Fix ITS#1607, longstanding bug in group and dnattr acls, gave access
authorHoward Chu <hyc@openldap.org>
Wed, 20 Mar 2002 13:11:37 +0000 (13:11 +0000)
committerHoward Chu <hyc@openldap.org>
Wed, 20 Mar 2002 13:11:37 +0000 (13:11 +0000)
to anonymous connections.

servers/slapd/acl.c

index 518238084374f30251ed14a186a81a9f59a43648..c9051f854f2cef3305ae82ab457ff10c2ce67287 100644 (file)
@@ -768,7 +768,7 @@ acl_mask(
                        }
                }
 
-               if ( b->a_dn_at != NULL && op->o_ndn.bv_len != 0 ) {
+               if ( b->a_dn_at != NULL ) {
                        Attribute       *at;
                        struct berval   bv;
                        int rc, match = 0;
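Review bot: Dropping `op->o_ndn.bv_len != 0` from this condition is only safe because of the `continue` guard added in the next hunk, and neither that guard nor the matching one under `a_group_pat` has a comment saying why it is there. Going by the commit message, the old form let an anonymous operation skip the dnattr/group test and still be treated as satisfying the clause, so I would document the guard, e.g. `/* anonymous (empty o_ndn) can never match dnattr: skip this clause instead of falling through (ITS#1607) */`. The guard also runs before the `acl_mask: ... check a_dn_pat` log call, so skipped anonymous requests leave no trace at that log level; a one-line debug message before `continue` would help when auditing access decisions. Any other `by` tests in acl_mask that are gated on a non-empty `o_ndn` lie outside these hunks and probably deserve the same look. The enclosing loop and function begin and end outside the hunk.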
@@ -777,6 +777,10 @@ acl_mask(
 
                        assert( attr != NULL );
 
+                       if ( op->o_ndn.bv_len == 0 ) {
+                               continue;
+                       }
+
 #ifdef NEW_LOGGING
                        LDAP_LOG(( "acl", LDAP_LEVEL_DETAIL1,
                                   "acl_mask: conn %d  check a_dn_pat: %s\n",
@@ -843,12 +847,16 @@ acl_mask(
                        }
                }
 
-               if ( b->a_group_pat.bv_len && op->o_ndn.bv_len ) {
+               if ( b->a_group_pat.bv_len ) {
                        char buf[1024];
                        struct berval bv;
                        struct berval ndn = { 0, NULL };
                        int rc;
 
+                       if ( op->o_ndn.bv_len == 0 ) {
+                               continue;
+                       }
+
                        bv.bv_len = sizeof(buf) - 1;
                        bv.bv_val = buf;