From: Pierangelo Masarati
Date: Tue, 20 Dec 2005 20:43:14 +0000 (+0000)
Subject: don't idassert anonymous unless explicitly configured (ITS#4272)
X-Git-Tag: OPENLDAP_REL_ENG_2_4_BP~537
X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=8c2ceeb605813a8ca32e77030c5b19e5f82df3f5;p=openldap

don't idassert anonymous unless explicitly configured (ITS#4272)
---
diff --git a/servers/slapd/back-ldap/bind.c b/servers/slapd/back-ldap/bind.c
index ac5cef995d..ea5bfdedaf 100644
--- a/servers/slapd/back-ldap/bind.c
+++ b/servers/slapd/back-ldap/bind.c
@@ -1032,7 +1032,22 @@ ldap_back_proxy_authz_bind( ldapconn_t *lc, Operation *op, SlapReply *rs )
 default:
 /* NOTE: rootdn can always idassert */
- if ( li->li_idassert_authz && !be_isroot( op ) ) {
+ if ( BER_BVISNULL( &ndn ) && li->li_idassert_authz == NULL ) {
+ if ( li->li_idassert_flags & LDAP_BACK_AUTH_PRESCRIPTIVE ) {
+ rs->sr_err = LDAP_INAPPROPRIATE_AUTH;
+ send_ldap_result( op, rs );
+ LDAP_BACK_CONN_ISBOUND_CLEAR( lc );
+
+ } else {
+ rs->sr_err = LDAP_SUCCESS;
+ binddn = slap_empty_bv;
+ bindcred = slap_empty_bv;
+ break;
+ }
+
+ goto done;
+
+ } else if ( li->li_idassert_authz && !be_isroot( op ) ) {
 struct berval authcDN;
 if ( BER_BVISNULL( &ndn ) ) {
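Review bot: The existing `/* NOTE: rootdn can always idassert */` comment now sits above the new anonymous branch rather than the `!be_isroot( op )` test it describes, and the new branch has no comment stating the access-control policy it enforces. I would move the rootdn note down to the `else if` and put `/* anonymous and no li_idassert_authz rules: never assert an identity; prescriptive mode refuses, otherwise bind anonymously */` above the new `if`. The anonymous test relies on `BER_BVISNULL( &ndn )`, and `ndn` is assigned outside the hunk, so it is worth confirming that an anonymous identity can never arrive here as a zero-length but non-NULL value, since with `li_idassert_authz == NULL` that would skip both branches. ldap_back_proxy_authz_bind starts before and continues past the hunk, so what the `break` and `goto done` paths finally return is not visible here.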