From 2d9b67988599ebd997d0d8d1726564f8e22a9bc1 Mon Sep 17 00:00:00 2001
From: Pierangelo Masarati
Date: Mon, 8 Jan 2007 18:35:59 +0000
Subject: [PATCH] import fix to ITS#4798
---
 CHANGES | 1 +
 servers/slapd/back-ldap/bind.c | 20 ++++++--------------
 2 files changed, 7 insertions(+), 14 deletions(-)
diff --git a/CHANGES b/CHANGES
index bd1a4cd901..a0d73a582d 100644
--- a/CHANGES
+++ b/CHANGES
@@ -5,6 +5,7 @@ OpenLDAP 2.3.33 Engineering
 Fixed slapd-ldap chase-referrals switch (ITS#4557)
 Fixed slapd-ldap bind behavior when idassert is always used (ITS#4781)
 Fixed slapd-ldap response handling bugs (ITS#4782)
+ Fixed slapd-ldap idassert mode=self anonymous ops (ITS#4798)
 Fixed slapd-ldap/meta privileged connections handling (ITS#4791)
 Fixed slapd-meta retrying (ITS#4594, 4762)
 Fixed slapo-chain referral DN use (ITS#4776)
diff --git a/servers/slapd/back-ldap/bind.c b/servers/slapd/back-ldap/bind.c
index 2fb5f27488..10a562f5ab 100644
--- a/servers/slapd/back-ldap/bind.c
+++ b/servers/slapd/back-ldap/bind.c
@@ -2131,6 +2131,7 @@ ldap_back_proxy_authz_ctrl(
 slap_idassert_mode_t mode;
 struct berval assertedID, ndn;
+ int isroot = 0;
 *pctrls = NULL;
@@ -2160,7 +2161,7 @@ ldap_back_proxy_authz_ctrl(
 goto done;
 }
- if ( !op->o_conn || op->o_do_not_cache || be_isroot( op ) ) {
+ if ( !op->o_conn || op->o_do_not_cache || ( isroot = be_isroot( op ) ) ) {
 goto done;
 }
@@ -2212,7 +2213,7 @@ ldap_back_proxy_authz_ctrl(
 goto done;
 }
- } else if ( si->si_authz && !be_isroot( op ) ) {
+ } else if ( si->si_authz && !isroot ) {
 int rc;
 struct berval authcDN;
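Review bot: In the `@@ -2160,7 +2161,7 @@` hunk the assignment `( isroot = be_isroot( op ) )` is the last operand of a short-circuiting `||`, so it only runs when `!op->o_conn` and `op->o_do_not_cache` are both false, and every path that falls through this `if` leaves `isroot` at 0. If the `} else if ( si->si_authz && !isroot ) {` branch in the `@@ -2212,7 +2213,7 @@` hunk is reachable only after this test (the lines between the two hunks are not shown), its `!isroot` operand is always true there and reads as if root were still being filtered at that point. Because this function decides whether an identity is asserted to the remote server, I would make the invariant explicit with a comment such as `/* isroot is 0 from here on: the rootdn case returned above */` after the `goto done;` block, or reduce the later test to `} else if ( si->si_authz ) {`. The function starts and ends outside both hunks.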
@@ -2263,21 +2264,11 @@ ldap_back_proxy_authz_ctrl(
 }
 switch ( mode ) {
- case LDAP_BACK_IDASSERT_SELF:
- if ( BER_BVISNULL( &ndn ) ) {
- goto done;
- }
- assertedID = ndn;
- break;
-
 case LDAP_BACK_IDASSERT_LEGACY:
 /* original behavior:
 * assert the client's identity */
- if ( BER_BVISNULL( &ndn ) ) {
- assertedID = slap_empty_bv;
- } else {
- assertedID = ndn;
- }
+ case LDAP_BACK_IDASSERT_SELF:
+ assertedID = ndn;
 break;
 case LDAP_BACK_IDASSERT_ANONYMOUS:
@@ -2299,6 +2290,7 @@ ldap_back_proxy_authz_ctrl(
 assert( 0 );
 }
+ /* if we got here, "" is allowed to proxyAuthz */
 if ( BER_BVISNULL( &assertedID ) ) {
 assertedID = slap_empty_bv;
 }
-- 
2.39.5
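Review bot: With `case LDAP_BACK_IDASSERT_SELF:` now sharing the body of `LDAP_BACK_IDASSERT_LEGACY`, a null `ndn` in mode=self no longer takes `goto done` and is instead normalised to `slap_empty_bv` by the `BER_BVISNULL( &assertedID )` test in the `@@ -2299,6 +2290,7 @@` hunk, so an anonymous client presumably now has the empty authzID asserted where previously no control was built (the code that consumes `assertedID` is outside the hunk). The added comment `/* if we got here, "" is allowed to proxyAuthz */` states this as a fact, but the check that makes it true is not visible in either hunk; I would name it in the comment, along the lines of `/* "" (anonymous) is asserted here; gated by <earlier check, to be named> */`, after confirming it holds for every mode that reaches this point. The LEGACY label also falls through to SELF with only the old comment between them, so a `/* fallthru */` after `* assert the client's identity */` would keep the merge from looking accidental. The switch and the function continue outside the hunk.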