From c1d96bcea0b1762cbf89797167a7bff4811c2da5 Mon Sep 17 00:00:00 2001
From: Pierangelo Masarati <ando@openldap.org>
Date: Sun, 9 Sep 2007 22:23:58 +0000
Subject: [PATCH] idassert also in case of SASL mechs that do not set authcId

---
 CHANGES                        |  1 +
 servers/slapd/back-ldap/bind.c | 14 +++++++++++---
 2 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/CHANGES b/CHANGES
index 58a2ca682a..3dcc4a4f5f 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,5 @@
 OpenLDAP 2.4 Change Log
 
 OpenLDAP 2.4.6 Engineering
+	Fixed slapd-ldap SASL idassert w/o autchId
 	Fixed slapo-rwm modlist handling (ITS#5124)
diff --git a/servers/slapd/back-ldap/bind.c b/servers/slapd/back-ldap/bind.c
index e5878a2cbd..882058302a 100644
--- a/servers/slapd/back-ldap/bind.c
+++ b/servers/slapd/back-ldap/bind.c
@@ -2249,7 +2249,8 @@ ldap_back_proxy_authz_ctrl(
 	 * but if it is not set this test fails.  We need a different
 	 * means to detect if idassert is enabled */
 	if ( ( BER_BVISNULL( &si->si_bc.sb_authcId ) || BER_BVISEMPTY( &si->si_bc.sb_authcId ) )
-			&& ( BER_BVISNULL( &si->si_bc.sb_binddn ) || BER_BVISEMPTY( &si->si_bc.sb_binddn ) ) )
+		&& ( BER_BVISNULL( &si->si_bc.sb_binddn ) || BER_BVISEMPTY( &si->si_bc.sb_binddn ) )
+		&& BER_BVISNULL( &si->si_bc.sb_saslmech ) )
 	{
 		goto done;
 	}
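Review bot: The new sb_saslmech test on the last line of the condition checks only BER_BVISNULL, whereas the two sibling tests for sb_authcId and sb_binddn treat an empty value the same as a missing one; an allocated but empty mechanism string would therefore skip the `goto done` and the control would still be built although no mechanism is actually named. Whether the config parser can leave sb_saslmech empty rather than NULL is not visible here, but the three tests should read alike: `&& ( BER_BVISNULL( &si->si_bc.sb_saslmech ) || BER_BVISEMPTY( &si->si_bc.sb_saslmech ) ) )`. The comment above the condition still says a different means of detecting whether idassert is enabled is needed; it could record the new rule with `/* a configured SASL mech, even without authcId/binddn, means idassert is enabled */`. ldap_back_proxy_authz_ctrl starts and continues outside the hunk.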
@@ -2393,11 +2394,14 @@ ldap_back_proxy_authz_ctrl(
 		goto done;
 	}
 
+	ctrl->ldctl_oid = LDAP_CONTROL_PROXY_AUTHZ;
+
 	switch ( si->si_mode ) {
 	/* already in u:ID or dn:DN form */
 	case LDAP_BACK_IDASSERT_OTHERID:
 	case LDAP_BACK_IDASSERT_OTHERDN:
 		ber_dupbv_x( &ctrl->ldctl_value, &assertedID, op->o_tmpmemctx );
+		rs->sr_err = LDAP_SUCCESS;
 		break;
 
 	/* needs the dn: prefix */
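Review bot: The added `rs->sr_err = LDAP_SUCCESS;` in the OTHERID/OTHERDN case follows the ber_dupbv_x call without looking at its result, so a failed duplication (ber_dupbv_x returns NULL when it cannot allocate the copy) now reports success with an unusable ldctl_value. The assignment should be conditional, e.g. `if ( ber_dupbv_x( &ctrl->ldctl_value, &assertedID, op->o_tmpmemctx ) == NULL ) { rs->sr_err = LDAP_OTHER; break; }` followed by `rs->sr_err = LDAP_SUCCESS;`; how an error left in rs->sr_err propagates past the switch is outside the hunk and should be checked there. The same unconditional success assignment is added in the dn: case of the next hunk, after a copy into ldctl_value.bv_val whose allocation is not visible in that hunk either.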
@@ -2408,6 +2412,7 @@ ldap_back_proxy_authz_ctrl(
 		AC_MEMCPY( ctrl->ldctl_value.bv_val, "dn:", STRLENOF( "dn:" ) );
 		AC_MEMCPY( &ctrl->ldctl_value.bv_val[ STRLENOF( "dn:" ) ],
 				assertedID.bv_val, assertedID.bv_len + 1 );
+		rs->sr_err = LDAP_SUCCESS;
 		break;
 	}
 
@@ -2435,6 +2440,8 @@ ldap_back_proxy_authz_ctrl(
 			goto free_ber;
 		}
 
+		rs->sr_err = LDAP_SUCCESS;
+
 free_ber:;
 		op->o_tmpfree( authzID.bv_val, op->o_tmpmemctx );
 		ber_free_buf( ber );
@@ -2475,6 +2482,9 @@ free_ber:;
 			goto free_ber2;
 		}
 
+		ctrl->ldctl_oid = LDAP_CONTROL_OBSOLETE_PROXY_AUTHZ;
+		rs->sr_err = LDAP_SUCCESS;
+
 free_ber2:;
 		op->o_tmpfree( authzID.bv_val, op->o_tmpmemctx );
 		ber_free_buf( ber );
@@ -2482,8 +2492,6 @@ free_ber2:;
 		if ( rs->sr_err != LDAP_SUCCESS ) {
 			goto done;
 		}
-
-		ctrl->ldctl_oid = LDAP_CONTROL_OBSOLETE_PROXY_AUTHZ;
 	}
 
 done:;
-- 
GitLab