, modify_context *mc )

     /* Note: if we find the bentry, it will stay locked until someone calls

      * modify_term on the mc we'll be associating the bentry with */

-    bentry = find_entry2modify_only( pb, be, &bentry_addr, &txn );

+    bentry = find_entry2modify_only(pb, be, &bentry_addr, &txn, NULL);

     if (NULL == bentry) {

         /* Uh oh, we couldn't find and lock the RUV entry! */

diff --git a/ldap/servers/slapd/back-ldbm/proto-back-ldbm.h b/ldap/servers/slapd/back-ldbm/proto-back-ldbm.h

index 86e2237..8c813dd 100644

--- a/ldap/servers/slapd/back-ldbm/proto-back-ldbm.h

+++ b/ldap/servers/slapd/back-ldbm/proto-back-ldbm.h

@@ -174,7 +174,7 @@ int ldbm_back_ctrl_info(Slapi_Backend *be, int cmd, void *info);

 struct backentry *dn2entry(Slapi_Backend *be, const Slapi_DN *sdn, back_txn *txn, int    *err);

 struct backentry *dn2entry_ext(Slapi_Backend *be, const Slapi_DN *sdn, back_txn *txn, int flags, int *err);

 struct backentry *dn2entry_or_ancestor(Slapi_Backend *be, const Slapi_DN *sdn, Slapi_DN *ancestor, back_txn *txn, int *err);

-struct backentry *dn2ancestor(Slapi_Backend *be,const Slapi_DN *sdn,Slapi_DN *ancestordn,back_txn *txn,int *err);

+struct backentry *dn2ancestor(Slapi_Backend *be,const Slapi_DN *sdn,Slapi_DN *ancestordn,back_txn *txn,int *err, int allow_suffix);

 int get_copy_of_entry(Slapi_PBlock *pb, const entry_address *addr, back_txn *txn, int plock_parameter, int must_exist);

 int get_copy_of_entry_ext(Slapi_PBlock *pb, ID id, const entry_address *addr, back_txn *txn, int plock_parameter, int must_exist);

 void done_with_pblock_entry(Slapi_PBlock *pb, int plock_parameter);

@@ -194,11 +194,13 @@ IDList * filter_candidates_ext( Slapi_PBlock *pb, backend *be, const char *base,

 /*

  * findentry.c

  */

-struct backentry * find_entry2modify( Slapi_PBlock *pb, Slapi_Backend *be, const entry_address *addr, back_txn *txn );

-struct backentry * find_entry( Slapi_PBlock *pb, Slapi_Backend *be, const entry_address *addr, back_txn *txn );

-struct backentry * find_entry2modify_only( Slapi_PBlock *pb, Slapi_Backend *be, const entry_address *addr, back_txn *txn);

-struct backentry * find_entry2modify_only_ext( Slapi_PBlock *pb, Slapi_Backend *be, const entry_address *addr, int flags, back_txn *txn);

-struct backentry * find_entry_only( Slapi_PBlock *pb, Slapi_Backend *be, const entry_address *addr, back_txn *txn);

+/* Return code */

+#define FE_RC_SENT_RESULT 1

+struct backentry *find_entry2modify(Slapi_PBlock *pb, Slapi_Backend *be, const entry_address *addr, back_txn *txn, int *rc);

+struct backentry *find_entry(Slapi_PBlock *pb, Slapi_Backend *be, const entry_address *addr, back_txn *txn, int *rc);

+struct backentry *find_entry2modify_only(Slapi_PBlock *pb, Slapi_Backend *be, const entry_address *addr, back_txn *txn, int *rc);

+struct backentry *find_entry2modify_only_ext(Slapi_PBlock *pb, Slapi_Backend *be, const entry_address *addr, int flags, back_txn *txn, int *rc);

+struct backentry *find_entry_only(Slapi_PBlock *pb, Slapi_Backend *be, const entry_address *addr, back_txn *txn, int *rc);

 int check_entry_for_referral(Slapi_PBlock *pb, Slapi_Entry *entry, char *matched, const char *callingfn);

 /*

diff --git a/ldap/servers/slapd/back-ldbm/vlv_srch.c b/ldap/servers/slapd/back-ldbm/vlv_srch.c

index fcd0c2d..df378211 100644

--- a/ldap/servers/slapd/back-ldbm/vlv_srch.c

+++ b/ldap/servers/slapd/back-ldbm/vlv_srch.c

@@ -162,7 +162,7 @@ vlvSearch_init(struct vlvSearch* p, Slapi_PBlock *pb, const Slapi_Entry *e, ldbm

             addr.sdn = p->vlv_base;

             addr.uniqueid = NULL;

-            e = find_entry( pb, inst->inst_be, &addr, &txn );

+            e = find_entry(pb, inst->inst_be, &addr, &txn, NULL);

             /* Check to see if the entry is absent. If it is, mark this search

              * as not initialized */

             if (NULL == e) {