diff --git a/CHANGES b/CHANGES
index 58a2ca682ae6a2d826f370d4c27c802e60c7837e..3dcc4a4f5f85596818f695b89bfe9ccb70917f6c 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,5 @@
 OpenLDAP 2.4 Change Log
 
 OpenLDAP 2.4.6 Engineering
+	Fixed slapd-ldap SASL idassert w/o autchId
 	Fixed slapo-rwm modlist handling (ITS#5124)
diff --git a/servers/slapd/back-ldap/bind.c b/servers/slapd/back-ldap/bind.c
index e5878a2cbd965e22919dc4042d9be6f46356faa6..882058302a1eec5140561f50aa43296cf058dd1f 100644
--- a/servers/slapd/back-ldap/bind.c
+++ b/servers/slapd/back-ldap/bind.c
@@ -2249,7 +2249,8 @@ ldap_back_proxy_authz_ctrl(
 	 * but if it is not set this test fails.  We need a different
 	 * means to detect if idassert is enabled */
 	if ( ( BER_BVISNULL( &si->si_bc.sb_authcId ) || BER_BVISEMPTY( &si->si_bc.sb_authcId ) )
-			&& ( BER_BVISNULL( &si->si_bc.sb_binddn ) || BER_BVISEMPTY( &si->si_bc.sb_binddn ) ) )
+		&& ( BER_BVISNULL( &si->si_bc.sb_binddn ) || BER_BVISEMPTY( &si->si_bc.sb_binddn ) )
+		&& BER_BVISNULL( &si->si_bc.sb_saslmech ) )
 	{
 		goto done;
 	}
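Review bot: The added `sb_saslmech` term tests only `BER_BVISNULL`, while the two terms beside it test NULL or empty, so a non-NULL but zero-length mechanism would count as "idassert configured" and the function would go on to build a proxy-authorization control. Whether configuration parsing can leave `sb_saslmech` empty is not visible here; if it can, the term should read `&& ( BER_BVISNULL( &si->si_bc.sb_saslmech ) || BER_BVISEMPTY( &si->si_bc.sb_saslmech ) )`. The comment just above already says this test stands in for a real "idassert enabled" indicator, and each extra field makes that authorization decision harder to audit. The function starts and ends outside this hunk.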
@@ -2393,11 +2394,14 @@ ldap_back_proxy_authz_ctrl(
 		goto done;
 	}
 
+	ctrl->ldctl_oid = LDAP_CONTROL_PROXY_AUTHZ;
+
 	switch ( si->si_mode ) {
 	/* already in u:ID or dn:DN form */
 	case LDAP_BACK_IDASSERT_OTHERID:
 	case LDAP_BACK_IDASSERT_OTHERDN:
 		ber_dupbv_x( &ctrl->ldctl_value, &assertedID, op->o_tmpmemctx );
+		rs->sr_err = LDAP_SUCCESS;
 		break;
 
 	/* needs the dn: prefix */
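Review bot: In the `LDAP_BACK_IDASSERT_OTHERID`/`OTHERDN` case, `rs->sr_err = LDAP_SUCCESS` is assigned without checking the result of `ber_dupbv_x()`, which returns NULL when the copy cannot be allocated. A failed copy would then be reported as success, with `ctrl->ldctl_oid` set and `ctrl->ldctl_value` empty. I would guard it, for example `if ( ber_dupbv_x( &ctrl->ldctl_value, &assertedID, op->o_tmpmemctx ) == NULL ) { rs->sr_err = LDAP_OTHER; goto done; }`. The next hunk sets success after two `AC_MEMCPY` calls into `ctrl->ldctl_value.bv_val`; the allocation of that buffer lies outside the hunk, so it may need the same check.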
@@ -2408,6 +2412,7 @@ ldap_back_proxy_authz_ctrl(
 		AC_MEMCPY( ctrl->ldctl_value.bv_val, "dn:", STRLENOF( "dn:" ) );
 		AC_MEMCPY( &ctrl->ldctl_value.bv_val[ STRLENOF( "dn:" ) ],
 				assertedID.bv_val, assertedID.bv_len + 1 );
+		rs->sr_err = LDAP_SUCCESS;
 		break;
 	}
 
@@ -2435,6 +2440,8 @@ ldap_back_proxy_authz_ctrl(
 			goto free_ber;
 		}
 
+		rs->sr_err = LDAP_SUCCESS;
+
 free_ber:;
 		op->o_tmpfree( authzID.bv_val, op->o_tmpmemctx );
 		ber_free_buf( ber );
@@ -2475,6 +2482,9 @@ free_ber:;
 			goto free_ber2;
 		}
 
+		ctrl->ldctl_oid = LDAP_CONTROL_OBSOLETE_PROXY_AUTHZ;
+		rs->sr_err = LDAP_SUCCESS;
+
 free_ber2:;
 		op->o_tmpfree( authzID.bv_val, op->o_tmpmemctx );
 		ber_free_buf( ber );
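Review bot: The obsolete OID is now assigned only on the success path before `free_ber2`, while the assignment added earlier in this function sets `ctrl->ldctl_oid = LDAP_CONTROL_PROXY_AUTHZ` unconditionally. If that earlier assignment also runs on this path, a failed encode that jumps to `free_ber2` leaves `ctrl` carrying the standard OID with no value. The code after `done:` is outside the hunk, so I cannot tell whether it relies on `rs->sr_err` alone; it should, and never on `ldctl_oid` being non-NULL. A comment at the success assignments would record that, e.g. `/* ctrl is valid only when rs->sr_err == LDAP_SUCCESS; ldctl_oid may already be set on failure */`. The same applies to the `free_ber` branch in the previous hunk.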
@@ -2482,8 +2492,6 @@ free_ber2:;
 		if ( rs->sr_err != LDAP_SUCCESS ) {
 			goto done;
 		}
-
-		ctrl->ldctl_oid = LDAP_CONTROL_OBSOLETE_PROXY_AUTHZ;
 	}
 
 done:;