don't idassert anonymous unless explicitly configured (ITS#4272)

author Pierangelo Masarati <ando@openldap.org>

Tue, 20 Dec 2005 20:43:14 +0000 (20:43 +0000)

committer Pierangelo Masarati <ando@openldap.org>

Tue, 20 Dec 2005 20:43:14 +0000 (20:43 +0000)
author Pierangelo Masarati <ando@openldap.org>
Tue, 20 Dec 2005 20:43:14 +0000 (20:43 +0000)
committer Pierangelo Masarati <ando@openldap.org>
Tue, 20 Dec 2005 20:43:14 +0000 (20:43 +0000)
diff --git a/servers/slapd/back-ldap/bind.c b/servers/slapd/back-ldap/bind.c

index ac5cef995d92b8d15b342df4ae17846d7e1180ac..ea5bfdedaffa8864228c004959cf8b474c7a05a7 100644 (file)
--- a/servers/slapd/back-ldap/bind.c
+++ b/servers/slapd/back-ldap/bind.c
@@ -1032,7 +1032,22 @@ ldap_back_proxy_authz_bind( ldapconn_t *lc, Operation *op, SlapReply *rs )
  
         default:
                 /* NOTE: rootdn can always idassert */
-               if ( li->li_idassert_authz && !be_isroot( op ) ) {
+               if ( BER_BVISNULL( &ndn ) && li->li_idassert_authz == NULL ) {
+                       if ( li->li_idassert_flags & LDAP_BACK_AUTH_PRESCRIPTIVE ) {
+                               rs->sr_err = LDAP_INAPPROPRIATE_AUTH;
+                               send_ldap_result( op, rs );
+                               LDAP_BACK_CONN_ISBOUND_CLEAR( lc );
+
+                       } else {
+                               rs->sr_err = LDAP_SUCCESS;
+                               binddn = slap_empty_bv;
+                               bindcred = slap_empty_bv;
+                               break;
+                       }
+
+                       goto done;
+
+               } else if ( li->li_idassert_authz && !be_isroot( op ) ) {
                         struct berval authcDN;
  
                         if ( BER_BVISNULL( &ndn ) ) {
author	Pierangelo Masarati <ando@openldap.org>
	Tue, 20 Dec 2005 20:43:14 +0000 (20:43 +0000)
committer	Pierangelo Masarati <ando@openldap.org>
	Tue, 20 Dec 2005 20:43:14 +0000 (20:43 +0000)