diff --git a/CHANGES b/CHANGES
index 1a7f00a1f21eccbe13e8a93d63b31228d6fd3470..4b86a70969b259f965e0d77f51d3b6459f327ca2 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,7 @@
OpenLDAP 2.4 Change Log
OpenLDAP 2.4.12 Engineering
+ Fixed slapo-constraint string termination (ITS#5609)
OpenLDAP 2.4.11 Release (2008/07/16)
Fixed liblber ber_get_next length decoding (ITS#5580)
diff --git a/doc/man/man5/slapo-constraint.5 b/doc/man/man5/slapo-constraint.5
index 1a60c0e2449ade893cc71168d603a2a78640040f..2c6a0592154259b9a86175962f230c06ddae68bb 100644
--- a/doc/man/man5/slapo-constraint.5
+++ b/doc/man/man5/slapo-constraint.5
@@ -72,8 +72,7 @@ constraint_attribute title uri
A specification like the above would reject any
.B mail
attribute which did not look like
-.B
-<alpha-numeric string>@mydomain.com
+.BR "<alpha-numeric string>@mydomain.com" .
It would also reject any
.B title
attribute whose values were not listed in the
diff --git a/servers/slapd/overlays/constraint.c b/servers/slapd/overlays/constraint.c
index bb4d9504b121764d2bef8081d15f71c9e095f1b1..09fae8e0201e3fdac5b69a75b78692a01497ad2e 100644
--- a/servers/slapd/overlays/constraint.c
+++ b/servers/slapd/overlays/constraint.c
@@ -282,8 +282,16 @@ constraint_cf_gen( ConfigArgs *c )
if (ap.lud->lud_dn == NULL)
ap.lud->lud_dn = ch_strdup("");
- if (ap.lud->lud_filter == NULL)
+ if (ap.lud->lud_filter == NULL) {
ap.lud->lud_filter = ch_strdup("objectClass=*");
+ } else if ( ap.lud->lud_filter[0] == '(' ) {
+ ber_len_t len = strlen( ap.lud->lud_filter );
+ if ( ap.lud->lud_filter[len - 1] != ')' ) {
+ return( ARG_BAD_CONF );
+ }
+ AC_MEMCPY( &ap.lud->lud_filter[0], &ap.lud->lud_filter[1], len - 2 );
+ ap.lud->lud_filter[len - 2] = '\0';
+ }
ber_str2bv( c->argv[3], 0, 1, &ap.val );
} else {
@@ -427,6 +435,7 @@ constraint_violation( constraint *c, struct berval *bv, Operation *op, SlapReply
}
*ptr++ = ')';
*ptr++ = ')';
+ *ptr++ = '\0';
Debug(LDAP_DEBUG_TRACE,
"==> constraint_violation uri filter = %s\n",