ITS#7403 fix idassert non-override mode

doc/man/man5/slapd-ldap.5

@@ -40,7 +40,7 @@ for details.
 The proxy instance of
 .BR slapd (8)
 must contain schema information for the attributes and objectClasses
-used in filters, request DN and request-related data in general.
+used in filters, request DNs and request-related data in general.
 It should also contain schema information for the data returned
 by the proxied server.
 It is the responsibility of the proxy administrator to keep the schema
@@ -92,7 +92,7 @@ so its use is redundant and should be omitted.
 LDAP server to use.  Multiple URIs can be set in a single
 .B ldapurl
 argument, resulting in the underlying library automatically 
-call the first server of the list that responds, e.g. 
+calling the first server of the list that responds, e.g.
 
 \fBuri "ldap://host/ ldap://backup\-host/"\fP
 
@@ -100,7 +100,7 @@ The URI list is space- or comma-separated.
 Whenever the server that responds is not the first one in the list,
 the list is rearranged and the responsive server is moved to the head,
 so that it will be first contacted the next time a connection
-needs be created.
+needs to be created.
 .HP
 .hy 0
 .B acl\-bind
@@ -138,7 +138,7 @@ The connection between the proxy database and the remote server
 associated to this identity is cached regardless of the lifespan
 of the client-proxy connection that first established it.
 
-.B This identity is by no means implicitly used by the proxy 
+.B This identity is not implicitly used by the proxy
 .B when the client connects anonymously.
 The
 .B idassert\-bind
@@ -193,7 +193,7 @@ underlying libldap, with rebinding eventually performed if the
 
 .TP
 .B conn\-ttl <time>
-This directive causes a cached connection to be dropped an recreated
+This directive causes a cached connection to be dropped and recreated
 after a given ttl, regardless of being idle or not.
 
 .TP
@@ -232,6 +232,8 @@ for details on the syntax of this field.
 Allows to define the parameters of the authentication method that is 
 internally used by the proxy to authorize connections that are 
 authenticated by other databases.
+Direct binds are always proxied without any idassert handling.
+
 The identity defined by this directive, according to the properties
 associated to the authentication method, is supposed to have auth access 
 on the target server to attributes used on the proxy for authentication
@@ -303,7 +305,6 @@ which implies that the proxy will either perform a simple bind as the
 or a SASL bind as the
 .I authcID
 and assert the client's identity when it is not anonymous.
-Direct binds are always proxied.
 The other modes imply that the proxy will always either perform a simple bind 
 as the
 .IR authcDN

servers/slapd/back-ldap/bind.c

@@ -2116,6 +2116,18 @@ ldap_back_is_proxy_authz( Operation *op, SlapReply *rs, ldap_back_send_t sendok,
 		ndn = op->o_ndn;
 	}
 
+	if ( !( li->li_idassert_flags & LDAP_BACK_AUTH_OVERRIDE )) {
+		if ( op->o_tag == LDAP_REQ_BIND ) {
+			if ( !BER_BVISEMPTY( &ndn )) {
+				dobind = 0;
+				goto done;
+			}
+		} else if ( SLAP_IS_AUTHZ_BACKEND( op )) {
+			dobind = 0;
+			goto done;
+		}
+	}
+
 	switch ( li->li_idassert_mode ) {
 	case LDAP_BACK_IDASSERT_LEGACY:
 		if ( !BER_BVISNULL( &ndn ) && !BER_BVISEMPTY( &ndn ) ) {