don't idassert if proxyAuthz == boundDN (ITS#4497)

diff --git a/servers/slapd/back-ldap/bind.c b/servers/slapd/back-ldap/bind.c
index 131219683fc0db4b607ae0b9be4d11e7ad485cdb..61f69630b3d58f3fb45852d97ed09cad33fe88de 100644 (file)
--- a/servers/slapd/back-ldap/bind.c
+++ b/servers/slapd/back-ldap/bind.c
@@ -1652,6 +1652,11 @@ ldap_back_proxy_authz_ctrl(
                assertedID = slap_empty_bv;
        }
 
+       /* don't idassert the bound DN (ITS#4497) */
+       if ( dn_match( &assertedID, &lc->lc_bound_ndn ) ) {
+               goto done;
+       }
+
        if ( op->o_ctrls ) {
                for ( i = 0; op->o_ctrls[ i ]; i++ )
                        /* just count ctrls */ ;