backport ITS#4320 fix from HEAD

diff --git a/CHANGES b/CHANGES
index 82acef939954b297799754cb2130d85a868acf7b..5aa177fbd9d05c2d7042f956e8656d3b4e2ea2a3 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,7 @@
 OpenLDAP 2.3 Change Log
 
 OpenLDAP 2.3.17 Engineering
+       Fixed slapd anonymous proxy authorization issue (ITS#4320)
        Fixed slapd-ldap/meta session reuse issue (ITS#4315)
        Fixed slapd-monitor thread issue (ITS#4318)
        Build environment

diff --git a/servers/slapd/controls.c b/servers/slapd/controls.c
index 6d5bdcb1dc9b39322ff69dfb55344614baec71b2..f88ce1171b2bebbacf3dc0cf5a1e35d9c941eeb5 100644 (file)
--- a/servers/slapd/controls.c
+++ b/servers/slapd/controls.c
@@ -844,6 +844,11 @@ static int parseProxyAuthz (
                return LDAP_PROTOCOL_ERROR;
        }
 
+       if ( BER_BVISEMPTY( &op->o_ndn ) ) {
+               rs->sr_text = "anonymous proxyAuthz not allowed";
+               return LDAP_PROXY_AUTHZ_FAILURE;
+       }
+
        op->o_proxy_authz = ctrl->ldctl_iscritical
                ? SLAP_CONTROL_CRITICAL
                : SLAP_CONTROL_NONCRITICAL;
@@ -860,10 +865,14 @@ static int parseProxyAuthz (
                        op->o_connid, 0, 0 );
 
                /* anonymous */
-               op->o_ndn.bv_val[ 0 ] = '\0';
+               if ( !BER_BVISNULL( &op->o_ndn ) ) {
+                       op->o_ndn.bv_val[ 0 ] = '\0';
+               }
                op->o_ndn.bv_len = 0;
 
-               op->o_dn.bv_val[ 0 ] = '\0';
+               if ( !BER_BVISNULL( &op->o_dn ) ) {
+                       op->o_dn.bv_val[ 0 ] = '\0';
+               }
                op->o_dn.bv_len = 0;
 
                return LDAP_SUCCESS;