Add limited LDAP_INVALID_DN_SYNTAX support. dn_normalize{,_case}() now returns

[openldap] / servers / slapd / acl.c

diff --git a/servers/slapd/acl.c b/servers/slapd/acl.c
index e632c1a9f69260e50cf22b01ece5645369850ccc..15bbcd4fba8b16150251b30e1e3a8a0cafad2c65 100644 (file)
--- a/servers/slapd/acl.c
+++ b/servers/slapd/acl.c
@@ -360,7 +360,10 @@ acl_access_allowed(
                         */
                        /* see if asker is listed in dnattr */
                        string_expand(buf, sizeof(buf), b->a_group_pat, edn, matches);
-                       (void) dn_normalize_case(buf);
+                       if ( dn_normalize_case(buf) == NULL ) {
+                               /* did not expand to a valid dn */
+                               continue;
+                       }
 
                        if (backend_group(be, e, buf, op->o_ndn,
                                b->a_group_oc, b->a_group_at) != 0)